Essential Eight Maturity Assessments

Defeat 85% of all cyberattacks

Are you Maturity Level 1, 2, 3… or 0?

Essential Eight Maturity is Australia’s own cybersecurity framework that, if followed correctly, provides assurance that around 85% of cyberattacks can be defeated. 

Organisations can be assessed as having achieved one of four levels of maturity within the framework.  All organisations start at Maturity Level 0 and must be assessed to progress.

To progress to the next maturity level, an organisation must meet the maturity standard for each of the eight mitigation strategies. For example, achieving Maturity Level 2 in seven strategies but only Maturity Level 1 in one means the organisation is considered to be at Maturity Level 1 overall.

Our proven assessment framework effectively evaluates your current maturity level and provides a tailored plan to reach and maintain the next level of cyberattack readiness. This includes identifying gaps, recommending improvements, and supporting implementation to enhance your cybersecurity posture.


How does the Essential Eight Maturity Assessment Work?

Organisations can be assessed as having achieved one of four levels of maturity:

  • Maturity Level 0 – Not meeting the requirements of Maturity Level 1.
  • Maturity Level 1 – Partially aligned with the intent of the mitigation strategy.
  • Maturity Level 2 – Largely aligned with the intent of the mitigation strategy.
  • Maturity Level 3 – Fully aligned with the intent of the mitigation strategy.

You must meet all the requirements of each element to progress as noted below:

  1. Application Control – Restricting the execution of unauthorised applications to prevent malware infections.
  2. Patching Applications – Ensuring applications are up-to-date to mitigate vulnerabilities.
  3. Configure Microsoft Office Macro Settings – Blocking macros from the internet and only allowing vetted macros.
  4. User Application Hardening – Configuring applications to reduce their attack surface.
  5. Restrict Administrative Privileges – Limiting administrative privileges only to those who need them.
  6. Patching Operating Systems – Keeping operating systems up-to-date to protect against vulnerabilities.
  7. Multi-factor Authentication – Implementing multi-factor authentication to strengthen user access controls.
  8. Regular Backups – Performing regular backups to ensure data can be restored in the event of an incident.

Key Features of Essential Eight Maturity Assessments

Our Essential Eight Maturity Assessment is designed to give medium-sized organisations a complete view of their cyber security baseline and a practical improvement plan. Key features of the service include:

  • Comprehensive Maturity Evaluation
    We perform an in-depth review of your current IT environment against the ACSC Essential Eight Maturity Model, establishing your baseline and pinpointing strengths and weaknesses across all eight control areas.
  • Experienced Cyber Security Experts
    Our assessments are led by experienced, qualified Essential Eight professionals who work closely with your team to gather information and thoroughly evaluate all mitigation tactics.
  • Tailored Recommendations and Roadmap
    We deliver a detailed report documenting your current maturity levels and vulnerabilities, with prioritised, actionable recommendations and a clear roadmap to guide your Essential Eight compliance journey.
  • Seamless, Independent Audit
    As an external assessor, we provide an unbiased, efficient review of your security controls, giving you clarity on your position without straining your internal resources.
  • Executive Debrief and Consultation
    We present findings in a clear, collaborative debrief with your Executive and IT teams, ensuring leadership understands your cyber risks and aligns on next steps.
  • Focus on Business Outcomes
    We prioritise tangible risk reduction and resilience, helping you harden defences, protect data, and streamline costs while improving security maturity using the Essential Eight framework.

Our Assessment Process

We follow a proven three-step assessment process to ensure thorough coverage and minimal disruption to your operations.

  1. Discovery & Scoping – Our security expert begins with a series of interviews with your team to understand your business objectives, IT infrastructure, and current security measures. We’ll identify any existing implementations of Essential Eight controls and define your target maturity level. This stage sets clear goals and ensures the assessment is aligned with your organisation’s needs.
  2. Technical Assessment & Analysis – Next, we conduct a comprehensive audit of your environment against each of the eight Essential Eight controls. This includes reviewing configurations, policies, and systems. For each area, we gather evidence and evaluate your implementation against the Essential Eight maturity criteria. The result is a detailed analysis of which maturity level you currently meet for each control and what gaps remain. After the technical review, we compile our findings into a report, including maturity level scores, identified risks or shortcomings, and recommended improvements.
  3. Report Presentation & Roadmap Planning – We deliver a comprehensive report and then walk you through it in a formal presentation. In this debrief, our expert will highlight your overall Essential Eight maturity, explain any critical vulnerabilities uncovered, and discuss each recommendation. We then provide a tailored roadmap and guidance on next steps. The roadmap prioritises remediation activities, e.g. which controls to address first to achieve quick wins in security, and which longer-term initiatives will elevate you to the desired maturity level. You will come away with a clear, prioritised plan to boost your cyber security posture and move toward full Essential Eight compliance.

Throughout the process, we maintain close communication with the assessment sponsor and keep disruption to a minimum. You can expect the engagement to be completed on a prompt timeline (often a few weeks, depending on the scale of your organisation), so you quickly gain the insights needed to take action.

Why Choose Computer One for your Essential Eight Assessment?

  • Unmatched Expertise and End-to-End Capability
    We bring deep experience across all areas of the Essential Eight, offering end-to-end support from initial gap assessment through to remediation and ongoing management of security controls.
  • Proven Track Record in Cyber Security Assessments
    Computer One has assessed and uplifted cyber security for dozens of organisations across various industries, bringing real-world insights to strengthen your defences effectively.
  • Highly Accredited, Local Team
    Work with a security team that is industry-certified and accredited, providing on-the-ground support and 24/7 availability across Australia.
  • Practical Guidance and Support Beyond the Audit
    We don’t just deliver a report and walk away. We remain available post-assessment to assist with remediation and implementation.
  • Focused on Your Business Outcomes
    Our consultants ensure your roadmap aligns with your organisation’s risk profile, budget, and current technical environment.

Contact Our Essential Eight Maturity Assessments Team Today!

Please call us on 1300 667 871 or fill in the form below and we’ll be in touch quickly.

Essential Eight Maturity Assessments FAQs

Which organisations benefit from Essential Eight?

All organisations, regardless of size or sector, benefit from implementing the Essential Eight. This includes government agencies, large enterprises, small and medium-sized businesses (SMBs), schools, non-profits, and critical infrastructure providers. It is particularly valuable for SMBs because it offers an effective baseline of cybersecurity measures that are achievable even with limited resources.

Is the Essential Eight mandatory for Australian organisations?

Essential Eight compliance is mandatory for Australian Federal Government agencies. It is recommended but not legally required for private organisations. However, many industries increasingly consider Essential Eight compliance a de facto requirement for cyber resilience and insurance purposes.

What maturity levels does the Essential Eight framework use, and what do they mean?

The Essential Eight uses a four-level maturity model:

  • Level 0 (Not aligned): No meaningful implementation of Essential Eight strategies.
  • Level 1 (Partially aligned): Basic implementation to protect against opportunistic threats.
  • Level 2 (Mostly aligned): Good implementation, protecting against targeted, slightly more sophisticated attacks.
  • Level 3 (Fully aligned): Comprehensive implementation to defend against sophisticated, targeted cyber threats.

Organisations select a maturity level based on their specific risk exposure, with higher-risk organisations aiming for Level 2 or 3.

How is the Essential Eight measured?

Essential Eight maturity is measured by assessing each of the eight strategies individually against the criteria for maturity levels (0-3). An organisation's overall maturity is determined by the lowest maturity level achieved across all strategies. Organisations typically conduct annual self-assessments or engage external auditors for independent evaluations.

Which job titles need to be part of an Essential Eight maturity assessment?

Essential Eight assessments typically involve:

  • Chief Information Security Officer (CISO) or IT security managers.
  • Internal or external security auditors or assessors.
  • System administrators or IT operations staff.
  • IT architects or application/system owners.
  • Senior management or executive stakeholders (e.g., CIO, CEO, CFO).

Including these roles ensures technical accuracy, organisational alignment, and executive support for cybersecurity improvements.

How often should an organisation assess its Essential Eight maturity?

Organisations should conduct Essential Eight maturity assessments at least annually or whenever significant changes occur, such as major IT updates, new system deployments, or after cyber incidents. Continuous monitoring and regular reassessments help maintain a robust security posture.

Can small businesses implement the Essential Eight effectively?

Yes. Small businesses can effectively implement the Essential Eight because it focuses on straightforward, practical measures. Basic cybersecurity actions such as automatic updates, enabling MFA, restricting admin rights, and regular backups are achievable for small businesses even with limited IT resources.

How does Essential Eight compliance impact cyber insurance eligibility or premiums?

Implementing the Essential Eight can positively impact cyber insurance eligibility and potentially reduce premiums. Insurers increasingly use the Essential Eight as a baseline indicator of effective cyber risk management, making organisations that follow the framework more attractive due to reduced likelihood of claims.

What other cybersecurity frameworks are like the Essential Eight?

Frameworks similar or complementary to the Essential Eight include:

  • Australian Government Information Security Manual (ISM)
  • CIS Critical Security Controls (CIS Top 18)
  • NIST Cybersecurity Framework (NIST CSF)
  • ISO/IEC 27001
  • UK Cyber Essentials

Each provides broader or complementary guidelines, with the Essential Eight often serving as a practical subset within these comprehensive frameworks.

What are the common challenges organisations face in achieving Essential Eight compliance?

Common challenges include:

  • Legacy software or systems difficult to update or replace.
  • Resource and budget constraints, particularly in smaller organisations.
  • Resistance from users or management due to perceived inconvenience or operational impacts.
  • Viewing Essential Eight compliance merely as a checklist rather than a strategic priority.
  • Technical complexity of certain controls (e.g., application control and hardening).
  • Difficulty adapting to evolving guidelines and threat environments.
  • Organisational silos and communication gaps hindering effective implementation.

Despite these challenges, many organisations successfully implement Essential Eight by taking incremental steps and seeking external support where necessary.

Are there specific technologies or solutions recommended by ASD for Essential Eight implementation?

ASD remains vendor-neutral and does not endorse specific products. Instead, it recommends using existing, reliable, and proven security tools and configurations available within standard operating systems and applications. Examples include built-in tools like Microsoft AppLocker for application control, Group Policy settings for macro restrictions, vulnerability scanners for patch management, and common MFA solutions integrated with popular cloud services.

© 2025 Computer One Australia.