Comprehensive Essential 8 Assessment Guide [2025]

What Is An Essential 8 Assessment?

An Essential 8 assessment is a detailed review of an organisation’s cyber security practices against the Essential Eight: eight mitigation strategies published by the Australian Cyber Security Centre (ACSC) to make it much harder for adversaries to compromise systems.

A Shift Computer Solutions Essential 8 assessment evaluates how well your organisation has implemented critical controls such as application control, timely patching, and multi-factor authentication. The goal is to identify security gaps and confirm alignment with the ACSC’s published maturity requirements.

Regularly conducting an Essential 8 health check is vital for strengthening your organisation’s cyber defences, reducing the risk of incidents, and demonstrating a strong commitment to protecting your systems, data, and reputation.

Why Do You Need Essential 8?

For Australian businesses, the Essential 8 acts as a strong line of defence against cybercrime, helping protect sensitive data, critical assets, and business reputation.

By putting these strategies in place, it becomes much harder for attackers to gain access. This brings clear, practical benefits:

  • Prevent data breaches: Safeguard customer information and avoid costly penalties.
  • Build trust: Show clients and partners that security is a top priority.
  • Stay up and running: Reduce the risk of downtime caused by cyber threats.

What Categories Are Included In Essential Eight?

  • Patch Applications
  • Patch Operating Systems
  • Configure Microsoft Office Macro Settings
  • User Application Hardening
  • Restrict Administrative Privileges
  • Multi-Factor Authentication
  • Application Control
  • Regular Backups

Doing this assessment helps your organisation check how strong your cyber security is and spot any weak points. It also helps you improve your protection to match what the Australian government recommends, so you’re less likely to be hit by a cyberattack.

What Is The Essential Eight Maturity Model?

The Essential Eight Maturity Model is published free of charge by the Australian Cyber Security Centre (ACSC). It defines four maturity levels, 0 to 3, against which each of the eight strategies is assessed; Level 3 is the highest and describes the most complete implementation.

Level 0: No Controls In Place:

The organisation hasn’t met even the basic level of cyber security, which means there are serious weaknesses and it’s at high risk of being attacked.

Level 1: Basic Controls In Place:

Some controls have been implemented, but they may be only partly configured or not documented. This level is designed to stop opportunistic adversaries who rely on widely available commodity tools and techniques.

Level 2: Controls Are Active And Monitored:

Security protections are properly in place and watched closely. This level helps defend against more serious attackers who are willing to spend extra time trying to break in.

Level 3: Controls Are Strong And Always Improving:

Security is well-developed and regularly updated based on new threats and risks. This level protects against expert hackers who design their attacks for specific businesses.

What Level Of Maturity In The Essential 8 Is My Organisation At?

There are two main ways to find out your Essential Eight maturity level:

Self-assessment: Use the ACSC’s freely published Essential Eight Maturity Model and assessment guidance to rate how completely your organisation has implemented each of the eight strategies.

Professional audit: You can hire a cyber security expert to do a full check. They’ll find what you’re doing well, what needs work, and how you can improve.

Self-Assessment

The ACSC describes in detail what each level (One, Two, or Three) requires. We provide a summary here, but you can read the full list on the ACSC website.

To begin, check whether your organisation meets the requirements for Level 1. You cannot skip ahead to Level 2 or 3; each level builds on the one before it.

Why Must You Assess At Level 1?

The goal of the framework is to give your organisation one overall level. Being strong in some areas doesn’t count if other parts are weak. To say your business is at Level 1, 2, or 3, all areas must meet that level, or have other protections in place to make up for anything that’s missing.

Where Do You Start?

First, it’s important to understand the eight strategies that make up the Essential Eight.

  • Patch Applications: Regularly update applications to address known security flaws.
  • Patch Operating Systems: Keep operating systems up to date to prevent exploitation.
  • Multi-Factor Authentication (MFA): Require a second proof of identity beyond the password, such as a security key or an authenticator app code, to verify users.
  • Restrict Administrative Privileges: Limit admin access to only those who need it, and only when necessary.
  • Application Control: Only allow approved applications to run on your systems.
  • Restrict Microsoft Office Macros: Limit macro use to reduce the risk of malicious code execution.
  • User Application Hardening: Configure browsers and document readers to block risky features.
  • Regular Backups: Back up important data, applications and settings in line with business criticality and continuity requirements, and confirm they can be restored when needed.

Next, be familiar with the four maturity levels used in the framework. Each strategy is assessed against them:

  • Level 0: No security controls have been implemented.
    • The organisation has not met the minimum security requirements of Maturity Level One, indicating significant weaknesses in its overall cybersecurity posture.
  • Level 1: Controls are partly in place and aligned with the strategy’s intent.
    • Basic security controls are in place, but they may be only partially implemented or not well documented. This level offers protection against opportunistic attackers who rely on publicly available tools to exploit common system vulnerabilities.
  • Level 2: Controls are mostly in place and operating as intended.
    • Provides protection against more advanced attackers who use commonly available tools and are prepared to spend more time and resources to breach specific targets.
  • Level 3: Controls are fully implemented, monitored, and continuously improved.
    • Security controls are fully optimised and continuously improved using risk assessments and threat intelligence. This level defends against highly skilled attackers who tailor their tools and techniques to target specific organisations.

You’ll also need to evaluate the quality of evidence you can provide to support your assessment. The ACSC outlines four levels of confidence:

  • Excellent Evidence: You’ve tested the control in action (e.g. simulating an event to validate application control rules).
  • Good Evidence: You’ve reviewed system settings directly to confirm compliance.
  • Fair Evidence: You’ve reviewed copies or screenshots of settings, not the system itself.
  • Poor Evidence: You rely only on written policies or verbal confirmation without verifying implementation.

Pursuing the highest quality evidence, rather than relying on policy statements alone, adds credibility to your assessment and ensures a more accurate reflection of your organisation’s cyber maturity.

Patch Applications

Application vendors regularly release updates that fix security vulnerabilities. To stay safe, check that the applications your organisation uses are up to date by comparing the installed versions with the latest versions the vendors have released, and noting when those updates were published.

Sources such as the SANS Internet Storm Center, the Microsoft Security Response Center, and CISA’s Known Exploited Vulnerabilities (KEV) catalogue help you judge how serious a vulnerability is and whether attackers are actively exploiting it; both factors decide whether the 48-hour or the two-week patching window applies.

  • An automated method of asset discovery is used at least fortnightly to identify assets for subsequent vulnerability scanning.
    • Observe the asset discovery process running.
    • Check the scope and dates of recent scans.
    • Examine the network for any unauthorised assets.
    • Consider scheduling vulnerability scans to follow asset discovery, so newly found assets are scanned straight away.
  • Vulnerability scanning is done using a vulnerability scanner that has an updated vulnerability database.
    • Watch a demonstration of the security scan and check that it includes all the online services your business uses.
    • Make sure the scanner’s threat database was updated recently, ideally within the last 24 hours.
  • A vulnerability scanner is used every day to find missing updates or security fixes in services.
    • Look at a recent scan to see what was checked.
    • Check the scan dates and details to make sure scans are happening daily.
    • Make sure the scan includes all the services your organisation actually uses.
  • A vulnerability scanner is used at least once a week to find missing updates in Office programs, web browsers and their add-ons, email apps, PDF readers, and security software.
    • Review a scan report and make sure all these types of apps are included.
    • Check earlier scans to confirm they happened weekly and covered the right programs.
  • Important updates for online services, when the risk is high or hackers are already using the flaw, must be applied within 48 hours.
    • Use a network scanner to check what versions are running and when they were installed. Compare that to the patch release date to make sure the 48-hour rule is met.
    • Tools like Nessus Essentials, Nexpose Community Edition, OpenVAS, and Qualys Community Edition can help. ASD also offers tools, but you need to be a partner or work with one to use them.
    • If you don’t have a scanner, you can manually check version numbers and install dates.
  • Less urgent updates for online services, when the issue is not critical and hackers aren’t actively using it, must be applied within two weeks.
    • The same process as for critical patches applies here.
    • Use scanners or manual checks to find and confirm updates. Tools like E8MVT can help identify missing patches.
    • Some services can be missed, so using an automatic scanner is usually more thorough.
  • Updates for Office programs, web browsers and their add-ons, email apps, PDF readers, and security software must be installed within two weeks of release.
    • Look at the list of installed programs in ‘Programs and Features’.
    • Use vulnerability scanners or PowerShell to create a full list of all installed apps. The ACSC provides a PowerShell script that lists installed programs from the registry’s Uninstall keys (the data ‘Programs and Features’ is built from); use it alongside the standard app list to make sure nothing is missed.
    • Compare each app’s version and install date to the date the latest patch was released. For manual checks, record both the version and the install date.
  • Online services that are no longer supported by the company that made them must be removed.
    • Use scanners to find services that have reached end-of-life and are no longer supported.
    • Keep records showing that these unsupported services were removed from your systems.
  • Old versions of Office tools, web browsers (and their extensions), email software, PDF readers, Adobe Flash Player, and security products must also be removed if they’re no longer supported.
    • Use scanners to check if these programs are still supported.
    • Show the current versions and check if they match what’s supported.
    • Confirm that Adobe Flash Player is no longer on your network.
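As an added, worked example (this is not a script from the ACSC or from this guide), the following PowerShell builds the installed-application inventory described above from the registry Uninstall keys, then compares it with a table of latest vendor versions to flag applications outside the two-week window. The `$latest` table, its version numbers and release dates are placeholders constructed for the example; a real assessment would populate it from the vendors’ advisories.

```powershell
# Added example (not ACSC or page code): inventory installed applications from the
# registry Uninstall keys (the source 'Programs and Features' reads), then compare each
# entry against a table of latest vendor versions to flag patching-window misses.

function Get-InstalledApplication {
    # Per-machine 64-bit and 32-bit keys plus the per-user key, so nothing is missed.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate, when present, is yyyyMMdd text.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Installed = $installed
                Hive      = $_.PSDrive.Name   # HKLM vs HKCU: per-user installs are easy to overlook
            }
        } | Sort-Object Name -Unique
}

function Test-ApplicationPatchWindow {
    param(
        [Parameter(Mandatory)] [object[]]  $Inventory,
        [Parameter(Mandatory)] [hashtable] $LatestRelease,  # name prefix -> @{ Version; Released }
        [int] $WindowDays = 14                               # ML1: two weeks for Office, browsers, PDF readers, etc.
    )
    foreach ($name in $LatestRelease.Keys) {
        $latest = $LatestRelease[$name]
        $app = $Inventory | Where-Object { $_.Name -like "$name*" } | Select-Object -First 1
        if (-not $app) {
            [pscustomobject]@{ Name = $name; Installed = '(not installed)'; Latest = $latest.Version; Status = 'n/a' }
            continue
        }
        # '-as [version]' yields $null for versions that are not dotted numbers, rather than throwing.
        $have = $app.Version -as [version]
        $want = $latest.Version -as [version]
        $behind  = ($have -and $want) -and ($have -lt $want)
        $overdue = $behind -and (((Get-Date) - $latest.Released).TotalDays -gt $WindowDays)
        [pscustomobject]@{
            Name      = $app.Name
            Installed = $app.Version
            Latest    = $latest.Version
            Status    = if ($overdue) { 'FAIL: outside patching window' }
                        elseif ($behind) { 'WARN: update released, still inside window' }
                        elseif (-not $have -or -not $want) { 'CHECK: version not comparable' }
                        else { 'OK' }
        }
    }
}

# Constructed placeholder data: replace with versions and dates from the vendors' advisories.
$latest = @{
    'Google Chrome' = @{ Version = '130.0.0.0'; Released = (Get-Date).AddDays(-20) }
    'Adobe Acrobat' = @{ Version = '24.3.0.0';  Released = (Get-Date).AddDays(-3) }
}
$inventory = Get-InstalledApplication
Test-ApplicationPatchWindow -Inventory $inventory -LatestRelease $latest | Format-Table -AutoSize
# Old install dates are a cheap first filter for software that may be unsupported.
$inventory | Where-Object { $_.Installed -and $_.Installed -lt (Get-Date).AddYears(-3) } |
    Format-Table Name, Version, Installed, Hive
```

Run it in the context of a normal user as well as an administrator: the HKCU key only shows that user’s per-user installs (browsers and PDF readers are often installed this way), which is exactly the software a machine-wide scan can miss. Export the output with `Export-Csv` as the evidence for the version-and-date comparison.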

Patch Operating Systems

Operating system vendors (Microsoft for Windows, or the maintainers of a Linux distribution) regularly release updates to fix security vulnerabilities. Systems that are not updated, especially internet-facing ones, are the most likely to be attacked. Systems that are not internet-facing, such as office workstations and internal servers, still need regular updates, because an attacker who gains a foothold will move laterally to them.

Sources such as the SANS Internet Storm Center, the Microsoft Security Response Center, and CISA’s Known Exploited Vulnerabilities (KEV) catalogue help you judge how serious a vulnerability is and therefore how quickly it must be fixed.

  • An automatic tool is used at least every two weeks to find all devices and systems on the network, so they can be checked for security issues later.
    • Check how well the automatic asset discovery tool is working. It might be a separate tool or built into your security scanner.
    • Look at past scan reports to make sure they run often enough and cover everything.
    • Try to run asset discovery scans at the same time as your security scans to save time and effort.
    • Use the tool to find any unknown or unauthorised devices on the network, and follow up to see what they are.
  • A vulnerability scanner with up-to-date information is used to check for security issues.
    • Watch the scanning process to see how it works.
    • Make sure the scanner’s database (the list of known risks) was updated recently, ideally in the last 24 hours.
  • A vulnerability scanner is used every day to check for missing updates in operating systems on servers and devices that are connected to the internet.
    • Review how these daily scans are done and make sure they are actually happening.
    • Look at recent scan logs to check the dates and details, confirming that scans are being run every day.
  • A vulnerability scanner is used at least every two weeks to check for missing updates on office computers, internal servers, and devices that aren’t connected to the internet.
    • Review how these scans are done and make sure they are happening at least every two weeks.
    • Look at recent scan logs to check the dates and what was scanned, making sure the two-week rule is being followed.
  • Patches or updates for critical vulnerabilities in internet-facing servers and network devices must be applied within 48 hours if the vendor classifies the issue as critical or if there are known exploits in the wild.
    • Use a network-based vulnerability scanner to verify that operating systems are up to date.
    • Free tools such as Nessus Essentials, Nexpose Community Edition, OpenVAS, and Qualys Community Edition may be used. The ASD also offers tools for partners or those working with a partner organisation.
    • Be cautious when relying on Windows Server Update Services (WSUS) for verification. WSUS may report that updates were deployed, but not whether they were successfully installed, are pending restart, or have failed.
    • Use PowerShell (Get-HotFix, or Get-CimInstance Win32_QuickFixEngineering) to generate a list of installed hotfixes and their install dates; WMIC is deprecated and removed from current Windows releases, so do not rely on it. Cross-check the list against vendor patch releases to confirm that all critical updates have been applied.
  • For non-critical vulnerabilities, where no active exploits exist, patches must be applied within two weeks of release.
    • Follow the same validation steps as for critical vulnerabilities.
    • Use a network-based vulnerability scanner to confirm that systems are up to date.
    • Nessus Essentials, Nexpose Community Edition, OpenVAS, and Qualys Community Edition remain suitable tools.
    • The same limitation applies to WSUS: it may not reliably confirm successful installation.
    • Use PowerShell (Get-HotFix) rather than the deprecated WMIC to list applied hotfixes. Compare against the vendor’s patch release information to verify all required updates are in place.
  • Patches, updates, or other vendor-recommended fixes for vulnerabilities in operating systems of workstations, internal servers, and non-internet-facing network devices must be applied within one month of release.
    • Follow the same verification process as outlined above
    • Use a network-based vulnerability scanner to confirm that operating systems are fully up to date.
    • Suitable free tools include Nessus Essentials, Nexpose Community Edition, OpenVAS, and Qualys Community Edition. The ASD also provides tools, although access is limited to ASD partners or those working with one.
    • Note from the ASD: If relying on Windows Server Update Services (WSUS), be aware it may report that patches were delivered but not confirm if they were successfully installed, are stuck, or pending a system restart.
    • Use PowerShell (Get-HotFix) to generate a list of installed hotfixes and their installation dates. Compare these against the vendor’s patch release schedule to verify compliance.
  • Operating systems that are no longer supported by their vendors must be decommissioned and replaced.
    • Use vulnerability scanners to detect the current operating system version.
    • Alternatively, use commands such as winver for Windows or cat /etc/os-release for Linux systems to check OS details.
    • Capture screenshots of version outputs and compare them against official vendor support documentation to confirm support status.
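The following PowerShell is an added example (not a script from the ACSC or from this guide) of the verification the bullets above describe: it lists installed OS updates with their dates, judges the newest against the Level One window, and surfaces the two states WSUS reporting hides, an update waiting on a restart and an update that failed to install. The vendor release date passed in at the bottom is a placeholder; take it from the advisory of the update you are checking for.

```powershell
# Added example (not ACSC or page code): list installed OS updates and their dates, judge
# them against the ML1 patching window, and surface the states WSUS will not show:
# an update that is delivered but waiting on a restart, or that failed to install.

function Get-PendingRebootState {
    # Markers Windows Update and component servicing leave when a restart is needed to finish.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $reasons = @()
    foreach ($m in $markers) { if (Test-Path $m) { $reasons += $m } }
    # A pending file rename (replacing an in-use binary at boot) also means a patch is not yet effective.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { $reasons += 'PendingFileRenameOperations' }
    [pscustomobject]@{ RebootPending = ($reasons.Count -gt 0); Reasons = $reasons }
}

function Get-RecentUpdateFailures {
    param([int] $Days = 30)
    # Windows Update client event ID 20 in the System log is 'Installation Failure'.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-WindowsUpdateClient'; Id = 20
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

function Test-OsPatchCurrency {
    param(
        [Parameter(Mandatory)] [datetime] $VendorReleaseDate,  # release date of the newest relevant vendor patch
        [switch] $InternetFacing,                              # ML1: two weeks if internet-facing, one month otherwise
        [int]    $WindowDays = 0                               # override, e.g. -WindowDays 2 for critical/exploited
    )
    if ($WindowDays -eq 0) { $WindowDays = if ($InternetFacing) { 14 } else { 30 } }
    # Get-HotFix wraps Win32_QuickFixEngineering; prefer it to WMIC, which is deprecated.
    $hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
    $applied  = @($hotfixes | Where-Object { $_.InstalledOn -ge $VendorReleaseDate.Date })
    $age      = [int]((Get-Date) - $VendorReleaseDate).TotalDays
    $reboot   = Get-PendingRebootState
    $status   = if ($applied.Count -gt 0 -and -not $reboot.RebootPending) { 'OK: update installed after vendor release' }
                elseif ($applied.Count -gt 0) { 'PENDING: update installed but restart outstanding' }
                elseif ($age -le $WindowDays) { "PENDING: $age days since release, window is $WindowDays" }
                else { "FAIL: nothing installed in $age days since release (window $WindowDays)" }
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OS             = "$($os.Caption) build $($os.BuildNumber)"   # compare with the vendor lifecycle page for support status
        NewestHotfix   = if ($hotfixes) { '{0} on {1:yyyy-MM-dd}' -f $hotfixes[0].HotFixID, $hotfixes[0].InstalledOn } else { 'none recorded' }
        RebootPending  = $reboot.RebootPending
        RecentFailures = @(Get-RecentUpdateFailures).Count
        Status         = $status
    }
}

# Placeholder date: use the release date of the cumulative update you are checking for.
Test-OsPatchCurrency -VendorReleaseDate (Get-Date).AddDays(-10) -InternetFacing | Format-List
```

A host that reports the update as installed but `RebootPending = True` has not actually closed the vulnerability yet; treat it as unpatched in the evidence, which is the gap the WSUS caveat above is warning about.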

Multi-Factor Authentication

Multi-factor authentication (MFA) makes it much harder for attackers to misuse stolen or guessed login details; a password on its own offers little resistance to password spraying, brute force, or phishing. At Maturity Level One, the focus is on protecting online services with MFA. Acceptable methods combine something the user has (such as a security key or one-time password generator) with something the user knows (such as a password), or use something the user has that is unlocked by something the user knows or is.

Biometrics, such as fingerprints or face scans, are not accepted as a factor on their own, because they are not secret and can be inaccurate; they may, however, be used to unlock another authenticator. Methods such as SMS codes and push notifications are weaker, since users can be tricked into relaying a code or approving a prompt they did not initiate, and should be used with caution.

  • Multi-factor authentication (MFA) is used to verify users when they access their organisation’s online services that handle sensitive information.
    • Test by logging into all of the organisation’s services and check if users must use more than one factor (like a password and a one-time code), either at the same time or one after the other.
    • If you are checking a department you don’t know well, look for any online portals that might be missing MFA.
  • MFA is also used to verify users accessing third-party online services that store, process, or share the organisation’s sensitive information.
    • Try logging into these third-party services and check if MFA is in place.
    • If MFA is missing, find out whether it’s not available or simply not set up.
  • When possible, MFA should also be used for third-party online services that handle non-sensitive information.
    • Test by logging into these services.
    • If MFA is not an option, confirm with the service provider whether MFA is supported or not.
  • Multi-factor authentication (MFA) is used to verify users when they access their organisation’s online customer services that handle sensitive customer information.
    • Try logging into the organisation’s customer services and check if MFA is required.
    • If MFA is not used, confirm whether it is unavailable or just not set up.
  • MFA is also used for users accessing third-party customer services that manage sensitive customer information.
    • Test by logging into these third-party services and check for MFA.
    • If MFA is missing, check with the vendor to see if it is supported.
  • MFA is also used to verify customers when they access customer-facing online services that handle sensitive customer data.
    • Test the login process to see if MFA is available.
    • Find out if MFA is set up automatically when a customer creates an account or if customers must set it up themselves afterward. It is riskier if MFA is not required right away.
  • MFA must use either two different types of proof (like something the user has and something they know), or one thing the user has that gets unlocked by something they know or are.
    • Check and review how MFA is used across different systems and services.
    • Make sure you distinguish multi-step authentication from multi-factor authentication; only true multi-factor authentication meets Level One requirements.
    • Compare how strong different MFA methods are, like security keys, one-time password devices, mobile apps, and SMS codes.
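Logging in to each service by hand, as the bullets above describe, proves MFA is prompted for one user; sign-in logs show whether it was actually required for everyone. As an added example (not from the ACSC or from this guide), the PowerShell below reviews an exported sign-in log for successful sign-ins to sensitive services that did not require a second factor. The sample records are constructed for the example; the field names follow the Microsoft Entra ID / Microsoft Graph sign-in log schema (`authenticationRequirement`, `appDisplayName`, `status.errorCode`), which you should confirm against your own export, and the list of sensitive applications is an assumption.

```powershell
# Added example (not ACSC or page code): find successful sign-ins to sensitive services
# that were completed with a single factor, and summarise MFA coverage per application.
# Field names follow the Entra ID sign-in log schema; check them against your export.

# Constructed sample export. A real review would use: Get-Content .\signins.json -Raw
$sampleJson = @'
[
 {"createdDateTime":"2025-03-01T09:12:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Payroll Portal","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}},
 {"createdDateTime":"2025-03-01T09:15:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Payroll Portal","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}},
 {"createdDateTime":"2025-03-01T09:20:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Payroll Portal","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}},
 {"createdDateTime":"2025-03-01T10:02:00Z","userPrincipalName":"dave@example.com","appDisplayName":"Office 365 Exchange Online","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}},
 {"createdDateTime":"2025-03-01T10:30:00Z","userPrincipalName":"erin@example.com","appDisplayName":"Lunch Menu","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
]
'@

function Find-SingleFactorSignIn {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [Parameter(Mandatory)] [string[]] $SensitiveApps   # services that handle sensitive data (assumed list)
    )
    $SignIns |
        Where-Object { $_.status.errorCode -eq 0 } |                          # failed attempts (e.g. 50126, bad password) are not exposures
        Where-Object { $SensitiveApps -contains $_.appDisplayName } |
        Where-Object { $_.authenticationRequirement -ne 'multiFactorAuthentication' } |
        Select-Object createdDateTime, userPrincipalName, appDisplayName, authenticationRequirement
}

function Get-MfaCoverage {
    param([Parameter(Mandatory)] [object[]] $SignIns)
    $SignIns | Where-Object { $_.status.errorCode -eq 0 } |
        Group-Object appDisplayName | ForEach-Object {
            $mfa = @($_.Group | Where-Object authenticationRequirement -eq 'multiFactorAuthentication').Count
            [pscustomobject]@{ App = $_.Name; SignIns = $_.Count; MfaPercent = [math]::Round(100 * $mfa / $_.Count) }
        }
}

$signIns   = $sampleJson | ConvertFrom-Json
$sensitive = @('Payroll Portal', 'Office 365 Exchange Online')
Find-SingleFactorSignIn -SignIns $signIns -SensitiveApps $sensitive | Format-Table -AutoSize
Get-MfaCoverage -SignIns $signIns | Format-Table -AutoSize
```

On the constructed data the first table lists only bob’s sign-in to the Payroll Portal, and the coverage table shows the portal at 50% MFA. Any sensitive application below 100% is a finding, regardless of what the login test showed for the assessor’s own account.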

Restriction Of Administrative Privileges

Organisations should have clear, documented processes for managing privileged access as part of their daily operations. Requests for access to systems, applications, or data should be formally submitted through a form, service desk ticket, or email, and must be approved by a supervisor or the appropriate owner.

It is important to maintain records of all access requests and keep an up-to-date list of applications requiring privileged access. Given the high risks associated with privileged accounts, which are common targets for attackers, access to the internet, email, and web services should be restricted and only permitted under specific, necessary conditions.

  • Privileged users are given a separate, dedicated account that is only used for tasks requiring privileged access.
    • Check if users have two different accounts: one for regular tasks and one for privileged tasks. Having two accounts is correct; using only one account for everything is not.
  • Requests for privileged access to systems, applications, and data must be properly validated when first made.
    • Ask to see submitted forms, tickets, or emails where privileged access was requested and approved by a supervisor or system owner. Compare these requests to actual privileged account access records to check if the process is working correctly.
  • Privileged accounts (unless officially authorised) must not be able to access the internet, email, or web services.
    • Log in as a privileged user and test if internet access is blocked. Check the network’s proxy settings to confirm privileged accounts are restricted.
    • Use PowerShell to check whether privileged accounts have mailboxes or email attributes set.
    • Use BloodHound to find any privileged accounts that might have been missed.
    • If some privileged accounts (such as cloud service management accounts) are allowed internet access, confirm that it was approved through a formal request.
  • Privileged accounts that are authorised to access online services must only have the minimum access they need.
    • Review how access is limited for privileged accounts that manage online services (such as cloud platforms), making sure they are restricted from using other internet services.
  • Privileged users must use different working environments for privileged and unprivileged tasks.
    • Ask how the organisation has set up separate environments for privileged and regular work. At this stage of Essential Eight maturity, it does not matter how this separation is done, just that it exists.
  • Unprivileged accounts must not be able to log into privileged environments.
    • Try to log into a privileged environment using a regular account.
    • Use BloodHound to check if any regular accounts have access to privileged environments, such as by finding cached credentials.
  • Privileged accounts (excluding local administrator accounts) must not log into unprivileged environments.
    • Test by trying to log into a regular environment using a privileged account, using a test account that should be deleted afterward.
    • Use BloodHound to help detect if any privileged accounts have accessed unprivileged environments by looking for cached credentials.
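As an added example (not a script from the ACSC or from this guide) for the checks above, the PowerShell below enumerates the members of privileged Active Directory groups with the built-in `[adsisearcher]` and `[ADSI]` types (no RSAT module required) and flags accounts that have a mail attribute or that do not follow a dedicated-admin naming convention. The `-adm` suffix and the group list are assumptions to adjust to your environment; the script reads only, and runs from any domain-joined host as a normal domain user.

```powershell
# Added example (not ACSC or page code): list members of privileged AD groups and flag
# accounts that have email attributes or look like shared daily-use accounts.

function Get-PrivilegedAccountReview {
    param(
        [string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                               'Administrators', 'Account Operators', 'Backup Operators'),
        [string]   $AdminSuffix = '-adm'   # assumed naming convention for dedicated privileged accounts
    )
    $root = [ADSI]''   # default naming context of the current domain
    foreach ($group in $Groups) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectCategory=group)(cn=$group))")
        $result = $searcher.FindOne()
        if (-not $result) { continue }
        # Direct members only; nested groups would need a recursive walk (or BloodHound, as above).
        foreach ($memberDn in $result.Properties['member']) {
            $m = [ADSI]"LDAP://$memberDn"
            if ($m.SchemaClassName -ne 'user') { continue }
            $sam  = [string]$m.Properties['sAMAccountName'].Value
            $mail = $m.Properties['mail'].Value
            $uac  = [int]$m.Properties['userAccountControl'].Value
            $dedicated = $sam.EndsWith($AdminSuffix, 'OrdinalIgnoreCase')
            [pscustomobject]@{
                Group          = $group
                Account        = $sam
                Enabled        = -not ($uac -band 2)                       # 0x2 = ACCOUNTDISABLE
                HasMail        = [bool]$mail -or ($m.Properties['proxyAddresses'].Count -gt 0)
                DedicatedAdmin = $dedicated
                Finding        = if ($mail) { 'privileged account has email access' }
                                 elseif (-not $dedicated) { 'naming suggests a shared daily-use account' }
                                 else { '' }
            }
        }
    }
}

Get-PrivilegedAccountReview | Sort-Object Group, Account | Format-Table -AutoSize
```

Compare the output with the approved access requests: every row should map to a ticket, every enabled account should be a dedicated one, and any row with a mail attribute needs either a documented authorisation or remediation. Groups with more than 1500 members will need ranged retrieval of the `member` attribute, which this example does not implement.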

Application Control

At this level, it is important to use an application control tool such as Microsoft AppLocker, Windows Defender Application Control, or a third-party product such as Airlock Digital, Ivanti, Trend Micro, or VMware Carbon Black.

While you can try to assess application control without special tools, manual testing is not very reliable and can easily miss security problems that attackers could exploit.

Also, some application control tools might not protect certain file types, like .chm, .hta, and .cpl files, so this should be checked carefully.

It’s important to review the folders and paths used by regular user accounts and by temporary files from the operating system, web browsers, and email programs. Common paths include:

  • %userprofile%\*
  • %temp%\*
  • %tmp%\*
  • %windir%\Temp\*

To check how well application control works in these areas, try running safe test files with different formats. These should include .exe, .com, .dll, .ocx, .ps1, .bat, .vbs, .js, .msi, .mst, .msp, .chm, .hta, and .cpl files.

If any of these files can run from user profile folders or temporary folders, the application control is not working properly.

  • Application control must be set up on all workstations.
    • Check that workstations have an application control solution installed.
  • Application control must also cover user profiles and temporary folders used by the operating system, web browsers, and email programs.
    • Make sure application control protects user profile folders and temporary folders at a minimum.
    • This mainly applies to path-based rules. Publisher-based and hash-based rules automatically apply across the whole system.
  • Application control must limit what can run, like programs, software libraries, scripts, installers, compiled HTML files, HTML applications, and control panel tools, to only those approved by the organisation.
    • Test how well application control works by trying to write and run files in places users can access.
    • Free tools like Airlock Digital’s Application Whitelist Auditor or CyberArk’s Evasor can help check this.
    • If you can only use Microsoft tools, use SysInternals AccessChk. Run ‘accesschk -dsuvw [path] > report.txt’ to check folder permissions, and ‘whoami /groups’ to see your user groups.
    • Use PowerShell cmdlets to test and review AppLocker policies.
    • If tools are restricted, you might need to take screenshots showing ‘effective access’ permissions for important folders. Keep in mind this method has limits and might not find all issues, because application installers can sometimes change folder permissions in ways that disable protection.
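The test the paragraphs above describe (drop files of each type into user-writable paths and see whether they run) can be scripted. The PowerShell below is an added example, not a tool from the ACSC, this guide or any vendor named here. Each benign test file, if it is allowed to execute, creates a marker file beside itself, so the verdict comes from the marker rather than from interpreter error text; run it from a standard-user session. It covers .exe, .bat, .ps1, .vbs, .js and .hta; .dll, .msi, .chm and .cpl are omitted because a self-contained benign sample needs a compiled file.

```powershell
# Added example (not ACSC or page code): probe application control by writing benign test
# files to each user-writable location and trying to execute them. A file that runs writes
# a marker file next to itself; "allowed" is judged by the marker alone.

$locations = @($env:USERPROFILE, $env:TEMP, $env:TMP, "$env:windir\Temp") | Select-Object -Unique

# Per extension: how to create the test file (given file and marker paths) and how to launch it.
$probes = @{
    exe = @{
        Create = { param($f, $m) Copy-Item "$env:windir\System32\cmd.exe" -Destination $f -Force }   # signed Microsoft binary in a user path
        Launch = { param($f, $m) @{ FilePath = $f; ArgumentList = "/c echo ran> `"$m`"" } }
    }
    bat = @{
        Create = { param($f, $m) Set-Content $f "@echo ran> `"$m`"" }
        Launch = { param($f, $m) @{ FilePath = 'cmd.exe'; ArgumentList = "/c `"$f`"" } }
    }
    ps1 = @{
        Create = { param($f, $m) Set-Content $f "Set-Content -Path '$m' -Value ran" }
        Launch = { param($f, $m) @{ FilePath = 'powershell.exe'; ArgumentList = "-NoProfile -ExecutionPolicy Bypass -File `"$f`"" } }
    }
    vbs = @{
        Create = { param($f, $m) Set-Content $f @('Set fso = CreateObject("Scripting.FileSystemObject")', "fso.CreateTextFile(`"$m`").Close") }
        Launch = { param($f, $m) @{ FilePath = 'cscript.exe'; ArgumentList = "//Nologo `"$f`"" } }
    }
    js  = @{
        Create = { param($f, $m) Set-Content $f "new ActiveXObject('Scripting.FileSystemObject').CreateTextFile('$($m.Replace('\', '\\'))').Close();" }
        Launch = { param($f, $m) @{ FilePath = 'cscript.exe'; ArgumentList = "//Nologo `"$f`"" } }
    }
    hta = @{
        Create = { param($f, $m) Set-Content $f "<script>new ActiveXObject('Scripting.FileSystemObject').CreateTextFile('$($m.Replace('\', '\\'))').Close();window.close();</script>" }
        Launch = { param($f, $m) @{ FilePath = 'mshta.exe'; ArgumentList = "`"$f`"" } }
    }
}

$results = foreach ($dir in $locations) {
    $base = Join-Path $dir 'e8-appcontrol-probe'
    New-Item -ItemType Directory -Path $base -Force | Out-Null
    foreach ($ext in $probes.Keys) {
        $file    = Join-Path $base "probe.$ext"
        $marker  = "$file.ran"
        $created = $false
        $errMsg  = ''
        try {
            & $probes[$ext].Create $file $marker
            $created = $true
            $launch  = & $probes[$ext].Launch $file $marker
            $p = Start-Process @launch -PassThru -WindowStyle Hidden -ErrorAction Stop   # throws if the binary itself is blocked
            if (-not $p.WaitForExit(15000)) { $p.Kill() }   # do not hang the assessment on a stuck interpreter
        } catch { $errMsg = $_.Exception.Message }
        $ran = Test-Path $marker
        [pscustomobject]@{
            Location = $dir
            Type     = ".$ext"
            Executed = $ran
            Verdict  = if ($ran) { 'FAIL: executed from user-writable path' }
                       elseif (-not $created) { "not tested: $errMsg" }
                       else { 'blocked' }
        }
    }
    Remove-Item $base -Recurse -Force -ErrorAction SilentlyContinue
}
$results | Sort-Object Location, Type | Format-Table -AutoSize
```

Two results deserve attention: a copied `cmd.exe` that runs from the profile shows a publisher rule that trusts anything Microsoft-signed regardless of location, and an `.hta` that runs while `.exe` and scripts are blocked shows the file-type gap mentioned above (neither AppLocker nor most path-based products treat HTML applications as executables). Keep the output, with the date and the account used, as the excellent-quality evidence for this control.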

Restriction Of Microsoft Office Macros

Users should only be allowed to run Microsoft Office macros if they have a demonstrated business need. Macro use should be limited to the specific applications that require it, and both the need and the approval must be recorded. Approved users should be placed in a dedicated Active Directory group that the macro policy targets, so that access is managed through group membership. If a user no longer needs macros for their work, they must be removed from that group.

  • Microsoft Office macros must be disabled for users who do not have a proven business need.
    • You can work with an ACSC partner to assess this using ASD’s E8MVT tool.
    • To check it yourself, run a ‘gpresult’ command to create an RSoP (Resultant Set of Policy) report. Look for ‘VBA Macro Notification Settings’ under:
      User Configuration\Policies\Administrative Templates\<Microsoft Office Application>\Application Settings\Security\Trust Center\
    • The setting should be enabled.
    • Most users should have ‘VBA Macro Notification Settings’ set to ‘Disable all macros without notification’. Without this setting, users are prompted to enable macros through the Message Bar, which increases risk.
    • For users who are approved to use macros, group policy can be left unconfigured, disabled, or enabled with another setting. However, antivirus scanning must be active, and macros from internet-sourced files must be blocked.
    • It is a good idea to calculate what percentage of users are allowed to use macros, to make sure permissions are not given too freely.
  • Microsoft Office macros from internet-sourced files must be blocked.
    • You can use ASD’s E8MVT tool with a partner to help check this.
    • In the RSoP report, confirm that ‘Block macros from running in Office files from the Internet’ is enabled under:
      User Configuration\Policies\Administrative Templates\<Microsoft Office Application>\Application Settings\Security\Trust Center\
    • Also, users should not be able to remove the “Mark of the Web” from files. To help prevent this, enable the setting ‘Hide mechanisms to remove zone information’ under:
      User Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager\
    • Note: Even with this in place, users can still remove the Mark of the Web by copying files to and from external storage drives (like USBs formatted with FAT32 or exFAT). If external drives are allowed, it can be difficult to fully block this, especially at higher maturity levels where attackers are more advanced.
  • Microsoft Office macro antivirus scanning must be enabled.
    • An ACSC partner can help check this with ASD’s E8MVT tool.
    • In the RSoP report, check the ‘Macro Runtime Scan Scope’ setting under:
      User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings\Macro Runtime Scan Scope
    • It should be set to either:
      • Macros in files with the Mark of the Web (default), or
      • Macros in all files (preferred).
    • You can also test by using a harmless Microsoft Office macro that contains an EICAR antivirus test string.
  • Users should not be able to change Microsoft Office macro security settings.
    • Again, the ASD’s E8MVT tool can assist if you work with an ACSC partner.
    • In the RSoP report, check that ‘VBA Macro Notification Settings’ are locked by group policy under:
      User Configuration\Policies\Administrative Templates\<Microsoft Office Application>\Application Settings\Security\Trust Center\
    • Also, try logging in as a user and attempt to change macro settings in the Office Trust Center. The options should be greyed out so users cannot change them.
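The RSoP checks above can be read directly from the registry values the Office policy templates write, which is the same data the report reflects. The PowerShell below is an added example (not from the ACSC or this guide) that does so for the current user and reports each Level One macro requirement as pass or fail. The value names and `16.0` version key are those of the Office 2016 and Microsoft 365 Apps ADMX templates; Outlook is left out because it uses a different macro security value (`Security\Level`) rather than `VBAWarnings`.

```powershell
# Added example (not ACSC or page code): read the effective Office macro policy for the
# current user from the registry and map it to the ML1 requirements.
# Office 2016 / Microsoft 365 Apps use the 16.0 version key.

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio', 'Project'   # Outlook uses Security\Level instead

function Get-PolicyValue {
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-OfficeMacroPolicy {
    $policyRoot = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion"
    foreach ($app in $apps) {
        $sec = "$policyRoot\$app\Security"
        $vba      = Get-PolicyValue $sec 'VBAWarnings'                          # 4 = disable all macros without notification
        $internet = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'    # 1 = block macros in files with Mark of the Web
        [pscustomobject]@{
            Application     = $app
            VBAWarnings     = $vba
            MacrosDisabled  = ($vba -eq 4)          # expected for users without a business need
            LockedByPolicy  = ($null -ne $vba)      # a policy value greys the Trust Center option out
            InternetBlocked = ($internet -eq 1)
        }
    }
}

function Test-MacroSupportingPolicy {
    $common    = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Common\Security"
    $scanScope = Get-PolicyValue $common 'MacroRuntimeScanScope'   # 1 = files with Mark of the Web (default), 2 = all files
    $hideZone  = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments' 'HideZoneInfoOnProperties'
    [pscustomobject]@{
        MacroRuntimeScanScope = $scanScope
        AvScanningEnabled     = ($scanScope -in 1, 2)
        AllFilesScanned       = ($scanScope -eq 2)    # the preferred setting
        MotwRemovalHidden     = ($hideZone -eq 1)     # 'Hide mechanisms to remove zone information'
    }
}

Test-OfficeMacroPolicy | Format-Table -AutoSize
Test-MacroSupportingPolicy | Format-List
```

Run it once as an ordinary user (expect `MacrosDisabled` and `LockedByPolicy` true everywhere) and once as a member of the approved-macro group (expect `LockedByPolicy` still true, `InternetBlocked` true and `AvScanningEnabled` true). A row where `VBAWarnings` is empty means no policy applies and the user can change the setting themselves, which fails the last requirement above.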

User Application Hardening

Internet Explorer 11 is missing important modern security features and has not been supported by Microsoft since June 15, 2022. Because of this, it is often targeted by cyber-attacks. It should be replaced with Microsoft Edge or another updated web browser.

To help protect against ‘malvertising’ (malicious ads used by attackers), it is recommended to block ads using browser add-ons, extensions, or content filters. For stronger protection, web browser settings should be controlled using group policy settings, not default settings that users can change if tricked.

When browser settings are set by group policy, users usually cannot change them. These settings often appear greyed out, show a padlock icon, or display a message when hovered over.

  • Internet Explorer 11 must be disabled or removed.
    • In the RSoP report, check that ‘Disable Internet Explorer 11 as a standalone browser’ is enabled.
    • You can also check through Windows Features (Settings > Apps & Features > Programs and Features > Turn Windows features on or off). Look for Internet Explorer 11 and see if it is still installed. (If it was already removed, it may not appear in the list.)
    • Be aware that regular users might still try to open Internet Explorer 11. Make sure ‘iexplore.exe’ is blocked through application control rules.
  • Web browsers must not run Java content from the internet.
    • Make a list of all installed web browsers and test each one by visiting a Java detection page, such as the ‘Do I have Java?’ page on java.com.
    • Check browser plugins and extensions to ensure Java components are disabled.
    • If Java is needed for internal (intranet) use, set up extra protections, like web filters, to block Java content from the internet.
  • Web browsers must not display web advertisements from the internet.
    • Check if ad-blocking extensions or add-ons are installed in all web browsers.
    • Confirm ad-blocking is also happening through web content filters or proxies.
    • Test this by visiting a well-known ad-heavy website from an organisation computer and taking screenshots of what you see.
    • Remember: pop-up blockers alone are not enough to meet this requirement.
  • Users must not be able to change web browser security settings.
    • Review each installed web browser’s security settings to make sure users cannot change them.
    • Look for signs like greyed-out options or messages such as “This setting is managed by your organisation/administrator.”
    • Also check if users can change Java Control Panel settings. If they cannot, then this control is compliant.
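The four checks above can be evidenced from the workstation itself rather than only from screenshots. The script below is an added example written for this guide; it is not code from the original page or from Shift Computer Solutions. It reads the registry locations that Windows, Edge, Chrome and Firefox take their policies from, queries the optional IE11 feature, asks AppLocker whether a standard user could start iexplore.exe (assuming AppLocker, not WDAC, is the application control tool), and counts locked Java Control Panel settings in Oracle's default deployment.properties location. The `Add-Finding` helper and the report layout are this example's own; run it in an elevated PowerShell on a machine that has applied the organisation's group policy.

```powershell
# Added example (not from the original page or Shift Computer Solutions): read-only
# evidence collection for the User Application Hardening checks. Run elevated on a
# workstation that has applied group policy. Registry paths are the documented policy
# locations; the AppLocker step assumes AppLocker is the application control tool and
# the Java path follows Oracle's Windows default.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Control, [bool]$Compliant, [string]$Evidence) {
    $findings.Add([pscustomobject]@{ Control = $Control; Compliant = $Compliant; Evidence = $Evidence })
}

# --- 1. Internet Explorer 11 disabled or removed ---------------------------------------
# The GPO 'Disable Internet Explorer 11 as a standalone browser' writes DisableIE=1 here;
# RSoP shows the policy, this reads its effect on the machine.
$ieMain    = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
$disableIE = (Get-ItemProperty -Path $ieMain -Name DisableIE -ErrorAction SilentlyContinue).DisableIE
Add-Finding 'IE11 disabled as standalone browser (policy)' ($disableIE -eq 1) "DisableIE=$disableIE"

# The optional feature is absent on builds where IE11 was already removed.
$ieFeature = Get-WindowsOptionalFeature -Online | Where-Object FeatureName -like 'Internet-Explorer-Optional-*'
$ieState   = if ($ieFeature) { "$($ieFeature.State)" } else { 'NotPresent' }
Add-Finding 'IE11 Windows feature disabled/removed' ($ieState -ne 'Enabled') "State=$ieState"

# Would application control let a standard user start iexplore.exe? (AppLocker assumed.)
$iexplore = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
if (Test-Path $iexplore) {
    try {
        $verdict = Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $iexplore -User Everyone
        Add-Finding 'iexplore.exe blocked by application control' ($verdict.PolicyDecision -ne 'Allowed') "PolicyDecision=$($verdict.PolicyDecision)"
    } catch {
        Add-Finding 'iexplore.exe blocked by application control' $false "AppLocker query failed: $_"
    }
} else {
    Add-Finding 'iexplore.exe blocked by application control' $true 'iexplore.exe not present on disk'
}

# --- 2. Java: Control Panel settings must not be user-changeable --------------------------
# Oracle treats a setting as locked when the system deployment.properties contains a
# '<key>.locked' line. No JRE at all also satisfies the intent of the control.
$jre        = Test-Path 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
$depProps   = Join-Path $env:WINDIR 'Sun\Java\Deployment\deployment.properties'   # Oracle default (assumed)
$lockedKeys = if (Test-Path $depProps) { @(Select-String -Path $depProps -Pattern '^\s*[\w.]+\.locked(\s*=.*)?\s*$').Count } else { 0 }
Add-Finding 'Java Control Panel settings locked (or no JRE)' ((-not $jre) -or ($lockedKeys -gt 0)) "JRE installed=$jre; locked keys=$lockedKeys"

# --- 3 & 4. Browser settings enforced by policy; ad blocker pushed by policy --------------
# Values under HKLM\SOFTWARE\Policies are what makes a browser setting appear greyed out
# with "managed by your organisation". ExtensionInstallForcelist (Edge and Chrome) is how
# an extension is installed so users cannot remove it; the assessor still confirms that the
# listed extension IDs are the ad blocker and then does the ad-heavy-website screenshot test.
$browsers = [ordered]@{
    'Microsoft Edge'  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    'Google Chrome'   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'Mozilla Firefox' = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
}
foreach ($b in $browsers.GetEnumerator()) {
    $managedValues = if (Test-Path $b.Value) { @((Get-Item $b.Value).Property).Count } else { 0 }
    Add-Finding "$($b.Key) settings enforced by policy" ($managedValues -gt 0) "$managedValues policy values under $($b.Value)"

    if ($b.Key -ne 'Mozilla Firefox') {      # Firefox uses a different policy layout for extensions
        $forceKey = "$($b.Value)\ExtensionInstallForcelist"
        $forced = @()
        if (Test-Path $forceKey) {
            $forced = @((Get-Item $forceKey).Property | ForEach-Object { (Get-ItemProperty -Path $forceKey -Name $_).$_ })
        }
        Add-Finding "$($b.Key) extension force-installed (verify it is the ad blocker)" ($forced.Count -gt 0) ('Forced: ' + ($forced -join ', '))
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Each row of the table is a piece of evidence to keep with the assessment; a `Compliant = False` row points at the manual step on the list above that still needs to be done or remediated, and the extension row is deliberately only half the answer, since the script cannot tell an ad blocker from any other forced extension.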

Regular Backups

Data, applications, and settings should be backed up regularly, based on how important they are to the organisation and its recovery plans. Backups should be tested at least once a year to make sure they work, instead of waiting until after a major security incident.

At this maturity level, it’s important to make sure regular users cannot access backups that belong to other users, but they should still be able to access their own backups. Privileged accounts, however, may still be allowed to access all users’ backups.

Regular users should be able to view (read) their backups, but they should not be able to change or delete them. This helps protect backups from being changed or deleted by ransomware that uses regular user permissions. Protecting backups from attacks by privileged users is handled at higher maturity levels.

  • Backups of data, applications, and settings must be done and kept based on how important they are to the business and its continuity plans.
    • Talk with the IT team about how often backups are done, especially for important data and applications.
    • Review the business continuity plan to check if backup times and how long backups are kept are properly documented.
    • You will need to make a judgement on whether the organisation is meeting the intent of this control.
  • Backups must be set up so that data, applications, and settings can all be restored to the same point in time.
    • Make sure the backup processes are coordinated to allow everything to be restored together. If not, it could cause problems or lead to data loss during recovery.
  • Backups must be stored securely and made resilient.
    • Check if the backup process keeps backups safe and protected.
    • Confirm that backups are encrypted and can be quickly restored if there is an IT system failure.
  • Restoring data, applications, and settings from backups must be tested as part of disaster recovery drills.
    • Review the results of disaster recovery tests, how often they happen, when the last one was done, and whether the test involved full or partial system recovery.
    • Confirm that reports were created after each exercise, showing what worked well and what could be improved.
    • Keep in mind: simple file recovery doesn’t count. Real system restoration must be tested.
  • Unprivileged accounts must not be able to access backups belonging to other users.
    • Check the backup system and Active Directory security groups to see who can access backups.
    • Make sure unprivileged users can only access their own backups. If backups are stored on a network share, use an unprivileged account to try accessing someone else’s backups.
  • Unprivileged accounts must not be able to modify or delete backups.
    • Test if unprivileged users can change or delete their own backups.
    • If backups are stored on a network share, use an unprivileged account to try editing, deleting, or taking ownership of backup files.
    • The organisation meets this control if the user cannot make any changes.
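The last two controls above come down to who holds which rights on the backup store. The script below is an added example for this guide, not code from the original page or from Shift Computer Solutions. The first function reviews the NTFS ACLs on a backup share and flags entries that give a non-privileged principal either read access to another user's folder or any right that would let them modify, delete or take ownership of backups; the second is the hands-on probe from the checklist, written so that it runs as an ordinary user and never alters a backup file. The share path `\\fileserver\Backups`, the one-folder-per-username layout and the privileged group names are assumptions to adjust for the environment being assessed.

```powershell
# Added example (not from the original page or Shift Computer Solutions).
# (a) Get-BackupAclFindings: ACL review of a backup share for the two "unprivileged
#     accounts" controls.
# (b) Test-BackupAccessAsUser: non-destructive access probe, run while logged on as an
#     unprivileged user.
# Share path, <root>\<username> layout and privileged group names are assumptions.

$BackupRoot = '\\fileserver\Backups'                                          # assumed
$Privileged = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                'CONTOSO\Backup Operators')                                   # assumed

# Any of these bits in an Allow entry lets the holder alter or remove backups.
# Modify and FullControl include several of them, so they are caught as well.
$R = [System.Security.AccessControl.FileSystemRights]
$TamperMask = $R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
              $R::TakeOwnership -bor $R::ChangePermissions

function Get-BackupAclFindings {
    param([string]$Root = $BackupRoot)
    $results = @()
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        $owner = $dir.Name                                 # folder name == username (assumed)
        # Inherited entries from the share root show up here too, so a broad read
        # right granted at the root is reported against every user folder.
        foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($Privileged -contains $who) { continue }
            $isOwner   = $who -like "*\$owner"
            $canTamper = ($ace.FileSystemRights -band $TamperMask) -ne 0
            if ($canTamper) {
                $results += [pscustomobject]@{ Folder = $dir.Name; Principal = $who
                    Issue = 'Can modify/delete/take ownership'; Rights = $ace.FileSystemRights }
            } elseif (-not $isOwner) {
                $results += [pscustomobject]@{ Folder = $dir.Name; Principal = $who
                    Issue = 'Non-owner read access'; Rights = $ace.FileSystemRights }
            }
        }
    }
    $results
}

# Run as an ordinary user. Listing another user's folder shows whether control 1 holds.
# Opening one of the user's own backup files with FileAccess.Write succeeds only if the
# account has write rights; the handle is closed without writing anything, so the probe
# cannot damage a backup.
function Test-BackupAccessAsUser {
    param([string]$OwnFolder, [string]$OtherFolder)
    $r = [ordered]@{ CanListOthers = $false; CanReadOwn = $false; CanWriteOwnFiles = $false }
    try { $null = Get-ChildItem -Path $OtherFolder -ErrorAction Stop; $r.CanListOthers = $true } catch {}
    try { $null = Get-ChildItem -Path $OwnFolder   -ErrorAction Stop; $r.CanReadOwn    = $true } catch {}
    $file = Get-ChildItem -Path $OwnFolder -File -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($file) {
        try {
            $fs = [IO.File]::Open($file.FullName, [IO.FileMode]::Open, [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
            $fs.Close()
            $r.CanWriteOwnFiles = $true
        } catch {}
    }
    [pscustomobject]$r
}

# Usage (as an assessor with rights to read the ACLs):
Get-BackupAclFindings | Format-Table -AutoSize
# Usage (logged on as unprivileged user 'alice', probing 'bob'; both names are constructed):
# Test-BackupAccessAsUser -OwnFolder "$BackupRoot\alice" -OtherFolder "$BackupRoot\bob"
```

The control is met when `Get-BackupAclFindings` returns nothing and the probe reports `CanReadOwn = True` with `CanListOthers` and `CanWriteOwnFiles` both `False`. The ACL review is the more complete of the two because it covers every folder in one pass, while the probe is the evidence a reviewer can reproduce from a single user session.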

Strategies To Mitigate Cyber Security Incidents by ACSC

  • Control What Runs: Set up application whitelisting so that only approved programs can run on your devices.
  • Stay Up to Date: Keep your applications and operating systems updated with the latest security patches.
  • Secure Your Documents: Set Microsoft Office macro settings to be as safe as possible.
  • Minimise Admin Access: Only give administrative privileges to people who truly need them.
  • Protect Sensitive Information: Use multi-factor authentication to secure important systems and data.

Honesty Is The Key, You Can Get It In Two Ways

When reviewing your own organisation, it’s easy to let familiarity or the fear of upsetting people affect your judgment. You might know that a certain control is in place and skip the formal test to check if it still works. Or you might know there’s a patching policy and staff assigned to it, so you rate it positively without collecting strong evidence to prove it.

That’s why you need to practise being honest, and looking at the organisation like an outsider would. It can be challenging, and it’s helpful to pause during your review to check if you have accidentally overlooked anything.

Honesty is part of the Shift Computer Solutions approach, to make sure your organisation’s maturity level is accurate and trusted.

Contact us for a free and confidential conversation.


FAQ

What Is The ASD Essential Eight?

The Australian Cyber Security Centre’s (ACSC) Essential Eight is a risk management framework made up of eight important strategies (or security controls) that organisations can use to protect themselves against different types of cyber attackers.

What Are The ASD Essential Eight Security Controls?

The Essential Eight is considered the most effective basic level of cyber resilience for Australian organisations. The eight controls are:

  • Application Whitelisting
  • Configuring Macros
  • Multi-Factor Authentication
  • Restricting Administrative Privileges
  • Patching Applications
  • Application Hardening
  • Patching Operating Systems
  • Performing Daily Backups

What Is The Essential Eight Maturity Model?

The Essential Eight strategies are grouped by maturity levels, based on how advanced the threats they defend against are. This allows organisations to choose the maturity level that matches their risk profile and work toward stronger security over time.

Maturity Level 0: There are major weaknesses that leave the organisation open to attacks.

Maturity Level 1: Protection against attackers using basic, widely available tools.

Maturity Level 2: Protection against attackers who spend more time planning, researching, and using more effective tools.

Maturity Level 3: Protection against highly skilled attackers who carefully choose their targets and put serious effort into bypassing security controls.

Is The Essential Eight Mandatory?

While not legally required for all businesses, the Essential Eight is highly important in Australia. The Australian Signals Directorate (ASD) strongly recommends that all organisations, especially those handling sensitive or government information, follow it. Not following the Essential Eight can lead to reputational damage, financial loss, and possible legal trouble.

What Is The Difference Between Essential Eight And SOC 2?

Both deal with cybersecurity but focus on different things:

  • Essential Eight: A list of eight basic strategies designed to protect against common cyber threats. It acts like a must-have security checklist.
  • SOC 2 (Service Organization Control Type 2): A detailed independent audit that checks how a company manages important areas like security, availability, processing integrity, confidentiality, and privacy. SOC 2 is more customised to each organisation.

What Is The Difference Between ISM And Essential Eight?

  • ISM (Information Security Manual): A larger framework that covers all parts of information and data security for an organisation.
  • Essential Eight: A smaller part within the ISM that focuses specifically on eight technical strategies to defend against cyber threats and improve security.

What Is The Essential Eight Legislation?

There is no specific law called “Essential Eight legislation.” The Essential Eight are a set of recommended strategies from the Australian Cyber Security Centre (ACSC) to help organisations prevent cyber security incidents. They are not legally required, but following them can greatly strengthen an organisation’s cybersecurity.

What Is The Purpose Of An Essential Eight Assessment?

An Essential Eight assessment helps you:

  • Understand your cybersecurity posture.
  • Identify areas for improvement.
  • Show your commitment to security.
  • Reduce cyber risks.

What Is A Cybersecurity Framework?

A cybersecurity framework is a set of rules and best practices that help businesses manage and reduce cybersecurity risks. It gives organisations a clear way to find, assess, and respond to cyber threats, making sure their information systems and sensitive data stay protected.
The Essential Eight is one example of a cybersecurity framework, designed specifically for Australian organisations.

How Long Does An Essential Eight Assessment Take?

The time needed depends on your organisation’s size, the maturity level being assessed, and the quality of evidence available. However, most assessments are completed in less than a week.

Will The Audit Be Done Remotely Or Onsite?

We’re flexible. Most audits are done remotely, but if you are located in Brisbane or Ipswich, we can visit your office if you prefer an onsite audit.

Do You Audit Against A Specific Maturity Level Or Tell Us Which Maturity Level We’re At?

It depends on your goal. If you need to show assurance to third parties, we will audit you against your target maturity level. Otherwise, we can simply assess and tell you your current maturity level.

How Do You Become ASD Essential Eight Compliant?

The ASD has set four maturity levels, from Level 0 to Level 3. They recommend organisations aim for Level 2 compliance, but some may choose to meet Level 3 for stronger protection. To be compliant, organisations must meet the specific guidelines for each maturity level.

What Are The Key Differences Between The ASD Essential Eight Assessment And The Marsh 12 Key Controls Assessment?

  • ASD Essential Eight: Focuses on eight key security strategies outlined by the Australian Cyber Security Centre (ACSC) as the minimum standard for cyber resilience.
  • Marsh 12 Key Controls Assessment: Measures how mature an organisation is across 12 cybersecurity controls, often for review by cyber insurance providers to assess overall security strength and resilience.

If you need to prove to an external group that your organisation has truly reached Level 1, 2 or 3 maturity, it can help to use an assessor who is independent. Shift Computer Solutions is experienced in assessing many security frameworks, including the ASD Essential Eight.
