Overview

The Essential Eight Cyber Security Assessment provides a structured framework for evaluating your organisation's implementation of the Australian Cyber Security Centre's Essential Eight Maturity Model. With questions across all eight mitigation strategies, the assessment covers Maturity Levels 1, 2, and 3 in full — from foundational controls through to mature, hardened implementations.

Each mitigation strategy is assessed individually, giving your team a clear view of where implementation is strong, where gaps exist, and which gaps carry the highest residual risk. The assessment is aligned to the ACSC's current published guidance at cyber.gov.au and reflects the evidence expectations of real-world assurance reviews.

The tool runs entirely in your browser — no data leaves your device — making it suitable for use in sensitive environments, including government and regulated industry contexts where data sovereignty matters.

Who It's For

This assessment is designed for:

  • CISOs and security managers assessing or reporting on Essential Eight maturity
  • GRC teams conducting internal compliance reviews against ACSC guidance
  • Government agencies and contractors with Essential Eight reporting obligations
  • Organisations subject to the SOCI Act or APRA CPS 234 using Essential Eight as a baseline
  • Internal audit teams validating cyber security control effectiveness
  • Security advisors conducting structured gap assessments for clients

Typical Outcomes

Organisations using this assessment typically gain:

  • Clear visibility of current maturity level across all eight mitigation strategies
  • Identification of the highest-risk gaps within each strategy
  • A prioritised remediation roadmap sequenced by risk and effort
  • Evidence-based assessment outputs suitable for board reporting and audit preparation
  • A defensible baseline for tracking maturity improvement over time
  • Structured documentation to support regulatory and contractual assurance requirements

Assessment Coverage

The assessment covers all eight ACSC mitigation strategies across Maturity Levels 1–3:

Prevent Malware Delivery and Execution:

  • Application Control — Restricting execution to approved applications; enforcement on workstations and servers; path-based controls; interpreter restrictions; SIEM integration
  • Patch Applications — Patching cadence for internet-facing and internal applications; vulnerability scanning; end-of-life software management; patch verification
  • Office Macros — Macro execution controls; trusted location management; digitally signed macro policy; blocking macros from the internet; user awareness
  • App Hardening — Browser hardening; disabling web advertisements; Java controls; PowerShell logging; attack surface reduction; hardening validation

Limit the Extent of Cyber Security Incidents:

  • Admin Privileges — Least privilege enforcement; privileged access workstations; just-in-time access; privileged access reviews; credential tiering; PAM controls
  • Patch Operating Systems — OS patching cadence; internet-facing vs internal systems; end-of-life OS management; patch compliance reporting; vulnerability scanning
  • Multi-Factor Authentication — MFA coverage across user types; phishing-resistant MFA for privileged accounts; MFA for remote access and cloud services; MFA exception management

Recover Data and System Availability:

  • Regular Backups — Backup frequency and scope; offsite and offline backup storage; immutable backup controls; backup testing and restoration; backup access credential management

What You Receive

Executive Summary Report

Board-ready maturity overview across all eight strategies with overall score, maturity level attainment, and highest-priority findings. Exportable to Word for executive and audit circulation.

Detailed Gap Register

Comprehensive findings register with risk ratings, evidence requirements, and maturity level mapping across all eight strategies. Exportable to Excel for remediation planning and tracking.

Maturity Visualisations

Strategy-by-strategy maturity charts and dashboard showing current ML attainment and gap profile, suitable for management review presentations and regulatory reporting.

Prioritised Remediation Roadmap

Actionable recommendations ranked by risk severity and maturity level, designed to support structured uplift planning and investment prioritisation.

All data remains in your browser — nothing is transmitted externally. Consistent methodology supports reassessment for trend tracking and continuous improvement reporting.

Ready to Assess Your Essential Eight Maturity?

Contact us to discuss access and how the assessment can be deployed in your organisation.

Often Used Alongside

Organisations frequently combine the Essential Eight assessment with complementary frameworks to address broader governance and compliance requirements.

Energy Sector • SOCI Act Aligned

AESCSF v2 Maturity Assessment

The Essential Eight underpins several AESCSF domains. Use both assessments together to satisfy AEMO reporting obligations and demonstrate broader cyber maturity.

Critical Infrastructure • SOCI Act

ECSO Readiness Assessment

For organisations with Systems of National Significance designation, combine Essential Eight maturity assessment with ECSO readiness to address all SOCI Act cyber obligations.

Further Reading

Resource

The Essential Eight Explained: A Plain-Language Guide for Australian Organisations

What the ASD's Essential Eight mitigation strategies actually require, how the maturity levels work, and what organisations typically find when they assess for the first time.
