Definition and purpose

The Essential Eight framework is a set of prioritized cybersecurity strategies that organizations can implement to enhance their cybersecurity posture and improve their cyber resilience. The purpose of the Essential Eight is to provide an optimal starting point for cybersecurity and serve as a baseline for organizations seeking to develop a robust cyber risk management program. It is highly beneficial for organizations in protecting against a wide range of cyber threats, including ransomware, phishing attacks, and other advanced cyber attacks.

Governing Body

The Australian Cyber Security Centre (ACSC), a part of the Australian Signals Directorate (ASD), is the governing body that manages and updates the Essential Eight framework.

Last updated

The Essential Eight framework is updated periodically based on evolving cyber threats and best practices. The most recent update was released in November 2022.

Applies to

The Essential Eight framework is sector-agnostic and can be applied to any organization—public or private—across various industries. While initially aimed at Australian organizations, the principles and strategies are universally applicable and are considered best practices for enhancing cybersecurity globally.

Controls and requirements

The Essential Eight framework consists of the following strategies:

• Application Whitelisting: Only allow approved applications to run on systems.
• Patch Applications: Timely patching of security vulnerabilities in software applications.
• Disable Unnecessary Features: Turn off unneeded features in applications, operating systems, and web browsers to reduce the attack surface.
• User Application Hardening: Configure web browsers to block Flash, ads, and Java on the internet.
• Restrict Administrative Privileges: Limit admin privileges to only those who need it and use strong, unique passwords.
• Patch Operating Systems: Keep the operating system updated with the latest security patches.
• Multi-Factor Authentication (MFA): Use at least two forms of authentication for accessing sensitive or critical systems.
• Daily Backups: Keep backups of essential data and ensure they are not directly accessible from user networks.

Please refer to the official Essential Eight Maturity Model documentation for a detailed list of controls and requirements.

Audit type, frequency, and duration

An Essential Eight audit would typically be an internal or third-party cybersecurity audit. Frequency may vary depending on the organization’s risk profile, but an annual assessment is generally recommended. The duration of the audit would depend on the size and complexity of the organization but could range from a few weeks to several months.