Definition and purpose

The primary purpose of the Essential 8 is to provide a practical and prioritized set of strategies to mitigate cybersecurity incidents. These strategies are aimed at making it harder for adversaries to compromise systems, detect and respond to incidents when they occur, and recover quickly from breaches.

Governing Body

The Essential 8 framework is governed and maintained by the Australian Cyber Security Centre (ACSC), which is part of the Australian Signals Directorate (ASD).

Last updated

The Essential 8 was last updated in July 2021.

Applies to

The Essential 8 applies to a broad range of industries and organizations, both in the public and private sectors. It is particularly recommended for Australian government agencies and businesses seeking to enhance their cybersecurity posture.

Controls and requirements

The Essential 8 includes the following eight mitigation strategies:

• Application Control: Ensuring only approved applications can execute on systems.
• Patch Applications: Patching applications (e.g., Flash, web browsers, Microsoft Office) within 48 hours to address security vulnerabilities.
• Configure Microsoft Office Macro Settings: Block macros from the internet and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate.
• User Application Hardening: Configure web browsers to block Flash, ads, and Java, and disable unneeded features.
• Restrict Administrative Privileges: Limit the use of administrative privileges and use regular user accounts for day-to-day activities.
• Patch Operating Systems: Patch operating systems within 48 hours to address security vulnerabilities.
• Multi-factor Authentication (MFA): Implement MFA for all remote access, including cloud services, and administrative access.
• Daily Backups: Perform daily backups of important data, software, and configuration settings and store them offline.

Please refer to the official Essential 8 documentation for details on controls and requirements.

Audit type, frequency, and duration

Audits for the Essential 8 typically involve assessing an organization's compliance with the framework's strategies. This can be conducted through internal audits or by external cybersecurity auditors. The frequency of audits may vary based on organizational needs, risk assessments, and regulatory requirements, but annual audits are commonly recommended.

The duration of an Essential 8 audit depends on the organization's size, the complexity of its IT environment, and the scope of the audit.