The ACSC Essential Eight is a set of eight baseline mitigation strategies published by the Australian Cyber Security Centre (part of the Australian Signals Directorate). They are the eight controls the ACSC judges most effective at preventing, or sharply limiting the damage from, a serious cyber incident. We build our managed security programs around it.
The ACSC distilled the Essential Eight from its experience responding to cyber incidents across Australia: it is the prioritised subset of the ACSC's broader Strategies to Mitigate Cyber Security Incidents that would have stopped or significantly reduced the damage in the bulk of the incidents it has handled. The eight controls are designed to be implemented together, and they were designed with Microsoft Windows-based, internet-connected networks in mind. Together they address the most common attack paths, including ransomware, credential theft, phishing, and system compromise.
It is also the baseline the Australian Government mandates for its own agencies: the Protective Security Policy Framework requires non-corporate Commonwealth entities to implement the Essential Eight to at least Maturity Level Two. That gives it real credibility as a baseline for private sector businesses, and Australian cyber insurers and regulators increasingly reference it directly when assessing security posture.
Application control: only software you have approved is allowed to run, and everything else is blocked at the point of execution. In Essential Eight terms this covers executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets, not just .exe files, and as a minimum it must be enforced within standard user profiles and the temporary folders used by the operating system, browsers and email clients. Because it acts at execution rather than delivery, it stops a wide range of malware and ransomware even after a user has opened the attachment. A policy left in audit-only mode does not count.
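Whether application control is actually enforcing, rather than merely configured, is the first thing to verify on a Windows endpoint. The script below is an added example, not part of the original page or the ACSC's own material: it reads the effective AppLocker policy and the WDAC (Windows Defender Application Control) status and reports any rule collection that is missing or audit-only. The rule collection names (Exe, Dll, Script, Msi) and enforcement values are the ones Windows uses; the set of collections treated as required is an assumption aligned with the Essential Eight's coverage of executables, libraries, scripts and installers.

```powershell
# Added example (not from the page or the ACSC): report whether application
# control is enforcing on this host via AppLocker and/or WDAC.
function Get-ApplicationControlStatus {
    # Assumption: these four AppLocker collections must be enforced to cover
    # executables, software libraries, scripts and installers.
    $required = 'Exe', 'Dll', 'Script', 'Msi'
    $findings = [System.Collections.Generic.List[string]]::new()

    # --- AppLocker: the effective policy merges local and domain GPOs ---
    $collections = @{}
    $xmlText = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    if ($xmlText) {
        [xml]$policy = $xmlText
        foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
            # EnforcementMode is NotConfigured, AuditOnly or Enabled
            $collections[$rc.Type] = $rc.EnforcementMode
        }
    }
    foreach ($type in $required) {
        $mode = $collections[$type]
        if (-not $mode -or $mode -eq 'NotConfigured') {
            $findings.Add("AppLocker: $type collection is not configured")
        } elseif ($mode -eq 'AuditOnly') {
            $findings.Add("AppLocker: $type collection is audit-only and blocks nothing")
        }
    }
    # AppLocker rules are not applied at all unless the Application Identity service runs
    $appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $appIdRunning = ($null -ne $appId -and $appId.Status -eq 'Running')
    if (-not $appIdRunning) {
        $findings.Add('AppLocker: Application Identity service (AppIDSvc) is not running')
    }

    # --- WDAC: UsermodeCodeIntegrityPolicyEnforcementStatus 0 = off, 1 = audit, 2 = enforced ---
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wdacEnforced = ($null -ne $dg -and $dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)

    [pscustomobject]@{
        AppLockerCollections = $collections
        AppIdServiceRunning  = $appIdRunning
        WdacUserModeEnforced = $wdacEnforced
        # Either mechanism fully enforcing satisfies the control
        Enforcing            = ($findings.Count -eq 0 -or $wdacEnforced)
        Findings             = $findings
    }
}

Get-ApplicationControlStatus | Format-List
```

Run it in an elevated PowerShell session on a representative workstation. A host where every collection shows Enabled but AppIDSvc is stopped is a common finding: the policy looks complete in Group Policy yet nothing is blocked.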
Patch applications: keep applications up to date and remove any the vendor no longer supports. Attackers routinely exploit known vulnerabilities in unpatched applications, often within days of a patch being released. The Essential Eight sets concrete timeframes rather than "promptly": for internet-facing services, patches are applied within 48 hours when the vendor assesses the vulnerability as critical or a working exploit exists, and within two weeks otherwise, backed by regular vulnerability scanning to find what is still missing.
Configure Microsoft Office macro settings: macros are disabled for users who have no demonstrated business need, macros in files downloaded from the internet are blocked, the macros that remain are scanned by antivirus, and users cannot change these settings themselves. Malicious macros embedded in Word and Excel files are a common way attackers gain a foothold through phishing emails.
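The macro settings above are only effective when they are enforced by policy, because a user's own Trust Center choices can be changed with one click. The script below is an added example, not part of the original page or the ACSC's material: it audits the current user's Office macro policy and flags any application where macros can still be enabled or where internet-sourced files are not blocked. The registry locations and value meanings are the documented Office Group Policy settings; the version "16.0" (Office 2016 onwards and Microsoft 365) and the list of applications are assumptions to adjust for your environment.

```powershell
# Added example (not from the page or the ACSC): audit enforced Office macro
# policy for the current user. Assumptions: Office version 16.0 and the
# application list below.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio'

function Test-OfficeMacroPolicy {
    param([Parameter(Mandatory)][string]$App)

    # Values under HKCU\Software\Policies are written by Group Policy and are
    # read-only to the user; the user's own Trust Center choices (under
    # HKCU\Software\Microsoft) are overridden when a policy value exists.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $p = if (Test-Path $policyKey) { Get-ItemProperty -Path $policyKey } else { $null }

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (user can
    # click Enable), 3 = disable except digitally signed, 4 = disable without notification.
    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the Mark of the Web.
    $vba = $p.VBAWarnings
    $blockMotw = ($p.blockcontentexecutionfrominternet -eq 1)

    $issues = @()
    if (-not $p) {
        $issues += 'no macro policy enforced; user controls Trust Center'
    } elseif ($null -eq $vba) {
        $issues += 'VBAWarnings not set by policy'
    } elseif ($vba -notin 3, 4) {
        $issues += "VBAWarnings=$vba lets the user enable macros"
    }
    if (-not $blockMotw) {
        $issues += 'macros in internet-sourced files are not blocked'
    }

    [pscustomobject]@{
        Application          = $App
        PolicyEnforced       = ($null -ne $p)
        VBAWarnings          = $vba
        BlocksInternetMacros = $blockMotw
        Compliant            = ($issues.Count -eq 0)
        Issues               = ($issues -join '; ')
    }
}

$apps | ForEach-Object { Test-OfficeMacroPolicy -App $_ } | Format-Table -AutoSize
```

A VBAWarnings value of 4 matches users with no business need for macros; 3 (signed macros only) is the expected setting for users who do have one. Run the check as the end user, not as an administrator, since the policy hive being read is per-user.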
User application hardening: configure browsers and other user-facing applications to remove the features attackers rely on. As a minimum this means web browsers do not process Java or web advertisements from the internet, Internet Explorer 11 is disabled or removed, and users cannot change browser security settings; removing unnecessary browser extensions belongs in the same exercise. Higher maturity levels extend this to Microsoft Office and PDF readers (blocking them from spawning child processes or creating executable content) and to PowerShell (Constrained Language Mode, removal of PowerShell 2.0, and logging of blocked script execution).
Restrict administrative privileges: limit who has admin access, what it can reach, and for how long. Privileged access is granted only on a validated request, privileged accounts are prevented from browsing the web, reading email and using online services, and administrators use separate accounts and operating environments for privileged work rather than their everyday account. An admin account used for everyday tasks is exactly what phishing and credential theft are aimed at, so this control keeps privileged access tightly scoped.
Patch operating systems: keep operating systems up to date and remove any the vendor no longer supports. The same timeframes as application patching apply, with 48 hours for internet-facing systems when the vulnerability is critical or actively exploited, two weeks otherwise, and one month for workstations, servers and network devices at the base level. Unpatched operating systems are a well-known attack path and one of the easier ones to close.
Multi-factor authentication: require a second factor for users authenticating to your internet-facing services, to third-party online services that hold your sensitive data, and for all privileged users. A stolen password is then not enough on its own. One-time codes and push approvals can still be phished or relayed in real time, which is why the higher maturity levels call for phishing-resistant MFA such as FIDO2 security keys or smart cards.
Regular backups: back up important data, software and configuration settings, retain the backups in a secure and resilient manner (offline or otherwise isolated from the systems they protect, so ransomware cannot reach them), and test restoration as part of disaster recovery exercises rather than assuming it works. Backups must also be protected so that unprivileged accounts cannot access other users' backups and ordinary privileged accounts cannot modify or delete them. When ransomware hits, a backup you have actually restored from is the difference between recovering quickly and paying a ransom.
The ACSC defines four maturity levels, Maturity Level Zero to Three, for each of the eight strategies. Level Zero means significant weaknesses remain. Level One counters opportunistic adversaries using publicly available tools and techniques. Level Two counters adversaries willing to invest more effort in a specific target, and Level Three counters adversaries who are more adaptive and less reliant on public tooling. Maturity is assessed per strategy, and the ACSC recommends reaching the same level across all eight before moving higher, because the weakest strategy sets your real level. Most businesses should be working towards Maturity Level Two at a minimum.
We assess your current position across all eight strategies and give you a plain-language view of where you stand and what to address first.