SecurSentry
Topic hub

The Essential Eight, in plain English

The Essential Eight is the Australian Signals Directorate’s baseline set of eight mitigation strategies, published by the ACSC, that work together to protect a business from the most common cyber attacks. This guide explains the eight strategies, what the maturity levels mean and where an Australian small business should start.

Updated June 2026 4 guides in this hub ≈ 28 min to read it all

The short version

What is the Essential Eight, and who needs it?

The Essential Eight is the ASD’s baseline set of eight mitigation strategies, published by the Australian Cyber Security Centre (ACSC), that work together to protect organisations from the most common cyber threats. It started life as the most effective slice of a much longer list of strategies to mitigate cyber security incidents; the ACSC distilled it down to the eight that give the best return for the effort. For the full plain-English walk-through, read the eight controls, explained.

The eight are grouped by intent. Some prevent attacks from landing, some limit the extent of an attack that gets through, and some help you recover your data and systems afterwards. No single control does everything, which is why the ACSC’s standing advice is to bring them all up to the same standard rather than perfecting one and ignoring the rest.

It’s worth being clear about who it applies to. The Essential Eight is mandatory for many Australian Government entities. For most private small businesses it’s a strongly recommended baseline rather than a legal requirement, though you may find yourself needing it because a larger customer, an insurer, or a government-adjacent contract asks you to demonstrate it.

The eight strategies, in plain English

Here’s what each strategy means without the acronyms. A few are an afternoon’s work; others need a named owner and an ongoing routine, so treat the Essential Eight as a programme, not a one-off tick-box. Our plain-English checklist walks through each one as a simple self-assessment.

Put these eight in place at the same baseline level and you’ve genuinely reduced your risk. The certificate isn’t the point; the protection is.

How far should you take each one? (Maturity levels)

The Essential Eight comes with a maturity model running from Maturity Level Zero up to Maturity Level Three. Rather than treating each strategy as simply “done” or “not done”, the levels describe how well and how consistently you apply each one. The model is adversary-based: each level above ML0 is built to mitigate a tougher class of attacker.

For most Australian small businesses, Maturity Level One is the sensible target. It’s built to block the commodity, opportunistic attacks that smaller organisations face most. The ACSC recommends reaching the same level across all eight strategies before pushing any single one higher, because attackers look for the gap, not the average. Our maturity levels explained guide goes deep on ML1 to ML3 and who needs which.

Everything on the Essential Eight

Every guide, in one place

Start wherever your question is. Each guide is a short, plain-English read, and they build on each other as you go.

The Essential Eight is one door into the same work

The measures you put in place here aren’t a dead end. Much of the same everyday security work carries across to a standard like SMB1001. Do the work once, use it everywhere. We’re building SecurSentry around exactly that.

Frequently asked questions

What are the eight controls in the Essential Eight?

The eight mitigation strategies are: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, configure Microsoft Office macro settings, user application hardening, and regular backups. The ASD groups them by what they do — preventing attacks, limiting their extent, and recovering data and systems.

Is the Essential Eight mandatory for small businesses in Australia?

It is mandatory for many Australian Government entities, not for private small businesses in general. For most SMEs it is a strongly recommended baseline rather than a legal obligation, though you may meet it because a customer, insurer, or government contract asks you to.

Where should a small business start with the Essential Eight?

Maturity Level One is the baseline and the realistic starting point. The ACSC recommends working towards the same maturity level across all eight strategies before lifting any single one higher, because the eight are designed to complement each other.

What maturity level should a small business aim for?

For most Australian small businesses, Maturity Level One is the right starting target. It is built to mitigate the commodity, widely available tradecraft that opportunistic adversaries use most. You can step up to ML2 or ML3 later if your risk profile calls for it.

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.