Essential Eight Assessment

Independent assessment of current maturity against the ACSC Essential Eight model, with a prioritised roadmap to the target maturity level.

What is an Essential Eight assessment?

The Essential Eight is the ACSC’s set of eight prioritised cyber security mitigation strategies. The Australian Government requires Commonwealth entities to implement the Essential Eight at Maturity Level 2 or above. Many state government agencies and private sector organisations use the same model as a baseline security standard.

A maturity assessment evaluates your current implementation across all eight strategies against the ACSC Essential Eight Maturity Model. It establishes where you are today, where your gaps are relative to your target maturity level, and what you need to do to close them.

Who is this assessment for?

Government agencies: Commonwealth entities with a mandate to achieve Essential Eight ML2 or above. State government agencies with equivalent requirements. Agencies preparing for an IRAP assessment where the Essential Eight is part of the scope.

Commercial organisations: Organisations required to demonstrate Essential Eight compliance as a condition of a government contract, an insurance policy, or a supplier security questionnaire. Also relevant for organisations using the Essential Eight as a practical security baseline before pursuing ISO 27001 certification.

How does the assessment work?

1. Phase 1: Documentation and configuration review. This involves a review of security policies, configuration baselines, patch management records, and access control documentation against each Essential Eight strategy at the target maturity level.
2. Phase 2: Reporting. We deliver the assessment report, maturity heatmap, and remediation roadmap.

Timeline

3 to 6 weeks depending on assessment boundary size and documentation maturity.