The Essential Eight is the most-quoted, least-understood cybersecurity baseline in Australia. Every Commonwealth tender mentions it. Every supplier questionnaire asks for it. And every business owner gets a quote for “Essential Eight uplift” that varies by an order of magnitude. This is the version we wish someone had handed us when we first started running ML2 uplift projects for Canberra government contractors.
What the Essential Eight actually is
The Australian Cyber Security Centre (ACSC, part of the Australian Signals Directorate) publishes the Essential Eight as a baseline of mitigation strategies that, in their assessment, prevent the largest share of real-world cyber incidents seen in Australian government and enterprise environments.
The eight are: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. They are not novel. They are not glamorous. They are, in our experience, the things that catch real attackers.
Maturity levels describe how completely each strategy is implemented. ML0 means not implemented or only partially implemented. ML1 mitigates against opportunistic adversaries using widely-available tools. ML2 mitigates against adversaries willing to invest more time and effort to compromise a target. ML3 mitigates against adaptive, well-resourced adversaries.
What level you actually need
ML1: a sensible commercial baseline
ML1 is a defensible position for most Australian SMEs without specific regulatory or contractual obligations. It catches opportunistic attacks (phishing-led ransomware, password-spray attacks, mass-deployed exploit kits) that account for the bulk of real-world incidents. If you have nothing pushing you higher, ML1 is what we would recommend implementing properly rather than aspiring to ML2 and never finishing.
ML2: the Commonwealth contracting baseline
ML2 is the line most Commonwealth contractors are pushed to evidence. If you want to bid for federal government work that handles OFFICIAL or OFFICIAL: Sensitive data, expect ML2 to be in your supplier questionnaire. Defence supply chain, Home Affairs, ATO, and Services Australia work often references ML2 explicitly.
ML2 is also the level where your application-control story has to be real. Audit-mode allow-listing isn’t enough. You need enforcement, you need an exception process, and you need to prove it to an assessor.
ML3: defence supply chain and high-risk environments
ML3 is the right target if you handle Defence material at PROTECTED, sit in critical infrastructure, or have a contractual obligation that names ML3. It is meaningfully harder than ML2. Application control is enforced everywhere including servers, privileged access management is mandatory rather than “restricted by policy,” and the evidence burden is significantly heavier.
The realistic cost of ML2 uplift
Small organisation (under 50 staff, Microsoft 365)
Total cost: AUD $25,000 to $60,000 in services plus tooling licences. Timeline 3 to 5 months. Assumes a clean Microsoft 365 environment, modern Windows 10/11 fleet, no on-prem servers running line-of-business workloads. The bulk of the work is application control rollout and evidence pack production.
Mid-sized organisation (50 to 200 staff, mixed environment)
Total cost: AUD $60,000 to $150,000 in services plus tooling and licence true-ups. Timeline 5 to 8 months. Includes mixed infrastructure (some on-prem, some cloud), industry-specific applications (often the hardest piece for application control), more complex identity and admin-privilege remediation, and a fuller policy/process documentation set.
Larger organisation (200+ staff, multi-site, legacy systems)
Total cost: AUD $150,000 to $400,000+ in services over 8 to 14 months. Often involves replacing legacy line-of-business apps that cannot be brought under application control, redesigning admin-privilege workflows, and standing up a managed-security-operations capability for ongoing sustainment.
In every band, ongoing sustainment costs (patch operations, application-control exception management, evidence refresh, periodic re-assessment) typically run 15 to 30 percent of the initial uplift annually. Budget for it before signing for ML2; the risk is achieving compliance once and then drifting back below the line within 18 months.
The eight strategies, ranked by what kills projects
1. Application control (the project-killer)
Almost every ML2 project that runs over budget runs over budget here. The goal is to allow only approved executables to run. The reality is that organisations have hundreds of approved-but-unmanaged applications, contractors install their own tooling, and industry-specific software ships unsigned executables that change every release.
Get this right by starting in audit mode for at least 8 to 12 weeks, building a mature exception process, and accepting that enforcement happens last. Microsoft Defender Application Control (formerly WDAC) and AppLocker are the typical tools in M365-native estates. Third-party application-control products (ThreatLocker, Airlock Digital) often win in larger environments.
2. Patch applications and operating systems
The strategies are split but the project is the same: prove that you patch internet-facing services within two weeks (ML1), within 48 hours for critical vulnerabilities (ML2), and within 48 hours universally (ML3). The tooling is straightforward. The evidence is what fails most assessments. You need a vulnerability scanner, you need patching tooling (Intune for endpoints, dedicated server patching elsewhere), and you need reporting that proves the SLA was met.
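The reporting that proves the SLA was met is the piece assessors actually read, so here is an added example (not the article's or any vendor's code) of a minimal SLA check: it takes a constructed set of vulnerability findings and classifies each against the windows the article summarises for ML1, ML2 and ML3. The asset names, finding ids and the reading of the windows are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class PatchRecord:
    asset: str
    finding: str                  # constructed finding id, not a real CVE
    severity: str                 # "critical" or "other"
    internet_facing: bool
    detected: datetime
    remediated: Optional[datetime]  # None means the finding is still open

def sla_window(rec: PatchRecord, level: int) -> Optional[timedelta]:
    """Window that applies at this maturity level, or None if the level sets
    no window for this finding. Assumed from the article's summary: ML1 two
    weeks for internet-facing services, ML2 48 hours for critical findings
    (plus the ML1 window), ML3 48 hours for everything."""
    if level >= 3:
        return timedelta(hours=48)
    if level == 2 and rec.severity == "critical":
        return timedelta(hours=48)
    if rec.internet_facing:
        return timedelta(days=14)
    return None

def evaluate(records, level: int, now: datetime) -> dict:
    """Count in-scope findings as met or breached. An open finding is a
    breach once its deadline has passed; open and still inside the window
    is not yet reportable and is left out of the percentage."""
    met, breached = [], []
    for rec in records:
        window = sla_window(rec, level)
        if window is None:
            continue
        deadline = rec.detected + window
        if rec.remediated is not None and rec.remediated <= deadline:
            met.append(rec)
        elif rec.remediated is None and now <= deadline:
            continue
        else:
            breached.append(rec)
    total = len(met) + len(breached)
    pct = round(100 * len(met) / total, 1) if total else 100.0
    return {"met": len(met), "breached": len(breached), "compliance_pct": pct,
            "breaches": [(r.asset, r.finding) for r in breached]}

# Constructed sample findings, all detected at the same time for readability.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE = [
    PatchRecord("web-01", "F-001", "critical", True,  T0, T0 + timedelta(hours=30)),
    PatchRecord("web-02", "F-002", "other",    True,  T0, T0 + timedelta(days=10)),
    PatchRecord("fs-01",  "F-003", "critical", False, T0, T0 + timedelta(days=5)),
    PatchRecord("hr-app", "F-004", "other",    False, T0, None),
    PatchRecord("vpn-01", "F-005", "critical", True,  T0, None),
]
NOW = T0 + timedelta(days=20)
```

Running `evaluate(SAMPLE, 2, NOW)` on the sample shows the same estate passing at ML1 and failing at ML2 purely on the 48-hour critical window, which is the gap the article says most assessments trip over.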
3. Restrict administrative privileges
ML1 wants admin accounts segregated from daily-use accounts. ML2 wants privileged-access workflows reviewed annually and time-limited. ML3 wants privileged access management (PAM) tooling. The hardest part is usually the cultural shift inside the IT team itself: Australian SMEs commonly run with three or four people sharing local admin. ML2 removes that.
4. Multi-factor authentication
ML2 requires MFA on all internet-facing services (your tenant’s Microsoft 365 accounts, external SaaS, VPN, RDP). ML3 also requires MFA for privileged actions and important data. The tooling is mature; the gap is usually legacy applications that can’t do modern auth and one or two SaaS products that nobody got around to enabling MFA on. Conditional Access in Entra ID solves most of it cleanly.
5. Macro settings, user-application hardening, backups
The remaining three strategies are usually the cheapest. Configure Office macros to block by default with allow-list exceptions. Harden browsers and PDF readers (block legacy auth, disable unnecessary features, enforce updates). Test your backups and prove restoration. None of these are technically hard. They become hard when nobody owns the policy or the evidence trail.
Evidence: the part most projects underestimate
Achieving ML2 in your tenant is one thing. Producing the evidence pack an assessor will accept is another. A defensible Essential Eight evidence pack typically includes: a documented system security plan referencing each strategy, configuration screenshots and exports proving enforcement, sample audit logs covering at least three months, exception registers with business justification, change-control evidence, patch SLA reports, restore test evidence, and signed policy documents.
The evidence pack is where junior consultancies cut corners and where assessors push back. Plan for evidence collection from week one of the uplift, not week 16.
Common failures we see
- Treating it as a tooling purchase. M365 + Defender + Intune is necessary; the policy, configuration, and evidence work is most of the project.
- Skipping the gap assessment. A two-week structured gap assessment saves months of misdirected uplift work.
- Application control rushed to enforcement. Skipping audit mode is the fastest way to break business operations and lose executive support.
- No sustainment plan. Achieving ML2 once and then drifting because patching, exception review, and evidence refresh aren’t owned.
- Confusing IRAP and Essential Eight. They overlap but aren’t the same. Essential Eight is one input to an IRAP assessment, not a substitute.
Essential Eight and the broader compliance landscape
If you are pursuing ML2 because of a specific contract, get the contract’s exact language before scoping. “Aligns with Essential Eight ML2” is not the same as “evidenced ML2 by an IRAP-assessed assessor.” The first is a self-attestation; the second triggers a formal IRAP process and a meaningfully larger budget.
We’ve led Essential Eight uplift projects ranging from ML1 baseline programmes for Sydney professional-services firms through to ML2-evidenced rollouts for ACT government contractors operating in Essential Eight ML2 + IRAP-assessed environments. Read about how we did it for an ACT government contractor alongside their ERP rollout, where Essential Eight ML2 was a contractual prerequisite.
What to do next
If you’re bidding for Commonwealth work in the next 12 months, treat Essential Eight as a sales enabler rather than a compliance burden. Get your gap assessment done now, sequence the uplift around your business operations, and build the evidence pack as you go rather than at the end. If you’re not bidding for government work, ML1 implemented properly is far better than ML2 attempted and abandoned.
Before your next IT leadership meeting, download our Essential Eight ML2 readiness checklist — 83 control checks, evidence prompts, and the audit gaps we see most often.