
Essential Eight ML2 readiness checklist.

Eighty-three control checks across the eight strategies, with evidence prompts and the audit gaps we see most often. Print before your next assessment.


This checklist is the working document our consultants use on the first day of an ML2 gap assessment. It covers what each strategy requires at maturity level 2, evidence the assessor will look for, and the gaps we find most often. Print it, mark it up, and bring it into your next IT leadership meeting.

Reference: this checklist reflects the Australian Cyber Security Centre’s Essential Eight Maturity Model. Always cross-check against the current ACSC publication; the model is updated periodically.

1. Application control

Block execution of unapproved/malicious software. ML2 requires application control on all workstations and servers.

  • Application control implemented on workstations using Microsoft Defender Application Control, AppLocker, or third-party (ThreatLocker, Airlock Digital).
  • Application control implemented on servers (often skipped — common ML2 finding).
  • Allow-list scope covers executables, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets.
  • Block mode (not audit mode) enforced for at least 30 days before assessment.
  • Documented exception process with business justification for each exception.
  • Monthly review of application-control logs and exceptions.
  • Microsoft ‘recommended block’ rules implemented (LOLBins).

Evidence to collect

WDAC/AppLocker policy XMLs, Intune/SCCM deployment screenshots, sample audit log extracts (last 90 days), exception register, monthly review minutes.
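One way to turn the first evidence item into a pass/fail check, as an added example rather than the checklist's or ACSC's own tooling: it reads the XML that `Get-AppLockerPolicy -Effective -Xml` exports (assumed available on the endpoint; the sample policy here is constructed) and flags any required rule collection that is missing or still in audit mode.

```python
"""Check an exported AppLocker policy for ML2 application-control readiness.

Added example, not the checklist's or ACSC's own tooling. Only the AppLocker
rule-collection types are checked; compiled HTML, HTML applications and control
panel applets from the checklist's scope have no dedicated collection and are
not covered here.
"""
import xml.etree.ElementTree as ET

# Checklist scope -> AppLocker rule collection that carries it.
REQUIRED_COLLECTIONS = {
    "Exe": "executables",
    "Dll": "software libraries",
    "Script": "scripts",
    "Msi": "installers",
    "Appx": "packaged apps",
}

# Constructed sample: Exe and Msi enforced, Dll audit-only, Appx not configured,
# Script collection absent altogether. Rule Id is a placeholder GUID.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly" />
  <RuleCollection Type="Msi" EnforcementMode="Enabled" />
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""


def assess_policy(xml_text: str) -> dict:
    """Map each required collection to 'enforced', 'audit', 'not configured' or 'missing'."""
    root = ET.fromstring(xml_text)
    modes = {rc.get("Type"): rc.get("EnforcementMode", "NotConfigured")
             for rc in root.findall("RuleCollection")}
    labels = {"Enabled": "enforced", "AuditOnly": "audit", "NotConfigured": "not configured"}
    return {ctype: labels.get(modes[ctype], "not configured") if ctype in modes else "missing"
            for ctype in REQUIRED_COLLECTIONS}


def ml2_gaps(status: dict) -> list:
    """Anything short of block mode is a finding; audit mode is the commonest one."""
    return [f"{REQUIRED_COLLECTIONS[t]} ({t}): {s}"
            for t, s in status.items() if s != "enforced"]
```

Run it against the effective policy on a workstation and on a server; the server run is where the scope gap usually shows.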

2. Patch applications

Patch applications within 2 weeks of vendor release; within 48 hours for ‘critical’ severity or active exploitation.

  • Vulnerability scanner deployed and reporting (Defender for Endpoint, Tenable, Qualys, Rapid7).
  • Patch SLAs documented and reviewed monthly.
  • Critical vulnerabilities (CVSS 9.0+) patched or mitigated within 48 hours.
  • Standard vulnerabilities patched within 2 weeks.
  • Internet-facing services covered with explicit SLA.
  • Sample evidence of patch SLAs being met for the prior 3 months.
  • Unsupported applications are removed or have a documented mitigation.

Evidence to collect

Vulnerability scan reports, patch deployment reports, SLA tracking spreadsheet, asset inventory showing supported versions.

3. Configure Microsoft Office macro settings

Block macros from the internet by default. Only signed macros, or macros from trusted locations, are permitted.

  • Macros blocked by default for all users via Intune or Group Policy.
  • Macros from the internet blocked at the source (mark-of-the-web).
  • Trusted Locations and signed-macro exceptions documented.
  • Macro execution events monitored centrally.
  • Antivirus scanning of macros enabled.

Evidence to collect

Intune/GPO configuration screenshots, signed-macro inventory, macro execution log samples.

4. User application hardening

Web browsers and office applications are configured to mitigate common attack vectors.

  • Internet Explorer 11 disabled or removed.
  • Web browser ads, Java content, and Flash blocked.
  • Web browser security settings cannot be disabled by users.
  • Office applications cannot create child processes.
  • PDF software blocked from creating child processes.
  • Office applications blocked from injecting code into other processes.
  • Microsoft Office add-ins centrally controlled.

Evidence to collect

Browser ADMX/Intune configuration, ASR (Attack Surface Reduction) rule deployment, sample event log entries.

5. Restrict administrative privileges

Privileged accounts are validated, time-limited, and segregated from unprivileged use.

  • Privileged accounts cannot read email or browse the internet.
  • Privileged accounts segregated from unprivileged use (separate accounts).
  • Privileged access is requested, approved, and time-limited.
  • Privileged access events centrally logged.
  • Annual review of privileged accounts and their continued need.
  • Cloud admin roles (Global Admin, Privileged Authentication Admin) limited and monitored.
  • Just-In-Time (JIT) elevation through Privileged Identity Management (PIM) for cloud admin roles.

Evidence to collect

Admin account inventory, PIM activation history, annual privilege review minutes, segregation policy.

6. Patch operating systems

Patch operating systems within 2 weeks; within 48 hours for critical severity. ML2 also requires automatic asset discovery.

  • OS patching SLAs documented and reviewed monthly.
  • Internet-facing servers patched within 48 hours for critical vulnerabilities.
  • Automatic asset discovery scanning at least fortnightly.
  • Sample evidence of OS patching SLAs being met for the prior 3 months.
  • Unsupported OS versions are removed or have a documented mitigation.
  • Network device firmware patching included in scope.

Evidence to collect

Asset discovery scan reports, OS patch reports, vulnerability scanner output for OS.
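The evidence items in sections 2 and 6 both come down to the same question: was each vulnerability closed inside its SLA window? This added example (not the checklist's or any scanner's own reporting) assumes a CSV joined from the scanner and patch tool with the columns shown; the rows and CVE ids are constructed. It applies the checklist's thresholds (CVSS 9.0+ within 48 hours of vendor release, everything else within 2 weeks) to produce the per-finding record an assessor asks for instead of just the SLA document.

```python
"""Turn a vulnerability/patch export into patch-SLA evidence for sections 2 and 6.

Added example, not the checklist's or any scanner's own reporting. Thresholds
follow the checklist: CVSS 9.0+ within 48 hours of vendor release, everything
else within 2 weeks; the same rule serves application and OS patching.
"""
import csv
import io
from datetime import datetime, timedelta

CRITICAL_CVSS = 9.0
CRITICAL_SLA = timedelta(hours=48)
STANDARD_SLA = timedelta(days=14)

# Constructed export; timestamps are ISO 8601 UTC, CVE ids are placeholders.
SAMPLE_CSV = """asset,scope,cve,cvss,released,patched
web-01,os,CVE-0000-0001,9.8,2024-03-01T00:00:00,2024-03-02T10:00:00
web-01,app,CVE-0000-0002,7.5,2024-03-01T00:00:00,2024-03-20T09:00:00
fs-02,os,CVE-0000-0003,9.1,2024-03-01T00:00:00,
ws-17,app,CVE-0000-0004,5.3,2024-03-01T00:00:00,2024-03-10T08:00:00
"""


def sla_for(cvss: float) -> timedelta:
    """48 hours for critical severity, otherwise two weeks."""
    return CRITICAL_SLA if cvss >= CRITICAL_CVSS else STANDARD_SLA


def assess(csv_text: str, now_iso: str) -> list:
    """Classify every finding: met, breached, overdue (open past deadline) or open."""
    now = datetime.fromisoformat(now_iso)
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        deadline = datetime.fromisoformat(r["released"]) + sla_for(float(r["cvss"]))
        if r["patched"]:
            status = "met" if datetime.fromisoformat(r["patched"]) <= deadline else "breached"
        else:
            status = "overdue" if now > deadline else "open"
        rows.append({**r, "deadline": deadline.isoformat(), "status": status})
    return rows


def summary(rows: list) -> dict:
    """Counts per status; met / (met + breached) is the monthly closure-within-SLA rate."""
    counts = {s: 0 for s in ("met", "breached", "overdue", "open")}
    for r in rows:
        counts[r["status"]] += 1
    return counts
```

Keep the monthly output of `summary` alongside the raw rows; that pair is the "SLA actually met" evidence the gaps list below says is usually missing.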

7. Multi-factor authentication

MFA enforced on all internet-facing services for users, and for privileged users on important data repositories.

  • MFA enforced on Microsoft 365 / Entra ID for all users.
  • MFA enforced on third-party SaaS (Salesforce, Xero, etc.).
  • MFA enforced on remote access (VPN, RDP gateways, Citrix).
  • MFA uses a phishing-resistant factor or, at minimum, an authenticator app (not SMS) for privileged users (ML2).
  • Conditional Access blocks legacy authentication.
  • MFA bypass requires documented approval and is logged.
  • MFA adoption tracked and gaps remediated weekly.

Evidence to collect

Conditional Access policy export, MFA registration report, legacy auth block evidence.
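The Conditional Access export can be checked mechanically for the "legacy auth blocked" item. This added example (not the checklist's or Microsoft's tooling) assumes the JSON shape of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users, conditions.clientAppTypes, grantControls); the two policies below are constructed and reproduce the common gap where MFA is enforced but the legacy-auth block is still report-only.

```python
"""Check a Conditional Access export for an enforced legacy-authentication block.

Added example, not the checklist's or Microsoft's tooling. Assumes the Graph
conditionalAccessPolicy JSON shape; the two policies below are constructed.
"""
import json

# Client app types that carry legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

# Constructed export: MFA is enforced, but the legacy-auth block is report-only.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
])


def blocks_legacy_auth(policy: dict) -> bool:
    """True if the policy is designed to block both legacy client app types for all
    users. Exclusions (e.g. break-glass accounts) are not inspected; review separately."""
    cond = policy.get("conditions", {})
    include = cond.get("users", {}).get("includeUsers", [])
    apps = set(cond.get("clientAppTypes", []))
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    return "All" in include and LEGACY_CLIENT_APPS <= apps and "block" in controls


def legacy_auth_finding(export_json: str) -> str:
    """Return 'enforced', 'report-only' or 'missing' for the legacy-auth block."""
    candidates = [p for p in json.loads(export_json) if blocks_legacy_auth(p)]
    if any(p.get("state") == "enabled" for p in candidates):
        return "enforced"
    if any(p.get("state") == "enabledForReportingButNotEnforced" for p in candidates):
        return "report-only"
    return "missing"
```

A report-only result is the Conditional Access equivalent of application control left in audit mode: it produces logs, not evidence of enforcement.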

8. Regular backups

Backups of important data, software, and configuration settings are performed, retained, tested, and protected from destruction.

  • Backup scope covers data, software, and configuration settings.
  • Backup frequency aligns with business continuity requirements.
  • Backup retention aligns with business continuity requirements (typically 90 days minimum for ML2).
  • Restoration testing performed at least annually.
  • Backups stored in a way that prevents unprivileged accounts from modifying or deleting them (immutable / air-gapped).
  • Backup access requires privileged credentials and MFA.
  • Cloud workload backups covered (M365, Azure, Salesforce, etc.).

Evidence to collect

Backup configuration screenshots, restoration test reports, immutable storage configuration, access logs.

The eight gaps that catch most ML2 projects

  • Application control still in audit mode at assessment time.
  • Servers excluded from application control scope.
  • Patch SLA reports exist but no evidence the SLA was actually met.
  • Privileged accounts share credentials or have email access.
  • MFA enabled but legacy auth not blocked.
  • Backups untested in the last 12 months.
  • Evidence pack assembled retroactively rather than continuously.
  • ‘Aligns with’ mistaken for ‘evidenced’.

Want a structured walk-through against your environment? Our gap assessment turns this checklist into a scored maturity statement, an evidence pack, and a sequenced uplift plan over two weeks. Read the long-form Essential Eight maturity model guide for context, or book a gap assessment.
