ML2 baseline recommended for all industries by 2026

ASD Essential Eight: eight strategies that actually stop breaches

The Australian Signals Directorate distilled decades of threat intelligence into eight prioritised mitigations. Three objectives, three maturity levels, eight strategies. Used by Australian government, critical infrastructure, and private sector organisations. BlackSheep tracks your maturity across all eight.

$249/month · All frameworks included · No credit card to start

8 mitigation strategies · 3 maturity levels · 3 objectives · ML2 is the 2026 recommended baseline

Three maturity levels. Start where you are.

ML1

Maturity Level One

Adversary: Commodity tradecraft

Defends against adversaries using publicly available exploits and common techniques. The starting point for all organisations. Covers the basics: patching within a month, MFA for internet services, basic application control.

ML2 · 2026 baseline

Maturity Level Two

Adversary: Elevated tradecraft

Defends against adversaries who invest in targeting and can use more sophisticated tools and techniques. Tighter patching timelines (2 weeks), phishing-resistant MFA, advanced macro controls, privileged access workstations.

ML3

Maturity Level Three

Adversary: Advanced tradecraft

Defends against highly adaptive adversaries with advanced capabilities. 48-hour patching for exploited vulns, FIDO2/smart card MFA, comprehensive application control with testing, real-time response.

The eight mitigation strategies

Grouped into three objectives: prevent attacks, limit impact, and recover.

Prevent · ML1+

Application Control

Control which applications can execute. Allowlisting prevents unapproved and malicious software from running on your systems.

Prevent · ML1+

Patch Applications

Patch internet-facing and office applications within risk-appropriate timeframes. ML1: 1 month. ML2: 2 weeks. ML3: 48 hours for exploited vulns.

Prevent · ML1+

Configure Microsoft Office Macros

Block macros from the internet. Only allow vetted macros from trusted locations. Log and monitor macro execution.

Prevent · ML1+

User Application Hardening

Harden web browsers, email, and office apps. Block ads, Java, unnecessary extensions. Disable OLE packages and JavaScript in PDFs.

Limit · ML1+

Restrict Administrative Privileges

Separate privileged and standard accounts. No email or web browsing from admin accounts. Revalidate privileged access regularly.

Limit · ML1+

Patch Operating Systems

Patch OS vulnerabilities within risk-appropriate timeframes. Remove end-of-life operating systems. Use vulnerability scanners.

Limit · ML1+

Multi-Factor Authentication

MFA for all internet-facing services, privileged access, and sensitive data. ML3 requires phishing-resistant MFA (FIDO2/smart cards).

Recover · ML1+

Regular Backups

Back up data, software, and configs. Store copies offline or on non-rewritable media. Test restoration regularly. Protect backups from modification and deletion.
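A gap check for the patching windows listed under Patch Applications and Patch Operating Systems, added here as an example and not BlackSheep's own scoring code: given patch records, it reports the highest maturity level that every record satisfies and which records breach a given level. The ML3 window for vulnerabilities that are not known to be exploited is assumed to be the same two weeks as ML2, since the page only states the 48-hour window for exploited ones; the record fields and sample data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Patch windows per maturity level as stated on the page: ML1 one month,
# ML2 two weeks, ML3 48 hours for exploited vulnerabilities.
# ASSUMPTION: ML3's window for non-exploited vulnerabilities is two weeks.
PATCH_WINDOWS = {
    "ML1": {"exploited": timedelta(days=30), "other": timedelta(days=30)},
    "ML2": {"exploited": timedelta(days=14), "other": timedelta(days=14)},
    "ML3": {"exploited": timedelta(hours=48), "other": timedelta(days=14)},
}

@dataclass
class PatchRecord:
    asset: str
    vuln_id: str                    # constructed placeholder, not a real CVE id
    published: datetime             # when the fix / advisory became available
    exploited: bool                 # known to be exploited in the wild
    patched_at: Optional[datetime]  # None means still unpatched

def meets_level(rec: PatchRecord, level: str, now: datetime) -> bool:
    """True if the record was patched inside the level's window, or is unpatched but not yet overdue."""
    kind = "exploited" if rec.exploited else "other"
    deadline = rec.published + PATCH_WINDOWS[level][kind]
    if rec.patched_at is None:
        return now <= deadline       # still open: compliant only until the deadline passes
    return rec.patched_at <= deadline

def patching_maturity(records: List[PatchRecord], now: datetime) -> str:
    """Highest level whose window every record satisfies; 'none' if even ML1 is missed."""
    achieved = "none"
    for level in ("ML1", "ML2", "ML3"):
        if not all(meets_level(r, level, now) for r in records):
            break
        achieved = level
    return achieved

def overdue(records: List[PatchRecord], level: str, now: datetime) -> List[str]:
    """Vulnerability ids that breach the given level's window, for gap reporting."""
    return [r.vuln_id for r in records if not meets_level(r, level, now)]

# Constructed sample: assessment date and three records.
NOW = datetime(2024, 6, 1)
SAMPLE_RECORDS = [
    PatchRecord("web-01", "VULN-0001", datetime(2024, 5, 1), False, datetime(2024, 5, 10)),
    PatchRecord("mail-01", "VULN-0002", datetime(2024, 5, 20), True, datetime(2024, 5, 21, 12)),
    PatchRecord("vpn-01", "VULN-0003", datetime(2024, 5, 25), True, None),  # open for 7 days
]
LATE_RECORD = PatchRecord("file-01", "VULN-0004", datetime(2024, 4, 1), False, datetime(2024, 5, 15))
```

VULN-0003 is exploited and has been open for a week, so the sample set reaches ML2 but not ML3; adding LATE_RECORD (patched after 44 days) drops it below ML1.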

Common questions about the Essential Eight

Which maturity level should we target?

Most organisations should start with ML1 and work toward ML2. ML2 is the recommended baseline for all industries by 2026 under Australia's Cyber Security Strategy. ML3 is the target for critical infrastructure, finance, defence, and energy sectors. Start where you are and progress — a fully implemented ML1 is better than a partially implemented ML2.

How does the Essential Eight relate to ISO 27001?

They complement each other. ISO 27001 provides the management system framework (policies, risk management, governance). The Essential Eight provides specific, prioritised technical controls. Many organisations use ISO 27001 as the overarching structure and Essential Eight as the technical implementation priority list.

Can non-Australian organisations use the Essential Eight?

Absolutely. The eight strategies are based on universal threat intelligence and apply regardless of geography. Many international organisations adopt the Essential Eight because of its clear prioritisation and maturity model. It maps well to NIST CSF, CIS Controls, and other global frameworks.

How long does it take to reach ML1?

For a mid-size organisation with existing IT infrastructure, ML1 can be substantially achieved in 3-6 months with focused effort. Many organisations are partially compliant already — patching, MFA, and backups may be in place but not formalised. BlackSheep helps you see exactly where you stand from day one.

What changed in the 2023 maturity model update?

The November 2023 update aligned Essential Eight language with the ISM for consistency, refined maturity level requirements, and updated timeframes for patching based on current threat intelligence. The core eight strategies remain the same, but the implementation criteria at each maturity level were clarified.

Eight strategies. Three maturity levels. One platform.

BlackSheep tracks your progress across all eight mitigation strategies with scoring by maturity level. See your gaps, prioritise by risk, and demonstrate your cybersecurity posture.

$249/month. 30-day money-back guarantee.