ASD Essential Eight Maturity Model
Last updated: 2026-04-01 07:21 UTC
The Essential Eight is a set of baseline mitigation strategies from the Australian Signals Directorate (ASD), recommended for all Australian organisations and mandated for Commonwealth entities.
The Eight Strategies
Prevent Malware Delivery and Execution
| # | Strategy | Purpose |
|---|---|---|
| 1 | Application Control | Prevent execution of unapproved/malicious programs |
| 2 | Patch Applications | Remediate known application vulnerabilities |
| 3 | Configure Microsoft Office Macros | Block macros from the internet and allow only vetted macros |
| 4 | User Application Hardening | Block ads, Java, Flash, and unnecessary features in browsers |
Limit Extent of Cyber Incidents
| # | Strategy | Purpose |
|---|---|---|
| 5 | Restrict Administrative Privileges | Limit admin access to only those who need it |
| 6 | Patch Operating Systems | Remediate known OS vulnerabilities |
| 7 | Multi-factor Authentication | Protect against credential theft and reuse |
Recover Data and System Availability
| # | Strategy | Purpose |
|---|---|---|
| 8 | Regular Backups | Ensure data and systems can be recovered |
Maturity Levels
| Level | Description |
|---|---|
| Maturity Level Zero | Weaknesses in overall cyber security posture |
| Maturity Level One | Partly aligned, focus on adversaries using commodity tradecraft |
| Maturity Level Two | Aligned to mitigate adversaries operating with moderate investment |
| Maturity Level Three | Fully aligned, mitigates adversaries who are more adaptive and less reliant on public tooling |
Assessment
Organisations can self-assess their Essential Eight maturity using the Essential Eight Assessment Process Guide.
Key Updates
- November 2023: Updated to include revised maturity levels and control requirements
- Mandated: All non-corporate Commonwealth entities must implement the Essential Eight to at least Maturity Level Two
- PSPF Alignment: Maps to the Protective Security Policy Framework (PSPF) requirements