The Essential Eight is a set of eight baseline mitigation strategies published by the Australian Cyber Security Centre (ACSC). It is not a law, not a product and not something you can be certified against. It is a prioritised checklist that, implemented properly, prevents the majority of common intrusions.
That last sentence matters, because the Essential Eight attracts more overclaiming than almost anything else in Australian IT. This article explains what it actually asks, what the maturity levels mean, and where a small organisation should genuinely start.
The eight strategies
- Application control: only approved applications can run.
- Patch applications: internet-facing and productivity apps patched fast.
- Configure Microsoft Office macro settings: block macros from the internet.
- User application hardening: browsers and PDF readers locked down.
- Restrict administrative privileges: admin rights limited, separated and reviewed.
- Patch operating systems: known OS vulnerabilities closed quickly.
- Multi-factor authentication: phishing-resistant MFA on everything that matters.
- Regular backups: backed up, tested and protected from tampering.
Nothing on that list is exotic. The difficulty is doing all eight consistently, with evidence.
What the maturity levels mean
The ACSC defines maturity levels from zero to three. Maturity level one counters opportunistic attackers using widely available tools. Level two counters more capable adversaries willing to invest in a target. Level three addresses adversaries who adapt their tradecraft to your specific defences.
Two honest observations from the field:
- Most Australian SMEs sit at maturity level zero or a partial level one, even when their IT provider says otherwise.
- Level three across all eight strategies is rarely the right goal for a small organisation. The ACSC itself frames the target as risk-based.
Who actually has to comply
Federal non-corporate Commonwealth entities are required to implement the Essential Eight under the Protective Security Policy Framework, and several state frameworks reference it for their agencies and suppliers. For everyone else it is guidance, but increasingly it arrives through the back door: cyber insurance questionnaires, supplier security assessments and government tender questions all borrow its language.
If you sell to government, expect to be asked where you sit against it and to show evidence rather than adjectives.
The claims to avoid
There is no such thing as Essential Eight certification. Be wary of anyone, including a supplier, who claims to be “Essential Eight certified” or “fully compliant” without naming a maturity level, a date and an assessment method. The credible statement is smaller: “assessed at maturity level one across all eight strategies in March 2026, self-assessed, with evidence available.”
That is the standard we hold ourselves to. Our own practices are aligned to the Essential Eight and the ACSC Information Security Manual, and we say “aligned”, not “certified”, because that is what is true.
Where an SME should start
In Microsoft 365 environments, three strategies give the most protection for the least disruption:
- Phishing-resistant MFA everywhere, via Entra ID Conditional Access.
- Restrict administrative privileges by moving standing admin into Privileged Identity Management.
- Regular backups that are restore-tested on a schedule, with the evidence kept.
Then work through patching and macro settings, which Intune can enforce, and treat application control as the longer project it genuinely is.
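The first item on that list is the one most often claimed and least often true: a tenant can have an "MFA for all users" policy and still fall short of phishing-resistant MFA because the policy is in report-only mode, grants on the generic "mfa" control (which SMS and push satisfy), or excludes more than the break-glass accounts. The check below is an added example, not code from the article or from Microsoft; it assumes the policy dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy resource, uses Microsoft's built-in "Phishing-resistant MFA" authentication strength id (assumed here; confirm it in your tenant), and runs over a constructed sample export rather than a real one.

```python
"""Assess an exported set of Entra ID Conditional Access policies against
the "phishing-resistant MFA everywhere" control.

Added example, not part of the original article. Policy dictionaries mirror
the Microsoft Graph conditionalAccessPolicy resource shape; the tenant
export, the break-glass account id and the policy names are constructed.
"""
from __future__ import annotations

# Microsoft's built-in authentication strength policy id for
# "Phishing-resistant MFA" (assumed here; verify in your own tenant).
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

# Constructed placeholder object id for the one permitted break-glass account.
BREAK_GLASS = {"PLACEHOLDER-BREAK-GLASS-ACCOUNT-ID"}


def covers_everyone(policy: dict) -> bool:
    """True when the policy is scoped to all users and all cloud apps."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    return ("All" in users.get("includeUsers", [])
            and "All" in apps.get("includeApplications", []))


def requires_phishing_resistant_mfa(policy: dict) -> bool:
    """True when the grant control is the phishing-resistant strength."""
    grant = policy.get("grantControls") or {}
    strength = grant.get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID


def assess_mfa_policies(policies: list[dict], break_glass: set[str]) -> dict:
    """Return whether phishing-resistant MFA is enforced tenant-wide and
    the policy-level weaknesses an assessor would record as evidence."""
    findings: dict = {"enforced_everywhere": False, "issues": []}
    for p in policies:
        name = p["displayName"]
        grant = p.get("grantControls") or {}
        if not covers_everyone(p):
            continue  # scoped policies cannot satisfy "everywhere" on their own
        if p["state"] != "enabled":
            findings["issues"].append(f"{name}: state is {p['state']}, not enforced")
            continue
        if requires_phishing_resistant_mfa(p):
            extra = set(p["conditions"]["users"].get("excludeUsers", [])) - break_glass
            if extra:
                findings["issues"].append(
                    f"{name}: excludes non-break-glass accounts {sorted(extra)}")
            else:
                findings["enforced_everywhere"] = True
        elif "mfa" in grant.get("builtInControls", []):
            findings["issues"].append(
                f"{name}: 'mfa' built-in control accepts SMS, voice and push; "
                "not phishing-resistant")
    if not findings["enforced_everywhere"] and not findings["issues"]:
        findings["issues"].append("no enabled tenant-wide MFA policy found")
    return findings


# Constructed export of a tenant that "has MFA" but not the control as described.
SAMPLE_EXPORT = [
    {"displayName": "Require phishing-resistant MFA (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR",
                       "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS)},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# Constructed policy that does satisfy the control.
GOOD_POLICY = {
    "displayName": "Require phishing-resistant MFA",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS)},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR",
                      "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}},
}

if __name__ == "__main__":
    for label, export in (("weak tenant", SAMPLE_EXPORT), ("good tenant", [GOOD_POLICY])):
        print(label, assess_mfa_policies(export, BREAK_GLASS))
```

The output of a run like this is the kind of dated, reproducible evidence the article asks for: not "we have MFA", but which policy enforces which strength on whom, and which exclusions exist beyond the break-glass account. The same pattern extends to the other two quick wins, checking that no user holds a standing Global Administrator assignment outside PIM, and that the last restore test of each backup set is within the agreed interval.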
A note for agencies and suppliers
If you are a small agency or a supplier into government, an honest self-assessment is worth more than an inflated one. Assessors and buyers have seen every flavour of overclaim. A documented maturity level with a dated uplift plan reads as competence; “we are fully Essential Eight compliant” with nothing behind it reads as risk. This is the approach we bring to our government work.
What to do this quarter
- Self-assess against all eight strategies and record a maturity level for each, honestly.
- Fix MFA, admin privileges and backup testing first.
- Write the uplift plan for the rest, with dates you can defend.
If you would like an independent assessment of where you sit, request a security review or read about our cybersecurity services.