Essential Eight
The eight baseline mitigation strategies the ASD considers most effective against targeted cyber intrusion.
What Essential 8 actually is.
The Essential Eight is the ASD's prioritised list of mitigation strategies, drawn from the broader Strategies to Mitigate Cyber Security Incidents. Each strategy is measured against a three-level Maturity Model (ML1, ML2, ML3) that describes progressively stronger adversary capability being mitigated. It is mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF) and widely adopted by state government, local government and the regulated private sector as a reasonable baseline.
Mandatory for non-corporate Commonwealth entities (via PSPF). Recommended by the ACSC for all Australian organisations and commonly referenced by state governments, insurers and boards as a minimum expectation.
The control areas the framework covers.
Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.
01. Application control
Prevent execution of unapproved or malicious code, including executables, scripts, installers and compiled HTML.
02. Patch applications
Apply patches to internet-facing applications within 48 hours; other applications within two weeks.
03. Configure Microsoft Office macros
Disable macros for users without a demonstrated business need; block macros from the internet by default.
04. User application hardening
Configure web browsers to block Flash, ads and Java; disable untrusted Office add-ins.
05. Restrict administrative privileges
Limit privileged access to those with a demonstrated need; regularly revalidate.
06. Patch operating systems
Apply patches for internet-facing operating systems within 48 hours; others within two weeks.
07. Multi-factor authentication
MFA for privileged users, remote access and access to important data repositories.
08. Regular backups
Daily backups of important data, retained for three months, tested and held offline or immutable.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
Essential Eight: cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
Essential Eight Maturity Model: cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
Strategies to Mitigate Cyber Security Incidents: cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-to-mitigate-cyber-security-incidents
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against Essential 8.
Assessment, engineering and operational services that line up with the framework's control areas.
ASD Essential Eight
Reach Maturity Level 3 across the ACSC's eight prioritised mitigation strategies.
Penetration Testing
Find it before the attackers do - CREST-certified engagements that deliver actionable findings, not compliance checkboxes.
Managed Detection & Response
Sovereign Australian XDR powered by nine global SOCs, AWS Australia hosting and 24x7 human-verified response.
Where Essential 8 shows up.
Sectors where Vectra most commonly applies this framework. Click through for the industry-specific program view.
Government
IRAP-assessed, PROTECTED-cleared cybersecurity for Commonwealth, state and local agencies operating under the ISM and PSPF.
Healthcare & Pharma
Cybersecurity for hospitals, health services, life-sciences and aged care - where patient safety and sensitive health data never pause.
Critical Infrastructure
SOCI Act-aligned OT/ICS cybersecurity for energy, water, telecommunications, transport and data-storage operators.
Banking & Finance
APRA CPS 234 and CPS 230 aligned cybersecurity for banks, insurers, superannuation funds and RSE licensees.
Aviation & Logistics
Cybersecurity for airports, airlines, freight forwarders, ports and supply-chain operators under SOCI, MTOFSA and ICAO.
Security, engineered around you.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.