July 11, 2025

Essential Eight framework: A comprehensive guide to compliance

Written by Vanta


In 2010, the Australian Signals Directorate (ASD) developed a set of prioritised threat mitigation strategies to provide cybersecurity guidance to government agencies and organisations. Over time, eight of those strategies proved to be the most effective and were formalised into the Essential Eight (E8) framework, officially published in 2017.

The E8 framework is especially relevant for IT teams, security professionals, and compliance officers working in government agencies or businesses handling sensitive data.

This article will break down everything you need to know about the Essential Eight framework to support your compliance process by covering these topics:

  • What is the Essential Eight?
  • Who needs to comply?
  • The benefits of compliance 
  • The eight E8 strategies

What is the Essential Eight?

The Essential Eight is an Australian cybersecurity framework introduced in June 2017. Its primary purpose is to provide organisations with detailed guidance on strengthening their systems against cyber threats.

Essential Eight is a direct expansion of the Australian Cyber Security Centre’s original “Top 4” strategies, which were initially recommended as the most effective security measures and comprised:

  1. Application allowlisting
  2. Patching applications 
  3. Updating operating systems
  4. Restricting administrative privileges

The updated framework builds on these strategies by adding another four, ensuring comprehensive protection against a wide range of cyber threats.

As a way to streamline compliance efforts and outline clear roadmaps towards a well-rounded security posture, the Essential Eight defines four maturity levels:

  1. Maturity Level Zero: At this level, organisations don’t meet the minimum security requirements specified by Maturity Level One and have obvious vulnerabilities in their security posture. When exploited, these security gaps could facilitate data breaches or compromise the integrity and availability of systems.
  2. Maturity Level One: To achieve Maturity Level One, organisations must implement protections against the most common threats, such as basic hacking tools, phishing attempts, and other opportunistic attacks.
  3. Maturity Level Two: This level introduces more stringent measures to ensure systems can mitigate targeted attacks. 
  4. Maturity Level Three: As the highest maturity level, organisations must implement the most comprehensive security measures to achieve compliance and protection against sophisticated cyber attacks. 


Who needs to comply with the Essential Eight?

As of 15 March 2022, following an update to the Protective Security Policy Framework, compliance with Essential Eight became mandatory for all Australian non-corporate Commonwealth entities (NCEs). NCEs include entities such as the Australian Taxation Office (ATO), Department of Home Affairs, Australian Signals Directorate (ASD), and the Australian Federal Police (AFP). Before this update, only the top four controls prescribed by the framework were required.

To ensure that in-scope entities maintain alignment with Essential Eight requirements, they must undergo and pass audits by the Australian National Audit Office (ANAO) every five years, starting in June 2022.

While compliance is not mandatory for private sector organisations, government agencies in some cases require suppliers to report on their Essential Eight implementations. Thus alignment with Essential Eight could become relevant to you if your business is one of the following:

  • Contractors working with government agencies
  • Health and education providers with public funding
  • Organisations managing sensitive or citizen data

Does Essential Eight require you to report data breaches?

While Essential Eight doesn’t directly outline breach notification requirements, Australian organisations may still be required to report them under the Privacy Act 1988 Notifiable Data Breaches scheme, administered by the Office of the Australian Information Commissioner (OAIC).

Under this scheme, all covered entities must notify the OAIC and affected individuals of a data breach as soon as practicable if it’s likely to result in serious harm. These entities include:

  • Australian government agencies 
  • Organisations with an annual turnover of $3 million or more
  • Health service providers
  • Tax file number (TFN) recipients
  • Credit reporting bodies
  • Credit providers 

For some regulated entities, the ACSC outlines a timeline, encouraging organisations to report critical incidents within 12 hours of detection and other breaches within 72 hours.

Benefits of implementing the Essential Eight

“One of the greatest benefits of Essential Eight compliance is that it supports best security practices for Microsoft Windows internet-facing networks.”

Jill Henriques

Even if your organisation isn’t considered an in-scope entity, pursuing Essential Eight compliance can benefit your security posture. Many of its requirements are intended to protect systems against the most common cyber threats, such as malware, ransomware, and data breaches.

Aside from strengthening your defences, Essential Eight helps minimise operational damage in case of downtime. Compliance requires frequent system backups, which support business continuity by allowing your organisation to recover quickly in case of operational disruptions or data loss.

Beyond technical benefits, Essential Eight supports building a culture of security in your organisation. Ensuring that policies and procedures directly address stakeholder concerns requires communicating with department members at every level, promoting greater cyber risk awareness and responsibility.

Achieving Essential Eight compliance can also provide advantages beyond enhancing security. As the framework aims to protect your systems against a wide range of threats, many of its controls overlap with other significant regulations such as NIST CSF, ISO 27001, and SOC 2, meaning you’ll have a head start when pursuing those frameworks.


8 Essential Eight mitigation strategies

The eight Essential Eight strategies are grouped into three primary objectives:

Objective: Prevent attacks
  • Application control
  • Patch applications
  • Application hardening
  • Configure MS Office macros
Objective: Limit attack impact
  • Restrict admin privileges
  • Patch OS systems
  • Multi-factor authentication
Objective: Data recovery
  • Daily backups

The sections below provide a brief overview of each strategy. However, since the requirements for patching applications and operating systems are the same, we’ve decided to cover them together.

1. Patch applications and operating systems

Addressing newly discovered vulnerabilities in operating systems and applications is essential to maintaining a strong security posture. Under Essential Eight, you must apply vendor-released patches within defined timeframes, depending on the severity of the vulnerability and the type of system.

Essential Eight divides threats into three categories (basic, moderate, and advanced), each with the following patching timelines:

Category          Threats                          Timeline
Basic threats     Internet-facing services         Within two weeks, or 48 hours if an exploit exists
                  Commonly targeted applications   Within one month
Moderate threats  Internet-facing services         Within two weeks, or 48 hours if an exploit exists
                  Commonly targeted applications   Within two weeks
                  Other applications               Within one month
Advanced threats  Internet-facing services         Within two weeks, or 48 hours if an exploit exists
                  Commonly targeted applications   Within two weeks, or 48 hours if an exploit exists
                  Other applications               Within one month

These timelines also apply to patching operating systems, with the key difference being the focus on workstations, servers, and network devices rather than applications.

You don't have to address all vulnerabilities simultaneously if you’re operating in a resource- or time-constrained environment. The ASD encourages prioritising externally facing systems, such as online services and internet-facing servers, before moving to offline assets.

The ASD recently changed its guidance to require organisations to mitigate critical vulnerabilities within 48 hours. This change applies to Maturity Level One through Maturity Level Three. Despite clear guidance, this patching control can be easily overlooked, particularly if you rely on manual patching and don’t have clear asset ownership. Consider automating patch deployments and maintaining a real-time inventory of critical assets to ensure your applications and systems are up to date.
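As an added example (not code from the original article or from the ASD), the Python below turns the patching table above and the 48-hour rule for critical vulnerabilities into a deadline calculator and runs it over a constructed asset inventory. The category and asset-class labels, the inventory fields, and the "no timeline defined" handling for combinations the table does not list are this example's own assumptions.

```python
from datetime import date, timedelta

# Patch windows from the table above, keyed by (threat category, asset class) and
# holding (days allowed, days allowed when an exploit exists). The category and
# asset-class labels are this example's own, not ASD terminology.
PATCH_WINDOWS = {
    ("basic", "internet_facing"): (14, 2),
    ("basic", "commonly_targeted"): (30, 30),
    ("moderate", "internet_facing"): (14, 2),
    ("moderate", "commonly_targeted"): (14, 14),
    ("moderate", "other"): (30, 30),
    ("advanced", "internet_facing"): (14, 2),
    ("advanced", "commonly_targeted"): (14, 2),
    ("advanced", "other"): (30, 30),
}

CRITICAL_DAYS = 2  # 48-hour rule for critical vulnerabilities, Maturity Levels One to Three


def patch_deadline(category, asset_class, released, exploit_exists=False, critical=False):
    """Date by which the vendor patch must be applied, or None when the table
    defines no timeline for this category/asset combination (for example "other
    applications" under basic threats), so the caller cannot silently assume one."""
    window = PATCH_WINDOWS.get((category, asset_class))
    if window is None:
        return None
    days = window[1] if exploit_exists else window[0]
    if critical:
        days = min(days, CRITICAL_DAYS)
    return released + timedelta(days=days)


def overdue_patches(inventory, today):
    """Return [(name, deadline)] for entries past their deadline. Entries with no
    defined timeline are returned with deadline None so a human decides on them."""
    findings = []
    for name, category, asset_class, released, exploit_exists, critical in inventory:
        deadline = patch_deadline(category, asset_class, released, exploit_exists, critical)
        if deadline is None or deadline < today:
            findings.append((name, deadline))
    return findings


# Constructed inventory: (name, category, asset class, vendor release date,
# exploit exists, vendor rates the vulnerability critical).
SAMPLE_INVENTORY = [
    ("web-gateway", "moderate", "internet_facing", date(2025, 7, 1), True, False),
    ("office-suite", "moderate", "commonly_targeted", date(2025, 6, 20), False, False),
    ("hr-portal-backend", "moderate", "other", date(2025, 6, 25), False, True),
    ("pdf-reader", "moderate", "other", date(2025, 6, 25), False, False),
]

TODAY = date(2025, 7, 11)  # constructed review date

if __name__ == "__main__":
    for name, deadline in overdue_patches(SAMPLE_INVENTORY, TODAY):
        print(f"OVERDUE {name}: deadline {deadline}")
```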

2. Multi-factor authentication

Essential Eight considers multi-factor authentication (MFA) one of the most effective methods for preventing unwanted access to sensitive information and systems.

To comply with Essential Eight, your MFA needs to contain at least two of the following factors:

  • Something the user knows: A passphrase, password, or PIN
  • Something the user has: A USB stick, smart card, access token, or smartphone
  • Something the user is: A biometric, fingerprint, eye scan, or facial geometry

Enforcing a layered approach ensures that your organisation’s systems stay safe even if one layer of authentication gets breached.

ASD notes that some MFA factors are more secure and, therefore, more effective than others. They recommend using phishing-resistant MFA over weaker implementations that rely on the likes of Short Message Service (SMS) messages or voice calls.

3. Restrict administrative privileges

Restricting administrative privileges reduces operational risk by minimising unnecessary administrative access to sensitive systems. Users with these privileges can change system configurations and operations and access sensitive data, making them a high-priority target for cyberattacks.

You should carefully define your approach when implementing controls to meet this requirement. Several methods may appear to provide the benefits of restricting administrative privileges but don’t meet the intent of this strategy, such as:

  • Minimising the total number of privileged accounts
  • Implementing privileged accounts that can’t be attributed to individual users
  • Granting temporary administrative privileges to user accounts
  • Placing standard accounts in user groups with administrative privileges

Instead of these methods, the ASD recommends implementing the following:

  • Identify the tasks that require administrative access
  • Confirm which stakeholders carry out these tasks
  • Create individual accounts for staff members with admin privileges, and grant the minimum necessary access for them to perform their duties effectively
  • Review access privileges for staff members frequently, particularly if they were involved in a cyber incident, change departments, or leave the organisation 
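As an added example (not code from the article or from the ASD), the Python below runs an access review over a constructed directory export and flags the patterns the section above says fall short of the intent: privileged accounts not attributable to an individual, standard user accounts sitting in administrative groups, and privileged accounts whose owner has left or changed department since the last review. The group names, record fields, and the 90-day review interval are assumptions of this example; the page itself only says "frequently".

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Constructed names for groups that confer administrative privileges.
ADMIN_GROUPS = {"Domain Admins", "Server Operators"}


@dataclass
class Account:
    name: str
    owner: Optional[str]      # employee id; None when nobody is individually attributable
    groups: Set[str]
    dedicated_admin: bool     # True for a separate admin account, False for a standard user account
    last_reviewed: date


@dataclass
class Employee:
    id: str
    department: str
    active: bool
    department_at_review: str  # department recorded when the account was last reviewed


def review_findings(accounts, employees, today, max_review_age_days=90):
    """Flag privileged accounts that conflict with the guidance above.
    The 90-day interval is an assumption of this example."""
    findings = []
    for acct in accounts:
        if not (acct.groups & ADMIN_GROUPS):
            continue  # not privileged; out of scope for this check
        if acct.owner is None:
            findings.append((acct.name, "privileged account not attributable to an individual"))
            continue
        if not acct.dedicated_admin:
            findings.append((acct.name, "standard user account is a member of an admin group"))
        emp = employees.get(acct.owner)
        if emp is None or not emp.active:
            findings.append((acct.name, "owner has left the organisation"))
        elif emp.department != emp.department_at_review:
            findings.append((acct.name, "owner changed department since last review"))
        if (today - acct.last_reviewed).days > max_review_age_days:
            findings.append((acct.name, "privileges not reviewed within the interval"))
    return findings


# Constructed directory export: one clean admin, one user moved to Finance while
# keeping admin rights on a standard account, one shared service admin, one leaver.
EMPLOYEES = {
    "e100": Employee("e100", "Platform", True, "Platform"),
    "e101": Employee("e101", "Finance", True, "Platform"),
    "e102": Employee("e102", "Support", False, "Support"),
}
ACCOUNTS = [
    Account("adm-e100", "e100", {"Domain Admins"}, True, date(2025, 6, 1)),
    Account("e101", "e101", {"Domain Admins", "Staff"}, False, date(2025, 6, 1)),
    Account("svc-backup-admin", None, {"Server Operators"}, True, date(2025, 1, 15)),
    Account("adm-e102", "e102", {"Domain Admins"}, True, date(2025, 2, 1)),
    Account("e100", "e100", {"Staff"}, False, date(2025, 6, 1)),
]
REVIEW_DATE = date(2025, 7, 11)  # constructed review date

if __name__ == "__main__":
    for name, reason in review_findings(ACCOUNTS, EMPLOYEES, REVIEW_DATE):
        print(f"{name}: {reason}")
```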

4. Application control

Application control is a security approach that protects your organisation’s systems, including servers and end-user devices, from malicious code by limiting the applications that they can run. With proper implementation, your systems can only execute approved executable content, such as applications, software libraries, scripts, installers, and HTML applications.

Two common approaches to application control are blocking (denylisting) or allowing (allowlisting) application execution. We recommend defining an allowlist as the more secure approach.

Allowlisting is a proactive process that ensures only approved applications and processes can run on an organisation’s systems. It involves identifying trusted software and events while blocking all other activity by default. When creating this list, you can identify the application events you want to approve or allow based on several identifiers, including:

  • File paths: Only processes in a specified path are allowed to run
  • Cryptographic hashes: Applications with identified hashes can load, regardless of file name and location
  • File size: Specify the size of the application and use that as the identifying criterion
  • Digital signatures: Leverage the application or vendor signature as an identifier 

Application blacklisting (also known as denylisting) is the opposite and often a more reactive approach: you create a list of applications or events that are blocked from running on your systems, while all others are allowed by default. ASD guidance for Maturity Levels Two and Three is that Microsoft’s recommended application blocklist is implemented in addition to the allowlist.

Application control can be implemented using tools such as Microsoft AppLocker or Windows Defender Application Control (WDAC), or third-party solutions tailored to enterprise environments. 
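As an added example (not code from the article, the ASD, AppLocker or WDAC), the Python below shows a default-deny allowlist decision over the four identifier types listed above, evaluated on a constructed set of executables. The rule set, publisher name, paths and file bytes are made up; signature verification is assumed to have already happened upstream and to have produced the publisher name, and the path rule normalises the path first so that a "..\" component cannot satisfy a trusted-directory rule.

```python
import hashlib
import ntpath
from dataclasses import dataclass


@dataclass
class Executable:
    path: str
    content: bytes          # file bytes, constructed inline in the sample below
    publisher: str = ""     # signer name from an already-verified signature; "" if unsigned


# Constructed allowlist using the four identifier types listed above.
ALLOWLIST = {
    # Path rules are only safe for directories that standard users cannot write to.
    "paths": ["C:\\Program Files\\", "C:\\Windows\\System32\\"],
    "hashes": {hashlib.sha256(b"approved build 1.2.3").hexdigest()},
    "publishers": {"Example Vendor Pty Ltd"},
    "sizes": {4096},        # weakest identifier: many unrelated files share a size
}


def _under(path, prefix):
    """Case-insensitive prefix match after collapsing '..' and '/', so that a path
    like 'C:\\Program Files\\..\\Users\\x\\y.exe' cannot satisfy a path rule."""
    norm = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(prefix))
    return norm.startswith(base + "\\")


def decide(exe, allowlist=ALLOWLIST):
    """Default deny: return (allowed, rule), where rule names the identifier that matched."""
    if any(_under(exe.path, p) for p in allowlist["paths"]):
        return True, "path"
    if hashlib.sha256(exe.content).hexdigest() in allowlist["hashes"]:
        return True, "hash"
    if exe.publisher and exe.publisher in allowlist["publishers"]:
        return True, "publisher"
    if len(exe.content) in allowlist["sizes"]:
        return True, "size"
    return False, "no rule matched"


# Constructed sample: a legitimate install, a traversal attempt against the path rule,
# a hash-approved build outside the trusted paths, a signed tool, and an unknown download.
SAMPLE_EXECUTABLES = [
    Executable("C:\\Program Files\\App\\app.exe", b"x" * 100),
    Executable("C:\\Program Files\\..\\Users\\bob\\evil.exe", b"y" * 100),
    Executable("C:\\Users\\bob\\Downloads\\build.exe", b"approved build 1.2.3"),
    Executable("C:\\Users\\bob\\Downloads\\tool.exe", b"z" * 50, publisher="Example Vendor Pty Ltd"),
    Executable("C:\\Users\\bob\\Downloads\\unknown.exe", b"w" * 50),
]


def evaluate_all(executables, allowlist=ALLOWLIST):
    """Map each path to its decision; anything not explicitly allowed is denied."""
    return {exe.path: decide(exe, allowlist) for exe in executables}


if __name__ == "__main__":
    for path, (allowed, rule) in evaluate_all(SAMPLE_EXECUTABLES).items():
        print("ALLOW" if allowed else "DENY ", rule, path)
```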


5. Restrict Microsoft Office macros

Although useful for automating repetitive tasks, Microsoft Office macros are an efficient way for malicious actors to compromise your organisation’s systems. Regardless of the Maturity Level you’re pursuing, Essential Eight requires you to disable all MS Office macros, except for those explicitly demonstrated as necessary.

As an additional security measure, all macros originating from the Internet are prohibited. If your organisation allows macros from trusted locations, they must not be able to modify MS Office macro security settings.

Requirements for Levels 2 and 3 are more stringent—to achieve compliance, you’ll need to ensure that even permitted macros are unable to make Win32 API calls.

6. User application hardening

Application hardening is the process of strengthening the security of your organisation’s internet-facing applications. The primary goal of this strategy is to reduce the attack surface by limiting or minimising potential vulnerabilities that may be susceptible to malicious use.

Independent of your chosen Maturity Level, you need to ensure that:

  • Internet Explorer 11 is disabled
  • Users cannot modify security settings
  • Java is disabled
  • Online advertisements are blocked

If you’re pursuing Levels 2 and 3, you’ll also need to:

  • Block MS Office from creating child processes or executable content and injecting code into other processes
  • Configure MS Office to prevent it from activating Object Linking and Embedding packages
  • Restrict PDF software from creating child processes

7. Regular backups

Implementing workflows that enable regular backups is essential for your organisation to recover quickly from an operational disruption or data loss. Before developing these workflows, scope them thoroughly to ensure that they cover all key information, such as sensitive data, software, and configuration settings.

When setting up your data backup procedures, you need to ensure that:

  • Backups are performed daily
  • You synchronise systems to enable restoration to a common point in time
  • Backup data is retained in a secure and resilient manner by encrypting it or storing it off-site with redundancies in place

Essential Eight doesn’t specify a retention period for backup data; instead, it only states that it should be maintained according to your business continuity and regulatory requirements. As an industry best practice, you should retain data backups for at least 90 days.

Potential challenges of Essential Eight compliance

While Essential Eight offers a clear roadmap to strengthening your organisation’s cybersecurity posture, it can still be challenging to implement at scale, particularly due to its technical depth. Measures like application control, privilege management, and patching require close cooperation between your IT, security, and compliance teams and can easily result in delays.

Controls like MFA and data backups add another layer of challenge as they may get implemented unevenly across departments and systems, especially in hybrid environments. 

Legacy systems are another common roadblock, since they may require compensating controls like system isolation, network segmentation, or monitoring, whose effectiveness you also need to demonstrate during compliance audits. This becomes especially challenging when vendors assess a vulnerability as critical, such as those enabling remote code execution or authentication bypass. In such cases, organisations should patch, update, or otherwise mitigate the vulnerability within 48 hours.

This is especially true for organisations with a still maturing security posture and limited resources. These organisations may lack the necessary in-house expertise, which can lead to higher costs as they struggle to scale the framework alongside organisational growth, often requiring outside consultants to fill the gaps.

Maintaining Essential Eight compliance also requires continuous evidence collection and a rapid response to patching and configuration updates. You can automate these processes with dedicated compliance management software and streamline them through real-time monitoring, freeing up bandwidth for your security teams.

Secure ongoing Essential Eight compliance with Vanta

Vanta is a compliance and trust management platform that streamlines your Essential Eight compliance efforts by automating up to 50% of required workflows. It supports scalability through customisation and integrations, and offers real-time insight into your security posture for faster responses to regulatory changes and updates. 

The platform offers a dedicated Essential Eight product with a built-in framework for Maturity Level Two that can be quickly adapted to Level 3 with custom controls. As part of the product, you can also access various features to make ongoing compliance more efficient, including:

  • Pre-built templates for full regulatory coverage
  • Automated evidence collection
  • More than [integrations_count] integrations with popular tools
  • Continuous visibility into your compliance status
  • Centralised compliance documentation management

Vanta also offers a partner network you can leverage to find an auditor or partner who can support your Essential Eight compliance process at every step.

Schedule a custom demo and see firsthand how Vanta can optimise your Essential Eight compliance efforts.

