
A 7-step Essential Eight compliance checklist
Implementing Essential Eight (E8) is mandatory for in-scope organisations, such as government agencies, critical infrastructure providers, and other non-corporate Commonwealth entities (NCEs).
Even if your organisation isn’t scoped by the framework, aligning with E8 is recommended because it outlines the baseline requirements for defending against cyber threats.
Considering that a typical organisation only dedicates around 10% of its IT budget to security, E8 compliance can be overwhelming for many businesses that lack the bandwidth to adopt the necessary controls.
Although there are only eight mitigation strategies, the depth and rigour required at higher maturity levels can be substantial, and a structured approach helps organisations manage that complexity. Even so, E8 is a good starting point for organisations that want to mature their cybersecurity posture.
If you’re among them, this guide will help by outlining seven actionable steps you can take to implement E8 to increase your organisation’s cyber resilience and maturity.
Essential Eight: A quick overview
Essential Eight consists of prioritised risk mitigation strategies created by the Australian Signals Directorate (ASD). It was introduced in 2017 as an extension to the original set of four critical cybersecurity controls.
As part of the framework, the ASD developed the Essential Eight Maturity Model, a set of implementation guidelines for the Essential Eight’s controls. The Model draws on the ASD’s experience with security risk detection, incident response, and related initiatives, and its best practices are based on real-world incidents the ASD has observed, which keeps them relevant to the current threat landscape.
According to the Model, the security requirements your organisation must meet depend on the necessary maturity level, which is mainly determined by the organisation’s exposure to different threats.
Essential Eight differentiates between four maturity levels outlined in the following table:
The security measures E8 prescribes are designed to complement each other, so before moving up, you should ensure all your controls meet the criteria of the current maturity level.
Essential Eight compliance checklist: 7 steps to follow
To effectively implement the required Essential Eight strategies, you can take these steps:
- Assess the necessary maturity level
- Establish scope
- Perform a gap assessment
- Patch applications and operating systems
- Implement application hardening
- Conduct the assessment
- Monitor and review compliance
Below, we’ll explain what you need to do within each step.
Step 1: Assess the necessary maturity level
When determining the required maturity level, you need to take a risk-based approach. In other words, outline your risk profile and appetite, as well as the sensitivity and confidentiality levels of the data you collect and store.
The specific steps you can take to achieve this include basic-level practices like:
- Auditing network size and complexity
- Assessing internal policies and procedures
- Auditing third-party risks
The final factor to consider is the impact of a potential data breach. Understanding both the financial and non-financial consequences can help you determine the appropriate maturity level.
Step 2: Establish scope
Firstly, you should clearly define why you’re implementing the Essential Eight. This will guide the depth and breadth of the scope—whether it is to meet regulatory requirements, reduce risk exposure, or prepare for future audits.
Next, you’ll create a map of your organisational structure and IT infrastructure. Before any formal audit, you have to establish which applications, assets, and data flows should be included in the boundary and assessed. This ensures you don't waste time securing systems outside your operational environment or compliance needs. Consider known constraints and exceptions before locking in your scope, which could include any legacy systems and compensating controls. Any exceptions need to be well documented and approved by the proper channels.
Next, you'll need to set a target Essential Eight maturity level. To do this, consider the threat environment, data sensitivity, and industry sector in which you operate. This will help you determine the relevant controls without being too rigid and risking disrupting your workflow.
Establishing the Essential Eight scope early on is crucial for effective alignment and compliance. Rushing the process can result in improper control implementation, leaving unidentified vulnerabilities that malicious parties can exploit.
Step 3: Perform a gap assessment
After scoping your IT infrastructure, compare your security posture to the Essential Eight requirements. For comprehensive coverage, you should start with Maturity Level One and work your way up to include all eight mitigation strategies:
- Patch applications
- Patch operating systems
- Application control
- User application hardening
- Multi-factor authentication
- Restrict administrative privileges
- Restrict Microsoft Office macros
- Regular backups
The reason for such a thorough assessment is the complementary nature of the Essential Eight strategies. Levelling up before implementing all the necessary measures of the current level can leave unaddressed vulnerabilities and damage your overall security posture.
If performed well, the gap assessment will inform your starting maturity level and help you determine which in-scope applications to level up.
Step 4: Patch applications and operating systems
Once you’ve scoped your assets and identified gaps, you should begin your patching efforts. Essential Eight defines three target maturity levels, which reflect increasing levels of attacker sophistication and capability:
- Basic cyber threats
- Moderate cyber threats
- Advanced cyber threats
These threats relate to different aspects of your IT infrastructure, including internet-facing services, commonly targeted applications, and network devices. A recommended practice is maintaining a continuously updated asset inventory that includes hardware and software components.
The key challenge here is adequate asset discovery: you can only protect the assets you know about. Without a strong discovery process, unprotected assets go unnoticed, which increases the likelihood that they will be exploited.
When applying patches, response times should correspond with the criticality level, with higher levels prioritised. Note that patching can lead to system disruptions, which you should account for in your incident response plans to avoid excessive downtime.
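The following is an added illustration of the Step 4 idea above (an asset inventory with patch response times keyed to criticality), not code from the article or from Vanta. The SLA windows, host names and dates are constructed placeholders; the real timeframes come from the ASD Maturity Model for your target level.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed remediation windows (hours) per tier: illustrative placeholders, not ASD
# figures. Substitute the timeframes the Maturity Model sets for your target level.
SLA_HOURS = {"critical": 48, "high": 14 * 24, "moderate": 30 * 24}

@dataclass
class PatchItem:
    asset: str                  # hostname from the asset inventory
    software: str               # application or OS component needing the patch
    criticality: str            # "critical", "high" or "moderate"
    internet_facing: bool       # exposure class called out in Step 4
    patch_released: datetime    # when the vendor fix became available
    patched_at: Optional[datetime] = None   # None while the patch is outstanding

def effective_tier(item: PatchItem) -> str:
    """Internet-facing services are escalated to the tightest window."""
    return "critical" if item.internet_facing else item.criticality

def deadline(item: PatchItem) -> datetime:
    return item.patch_released + timedelta(hours=SLA_HOURS[effective_tier(item)])

def status(item: PatchItem, now: datetime) -> str:
    if item.patched_at is not None:
        return "patched_on_time" if item.patched_at <= deadline(item) else "patched_late"
    return "overdue" if now > deadline(item) else "pending"

def patch_report(inventory, now: datetime) -> dict:
    """Bucket inventory entries by status, earliest deadline first in each bucket."""
    report = {"overdue": [], "pending": [], "patched_late": [], "patched_on_time": []}
    for item in sorted(inventory, key=deadline):
        report[status(item, now)].append((item.asset, item.software, deadline(item)))
    return report

# Constructed sample inventory (fictional hosts and dates) for demonstration.
NOW = datetime(2024, 6, 10, 9, 0)
INVENTORY = [
    PatchItem("web-01", "nginx", "high", True, datetime(2024, 6, 7, 9, 0)),
    PatchItem("fs-02", "Samba", "high", False, datetime(2024, 6, 1, 9, 0),
              patched_at=datetime(2024, 6, 5, 9, 0)),
    PatchItem("ws-17", "Office", "moderate", False, datetime(2024, 6, 3, 9, 0)),
    PatchItem("vpn-01", "VPN appliance", "critical", True, datetime(2024, 5, 20, 9, 0),
              patched_at=datetime(2024, 5, 25, 9, 0)),
]

if __name__ == "__main__":
    for bucket, entries in patch_report(INVENTORY, NOW).items():
        for asset, software, due in entries:
            print(f"{bucket:16} {asset:8} {software:14} due {due:%Y-%m-%d %H:%M}")
```

The "overdue" and "patched_late" buckets are the evidence a gap assessment or internal audit would flag, since the page stresses that response times must track criticality.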
Step 5: Implement application hardening
Legacy applications are among the most commonly exploited pathways for successful cyberattacks, so application hardening is used to make them more resilient. This process can be conducted in two ways:
- Reverse engineering protection: These techniques make it harder for attackers to study your app’s structure or logic and craft targeted exploits
- Anti-tampering methods: Designed to detect and prevent unauthorised modifications to your application’s code or runtime environment
The following table outlines examples of both approaches:
Besides these methods, the ASD suggests additional strategies, such as:
- Blocking web advertisements
- Disabling Java on accessed websites
- Disabling Adobe Flash content support
Application hardening should be one of your top priorities, especially if your organisation is resource-constrained and can’t implement all E8 strategies in one go. The key steps to take besides the above technical measures include:
- Restricting administrative privileges
- Implementing strong access policies
- Embedding least privilege principles into organisational culture
Step 6: Conduct the assessment
Essential Eight alignment often involves self-assessments and internal audits—there is no strict requirement to pass a third-party assessment to demonstrate compliance. Still, this might change based on several circumstances, such as:
- Specific government directives or policies
- Decisions made by regulatory bodies
- Contractual obligations
In these cases, you may need a third-party audit to demonstrate E8 compliance to stakeholders who request it.
Even if your organisation isn’t subject to government directives, regulatory oversight, or contractual obligations, a third-party assessment carries more weight than self-assessment. It provides objective insight into the effectiveness of implemented measures and offers increased security assurance beyond internal audits.
The ASD doesn’t mandate a frequency of reassessment, though industry best practices suggest conducting assessments at least annually. Ideally, you’ll also have a continuous monitoring process in place to bridge the gaps between individual reassessments (more on that below).
The Directorate also doesn’t keep an official list of authorised third-party assessors, so any certified third-party auditor or assessor can perform an external audit on E8 maturity. This means you’ll need to explore the available options to find a reputable assessor who will help you understand your obligations and provide support during your compliance initiatives.
Internal audits will likely involve many of the same activities as the initial gap assessment—you’ll compare the implemented controls to E8’s requirements to ensure full adherence. Make sure to document the process and collect sufficient evidence of compliance, as you might need to showcase it to stakeholders or regulatory bodies.
Step 7: Monitor and review compliance
Essential Eight compliance isn’t a one-off project—after achieving compliance, continuous maintenance is what ensures a robust cybersecurity posture. The best way to do this is by setting up a continuous monitoring system that streamlines reassessments and lets you proactively identify any areas of non-compliance.
In many cases, continuous monitoring is challenging for organisations due to a lack of efficient systems and workflows. Many organisations rely on traditional, inefficient monitoring methods that can introduce human error, delay remediation, and make compliance reporting unnecessarily time-consuming, such as:
- Disparate documentation systems
- Manual evidence collection
- Point-in-time assessments
A superior option is to uplevel your security workflows through dedicated software that focuses on centralisation and automation. By adopting the right solution, you can achieve and maintain Essential Eight compliance with less pressure and lower costs.
Automate Essential Eight compliance with Vanta
Vanta is a trust management platform that helps you achieve Essential Eight compliance through pre-built resources and process automation. It offers a dedicated Essential Eight solution that automates up to 50% of compliance workflows, freeing up significant time and energy for your teams.
The product does this through various useful features, most notably:
- Automated evidence collection
- Centralised compliance documentation management
- Pre-built templates for full regulatory coverage
- Continuous visibility into your compliance status
- [integrations_count] integrations with popular software (cloud providers, CRM systems, etc.)
Vanta’s Essential Eight product comes with out-of-the-box support for Maturity Levels One, Two, and Three controls.
For additional support, you can also leverage Vanta’s partner network to connect with auditors and assessors to assist with compliance.
If you want to learn more about the Essential Eight product and see it live, schedule a custom demo for a hands-on experience.