The ACSC Essential Eight
The Australian Cyber Security Centre's Essential Eight is the control set almost every serious conversation about Australian SME cybersecurity ends up referencing. This is our plain-English map: what each control does, which maturity level you should be aiming for, and what CCP actually does to get you there and hold you there.
What the Essential Eight is
Published and maintained by the Australian Signals Directorate's ACSC. The eight controls aren't the only things that matter in cybersecurity, but in 2026 they are the lingua franca: insurers score against them, larger clients ask about them, regulators reference them, and every serious cyber-incident post-mortem maps back to one or more of them.
We map our services against this framework deliberately, because it's the one our clients are being asked about.
Go to the source
Our pages are a plain-language guide; the canonical definitions live with the ACSC. If you're producing evidence for a regulator, quote from these.
The canonical control definitions and ML1/ML2/ML3 requirements.
ACSC's own plain-language introduction to the eight mitigation strategies.
How the ACSC expects Essential Eight assessments to be conducted, if you are running one formally.
The eight controls
Only letting approved programs run on your computers. Everything else is blocked by default.
Read the controlKeeping your software up to date so it has the latest security fixes.
Read the controlStopping the little automation scripts inside Word and Excel from running unless they're from a trusted source.
Read the controlTurning off features in web browsers and Office that attackers commonly abuse.
Read the controlMaking sure only the people who need admin rights have them, and only when they need them.
Read the controlKeeping Windows, macOS, Linux and your server operating systems up to date.
Read the controlRequiring something more than a password to log in (a code, a key, an app).
Read the controlKeeping copies of your important data somewhere safe, and regularly testing that you can actually restore them.
Read the controlMaturity levels
Four levels run from ML0 to ML3. Overall maturity is scored against your weakest control, not averaged. Pick the lowest level that satisfies the people auditing you and the people whose data you hold, plus a small margin.
Partial or missing controls, no documented evidence. Where most mid-market Australian businesses sit before they've been assessed properly. ML0 is never a goal; the conversation is always about a realistic path to ML1 or above.
Controls that stand up to publicly-available adversary tradecraft. Right for businesses that don't hold materially sensitive client information. The baseline most cyber-insurance renewals and standard vendor-security audits now expect.
Controls tuned against more capable adversaries, with real isolation of privileged access and proper evidence trails. Right for law, finance, health and regulated services. This is where CCP lives and breathes.
Depth, centralised logging of privileged activity, hardware-backed credential protection, continuous validation. Built for defence-adjacent work, classified-information environments, and enterprises large enough to attract a dedicated threat actor.
Three questions will get you the right answer.
Interactive tool · three questions
Your recommended target
Answer the three questions to see the level that fits your business, and the reason for it.
Your business holds no data that, if breached, would meaningfully harm the people you serve. A breach costs you operationally but doesn't land other people in trouble. Most trades, light retail, logistics, marketing and professional services without privileged client data sit here. Our standard Managed IT Complete stack is designed to hold this level without you having to think about it.
You hold information whose exposure would do real harm to your clients, patients, donors or counterparties. Law firms, financial services, accounting, health and allied-health, education, not-for-profits with beneficiary data, conveyancers. This is CCP's native target: our Managed IT Complete plus Compliance stack is built to reach ML2 and hold it.
You handle classified or highly sensitive information under a specific obligation: defence supply chain, top-secret work, critical-infrastructure operators. If you're wondering whether ML3 applies, it almost certainly doesn't; the parties who need ML3 have been told so in writing.
Not a target, a starting point. If an honest assessment puts you here, the conversation is about a realistic path to ML1, ML2 or ML3, whichever profile above matches your business.
Free self-assessment
Score yourself. Get a branded PDF.
Short self-assessment you can run yourself. Answer honestly for where you sit today and download a CCP-branded PDF report you can share with your board, broker or auditor. Runs entirely in your browser. No email required, nothing sent to us unless you choose to book a call.
Take the self-assessmentHow CCP helps you get there
Cyber maturity isn't a one-shot project. It's a cycle. Each pass through the loop, we re-audit against the current bar, learn from what changed in your environment, and step the maturity up. The threats move and your environment moves; the loop is the only honest answer.
Step 01
01 · Assess where you actually sit.
A written, honest audit of the environment against the ACSC criteria, control by control. You get a current-state posture rating for each of the eight controls and a single overall maturity level that reflects the weakest among them.
Click any step to read it
Step 01
A written, honest audit of the environment against the ACSC criteria, control by control. You get a current-state posture rating for each of the eight controls and a single overall maturity level that reflects the weakest among them.
Common questions
For questions about a specific control (macros, backups, MFA, etc.), see that control's page.
The qualifier
Seven questions, one moment of your time. We'd rather tell you now than three months in.
