Cyber security compliance is not optional. For Australian businesses, it’s a board-level issue. The ASD Essential 8 is a practical, Australian Government-endorsed framework designed to reduce risk and harden systems against cyber attacks. It’s not theory; it’s a security baseline.
CFOs need to understand how these controls protect sensitive data and reduce liability. IT managers need a clear roadmap to implement and maintain them. That’s where this Essential 8 checklist comes in. It breaks down each control into action items you can track and measure.
This isn’t just about passing audits; it’s about reducing exposure, avoiding operational downtime, and building trust with stakeholders. The sooner you align with the Essential Eight compliance standards, the stronger your security posture becomes.
What is the Essential 8?
The Australian Cyber Security Centre (ACSC), the cyber security arm of the Australian Signals Directorate (ASD), developed the Essential 8 as a set of cyber mitigation strategies. It’s used to assess and improve the resilience of business systems against cyber threats.
There are eight core controls. Each one addresses a specific vulnerability area, like patching applications, restricting admin privileges, or enforcing multi-factor authentication (MFA).
The goal is to make it harder for attackers to gain access, move laterally, and cause damage. These aren’t advanced tactics for elite IT teams. They’re baseline protections every mid-sized business should have.
Each control is measured using a maturity model. Levels range from 0 (not implemented) to 3 (fully aligned and monitored). Most insurers and regulators now expect businesses to meet at least Maturity Level 2.
If you’re not sure where you stand, this Essential 8 compliance guide will help. Use it to identify gaps, track improvements, and demonstrate a proactive security strategy. Compliance doesn’t guarantee safety, but it puts you in a far better position to respond when a cyber attack happens.
The Essential 8 Checklist: Assess Your Safeguards
Each item in the Essential 8 is a specific, actionable mitigation strategy. Use this checklist to assess where you stand and what still needs work.
1. Application Control
Stop unauthorised applications from running on desktops, laptops, and servers.
How to check:
- Review your allowlist policy. Are only approved apps permitted to run?
- Check for unauthorised scripts or executables using audit logs or endpoint tools.
- Use a software restriction tool like Microsoft AppLocker or WDAC. Verify it's actively enforced on all endpoints.
Common gaps: Too many users with install rights. Missing enforcement on legacy systems. No central visibility of software activity.
Why it matters: Application control is your first line of defence. It limits what malicious code can do, even if it gets in.
2. Patch Applications
Ensure security patches for third-party software are applied quickly (usually within 48 hours).
How to check:
- Review patching tools or reports. Are updates deployed consistently across all endpoints?
- Audit a sample of machines for current patch levels on apps like Chrome, Adobe Reader, Java, and Office.
- Track patch release dates vs. your deployment timelines.
Common gaps: Lack of patch management for remote devices. Delayed updates due to legacy software or integration risk.
Why it matters: Unpatched apps are a known entry point for cyber threats. Patching applications closes those gaps fast.
3. Configure Microsoft Office Macros
Control the use of Microsoft Office 365 macros to prevent them from launching malicious code.
How to check:
- Open Group Policy settings. Are macros from the internet blocked by default?
- Check if unsigned or untrusted macros can run (they shouldn’t).
- Review Office Trust Center settings across user profiles.
Common gaps: Macros enabled for legacy workflows. Inconsistent enforcement across departments.
Why it matters: Macros are still a top vector for malware. Harden this weak spot to reduce your exposure.
4. User Application Hardening
Disable risky features in common apps like browsers and PDF readers.
How to check:
- Confirm Flash is uninstalled or disabled.
- Use browser management policies to block Java, ads, and untrusted scripts.
- Review PDF reader settings. Are JavaScript and external content blocked?
Common gaps: Default settings left unchanged. Hardening not applied on BYOD or remote machines.
Why it matters: Hardened user apps limit how attackers can exploit everyday tools.
5. Restrict Administrative Privileges
Limit admin rights to users who genuinely need them, and only for the time required.
How to check:
- Audit Active Directory groups for local admin rights.
- Check how privilege escalation is managed. Is there a just-in-time or approval-based process?
- Review logging and monitoring of admin activity.
Common gaps: Permanent admin access. No regular privilege review. Admin accounts used for everyday work.
Why it matters: If an attacker gets admin access, they own your environment. Limit it to limit your risk.
6. Patch Operating Systems
Apply OS updates within 48 hours, and make sure no unsupported versions are in use.
How to check:
- Use system management tools (like SCCM, Intune, or RMM tools) to report on OS versions and patch status.
- Compare patch dates to Microsoft’s release schedule.
- Flag and isolate any machines still running unsupported systems (like Windows 7).
Common gaps: Manual update processes. Patch failures going unnoticed. Unsupported servers still online.
Why it matters: Operating systems are prime targets. Patching them quickly reduces your attack surface.
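Controls 2 and 6 both come down to the same measurement: the gap between a vendor's patch release and the time it lands on each endpoint, against the 48-hour window above. The script below is an added example (not part of this checklist or any vendor tool) that runs that check over a constructed inventory export; the host names, dates and the unsupported-OS list beyond Windows 7 are assumed for illustration.

```python
from datetime import datetime, timedelta

# Window the checklist sets for controls 2 and 6: patches applied within 48 hours.
PATCH_WINDOW = timedelta(hours=48)

# Out-of-support builds to flag and isolate. Windows 7 is the checklist's
# example; the second entry is an assumed addition for illustration.
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2008 R2"}

# Constructed inventory export (illustrative dates, not real releases): one row
# per endpoint/product, with the vendor release time and the time the patch was
# confirmed installed (None = still outstanding).
INVENTORY = [
    {"host": "FIN-LT-01", "os": "Windows 11", "product": "Chrome",
     "released": "2024-05-01T02:00", "installed": "2024-05-01T20:00"},
    {"host": "FIN-LT-02", "os": "Windows 11", "product": "Adobe Reader",
     "released": "2024-05-01T02:00", "installed": "2024-05-05T09:00"},
    {"host": "OPS-SRV-03", "os": "Windows Server 2019", "product": "Windows OS",
     "released": "2024-05-14T10:00", "installed": None},
    {"host": "HR-PC-07", "os": "Windows 7", "product": "Windows OS",
     "released": "2024-05-14T10:00", "installed": "2024-05-15T08:00"},
]


def patch_findings(inventory, now_iso):
    """Rate each row 'ok', 'late' or 'missing' and record the lag in hours.

    An outstanding patch is measured against `now_iso`, so an open gap keeps
    growing in the report instead of silently dropping out of it.
    """
    now = datetime.fromisoformat(now_iso)
    findings = []
    for row in inventory:
        released = datetime.fromisoformat(row["released"])
        installed = datetime.fromisoformat(row["installed"]) if row["installed"] else None
        lag = (installed or now) - released
        if installed is None:
            status = "missing"
        elif lag <= PATCH_WINDOW:
            status = "ok"
        else:
            status = "late"
        findings.append({"host": row["host"], "product": row["product"], "status": status,
                         "lag_hours": round(lag.total_seconds() / 3600, 1)})
    return findings


def unsupported_hosts(inventory):
    """Hosts still running an OS the checklist says to flag and isolate."""
    return sorted({r["host"] for r in inventory if r["os"] in UNSUPPORTED_OS})


if __name__ == "__main__":
    for f in patch_findings(INVENTORY, "2024-05-16T10:00"):
        print(f"{f['host']:<11}{f['product']:<13}{f['status']:<8}{f['lag_hours']:>7.1f} h")
    print("unsupported OS:", unsupported_hosts(INVENTORY))
```

Feed it the export from your patching or RMM tool in the same shape and the "late" and "missing" rows are the evidence for the gap list in the maturity assessment.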
7. Multi-Factor Authentication (MFA)
Require MFA for remote access, admin accounts, and critical business apps.
How to check:
- Verify that MFA is enabled for all remote logins, email accounts, and admin portals.
- Use identity management dashboards to confirm enforcement.
- Test login processes yourself to confirm MFA is required.
Common gaps: MFA exemptions for executives or legacy systems. SMS-based MFA still in use.
Why it matters: MFA stops most credential-based attacks. It’s one of the most effective mitigation strategies available.
8. Regular Backups
Back up critical data regularly and test your ability to restore it.
How to check:
- Review backup schedules. Are daily backups in place?
- Inspect storage locations. Are backups stored offline, or with immutability enabled?
- Conduct a test restore of a system or data set. Measure time to recovery.
Common gaps: Unverified backups. No air-gapped copies. Recovery process untested under real conditions.
Why it matters: When a cyber attack hits, backups are your insurance policy. But only if they work.
How to Assess Your Target Maturity Level
The ASD Essential 8 Maturity Model has four levels, from 0 to 3. Each level reflects how effectively the eight controls are implemented.
- Level 0: Nothing is in place. There are gaps in visibility, tools, and policy.
- Level 1: Basic controls are present, but not consistently applied. Attackers can still bypass them easily.
- Level 2: Controls are enforced and monitored. This is the minimum most insurers and compliance bodies now expect.
- Level 3: Strongest level. Controls are integrated across systems and actively tested to stop targeted attacks.
Assessing Your Maturity Level
- Start by reviewing the above checklist.
- For each control, ask: Is it in place? Is it enforced? Is it monitored?
- Document evidence: screenshots, reports, policy links.
- Identify controls sitting below your desired maturity level.
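One way to turn those four steps into a repeatable gap report, as an added example rather than an ASD or ACSC tool: record the three checklist answers per control, map them to a level, and list every control sitting below the target. The level mapping is assumed from the level descriptions above, and the rule that the overall level is capped by the weakest control is an assumption as well; the sample answers are constructed.

```python
from dataclasses import dataclass

# The eight controls, in the checklist's order.
CONTROLS = (
    "Application control", "Patch applications", "Configure Office macros",
    "User application hardening", "Restrict admin privileges",
    "Patch operating systems", "Multi-factor authentication", "Regular backups",
)


@dataclass
class Evidence:
    """Answers to the checklist questions, plus whether the control is actively tested."""
    in_place: bool = False
    monitored: bool = False
    enforced: bool = False
    tested: bool = False


def control_level(ev):
    """Map the answers to a level 0-3 (mapping assumed from the level descriptions above)."""
    if not ev.in_place:
        return 0                        # Level 0: nothing in place
    if not (ev.enforced and ev.monitored):
        return 1                        # Level 1: present but not consistently applied
    return 3 if ev.tested else 2        # Level 2: enforced and monitored; 3: also actively tested


def assess(evidence, target=2):
    """Per-control levels, the controls below target, and the overall level.

    Assumption: overall maturity is capped by the weakest control, since an
    attacker only needs one gap. A control with no documented evidence is Level 0.
    """
    levels = {name: control_level(evidence.get(name, Evidence())) for name in CONTROLS}
    gaps = {name: lvl for name, lvl in levels.items() if lvl < target}
    return {"levels": levels, "overall": min(levels.values()), "gaps": gaps}


# Constructed self-assessment for an illustrative mid-sized business.
SAMPLE = {
    "Application control": Evidence(in_place=True, enforced=True, monitored=True),
    "Patch applications": Evidence(in_place=True, enforced=False, monitored=True),
    "Configure Office macros": Evidence(in_place=True, enforced=True, monitored=True, tested=True),
    "User application hardening": Evidence(in_place=True, enforced=True, monitored=False),
    "Restrict admin privileges": Evidence(in_place=True, enforced=True, monitored=True),
    "Patch operating systems": Evidence(in_place=True, enforced=True, monitored=True),
    "Multi-factor authentication": Evidence(in_place=True, enforced=True, monitored=True),
    # "Regular backups" deliberately left out: no evidence documented, so Level 0.
}

if __name__ == "__main__":
    result = assess(SAMPLE, target=2)
    print("overall level:", result["overall"], "| below target:", result["gaps"])
```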
Assess Your Risk Controls Now
This Essential 8 compliance checklist gives you a practical way to assess, plan, and improve. The controls are clear. The benefits are measurable. The risk of inaction is growing.
But you’re not alone.
Planet6 can guide you on a road to stronger security.
We help Australian businesses of all sizes build cyber maturity with practical support, Essential 8 assessments, and ongoing implementation guidance.
If you want to know where your organisation stands, reach out for a review. No pushy sales talk, no strings attached. Just straightforward answers from people who know what they’re talking about.