
ASD Essential Eight Maturity Assessment — A 2026 Guide for Australian MSPs

Published 24 April 2026 · 12 min read

The Australian Signals Directorate's Essential Eight is the closest thing Australia has to a mandatory cybersecurity baseline. For government and regulated-industry clients, being able to assess maturity quickly — and produce an audit-ready report — is the difference between winning and losing contracts.

This guide covers: what the Essential Eight actually is, what each maturity level means, how to assess a customer's posture using evidence from your RMM, and what auditors look for in a maturity report.

The Essential Eight in one paragraph

The Essential Eight is a set of eight mitigation strategies published by ASD (via cyber.gov.au) to reduce the impact of cyber intrusions targeting internet-connected IT networks. Think of it as the "if you do only eight things, do these" list — originally derived from incident data showing which controls would have prevented the most real-world breaches.

The eight mitigations

  1. Application control — only approved executables, scripts, and installers can run. Stops ransomware dead in its tracks.
  2. Patch applications — keep software like Office, browsers, and PDF readers up to date within defined windows.
  3. Configure Microsoft Office macro settings — disable macros from the internet, limit macros in general.
  4. User application hardening — disable Java in browsers, disable Flash (if still there), block ads, restrict risky browser features.
  5. Restrict administrative privileges — separate admin accounts from daily-driver accounts, revalidate privileges periodically.
  6. Patch operating systems — keep Windows, macOS, Linux up to date within defined windows.
  7. Multi-factor authentication (MFA) — on all privileged access, all remote access, and increasingly, all access to sensitive data.
  8. Regular backups — daily backups, tested, stored offline/immutable, quickly restorable.

Maturity Levels 0 through 3

ASD defines four maturity levels per mitigation. The levels are cumulative: Level 3 includes everything from Level 2, which includes everything from Level 1.

  • Level 0 — weaknesses exist that make compromise trivial. This is where you'd be if you hadn't deliberately implemented the control.
  • Level 1 — mitigates adversaries using common tradecraft. Suitable for opportunistic cybercriminals.
  • Level 2 — mitigates adversaries willing to invest more time. State-affiliated espionage territory.
  • Level 3 — mitigates adversaries with significant resources, willing to use zero-day exploits. This is genuinely hard.

Most Australian SMBs aim for Level 1. Regulated industries (government, defence, critical infrastructure) increasingly require Level 2 across all eight. Level 3 is a standing commitment that requires ongoing investment.

What each level actually looks like — application control as an example

  • Level 1: Application control on workstations, based on path or publisher.
  • Level 2: Application control on workstations and servers, based on publisher certificate and file hash.
  • Level 3: Level 2 plus Microsoft's recommended block rules, driver and script signing verification, and annual ruleset review.

The gap between "we run AppLocker" and Level 2 is typically 6-12 months of work. Between Level 2 and Level 3, another 6-12 months. This is why the maturity model is useful — it gives you a roadmap.

How to actually assess maturity

ASD's own ISM assessment approach is structured but labour-intensive. For an MSP servicing multiple customers, hundreds of manual reviews per year is not a workable volume.

The practical approach is evidence-based assessment driven by your RMM:

  1. Patching — pull patch status from Tactical RMM / Atera. Calculate "days since last patch" per endpoint, aggregate per mitigation.
  2. MFA — query Microsoft 365 / Google Workspace admin APIs for MFA registration status per account.
  3. Application control — run a one-liner script to check AppLocker / WDAC policy presence. Collect from all endpoints.
  4. Macros — registry-based audit script checking macro security policy.
  5. Admin privileges — enumerate local admin groups, compare against sanctioned list.
  6. Backups — check backup agent last-success timestamp, verify restore test logs exist.

Each piece of evidence scores the mitigation against the ASD level definitions. Aggregate across customer endpoints → maturity level per mitigation → overall posture.

What auditors look for in a maturity report

A credible maturity report has five things:

  1. Scope statement — which systems are in scope, which aren't, why.
  2. Evidence trail — per control, per endpoint, what was checked and when.
  3. Gap analysis — which controls are below target, with remediation recommendations.
  4. Exception register — controls where the target isn't feasible, with compensating controls documented.
  5. Attestation — signed off by someone accountable. Not a CIO rubber-stamping; an engineer who can defend the numbers.

Auditors don't expect perfection. They expect evidence that you've measured objectively and are working on the gaps.

Common mistakes

  • Claiming Level 2 application control without hash verification — path-based rules are Level 1, not 2. Easy to miss.
  • Measuring MFA at account-creation but not ongoing enforcement — MFA only counts if it's enforced at every sign-in.
  • Treating "we have backups" as Level 2 — Level 2 requires testing restore. Untested backups are Level 1 at best.
  • Mixing maturity levels across controls and reporting a single number — ASD's model is per-control. A customer can legitimately be Level 2 on patching but Level 1 on macros.
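As an added worked example (not BBN Helpdesk's code, and not a Tactical RMM, Atera or Microsoft 365 API client), the scoring step from the evidence-based procedure above, written in Python over constructed evidence records shaped like a normalised RMM export and an MFA registration report. It encodes the per-control rules and the caps from the common-mistakes list: path- or publisher-based application control stops at Level 1, untested backups stop at Level 1, MFA only counts when enforced at sign-in, and the output is one level per mitigation with the endpoints holding it back, never a single blended number. The patch windows, the weakest-endpoint aggregation rule and the record fields are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    """One normalised RMM record (constructed shape, not a Tactical RMM or Atera schema)."""
    name: str
    os_patch_age_days: int                   # days since the last OS patch was applied
    app_patch_age_days: int                  # days since the last third-party app patch
    applocker_rule_type: str                 # "none", "path", "publisher" or "hash"
    backup_last_success_days: Optional[int]  # None: no agent, or never succeeded
    backup_restore_tested: bool              # a restore test log exists for this cycle


@dataclass
class Account:
    """One identity-provider record, e.g. from an M365 MFA registration report."""
    upn: str
    mfa_registered: bool
    mfa_enforced: bool                       # required at every sign-in, not merely registered


# Assumption: a tighter patch window per level. Illustrative numbers only, not
# ASD's published timeframes; substitute the current cyber.gov.au values.
PATCH_WINDOW_DAYS = {1: 30, 2: 14, 3: 7}


def patch_level(age_days: int) -> int:
    """Highest level whose patch window the endpoint still satisfies."""
    for level in (3, 2, 1):
        if age_days <= PATCH_WINDOW_DAYS[level]:
            return level
    return 0


def app_control_level(rule_type: str) -> int:
    """Path or publisher rules stop at Level 1; Level 2 needs hash rules. Level 3 also needs
    block-rule and ruleset-review evidence this record does not carry, so the cap is 2."""
    return {"none": 0, "path": 1, "publisher": 1, "hash": 2}.get(rule_type, 0)


def backup_level(last_success_days: Optional[int], restore_tested: bool) -> int:
    """No daily backup is Level 0; daily but untested backups are Level 1 at best."""
    if last_success_days is None or last_success_days > 1:
        return 0
    return 2 if restore_tested else 1


def mfa_level(accounts: List[Account]) -> int:
    """MFA counts only when enforced at sign-in for every account; registration alone is 0.
    Higher levels need evidence (e.g. phishing-resistant methods) this export lacks."""
    if not accounts or not all(a.mfa_enforced for a in accounts):
        return 0
    return 1


def assess(endpoints: List[Endpoint], accounts: List[Account]) -> Dict[str, dict]:
    """Score each mitigation separately. Assumption: the customer's level for a mitigation
    is its weakest endpoint's level; the endpoints at that level feed the gap analysis."""
    per_endpoint = {
        "patch_os": {e.name: patch_level(e.os_patch_age_days) for e in endpoints},
        "patch_apps": {e.name: patch_level(e.app_patch_age_days) for e in endpoints},
        "app_control": {e.name: app_control_level(e.applocker_rule_type) for e in endpoints},
        "backups": {e.name: backup_level(e.backup_last_success_days, e.backup_restore_tested)
                    for e in endpoints},
    }
    report = {}
    for mitigation, levels in per_endpoint.items():
        level = min(levels.values()) if levels else 0
        report[mitigation] = {"level": level,
                              "weakest": sorted(n for n, lv in levels.items() if lv == level)}
    report["mfa"] = {"level": mfa_level(accounts),
                     "weakest": sorted(a.upn for a in accounts if not a.mfa_enforced)}
    return report


def gaps(report: Dict[str, dict], target: int) -> List[str]:
    """Mitigations below the target level, reported per control rather than as one number."""
    return sorted(m for m, r in report.items() if r["level"] < target)


# Constructed sample evidence for a small customer.
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01", 3, 5, "hash", 0, True),
    Endpoint("ws-02", 10, 20, "path", 1, False),
    Endpoint("srv-01", 45, 12, "publisher", None, False),
]
SAMPLE_ACCOUNTS = [
    Account("alice@example.test", True, True),
    Account("bob@example.test", True, False),   # registered but not enforced by policy
]

if __name__ == "__main__":
    result = assess(SAMPLE_ENDPOINTS, SAMPLE_ACCOUNTS)
    for mitigation, r in result.items():
        print(f"{mitigation:12} Level {r['level']}  holding back: {', '.join(r['weakest']) or '-'}")
    print("below Level 1 target:", gaps(result, 1))
```

The `weakest` lists are what goes into the evidence trail and gap analysis: they name the exact endpoints or accounts an auditor can trace a level back to, and the macro-settings, user-hardening and admin-privilege checks from the procedure slot in as further per-endpoint scorers of the same shape.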

How BBN Helpdesk automates this

The BBN Helpdesk module includes an Essential Eight Maturity Assessment workflow that:

  • Pulls evidence automatically from Tactical RMM and Atera APIs
  • Runs scheduled audit scripts on endpoints to collect on-device evidence
  • Maps evidence to ASD level definitions per mitigation
  • Produces a per-customer maturity report with gap analysis and remediation recommendations
  • Tracks improvement over time — point-in-time snapshots you can compare quarter-over-quarter

You're still the accountable engineer making the calls. The tool just saves you 20 hours per assessment.

