Essential Eight Compliance Checklist

Keep your SME compliant with the ACSC-approved cyber security framework.


Developed by the Australian Cyber Security Centre (ACSC), the Essential Eight framework was originally created to provide government departments and organisations with a structured approach to mitigating cyber risks and to fortify defences against the ever-expanding array of cyber threats.

This pragmatic and adaptable framework is now considered a baseline for all private enterprises and SMEs in Australia, empowering businesses to proactively address vulnerabilities and bolster their cyber security posture to limit their risk.

To learn more about the ACSC Essential Eight compliance, download the Essential 8 Compliance checklist for SMEs here.


How to achieve Essential Eight Compliance for your SME.

To comply with the Essential Eight framework for mitigating cyber security threats, we’ve perfected a simplified five-step process which you can use to manage your progress towards compliance.

Step 1: Assess Your Cybersecurity Posture

Essential Eight compliance can take several phases and iterations. The ACSC defines four maturity levels, each based on mitigating increasing levels of adversary tradecraft (tools, tactics, techniques and procedures) and targeting by malicious actors. These actors can include “hackers”, activists, cybercriminals, cyberterrorists, insiders with malicious intent, and cybersecurity-savvy thrill seekers and mischief makers.

Understanding a business's cybersecurity maturity level provides context from which to approach Essential Eight compliance.

  • Maturity Level Zero: signifies that there are weaknesses in an organisation’s overall cybersecurity posture that, if exploited, are likely to compromise data integrity and confidentiality. If an organisation is at Maturity Level Zero, we can take immediate actions to mitigate these threats.

  • Maturity Level One: focuses on identifying, patching and building resilience against widespread exploits, vulnerabilities and techniques used by malicious actors. These actors rely on a mixture of social engineering and stolen, guessed, reused or brute-forced credentials to weaken IT security and to disrupt, corrupt and in some cases delete their targets’ data and operations.

  • Maturity Level Two: guards against malicious actors who are willing to invest more time in a target in an attempt to take control, and systematically weaken it, adding malicious programs such as ransomware and other ways to exploit or disrupt access while evading detection. Users with special permissions are often the focus of these threats.

  • Maturity Level Three: indicates an organisation’s ability to mitigate threats from more advanced and adaptive malicious actors who may be less reliant on public tools and techniques, instead using sophisticated methods and rare, legacy or little-known exploits to gain access to IT infrastructure. These actors tend to be more targeted and focused in their efforts to exploit vulnerabilities, and in some instances they will maintain a foothold within systems, impersonate users, and cover their tracks to remain undetected for some time while they achieve their goals.

Step 2: Secure Your Accounts

For SMEs, securing user accounts is one of the most basic but practical ways to protect sensitive data and mitigate other cyber threats. This includes enforcing strong password hygiene, implementing a password management system, enforcing multi-factor authentication, and whitelisting access to sensitive databases, devices and applications across all servers.

Step 3: Patch Your Applications

As part of routine maintenance, organisations should ensure that any vulnerabilities discovered are remediated promptly with the latest patch releases for operating systems, applications and devices. When alerted, higher-risk and critical patches should always be given priority and applied immediately.

Another area of vulnerability is macros: programmed processes that automate tasks and calculations, commonly found in Microsoft Office software. Many macros are genuinely useful to a business, so taking the time to understand how they are created, and what the implications of blocking them would be, helps you take the right actions.
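The Essential Eight macro control is implemented through Office policy settings, so the first practical step is to see what is actually configured on a workstation. The read-only audit below is an added example (not code from IT Strategic or the ACSC); it assumes Office 2016 or later (policy path 16.0), the Word, Excel and PowerPoint applications, and that Group Policy writes the settings to the current user's policy hive.

```powershell
# Added example, not code from IT Strategic or the ACSC: read-only audit of the
# Office macro policy values behind the Essential Eight "Configure Microsoft
# Office macro settings" control. Assumes Office 2016+ (policy path "16.0") and
# reads the current user's policy hive, where Group Policy places these values.
$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$findings = @()

foreach ($app in $apps) {
    $sec = Get-ItemProperty -Path "$base\$app\Security" -ErrorAction SilentlyContinue

    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable without notification.
    # A missing value means the Office default applies and users can change it.
    $vba = if ($sec -and $null -ne $sec.VBAWarnings) { $sec.VBAWarnings } else { 'not set' }
    $vbaOk = $vba -in 3, 4

    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the
    # Mark of the Web (downloaded from the internet or received as attachments).
    $motw = if ($sec -and $null -ne $sec.blockcontentexecutionfrominternet) {
        $sec.blockcontentexecutionfrominternet
    } else { 'not set' }
    $motwOk = $motw -eq 1

    $findings += [pscustomobject]@{
        Application      = $app
        MacroSetting     = $vba
        MacrosRestricted = $vbaOk
        InternetBlocked  = $motwOk
    }
}

# MacroRuntimeScanScope (Common\Security): 0 = off, 1 = low-trust documents only,
# 2 = all documents. Essential Eight expects macro antivirus scanning to be on.
$common = Get-ItemProperty -Path "$base\Common\Security" -ErrorAction SilentlyContinue
$scan = if ($common -and $null -ne $common.MacroRuntimeScanScope) {
    $common.MacroRuntimeScanScope
} else { 'not set' }

$findings | Format-Table -AutoSize
"Macro runtime antivirus scanning: $scan (expected 2 = all documents)"
$gaps = $findings | Where-Object { -not $_.MacrosRestricted -or -not $_.InternetBlocked }
if ($gaps -or $scan -ne 2) {
    "Gaps found: resolve these before claiming Maturity Level One for this control."
}
```

Run it as the signed-in user on a sample of workstations; a value reported as "not set" means the control is relying on Office defaults rather than an enforced policy, which is itself a finding.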

Step 4: Protect Your Ecosystem

The Essential Eight framework recommends several all-of-ecosystem cybersecurity best practices, including “application hardening”. As the name suggests, application hardening is the process of ensuring digital applications have the highest degree of protection and resilience possible.

Keeping applications updated with the latest patches is the first step and the process is supplemented by implementing specialised security solutions that are designed to detect, block, obfuscate and prevent malware from being introduced. Some application hardening techniques include:

  • Blocking or limiting settings for certain web browsers and applications for users

  • Sunsetting or expiring legacy systems and unused accounts

  • Restricting administrative privileges and controls, preventing users from accessing certain areas or files from the internet and other online services

  • Implementing integrity checking protocols

  • Creating secure and automated backups

  • Implementing endpoint detection and response mechanisms

  • Installing or updating the latest anti-spam and anti-phishing software

  • Adding encryption and other forms of tamper protection to form and data submissions

  • And more.

Step 5: Educate Your Team

The stark reality is that most severe cyber security vulnerabilities are human-originated. The best protection is therefore education.

A well-trained and compliant workforce can recognise suspicious activities, practise secure behaviours, and adhere to established protocols that reduce the likelihood of breaches and mitigate the potential damage to an organisation's data, reputation and equity. Additionally, cybersecurity training fosters a culture of awareness and accountability, where employees understand their role in maintaining a secure digital environment, ultimately contributing to the overall resilience of the organisation against cyber threats.

Looking for cyber security training? We’ve partnered with specialists to offer self-paced cyber security training and year-round testing that your team can undertake and that your organisation can monitor to round out your Essential Eight compliance. Learn more about our Cyber Security Awareness & Testing for your whole organisation.

Gain complete confidence in your Essential Eight compliance with IT Strategic

As a member of the ACSC, IT Strategic proudly advocates and specialises in Essential Eight compliance for small and mid-sized data-driven organisations such as NFPs, education, recruitment and businesses servicing professional services industries.

Need help with Essential Eight compliance? Contact us today for a FREE initial consultation.