
Essential 8 Summary
Each answer below is paired with the estimated maturity level it corresponds to.
How does your organisation manage software installation and patching?
Maturity Level 0: Anyone can install software; patching is ad hoc or manual
Maturity Level 1: Admins control software installs; critical patches applied within 30 days
Maturity Level 2: Application allowlisting is enforced; critical patches applied within 2 weeks
Maturity Level 3: Allowlisting is fully enforced across all systems; critical patches applied within 48 hours with automated scanning

How does your organisation handle Microsoft Office macros?
Maturity Level 0: Macros are not controlled; any macro can run without warning or restriction
Maturity Level 1: Users are warned before macros run, but can override
Maturity Level 2: Only signed/trusted macros are permitted; untrusted macros are blocked
Maturity Level 3: Macros are disabled organisation-wide or only permitted from trusted, centrally managed locations

Where does your organisation require multi-factor authentication?
Maturity Level 0: MFA is not used
Maturity Level 1: MFA is used for some remote access (e.g. VPN)
Maturity Level 2: MFA is required for all remote access and privileged accounts
Maturity Level 3: MFA is required for all users on all systems, including cloud services and internet-facing applications, using phishing-resistant methods

How does your organisation manage privileged/admin accounts?
Maturity Level 0: Admin accounts are used for everyday tasks; access is not regularly reviewed
Maturity Level 1: Admin accounts are separate from standard accounts but not tightly controlled
Maturity Level 2: Privileged access is formally managed; just-in-time or time-limited admin access is partially implemented
Maturity Level 3: Privileged access is strictly controlled and regularly audited, and admin accounts are prevented from accessing the internet and email

How does your organisation manage data backups?
Maturity Level 0: Backups are infrequent, untested, or stored on the same network as production data
Maturity Level 1: Backups are performed regularly but restoration is rarely tested
Maturity Level 2: Backups are performed daily, stored offline or offsite, and tested periodically
Maturity Level 3: Backups are comprehensive, tested regularly, stored offline/offsite, and recovery time objectives are verified