Essential Eight Assessment
Assurance Bureau delivers independent Essential Eight maturity assessments for organisations that need to know exactly where they stand against the Australian Signals Directorate (ASD) baseline, and what it will take to reach their target maturity level. Whether the driver is a state or federal government policy such as Queensland's IS18, a Defence supply chain obligation, a tender requirement, or board-level assurance, our assessments give you a clear, evidence-based picture of your current posture and a prioritised path forward.
Assurance Bureau is led by a Principal Consultant who is an ASD-endorsed IRAP Assessor and holds an active Australian Government NV1 security clearance. IRAP Assessors are endorsed by ASD to assess systems against the Information Security Manual (ISM), and the Essential Eight is drawn from that same body of ASD controls.
What is the Essential Eight?
The Essential Eight is a set of eight prioritised mitigation strategies developed by the ASD and promoted through the Australian Cyber Security Centre (ACSC). Together they form Australia's de facto baseline for defending internet-connected systems against the most common cyber threats. The eight strategies are:
Application control
Patch applications
Configure Microsoft Office macro settings
User application hardening
Restrict administrative privileges
Patch operating systems
Multi-factor authentication
Regular backups
Implementation is measured against the Essential Eight Maturity Model, which defines four maturity levels. Maturity Levels Zero, One, Two, and Three reflect the mitigation of increasing levels of adversary tradecraft and targeting, with Level Three offering the most robust posture. ASD guidance is to reach the same maturity level across all eight strategies before progressing to a higher one, so a single weak strategy holds back your overall result. The Essential Eight is assessed and reported as a package.
Why organisations need an Essential Eight assessment
State and territory government policies. Most Australian states and territories require their agencies to implement and report against the Essential Eight. In Queensland, the Information and cyber security policy (IS18) requires agencies to implement the strategies and select a maturity target based on risk, alongside an ISO 27001-based information security management system, with annual attestation. New South Wales (Cyber Security Policy), Western Australia (Cyber Security Policy 2024), and South Australia (SACSF) all centre on Maturity Level One as the baseline, and Victoria's Protective Data Security Standards incorporate the Essential Eight within their controls.
Protective Security Policy Framework (PSPF). At the federal level, non-corporate Commonwealth entities are required to implement the Essential Eight to at least Maturity Level Two.
Defence Industry Security Program (DISP). Under the Defence Security Principles Framework (DSPF), all DISP members are required to achieve and maintain the full Essential Eight at Maturity Level Two across the ICT systems used to correspond with Defence.
Government tenders and supply chain. Many requests for tender specify an Essential Eight maturity level as a prerequisite to bid, and suppliers to government and to Defence primes are increasingly asked to evidence their maturity before work is awarded.
What we assess
Implementation and effectiveness of each of the eight mitigation strategies across the systems within your assessment boundary
The quality of evidence behind each control, tested against the ACSC evidence standards rather than accepted on policy statements alone
Your current maturity level for each strategy, the gaps to your target level, and prioritised remediation documented in a clear assessment report to support your uplift planning
How an engagement works
Scope. We agree your target maturity level, the systems in scope, and your drivers, whether that is insurance, a tender, DISP, or board assurance.
Assess. We review configuration, documentation, and evidence across all eight strategies, validating that controls are implemented and operating rather than simply documented.
Report. You receive a clear assessment report stating your current maturity for each strategy, the gaps to your target, and a remediation roadmap prioritised by risk and effort.
Support uplift. We remain available to clarify findings and guide remediation, so the report drives action rather than sitting on a shelf.
Important to understand
An Essential Eight assessment is an independent, point-in-time evaluation of your maturity against the ASD model. It is not a certification or registration, and a reported maturity level is a measurement rather than a guarantee. Maturity must be maintained through ongoing patching, monitoring, access review, and restore testing, so we frame our findings to support continuous improvement rather than a one-off result. Where a contract or regulatory condition calls for a specific maturity level, the assessment gives you the evidence base to demonstrate and defend it.
Why Assurance Bureau
Led by an ASD-endorsed IRAP Assessor. The Essential Eight is drawn from the Information Security Manual (ISM), so the controls our Principal is credentialed to assess for IRAP are the same ones that underpin the Essential Eight
Principal holds an active Australian Government NV1 security clearance
Control assessment experience drawn from ISO 27001 and ISM-aligned engagements
Independent and vendor neutral. We are not resellers, so our findings and remediation advice carry no product agenda
Able to align your Essential Eight work with ISO 27001 and other frameworks to reduce duplication
Based in Brisbane, working with clients across Queensland, Australia, and APAC
Practical and outcome-focused assessments, not checkbox exercises
Frequently asked questions
How long does an Essential Eight assessment take? It depends on the size of your environment, the maturity level being assessed, and the quality of evidence available. Most of the work is conducted remotely, with limited or no time required onsite. As a guide, allow around one to two months for a comprehensive assessment and report, with smaller or simpler environments completed more quickly.
Is the assessment done remotely or onsite? Most assessments are conducted remotely. For organisations in Brisbane and across South East Queensland, onsite work can be arranged where it adds value.
What maturity level should we target? The right target is risk-based rather than one size fits all. Maturity Level Two is the baseline required of non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF), is mandated for DISP members, and is commonly specified in government contracts. It also aligns closely with what cyber insurers look for. Higher-risk environments may target Maturity Level Three. We help you set a defensible target before assessing against it.
Do you tell us our current level, or audit against a target? Either, depending on your objective. If you need to provide assurance to a third party, we assess against your target maturity level. If you want to understand where you stand, we determine and report your current level for each strategy.
How often should we reassess? There is no single universally mandated frequency, but annual reassessment is standard practice. The government, Defence, and critical infrastructure regimes that reference the Essential Eight all operate on annual reporting cycles, and insurers and contracts commonly expect the same. Reassessment is also worthwhile after significant infrastructure or organisational change.
How does the Essential Eight relate to ISO 27001? The Essential Eight is a baseline set of technical mitigation strategies, not a full management system like ISO 27001. The two complement each other, and several Essential Eight controls map to ISO 27001 Annex A. With experience across both, we can align your Essential Eight work with broader compliance efforts to avoid duplication.
Get in touch
Ready to find out where you stand against the Essential Eight? Contact us to arrange a no-obligation scoping conversation about your target maturity level and what reaching it involves.