IRAP Assessment Services
Assurance Bureau delivers independent Essential Eight maturity assessments for organisations that need to know exactly where they stand against the Australian Signals Directorate (ASD) baseline, and what it will take to reach their target maturity level. Whether the driver is a government tender, a cyber insurance renewal, Defence supply chain membership, or board-level assurance, our assessments give you a clear, evidence-based picture of your current posture and a prioritised path forward.
Assessments are led by an IRAP Assessor holding an active Australian Government NV1 security clearance, with control assessment experience across regulated healthcare, education, and government-adjacent environments.
What is the Essential Eight?
The Essential Eight is a set of eight prioritised mitigation strategies developed by the ASD and promoted through the Australian Cyber Security Centre (ACSC). Together they form Australia's de facto baseline for defending internet-connected systems against the most common cyber threats. The eight strategies are:
Application control
Patch applications
Configure Microsoft Office macro settings
User application hardening
Restrict administrative privileges
Patch operating systems
Multi-factor authentication
Regular backups
Implementation is measured against the Essential Eight Maturity Model, which defines four maturity levels. Maturity Levels One, Two, and Three reflect the mitigation of increasing levels of adversary tradecraft and targeting, with Level Three offering the most robust posture. Maturity Level Zero is not a target in itself. It applies to any organisation that does not yet meet Maturity Level One. ASD guidance is to reach the same maturity level across all eight strategies before progressing to a higher one, so a single weak strategy holds back your overall result. The Essential Eight is assessed and reported as a package.
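The roll-up rule described above, where the overall reported level is the lowest level across all eight strategies, is easy to get wrong when results are tracked in a spreadsheet with one row per strategy. The following is an added example, not part of the original page and not Assurance Bureau's own tooling. It takes per-strategy maturity levels (the sample results are constructed) and a target level, and returns the overall level, the strategies holding it back, and the gap each strategy has to the target.

```python
"""Roll up per-strategy Essential Eight maturity results into an overall level.

Added example: the strategy names are the eight listed by ASD; the scoring rule
(overall = lowest strategy level) follows ASD's guidance that all eight should
reach the same level before progressing. Sample results below are constructed.
"""

STRATEGIES = (
    "Application control",
    "Patch applications",
    "Configure Microsoft Office macro settings",
    "User application hardening",
    "Restrict administrative privileges",
    "Patch operating systems",
    "Multi-factor authentication",
    "Regular backups",
)
MAX_LEVEL = 3  # Maturity Levels are 0 (below ML1) through 3


def roll_up(results, target):
    """Return (overall_level, blockers, gaps).

    results: dict mapping each of the eight strategy names to an assessed
             maturity level 0..3. Every strategy must be present, because
             the Essential Eight is assessed and reported as a package.
    target:  the maturity level the organisation is aiming for (1..3).

    overall_level: the lowest level across all eight strategies.
    blockers:      the strategies sitting at that lowest level, i.e. the ones
                   holding back the overall result.
    gaps:          strategy -> number of levels still needed to reach target,
                   for every strategy currently below target.
    """
    missing = [s for s in STRATEGIES if s not in results]
    if missing:
        raise ValueError(f"no result recorded for: {missing}")
    for name, level in results.items():
        if name not in STRATEGIES:
            raise ValueError(f"unknown strategy: {name!r}")
        if not isinstance(level, int) or not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{name}: level must be an integer 0..{MAX_LEVEL}")
    if not isinstance(target, int) or not 1 <= target <= MAX_LEVEL:
        raise ValueError(f"target must be an integer 1..{MAX_LEVEL}")

    overall = min(results[s] for s in STRATEGIES)
    blockers = [s for s in STRATEGIES if results[s] == overall]
    gaps = {s: target - results[s] for s in STRATEGIES if results[s] < target}
    return overall, blockers, gaps


def summarise(results, target):
    """Return a short plain-text summary suitable for an assessment report."""
    overall, blockers, gaps = roll_up(results, target)
    lines = [f"Overall maturity: Level {overall} (target Level {target})"]
    if overall >= target:
        lines.append("Target met across all eight strategies.")
    else:
        lines.append("Held back by: " + ", ".join(blockers))
        for name, gap in gaps.items():
            lines.append(f"  {name}: Level {results[name]}, {gap} level(s) to go")
    return "\n".join(lines)


# Constructed sample: seven strategies at Level 2, backups lagging at Level 1.
SAMPLE_RESULTS = {s: 2 for s in STRATEGIES}
SAMPLE_RESULTS["Regular backups"] = 1

if __name__ == "__main__":
    print(summarise(SAMPLE_RESULTS, target=2))
```

On the constructed sample the overall result is Level 1 even though seven of the eight strategies sit at Level 2, which is exactly the "single weak strategy" effect the model produces; the gap listing is what an uplift plan would be built from.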
Why organisations need an Essential Eight assessment
Cyber insurance. Insurers increasingly ask for evidence of Essential Eight maturity, commonly around Maturity Level Two, as a condition of cover or to secure reasonable premiums.
Government contracts and tenders. Many Australian Government and state government requests for tender specify an Essential Eight maturity level as a prerequisite to bid.
Defence Industry Security Program (DISP). All DISP members are now required to achieve and maintain the full Essential Eight at Maturity Level Two across the ICT systems used to correspond with Defence.
Defence and government supply chain. Suppliers to Defence primes and to government are increasingly asked to evidence their maturity before work is awarded.
Critical infrastructure. The Essential Eight is one of the recognised frameworks responsible entities can adopt to manage the cyber and information security hazard under the Security of Critical Infrastructure (SOCI) risk management program rules.
Board and executive assurance. Independent validation of your posture against a recognised national baseline, reported with clear risk metrics.
What we assess
Implementation and effectiveness of each of the eight mitigation strategies across the systems within your assessment boundary
The quality of evidence behind each control, tested against the ACSC evidence standards rather than accepted on policy statements alone
Your current maturity level for each strategy, the gaps to your target level, and prioritised remediation documented in a clear assessment report to support your uplift planning
How an engagement works
Scope. We agree your target maturity level, the systems in scope, and your drivers, whether that is insurance, a tender, DISP, or board assurance.
Assess. We review configuration, documentation, and evidence across all eight strategies, validating that controls are implemented and operating rather than simply documented.
Report. You receive a clear assessment report stating your current maturity for each strategy, the gaps to your target, and a remediation roadmap prioritised by risk and effort.
Important to understand
An Essential Eight assessment is an independent, point-in-time evaluation of your maturity against the ASD model. It is not a certification or registration, and a reported maturity level is a measurement rather than a guarantee. Maturity must be maintained through ongoing patching, monitoring, access review, and restore testing, so we frame our findings to support continuous improvement rather than a one-off result. Where a contract or regulatory condition calls for a specific maturity level, the assessment gives you the evidence base to demonstrate and defend it.
Why Assurance Bureau
IRAP Assessor, bringing Information Security Manual (ISM) aligned assessment rigour to every engagement
Active Australian Government NV1 security clearance
ISM and control assessment experience drawn from ISO 27001 engagements with a large national healthcare provider and a state government education provider
Independent and vendor neutral. We are not resellers, so our findings and remediation advice carry no product agenda
Able to align your Essential Eight work with ISO 27001 and other frameworks to reduce duplication
Based in Brisbane, working with clients across Queensland, Australia, and APAC
Practical and outcome-focused assessments, not checkbox exercises
Frequently asked questions
How long does an Essential Eight assessment take? It depends on the size of your environment, the maturity level being assessed, and the quality of evidence available. Most of the work is conducted remotely, with limited or no time required onsite. As a guide, the assessment and reporting are typically completed within one to two weeks, though larger or more complex environments can take longer.
Is the assessment done remotely or onsite? Most assessments are conducted remotely. For organisations in Brisbane and across South East Queensland, onsite work can be arranged where it adds value.
What maturity level should we target? The right target is risk-based rather than one size fits all. Maturity Level Two is the baseline expected of non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF) and is commonly required for government contracts and cyber insurance. Higher-risk environments may target Maturity Level Three. We help you set a defensible target before assessing against it.
Do you tell us our current level, or audit against a target? Either, depending on your objective. If you need to provide assurance to a third party, we assess against your target maturity level. If you want to understand where you stand, we determine and report your current level for each strategy.
How often should we reassess? There is no single universally mandated frequency, but annual reassessment is standard practice. The government, Defence, and critical infrastructure regimes that reference the Essential Eight all operate on annual reporting cycles, and insurers and contracts commonly expect the same. Reassessment is also worthwhile after significant infrastructure or organisational change.
How does the Essential Eight relate to ISO 27001? The Essential Eight is a baseline set of technical mitigation strategies, not a full management system like ISO 27001. The two complement each other, and several Essential Eight controls map to ISO 27001 Annex A. With experience across both, we can align your Essential Eight work with broader compliance efforts to avoid duplication.
Get in touch
Ready to find out where you stand against the Essential Eight? Contact us to arrange a no-obligation scoping conversation about your target maturity level and what reaching it involves.