Essential Eight maturity levels explained (ML1, ML2, ML3)
The Australian Signals Directorate's Essential Eight has four maturity levels. This guide explains ML0 to ML3, what each requires, and which level applies to government-connected businesses.
What the Essential Eight is
The Essential Eight is the Australian Signals Directorate's (ASD) baseline set of eight mitigation strategies against cyber threats. These strategies are designed to reduce the risk of successful cyber attacks.
The eight strategies are application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Organisations can assess their implementation of these strategies using a maturity model.
Your overall maturity level is determined by the lowest maturity achieved across all eight strategies. This means that even if an organisation has implemented several strategies effectively, a weakness in a single area will dictate the overall maturity level.
The maturity levels
The Essential Eight maturity levels describe an entity’s cyber security posture and ability to defend against cyber threats. These levels range from ML0 to ML3, with each level representing an increasing level of sophistication in defensive capabilities. ML0 indicates substantial vulnerabilities exist within an entity’s cyber security arrangements.
ML1 focuses on mitigating threats from adversaries employing commonly available techniques. ML2 addresses adversaries who are prepared to dedicate more resources and utilise more potent tools to achieve their objectives. Finally, ML3 is designed to defend against adversaries demonstrating adaptability and a willingness to invest considerable effort and leverage advanced methods.
The progression through these levels signifies a strengthening of cyber security controls and an improved capacity to recognise and respond to evolving threats.
Which level applies to me
The appropriate maturity level for your organisation depends on your individual risk profile and any obligations you hold. Non-corporate Commonwealth entities are required to meet Essential Eight obligations. This means they must adhere to a defined level of implementation and ongoing management.
Businesses that handle government data, often operating under frameworks like the Right Fit For Risk approach, are frequently required to demonstrate Essential Eight maturity level 2 (ML2). This indicates a certain level of sophistication in security controls and processes.
Ultimately, the definitive maturity level you must achieve will be specified within your contractual agreements or relevant frameworks. Always refer to these documents to confirm the required standard. You can use the Essential Eight maturity check to assist with this assessment.
How to lift your maturity
Improving your Essential Eight maturity requires a focused approach. Because overall maturity is the lowest level achieved across the eight strategies, prioritising the strategy with the weakest implementation is the most effective starting point. Addressing this foundational weakness will yield the greatest improvement in overall maturity.
Commonly, organisations can achieve relatively rapid gains in maturity through implementing multi-factor authentication and consistently applying patching. These actions provide immediate improvements and build momentum for further enhancements. It is important to recognise that achieving higher maturity levels requires ongoing effort and refinement of processes.
Should a cyber incident occur, it may necessitate multiple notifications to regulators. To manage this effectively, it is beneficial to map the required notifications in advance using the cyber incident notification tool.
Frequently asked
How many Essential Eight maturity levels are there?
Four: ML0, ML1, ML2 and ML3. Your overall maturity is the lowest level achieved across all eight mitigation strategies.
What maturity level do government contractors need?
It depends on the contract and data sensitivity. Businesses handling government data under approaches like Right Fit For Risk are commonly required to demonstrate Maturity Level 2 — confirm your specific requirement.