IronSights
Book Assessment

Essential Eight Assessment · Australia

Know exactly where you stand on the Essential Eight.

A formal Essential Eight maturity assessment for Australian businesses. We rate you against all eight ACSC controls, show you the gaps that matter, and hand you a prioritised plan to reach the maturity level your contracts, insurer, or board require.

  • Rated against all eight ACSC controls
  • Clear maturity level (ML0–ML3)
  • Prioritised remediation plan
  • Australian assessors, no offshoring
8
ACSC controls assessed
ML0–3
Maturity rating
ISO 27001
Certified practice
AU
Australian assessors

Book your assessment

Tell us a little about your environment. We'll reply within one Australian business day to scope it with you.

No cost to scope. No obligation. We reply within one Australian business day.

5.0 on Google
Microsoft Certified
ISO 27001 CertifiedISO 9001 CertifiedNSW Master Security Licence
The IronSights cyber security team in Sydney

Why IronSights

A specialist, not a generalist.

IronSights is an Australian cyber security firm. Your assessment is run by the same Sydney team that monitors and defends Australian organisations every day — so the findings come with advice that actually fits how your business runs.

  • Australian assessors, no offshoring
  • Vendor-independent advice
  • Hands-on security engineers
  • ISO 27001 certified practice
  • Plain-English board reporting
  • Backed by Fortify, our managed service

Why it matters

The Essential Eight is becoming the price of doing business.

Cyber insurers, government contracts, and enterprise customers increasingly ask the same question: what Essential Eight maturity level are you at? Guessing is risky. An assessment replaces the guess with an evidence-based answer — and a plan to close the gap.

What we assess

All eight ACSC mitigation strategies.

Application control

Whether unapproved programs — and the malware that hides among them — can run on your systems.

Patch applications

How quickly known holes in apps and browsers are closed before they can be exploited.

Restrict Office macros

Whether the macro-borne malware still landing in inboxes is actually blocked.

User application hardening

How well browsers, Office, and PDF readers are locked down against common attack paths.

Restrict admin privileges

Whether one compromised account can quietly take over your whole environment.

Patch operating systems

How current your Windows and server fleet is, and how long unpatched holes stay open.

Multi-factor authentication

Whether a stolen password is enough to get in — across staff, admins, and remote access.

Regular backups

Whether your backups are complete, tested, and able to bring you back after ransomware.

The maturity model

Four levels. We tell you which one you're at.

The ACSC rates Essential Eight maturity from ML0 to ML3, based on how determined an attacker your controls can withstand. We assess each of the eight controls against this model.

ML0

Significant gaps

Controls are missing or not working. Common, and usually invisible until something goes wrong.

ML1

Baseline protection

Defends against opportunistic, untargeted attacks. The minimum many contracts and cyber insurers now expect.

ML2

Stronger posture

Holds up against attackers willing to put in more effort and target your business specifically.

ML3

Hardened

Resilient against adaptive, determined adversaries who adjust to get past your defences.

What you walk away with

A clear rating, and a plan to lift it.

Maturity rating per control

Where you sit on the ACSC model (ML0–ML3) for each of the eight strategies, with the evidence behind it.

Prioritised gap register

Every gap ranked by real risk and how easily it can be closed — not a flat checklist.

Immediate quick wins

The changes you can make this week to lift your weakest controls fast.

Roadmap to your target level

A sequenced plan to reach the maturity level your contracts, insurer, or board require.

Board-ready summary

A one-page read of where you stand and what it means, written for leadership — not the helpdesk.

Evidence-based findings

Conclusions drawn from your real configuration and your IT team, not a generic questionnaire.

How it works

From scoping call to roadmap.

  1. Scoping call

    A short call to confirm your environment, your target maturity level, and what's driving the assessment.

  2. Evidence review

    We examine your real configuration across all eight controls — with your IT team, not a tick-box survey.

  3. Maturity rating

    Each control is rated ML0–ML3 against the ACSC model, and gaps are ranked by business risk.

  4. Executive walkthrough

    We walk your leadership through what we found, in language the board understands.

  5. Roadmap

    You leave with quick wins and a sequenced plan to reach and hold your target level.

Not ready to talk yet?

Try the free 5-minute self-assessment.

Forty plain-English questions, an instant maturity estimate on screen, and no signup. It's a useful starting point — though a formal assessment is what insurers and contracts actually ask for.

Start the free self-assessment →

Get started

Book your Essential Eight assessment.

A short scoping call, an evidence-based maturity rating, and a clear plan to reach your target level. We reply within one Australian business day.

  • Rated against all eight ACSC controls
  • Australian assessors, no offshoring
  • Board-ready findings within days

No cost to scope. No obligation. We reply within one Australian business day.