In plain English
The Essential Eight is Australia's de facto cyber security baseline for businesses, published by the Australian Cyber Security Centre (ACSC). It covers eight specific controls — from patching software to enabling multi-factor authentication — each scored across four maturity levels (0 to 3). Achieving Maturity Level 2 or above is increasingly required for government contracts and cyber insurance.
Full definition
The Essential Eight mitigation strategies are: Application control, Patch applications, Configure Microsoft Office macro settings, User application hardening, Restrict administrative privileges, Patch operating systems, Multi-factor authentication, and Regular backups.
The Essential Eight Maturity Model assigns each control a maturity level from 0 (not implemented, or implemented with significant weaknesses) to 3 (the most stringent). Each level builds on the previous one, and an organisation's overall maturity level is the lowest level it achieves across the eight controls, so organisations should aim to reach the same maturity level across all eight before progressing — a mixed-level posture leaves exploitable gaps and does not raise the overall rating.
Essential Eight assessments are now commonly required for Australian Government suppliers under contracts referencing the Protective Security Policy Framework (PSPF) or the Defence Industry Security Program (DISP). Many cyber insurers also reference the framework when setting premiums or coverage terms.
