Essential Eight Maturity Level 1: The Minimum Viable Baseline

Essential Eight ML1 is the baseline most Australian SMEs are working toward — and what insurers and government procurement increasingly expect. Here is exactly what it requires and how to get there.

By IronSights Editorial, Practitioner team | 7 April 2026 | 4 min read

Essential Eight Maturity Level 1 is the baseline that most Australian SMEs are working toward — and more importantly, the baseline that insurers, government procurement, and enterprise supply chains are starting to require. Here is exactly what ML1 requires across all eight controls, and what getting there looks like in practice.

What ML1 means

Maturity Level 1 requires that each of the eight controls is partially implemented, targeting adversaries using commodity tools and techniques — the automated, opportunistic attacks that make up the majority of incidents against SMEs. It is not a passing grade. It is the beginning of a structured programme.

ML1 does not require perfection. It requires that each control is implemented for the assets that matter most — internet-facing systems, privileged accounts, cloud services — and that the implementation is documented and repeatable, not ad hoc.

The eight controls at ML1

Application Control

An application control solution is deployed on internet-facing servers and workstations. Allowed applications are documented. Unauthorised applications are prevented from executing. The allowlist is reviewed and updated at least annually.

Patch Applications

Applications with critical vulnerabilities are patched within one month of release. Internet-facing services with actively exploited vulnerabilities are patched within two weeks. A documented patch management process exists.

Configure Microsoft Office Macros

Macros are disabled for users who do not have a documented business need. Where macros are permitted, they run only from trusted, digitally signed sources. Macro settings are managed via policy — not individual user preference.

User Application Hardening

Internet browsers and PDF viewers are configured to disable Flash, Java, and other unsupported plugins. Web advertisements are blocked. Browser security settings cannot be changed by users.

Restrict Administrative Privileges

Privileged accounts are used only for tasks requiring elevated access. Standard accounts are used for email and general browsing. The list of users with admin rights is reviewed and validated at least annually.

Patch Operating Systems

Operating systems without vendor support are replaced or have compensating controls in place. Critical patches are applied within one month of release. OS vulnerabilities being actively exploited in the wild are patched within two weeks.

Multi-Factor Authentication

MFA is enabled for all users accessing internet-facing services — email, cloud applications, remote desktop, VPN. MFA is enabled for all privileged accounts regardless of network location.

Regular Backups

Important data, software, and configuration settings are backed up at least daily. Backups are stored in a separate location from the primary system — disconnected from the network where possible. Backups are tested at least annually to confirm they can be restored.

Evidence assessors look for

When IronSights or an external assessor reviews your ML1 status, they will ask for evidence against each control. Typically that means:

  • Application control policy documentation and a sample of blocked execution logs.
  • Patch management records showing dates and versions for recent cycles.
  • Group policy or MDM screenshots showing macro and browser hardening configurations.
  • A current list of users with administrative access and evidence of last review.
  • MFA configuration screenshots from your identity provider.
  • Backup solution configuration, last successful backup logs, and evidence of a restore test.

The gap between having the controls and being able to evidence them is where most ML1 assessments reveal the most work to do.
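
One way to turn "patch management records showing dates and versions" into a repeatable check against the ML1 patch timeframes listed above. This is an added example, not IronSights tooling: the CSV columns, the sample records, the assessment date and the reading of "one month" as 30 days are all assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Timeframes as stated in the article; "one month" is taken as 30 days (assumption).
ONE_MONTH = timedelta(days=30)
TWO_WEEKS = timedelta(days=14)
AS_OF = date(2026, 3, 10)  # constructed assessment date

# Constructed sample records; every row is assumed to be a critical patch.
SAMPLE_CSV = """asset,kind,component,released,applied,exploited,internet_facing
web01,app,nginx,2026-01-05,2026-01-15,yes,yes
web01,os,kernel,2026-01-10,2026-02-02,yes,yes
wks14,app,pdf-reader,2026-01-12,2026-02-05,no,no
wks14,os,cumulative-update,2026-01-14,2026-02-20,no,no
db02,app,backup-agent,2026-02-01,,yes,no
"""

def deadline(row):
    """Return the date by which the patch had to be applied under the ML1 wording above."""
    released = date.fromisoformat(row["released"])
    exploited = row["exploited"] == "yes"
    if row["kind"] == "os":
        urgent = exploited  # OS: two weeks when actively exploited
    else:
        urgent = exploited and row["internet_facing"] == "yes"  # apps: internet-facing only
    return released + (TWO_WEEKS if urgent else ONE_MONTH)

def late_patches(csv_text, as_of):
    """List records applied after their deadline, or still unapplied past it on as_of."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        due = deadline(row)
        applied = date.fromisoformat(row["applied"]) if row["applied"] else None
        effective = applied or as_of  # an unapplied patch is judged on the assessment date
        if effective > due:
            findings.append({
                "asset": row["asset"], "component": row["component"],
                "due": due.isoformat(),
                "status": "applied late" if applied else "not applied",
                "days_over": (effective - due).days,
            })
    return findings

if __name__ == "__main__":
    for finding in late_patches(SAMPLE_CSV, AS_OF):
        print(finding)
```

Running the same check each patch cycle and keeping the output gives the dated, repeatable record an assessor asks for.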

Common gaps we find at ML1

  • MFA enforced for some services but not all — cloud storage and collaboration tools are often missed.
  • Application control deployed on workstations but not on servers or remote worker machines.
  • Backups that exist but have never been tested against an actual restore scenario.
  • IT staff using admin accounts for daily tasks, including email.
  • Macro settings configured at the user level, not enforced via policy.

How long does it take to reach ML1?

A focused programme with proper resourcing and no significant architectural changes required typically reaches ML1 in three to six months. The hardest controls are application control — because it requires careful allowlist development before enforcement — and macro management, because it surfaces workflow dependencies that need to be resolved before the control can be tightened.

The organisations that get there fastest treat it as a project with a named owner, a deadline, and a weekly review — rather than a background initiative that competes with operational work.

Frequently asked questions

What is the difference between ML1 and ML2?

ML2 tightens patch timeframes to 48 hours for critical vulnerabilities on internet-facing systems, adds stronger requirements around MFA including phishing-resistant methods for admin accounts, and requires more rigorous logging and event monitoring. ML2 is the level targeted by most government contractors and regulated entities.

Do we need to implement all eight controls?

Yes. ML1 requires all eight. An organisation with seven controls at ML2 and one at ML0 is assessed at ML0 overall. The maturity level is determined by the weakest control across all eight.

Can we self-assess for ML1?

You can self-assess, but independent assessment by a qualified security consultancy carries more weight with insurers, government agencies, and enterprise procurement. Self-assessment is a useful internal tool. Third-party assessment is what creates confidence for external stakeholders.
