IronSights
All insights

essential eight

Essential Eight Maturity Level 2: what it takes to get there

ML1 defends against opportunistic attacks. ML2 is where the Essential Eight starts stopping adversaries who are targeting you specifically. Here is what changes across the eight controls, and how to plan the uplift.

By IronSights Editorial, Practitioner team7 July 20264 min read
ByIronSights Editorial7 July 20264 min read

1 gets most of the attention in conversations, because it is the level insurers and supply-chain questionnaires most commonly ask for. But ML1 is calibrated against opportunistic attackers using commodity techniques. The moment someone is willing to spend effort on your business specifically, researching your staff and crafting payloads to get around your controls, ML1 is not designed to hold. That is what Maturity Level 2 is for.

More organisations are being asked for ML2 than a couple of years ago: Defence-adjacent supply chains, government buyers, larger enterprise customers, and some insurers for higher-risk sectors. This article covers what actually changes between ML1 and ML2, and how to plan the jump without stalling the business.

The shift in mindset: from 'controls exist' to 'controls resist'

Across all eight strategies, the pattern from ML1 to ML2 is the same: the control stops being merely present and starts being hardened against an adversary who is trying to get around it. Windows for action get shorter, exceptions get narrower, weaker fallback options get removed, and you start having to prove things with logs rather than intentions.

Where the real work concentrates

In the uplifts we run, four areas consistently generate most of the effort and most of the business friction. Plan around these and the rest tends to follow.

  • gets serious. ML2 pushes MFA to more users and more systems, and pushes the method toward -resistant options. SMS codes and simple push approvals stop being good enough in key places, which usually means rolling out authenticator changes or hardware keys to real humans, which is as much a change-management job as a technical one.
  • Patching windows tighten. The two-week and 48-hour expectations at ML2 assume you can actually see your whole fleet and act on it. Businesses without solid asset and visibility discover that gap here, and closing it is usually the prerequisite project.
  • Privileged access gets uncomfortable before it gets better. Separate admin accounts, restrictions on where privileged accounts can log in from, and time-bound privilege all land at ML2. This is the control set that most reliably annoys senior technical staff, and most reliably stops a compromise becoming a takeover.
  • Logging becomes an obligation. ML2 expects centralised logging of key events across several controls, so that compromises can be detected and investigated. If nothing today collects and keeps those logs, that is a platform decision. It is also the natural point to consider managed monitoring, because logs nobody reads satisfy an auditor and nobody else.

The parts people underestimate

Application control at ML2 moves beyond 'a product is installed' to rules someone maintains, with annual (or better) reviews of what is allowed to run. Office macro and user application hardening settings must be locked so users cannot switch them off, which surfaces every workflow that was quietly depending on the insecure behaviour. Backups must be provably restorable and protected from the very admin accounts an attacker would steal. None of this is exotic. All of it takes calendar time.

How long ML1 to ML2 really takes

For a typical Australian SME with a competent IT function, plan on three to six months of steady work, driven mostly by MFA rollout logistics, patching process maturity, and the privileged access changes. It compresses if your environment is heavily -based and modern, and stretches if there is legacy infrastructure or an application estate that resists control.

Do you actually need ML2?

The honest answer is: only if someone who matters to your revenue or risk says so. If your contracts, insurer, and sector expectations are satisfied at ML1, the marginal budget usually does more good on detection and response than on ML2 uplift. If you are being asked for ML2, or expect to be, the sequencing above is the plan. And with the retiring the Essential Eight in favour of ASD Essentials by 2027, uplift work should be done with one eye on the transition; the controls carry forward, so none of the work is wasted.

The starting point either way is knowing where you sit today. A formal Essential Eight assessment rates every control at ML0 through ML3 with evidence, and gives you the gap list in priority order. That is exactly what our assessment service does, and if you want a rough sense first, our free self-assessment takes five minutes.

Keep reading

More from the IronSights team.