
Essential Eight Maturity Levels Explained: Where Does Your Business Sit?

The ASD Essential Eight maturity model uses four levels to describe how well each control is implemented. Understanding what each level requires is the first step to knowing where your business actually stands.

By Ryan Balloot, Managing Director. 26 September 2024. 1 min read.

The Essential Eight Maturity Model provides a structured way to assess how well each of the eight controls is implemented. The model uses four levels — Maturity Level Zero through Maturity Level Three — with each level building on the previous.

Maturity Level Zero

Not implementing the control in a way that addresses the intent of the mitigation strategy. Many businesses are at Level Zero for several controls when first assessed — not because they have ignored security entirely, but because informal or incomplete implementation does not meet the structured requirements of the framework.

Maturity Level One

Targeted at adversaries using commodity tools: script kiddies, automated scanning, basic phishing kits. Level One addresses the most prevalent attack types requiring minimal sophistication. Reaching Level One across all eight controls is a meaningful achievement that significantly reduces exposure to common attacks.

Maturity Level Two

Targeted at more capable adversaries investing in their attacks — spear phishing, living-off-the-land, supply chain compromise. This is the current minimum expectation for Australian government suppliers and an increasing number of commercial requirements. The gap between Levels One and Two is where most organisations find the most work.

Maturity Level Three

Targeted at sophisticated adversaries — nation-state actors, advanced persistent threat groups. Relevant primarily for government agencies, critical infrastructure operators, and organisations holding data of national security interest. Not a realistic near-term target for most small businesses.

How do we prove our Essential Eight maturity to clients or insurers?

An independent assessment report from a qualified provider is the most credible evidence. Some insurers and procurement teams specify accepted assessor qualifications or formats. Check what is required before commissioning an assessment — a self-assessment is generally not accepted.
