IronSights
All insights

essential eight

Essentials for Cloud: what the Essential Eight replacement means for cloud

The Essentials series has a dedicated cloud chapter, because the Essential Eight was never built for shared-responsibility environments. What Essentials for Cloud is likely to cover, and what to do now.

By IronSights Editorial, Practitioner team17 July 20263 min read
ByIronSights Editorial17 July 20263 min read

The 's Essentials series, which is replacing the , has a chapter built specifically for cloud environments: Essentials for Cloud. It exists because the Essential Eight was designed for on-premises IT, and its controls do not map cleanly onto cloud and shared-responsibility models. For any business running significant workloads in Azure or AWS, or on a stack of SaaS platforms, this is the chapter to watch.

Why cloud needs its own chapter

The Essential Eight assumes you own and control the environment: the servers, the operating systems, the network boundary. In the cloud you often do not. On a shared-responsibility platform, the provider secures the underlying infrastructure and you secure your configuration, your identities and your data. A control that says patch your operating systems does not translate to a SaaS product you do not run. Essentials for Cloud is the ASD's answer to that mismatch, an outcomes-based framework that fits how cloud actually works.

What it is likely to cover

The chapter is confirmed but not yet published in detail, so this is informed expectation rather than fact. Based on the direction the series is taking and where cloud risk actually sits, expect the focus to land on a few things. Identity and access management, because in the cloud identity is the perimeter. Configuration of cloud and SaaS platforms, because most cloud breaches come from misconfiguration rather than clever exploits. Logging and monitoring across cloud services, which is often switched off by default. And clarity on the shared-responsibility line, so it is clear what you are accountable for. As with the rest of the series, the measure will be outcomes rather than prescribed steps, because cloud environments vary too much for one method to fit them all.

Who should pay attention

If your business runs mostly on and a handful of SaaS tools, you are already a cloud business, whether or not you think of yourself that way. The controls that matter for you, everywhere, , correctly configured tenants, sensible sharing settings, are cloud controls, and they are exactly where Essentials for Cloud will land. Businesses with workloads in Azure or AWS carry a larger surface, but the principle holds: your security now lives in your configuration, not your server room.

What to do now

There is no draft to act on yet, but there is plenty to do that will carry forward.

  • Keep working to the Essential Eight. It remains current until at least 2028, and its identity and configuration disciplines map straight into the cloud chapter.
  • Get your cloud configuration reviewed. Most cloud risk is misconfiguration: over-shared files, dormant admin accounts, multi-factor gaps, logging turned off. These are the same things Essentials for Cloud will measure.
  • Know your shared-responsibility line. Be clear about what your provider secures and what you secure. The gap between the two is where incidents happen.

A cloud posture review, against how you actually run today and against where Essentials for Cloud is heading, is the practical starting point. We look at your Microsoft 365 and cloud configuration, your identity controls and your logging, and give you an ordered list of what to fix first. It carries forward whichever way the framework lands.

General guidance based on ASD material current at July 2026. Essentials for Cloud is confirmed as a chapter but not yet published in detail, and specifics may change.

Keep reading

More from the IronSights team.