
June 11, 2026
What the Essential Eight Actually Is
Why More Perth Businesses Are Being Asked About It
What Maturity Level Means in Practice
The Gap Between Having Controls and Demonstrating Them
What a Proper Essential Eight Assessment Involves
Most Perth businesses already have some form of cyber security in place. Antivirus. Email filters. Maybe multi-factor authentication rolled out across the team.
What most don't have is a clear picture of where they actually stand.
Not in general terms — but specifically, against the Essential Eight: the cyber security framework developed by the Australian Signals Directorate that has become the baseline standard for businesses in government supply chains, applying for cyber insurance, or working toward compliance obligations under the Cyber Security Act 2024.
That gap between "we have security in place" and "we can demonstrate our maturity level" is increasingly where business risk sits.
The Essential Eight is a set of eight cyber security controls recommended by the ASD as a baseline for protecting Australian businesses.
The eight controls are:
Each control is assessed at one of four maturity levels — Level 0 through Level 3. The level doesn't just measure whether a control is present. It measures how consistently and completely it's applied.
A business might have MFA deployed — but if it's not enforced for privileged accounts, or if legacy authentication protocols are still active, that's not Level 2. A business might back up its data — but if those backups aren't tested and stored offline, that's not Level 2 either.
This distinction — between having something and demonstrating it properly — is where most businesses discover gaps they didn't know existed.
The Essential Eight isn't new, but the pressure to demonstrate compliance is growing in ways that directly affect small and mid-sized businesses.
If your business supplies goods or services to Australian Government agencies, or to a prime contractor that does, Maturity Level 2 is the expected standard. The ASD's Commonwealth Cyber Security Posture Report 2025 confirms that supply chain risk assessments are now a core expectation in procurement. Businesses that can't evidence their maturity level are finding themselves at a disadvantage in tender processes and contract renewals.
Australian cyber insurers are looking more closely at the controls businesses have in place — not just whether they exist, but whether they're properly configured and documented. Marsh's 2024 Australian Cyber Insurance Market Trends report notes that insurers are increasingly focused on internal controls rather than revenue or industry type. Businesses with documented Essential Eight maturity are better positioned on both premium and claims outcomes.
According to the ASD Annual Cyber Threat Report 2024–25, the average self-reported cost of a cyber incident for Australian businesses reached $80,850 in FY2024–25 — a 50% increase in a single year. The Essential Eight controls exist specifically to reduce the likelihood and impact of the most common attack types. Knowing your maturity level is knowing your exposure.
Businesses working in the defence supply chain need to meet the Defence Industry Security Program (DISP) requirements, which include cyber security expectations aligned directly to the Essential Eight. If your business works with Defence — directly or as a sub-contractor — Essential Eight maturity is part of what DISP membership requires.
Understanding the maturity levels helps set realistic expectations for what compliance actually involves.
Maturity Level 1 addresses the most common, opportunistic attacks. Controls are in place but may be inconsistently applied. For many businesses, this is where they actually sit — even if they believe they're higher.
Maturity Level 2 is the benchmark for most compliance obligations. Controls are applied consistently across the environment and are designed to resist more targeted adversaries. This is what government supply chains, most insurers, and the DISP framework expect.
Maturity Level 3 applies to organisations handling sensitive data or operating in high-risk environments. Controls are fully implemented and actively maintained against sophisticated, targeted threats.
Most SMBs should be targeting Maturity Level 2. Getting there requires a baseline assessment to understand the starting point, a structured remediation plan, and ongoing maintenance to keep controls current as the environment changes.
This is the part that catches most businesses off guard.
A managed IT environment typically has many of the Essential Eight controls already deployed in some form. The question isn't whether those controls exist — it's whether they've been applied to the standard the maturity model requires, and whether there's evidence to demonstrate it.
A few common examples of where the gap appears:
None of these are unusual. They're typical of environments that have grown organically without a framework-based review. The assessment is what surfaces them.
An Essential Eight assessment is not a questionnaire you fill out yourself. Done properly, it's a structured technical review of your actual environment — not what your policies say, but what your systems are actually doing.
A proper assessment produces three outputs:
1. Maturity Score: A Level 0–3 score across all eight controls, assessed against the ACSC standard. This gives you an accurate, defensible starting point — the kind of score you can present to an insurer, a procurement team, or a DISP assessor with confidence.
2. Gap Analysis: Every finding tied to a specific control and maturity level, with clarity on what needs to change and why. Not a generic report, but a precise picture of your environment.
3. Remediation Roadmap: A prioritised plan that addresses the highest-risk gaps first, with a realistic timeline for reaching your target maturity level. For most businesses, reaching Level 2 from a typical starting point takes between four and twelve weeks with active implementation support.
For our managed IT clients, Essential Eight readiness isn't a separate compliance project — it's an extension of the work we're already doing.
When we manage a client's IT environment, we're already responsible for patching, endpoint security, identity management, and backup. The question of Essential Eight maturity is largely a question of whether those services are configured and documented to the standard the framework requires.
For new clients, we start with an assessment to understand where the environment actually sits. That gives us — and the business — an accurate baseline, and it informs how we structure the managed service from day one.
For existing clients, we can conduct an Essential Eight review against the current environment to identify any gaps between what's in place and what the maturity model requires.
For businesses that need a formal, structured compliance program — with a documented maturity score, ongoing evidence generation, and reporting that satisfies insurers, procurement teams, or DISP requirements — we recommend DefenderSuite, our dedicated cyber security and compliance platform.
DefenderSuite's Essential Eight Assessment delivers a full maturity score across all eight ASD controls, a vulnerability report mapped to your environment, and a prioritised remediation roadmap — all completed within five business days, and included at no cost on a 12-month plan.
It's purpose-built for businesses that need more than IT management. It's for businesses that need to demonstrate compliance.
If you're unsure where your business sits on the Essential Eight, these questions are a useful starting point:
Whether you need your IT environment brought into Essential Eight alignment, or you're ready to pursue a formal assessment and compliance program, we can point you in the right direction.
Book a free Essential Eight assessment with DefenderSuite →
Or speak to the Superior IT team about how Essential Eight fits into your managed IT service: +61 1300 93 77 49
Australian Signals Directorate – Essential Eight Explained: https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight/essential-eight-explained
Australian Signals Directorate – Essential Eight Maturity Model: https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight/essential-eight-maturity-model
Australian Signals Directorate – Annual Cyber Threat Report 2024–25: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025
Australian Signals Directorate – Commonwealth Cyber Security Posture in 2025: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/the-commonwealth-cyber-security-posture-in-2025
Australian Signals Directorate – Cyber Security Act 2024: https://www.cyber.gov.au/about-us/news/cyber-security-act-2024
Department of Defence – Defence Industry Security Program: https://www.defence.gov.au/business-industry/industry-governance/industry-regulators/defence-industry-security-program
Marsh Australia – Cyber Insurance Market Trends 2024: https://www.au.marsh.com/products-services/cyber-insurance/insights/cyber-insurance-market-trends-2024.html