Essential Eight
ACSC Essential Eight
Eight prioritised mitigation strategies the Australian Cyber Security Centre considers the most effective baseline against common attacks. Assessed by maturity level rather than as pass/fail controls.
Who it applies to
Recommended for all Australian organizations and mandatory for non-corporate Commonwealth entities. A pragmatic baseline measured across maturity levels ML1 to ML3.
Mitigation strategies
- E8-1 Patch applications (10 mapped)
Patch or mitigate application vulnerabilities, prioritising internet-facing services.
- E8-2 Patch operating systems (10 mapped)
Patch or mitigate operating-system vulnerabilities within defined timeframes.
- E8-3 Multi-factor authentication (16 mapped)
Enforce multi-factor authentication for users, remote access and privileged actions.
- E8-4 Restrict administrative privileges (16 mapped)
Restrict, validate and regularly revalidate administrative privileges.
- E8-5 Application control (10 mapped)
Allow only approved applications to execute.
- E8-6 Restrict Microsoft Office macros (10 mapped)
Disable or restrict macros, allowing only vetted ones from trusted locations.
- E8-7 User application hardening (10 mapped)
Harden user applications such as browsers, disabling unneeded features like Flash, ads and Java.
- E8-8 Regular backups (6 mapped)
Perform and test regular backups of important data, software and configuration settings.