Essential Eight Assessment · ASD Maturity Model · Sydney & Australia

Essential Eight Maturity Assessment for Australian Organisations.

Independent assessment of your organisation's cybersecurity posture against the ASD Essential Eight, with evidence-based reporting for executive leadership, board oversight, cyber insurance, and procurement.

This is not a checklist exercise and it is not a self-attestation workshop. We assess the implementation and effectiveness of each Essential Eight control using the ASD assessment model, evidence hierarchy, and practical verification methods that stand up under governance, insurance, and procurement scrutiny.

You will leave with a clear maturity position, control-by-control findings, and a remediation roadmap built for delivery.

Request an Essential Eight Assessment

What the assessment produces

  • Maturity score per control, assessed against the ASD Essential Eight maturity model
  • Executive summary suitable for leadership, board, insurance, and procurement use
  • Risk-prioritised remediation roadmap with effort, sequencing, and dependency clearly mapped
  • Exceptions register where full implementation is not currently practical, with compensating controls documented
  • Evidence package structured for cyber insurance, procurement responses, and ongoing governance

$56.6K: Average cybercrime cost per incident (small business, FY2024-25). ASD reports one cybercrime every 6 minutes.

ML2: The 2026 commercial baseline. Mandatory for government supply chain (PSPF) and Defence DISP members.

$2.5M: FIIG Securities civil penalty. First civil penalties under AFS licence obligations for cyber failures.

AI-powered phishing effectiveness: More effective than traditional campaigns. Cited by Microsoft Digital 2025 Defense Report.

Evidence-based vs self-attestation

An Essential Eight assessment is not a checklist. Regulators, insurers and procurement teams can tell the difference.

The ASD assessment process is clear on this point. Interviews, policy documents, reports, and screenshots may contribute to an assessment, but they are weaker forms of evidence than scripts, tools, and simulated testing. Stronger evidence tests whether a control is actually implemented and operating as intended across the environment.

That distinction matters when an organisation is making maturity claims that may be tested by a regulator, an insurer, or a customer conducting due diligence.

Self-attestation can still be useful for internal reporting. It is not the standard you want to rely on when the question is whether your Essential Eight position is defensible.

"Excellent evidence includes testing a control with a simulated activity... relying on interviews and screenshots is always inferior to using scripts and tools."
ASD Essential Eight Assessment Process Guide

Evidence-based assessment

What ASD considers stronger evidence

  • Configuration verified using scripts and tools across representative systems
  • Testing that confirms controls actually block, restrict, or detect as intended
  • Population-level assessment, not a single device or isolated screenshot
  • Evidence quality documented clearly, including limitations where relevant
  • Exceptions and compensating controls formally recorded
  • Output suitable for regulators, insurers, and procurement due diligence

Self-attestation

What ASD considers weaker evidence

  • Policy documents and internal questionnaires reviewed and ticked off
  • Screenshots from a single device or tenant used as proof
  • Interviews relied on to confirm implementation
  • Tool reports assumed to mean controls are effective
  • No active testing to confirm controls work under real conditions
  • Limited value under regulatory, insurance, or procurement scrutiny

The eight controls

What we assess, and where organisations typically fail.

Every control is assessed with the same standard of rigour. We do not rely on a single-device review or a paper-based maturity claim. These are the control areas we assess, and the failure patterns we see most often.

01 Application Control

Restricts execution to approved executables, scripts, and software libraries so unauthorised code cannot run freely across the environment.
Common failure: Allowlisting is configured for servers only, while user profile paths, temporary locations, or scripting pathways remain open.

02 Patch Applications

Reduces one of the fastest paths to compromise by ensuring supported applications are updated in line with risk and exposure.
Common failure: Patch dashboards look healthy, but third-party applications such as browsers, PDF tools, Java runtimes, and utilities are inconsistently covered.

03 Office Macro Settings

Reduces risk from malicious documents and phishing-based payload delivery.
Common failure: Macros remain enabled too broadly because a small number of business files depend on them, and users retain the ability to bypass restrictions.

04 User Application Hardening

Restricts risky features in common user applications that are frequently abused for initial access.
Common failure: Default configurations are left in place, scripting is too permissive, and browser or Office hardening has not been applied consistently.

05 Restrict Administrative Privileges

Limits the spread and impact of credential compromise by reducing privileged exposure.
Common failure: Too many privileged accounts exist, admin access is used for everyday work, and stale or unnecessary privileged identities remain active.

06 Patch Operating Systems

Ensures supported operating systems are maintained and legacy platforms do not remain as soft targets in production.
Common failure: Legacy servers, edge devices, or frozen systems fall out of patch cycles and become long-lived exposure points.

07 Multi-Factor Authentication

Provides one of the highest-leverage controls against credential theft and account compromise.
Common failure: SMS-based MFA is treated as sufficient, phishing-resistant methods are not enforced, and privileged accounts are not consistently protected.

08 Regular Backups

Determines whether the organisation can actually recover after ransomware, destructive attack, or major operational failure.
Common failure: Backups exist, but recovery has not been tested realistically, immutability is weak, or repositories are still reachable from compromised accounts.
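The evidence hierarchy described above (scripts and tools run across a population, with limitations documented) applied to the Office Macro Settings control, as an added example that is not the page's or ASD's own tooling. It assumes WinRM access and local admin rights on each host, Office 2016+ policy keys under the 16.0 hive, and constructed host names; the "Enforced" threshold is an illustrative grading rule, not ASD's maturity-level mapping.

```powershell
# Added example: population-level evidence for Office macro policy.
# Assumptions: WinRM reachable, local admin on each host, Office 2016+ (16.0
# policy hive). Host names are constructed placeholders.
$targets = @('WKS-001', 'WKS-002', 'WKS-003')
$apps    = @('Word', 'Excel', 'PowerPoint')

$collect = {
    param($apps)
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # Macro policy is a per-user setting, so read every loaded user hive
    # rather than the remoting admin's own HKCU (a single-profile mistake).
    $sids = Get-ChildItem HKU:\ | Where-Object {
        $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes'
    } | ForEach-Object PSChildName
    foreach ($sid in $sids) {
        foreach ($app in $apps) {
            $key = "HKU:\$sid\Software\Policies\Microsoft\Office\16.0\$app\Security"
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Host          = $env:COMPUTERNAME
                User          = $sid
                App           = $app
                VBAWarnings   = $p.VBAWarnings                        # 4 = disabled, no notification; 3 = signed only
                BlockInternet = $p.blockcontentexecutionfrominternet  # 1 = block Mark-of-the-Web macros
            }
        }
    }
}

$rows = Invoke-Command -ComputerName $targets -ScriptBlock $collect `
    -ArgumentList (,$apps) -ErrorAction SilentlyContinue

# Illustrative grading rule (not ASD's ML mapping): macros fully disabled, or
# signed-only with internet-sourced macros blocked. Missing policy = not enforced.
$graded = $rows | Select-Object Host, User, App, VBAWarnings, BlockInternet,
    @{ n = 'Enforced'; e = { $_.VBAWarnings -eq 4 -or
                            ($_.VBAWarnings -eq 3 -and $_.BlockInternet -eq 1) } }
$graded | Format-Table -AutoSize

# Population-level summary plus the limitation an assessor must record:
# hosts that returned nothing were not observed, not passed.
$reached     = @($rows | ForEach-Object PSComputerName | Sort-Object -Unique)
$unreachable = $targets | Where-Object { $_ -notin $reached }
$enforced    = @($graded | Where-Object Enforced).Count
"Enforced on {0} of {1} user/app observations across {2} of {3} hosts" -f `
    $enforced, @($graded).Count, $reached.Count, $targets.Count
if ($unreachable) { "Not observed (record as evidence limitation): $($unreachable -join ', ')" }
```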

Assessment deliverables

Six artefacts. Each one designed to be used.

The assessment is designed to support action, not just reporting. Each deliverable has a clear operational, governance, insurance, or procurement purpose.

How the assessment works

Fixed scope, fixed timeline, delivered by senior engineers.

The assessment follows the ASD assessment process, but it is delivered in a commercial format that is practical for real organisations. Scope is agreed up front. Timeline is fixed. Evidence collection is engineering-led throughout.

Common questions

Frequently asked about the Essential Eight Assessment

Q: What is an Essential Eight maturity assessment?

An Essential Eight maturity assessment evaluates how effectively your organisation has implemented the eight ASD controls. It does not stop at policy review or questionnaire responses. It uses technical verification to determine current maturity, identify gaps, and establish what is required to improve.

Q: What maturity level should we target?

For many Australian organisations, ML2 is now the practical commercial target. It is a meaningful baseline for environments facing phishing, credential compromise, ransomware risk, insurance scrutiny, and supply-chain due diligence.

Q: How long does the assessment take?

For a typical mid-market environment, an evidence-based assessment usually takes two to four weeks from scope confirmation to final report, depending on complexity, scale, and the mix of platforms in scope.

Q: What happens after the assessment?

You receive a remediation roadmap that can be executed. Some organisations use it internally. Others engage us to deliver the uplift program, close gaps, and establish ongoing monitoring and evidence maintenance.

Book the assessment

Know exactly where you stand, before someone else asks the question.

Regulators, insurers, customers, and procurement teams are increasingly asking for evidence, not self-declared statements. A structured Essential Eight assessment gives you a defensible view of your current posture, the priority gaps, and the next steps required to improve it. Fixed scope. Fixed timeline. Senior engineers. Evidence that stands up.

Essential Eight Maturity Assessment

  • Evidence-based technical validation across all eight ASD controls
  • Maturity scorecard with evidence grade per control
  • Executive summary for leadership and governance use
  • Risk-prioritised remediation roadmap
  • Exceptions register with compensating controls documented
  • Insurance and procurement-ready evidence pack

Request an Essential Eight Assessment

Fixed scope · Fixed timeline · Senior engineers · Not a checklist audit

Contact us

Request an Essential Eight Discussion

Discuss your current posture, target maturity level, and assessment scope with our team.

Have a question about your current posture or target maturity level? Book a free 30-minute discussion with our team to understand scope, likely gaps, and what an evidence-based assessment would involve.