Essential Eight Assessment · ASD Maturity Model · Sydney & Australia

Essential Eight Maturity Assessment for Australian Organisations.

Essential Eight Assessment · Essential Eight Gap Analysis · ASD Compliance · Essential Eight Maturity Model · Essential 8 Maturity Level 2

Independent evaluation of your organisation's cybersecurity posture against the Australian Signals Directorate Essential Eight framework, with evidence-based reporting suitable for executive leadership and board oversight. Identify control gaps, understand your maturity level, and receive a practical remediation roadmap.

Book an Assessment

What the assessment produces

  • Maturity score per control, evidence-graded per ASD's evidence hierarchy, not self-declared
  • Executive summary suitable for board reporting, insurance renewal and procurement responses
  • Risk-prioritised remediation roadmap, sequenced by impact, dependency and effort
  • Exceptions register where legacy constraints apply, with compensating controls documented
  • Evidence package structured for cyber insurance underwriting, not assembled at renewal time

$56.6K

Average cybercrime cost per incident

Small business, FY2024-25. ASD reports one cybercrime every 6 minutes.

ML2

The 2026 commercial baseline

Mandatory for government supply chain (PSPF) and Defence DISP members

$2.5M

FIIG Securities civil penalty

First civil penalties under AFS licence obligations for cyber failures. Feb 2026

AI-powered phishing effectiveness

More effective than traditional campaigns. Source: Microsoft Digital Defense Report 2025

Evidence-based vs self-attestation

An Essential Eight assessment is not a checklist, and regulators, insurers or procurement teams can tell the difference.

ASD's own assessment process guide is explicit on this point: relying on interviews, reports and screenshots to validate control implementation is always inferior to using scripts and tools, because scripts can assess broader populations and surface issues that human review misses.

"Excellent evidence includes testing a control with a simulated activity... relying on interviews and screenshots is always inferior to using scripts and tools." — ASD Essential Eight Assessment Process Guide

Self-attestation has a legitimate role in internal governance reporting. It is not the appropriate standard when a regulator is assessing whether adequate systems were in place, when an underwriter is evaluating your controls, or when a procurement team is verifying your ML2 claim.

Evidence-based assessment

What ASD classifies as defensible

  • Configuration verification via scripts and tools across a representative sample of the population
  • Active testing, simulated activities that confirm controls actually block or detect
  • Population-level assessment, not a single "golden device"
  • Evidence graded as excellent, good or fair with limitations documented
  • Exceptions register with compensating controls formally documented and approved
  • Output suitable for regulators, insurers and procurement due diligence

Self-attestation

What ASD considers inferior evidence

  • Policy documents and internal questionnaires reviewed and ticked
  • Screenshots of a single device or tenant reviewed
  • Interviews with IT staff about what controls are in place
  • Tool completion reports assumed to equal successful implementation
  • No active testing to confirm controls actually function under real conditions
  • Cannot withstand regulatory, insurance or procurement scrutiny

The eight controls

What we assess, and where organisations typically fail.

Every control is assessed with the same rigour: configuration verification at scale using scripts and tools, not a single-device review. These are the most common failure patterns we find across Australian mid-market environments.

01

Application Control

Restricts execution to approved executables, scripts and software libraries. Prevents attackers running unauthorised code in the first place.
Common failure
Allowlisting deployed on servers only, with user profile and temp directories left permissive on workstations: exactly the user-writable paths where phishing payloads land and execute.

02

Patch Applications

Software vulnerabilities are one of the fastest compromise paths. Exploit code can appear within 48 hours of a vulnerability becoming public.
Common failure
Assuming patch tool reports equal successful patching — they often don't. Third-party applications (browsers, PDF tools) routinely missed.

03

Office Macro Settings

Macros are a common payload delivery mechanism. Malicious documents combined with phishing remain among the dominant causes of initial compromise.
Common failure
Macros left enabled organisation-wide because one department uses a macro-enabled spreadsheet; users allowed to override security settings rather than being granted an approved, documented exception.
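
What "configuration verification at scale" looks like for the two controls above, as an added example written for this page rather than ASD's or Inlight's own tooling: one PowerShell collector pushed to every Windows host over WinRM. It reads the effective AppLocker policy and the per-user Office macro policy on each host, then asks AppLocker to evaluate a benign file dropped into the user-writable temp directory, which is the simulated-activity step ASD's guide ranks above screenshots. The host list, the probe and CSV file names and the regex for user-writable paths are assumptions; the script also assumes WinRM is enabled, the caller holds local admin on each target, AppLocker (not WDAC) is the application control mechanism, and Office 16.0 (2016/2019/365) is deployed.

```powershell
# Added example (not ASD's or Inlight's code). Assumes WinRM, local admin on
# targets, AppLocker-based application control and Office 16.0.
$Hosts = @('WKS-001', 'WKS-002', 'SRV-FILE01')   # constructed inventory (assumption)

$Collector = {
    $result = [ordered]@{
        ComputerName         = $env:COMPUTERNAME
        MacroHivesChecked    = 0
        MacroHivesCompliant  = 0
        ExeRulesEnforced     = $false
        PermissiveAllowRules = @()
        TempProbeDecision    = 'NotEvaluated'
    }

    # --- Office macro settings ---
    # VBAWarnings and blockcontentexecutionfrominternet are per-user policies (HKCU),
    # so read every loaded user hive under HKEY_USERS. Limitation: only users whose
    # profile is currently loaded are visible; the checked/compliant counts record that.
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # 3 or 4 plus internet-block = 1 across Word, Excel and PowerPoint is the proxy
    # for "macros disabled"; users with an approved business need will show as
    # non-compliant here and belong in the exceptions register instead.
    $userHives = Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $userHives) {
        $result.MacroHivesChecked++
        $compliant = $true
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $sec = Get-ItemProperty -ErrorAction SilentlyContinue `
                -Path "Registry::$($hive.Name)\Software\Policies\Microsoft\Office\16.0\$app\Security"
            if (-not ($sec -and ($sec.VBAWarnings -in @(3, 4)) -and ($sec.blockcontentexecutionfrominternet -eq 1))) {
                $compliant = $false
            }
        }
        if ($compliant) { $result.MacroHivesCompliant++ }
    }

    # --- Application control (AppLocker) ---
    # Effective policy on the host, not the GPO as written: is the Exe collection
    # enforced (not audit-only), and do any Allow rules for non-administrators cover
    # user-writable locations? (%WINDIR%\* also contains writable subfolders such as
    # Windows\Temp, so the default rules deserve the same scrutiny.)
    $policyXml = [xml](Get-AppLockerPolicy -Effective -Xml)
    $exe = $policyXml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $result.ExeRulesEnforced = ($exe.EnforcementMode -eq 'Enabled')
    $adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
    foreach ($rule in @($exe.FilePathRule)) {
        if (-not $rule) { continue }
        $path = $rule.Conditions.FilePathCondition.Path
        if ($rule.Action -eq 'Allow' -and $rule.UserOrGroupSid -ne $adminsSid -and
            ($path -eq '*' -or $path -match '\\Users\\|\\Temp\\')) {   # assumed pattern
            $result.PermissiveAllowRules += "$($rule.Name): $path"
        }
    }

    # --- Simulated activity ---
    # Place a benign binary in the user-writable temp directory and ask AppLocker
    # what it would decide for Everyone. whoami.exe is Microsoft-signed, so under
    # publisher rules substitute an unsigned test binary; this probe exercises path
    # coverage. Policy evaluation only: nothing is executed.
    $probe = Join-Path $env:TEMP 'e8-applocker-probe.exe'   # assumed file name
    Copy-Item "$env:SystemRoot\System32\whoami.exe" $probe -Force
    try {
        $decision = Get-AppLockerPolicy -Effective |
            Test-AppLockerPolicy -Path $probe -User Everyone
        $result.TempProbeDecision = $decision.PolicyDecision
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

# Run against the whole population. Unreachable hosts are reported, not silently
# dropped, so the evidence states what fraction of the fleet it actually covers.
$evidence  = Invoke-Command -ComputerName $Hosts -ScriptBlock $Collector -ErrorAction SilentlyContinue
$reached   = @($evidence | ForEach-Object PSComputerName)
$unreached = @($Hosts | Where-Object { $_ -notin $reached })

$report = $evidence | Select-Object ComputerName, ExeRulesEnforced, TempProbeDecision,
    @{ n = 'PermissiveRules'; e = { $_.PermissiveAllowRules -join '; ' } },
    @{ n = 'MacroHives';      e = { "$($_.MacroHivesCompliant)/$($_.MacroHivesChecked) compliant" } }
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\e8-ac-macro-evidence.csv   # assumed path
"Coverage: $($reached.Count) of $($Hosts.Count) hosts; unreached: $($unreached -join ', ')"
```

Run it from an assessment workstation as an account with local admin on the targets. The coverage line and the per-host hive counts are the "limitations documented" part of the evidence grade. A host whose probe decision is Denied but whose ExeRulesEnforced is False is in audit mode only, which is the tool-report-equals-implementation trap this page describes, and it should be recorded as a gap, not a pass.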

04

User Application Hardening

Removes or restricts dangerous features in common applications — web browsers, PDF readers, Office — that are routinely exploited for initial access.
Common failure
Default browser and Office configurations accepted; Flash and Java web plugins still present; PowerShell execution unrestricted for standard users.

05

Restrict Admin Privileges

Limits who has privileged access to systems and data. Privileged accounts are the primary target once attackers have initial access; restricting them limits the blast radius.
Common failure
Excessive domain admin accounts, staff using privileged accounts for daily tasks. No privileged access workstations. Stale admin accounts never removed.

06

Patch Operating Systems

Keeps operating systems patched and removes unsupported legacy OS versions. Edge devices and legacy operating systems are among the most consistently exploited surfaces in 2026.
Common failure
Unsupported OS in production (Windows Server 2012, legacy workstations). Change freezes blocking critical patches. Edge devices forgotten in patch cycles.
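
The two patch controls get the same treatment, as an added example for this page (not ASD's or Inlight's tooling): rather than trusting the patch tool's dashboard, a collector asks each host for its own OS build, the date of its most recent servicing record and the installed versions of third-party applications, and flags unsupported operating systems. The host list and the minimum-version table are constructed placeholders to be replaced with the vendor advisories current in the assessment window; WinRM and local admin on the targets are assumed, as is the CSV file name.

```powershell
# Added example (not ASD's or Inlight's code). Assumes WinRM and local admin on
# every target. Host list and minimum versions are constructed placeholders.
$Hosts = @('WKS-001', 'WKS-002', 'SRV-FILE01')
$MinimumVersions = @{             # DisplayName regex -> minimum acceptable version
    '^Google Chrome$'  = '130.0.0.0'   # constructed; fill from vendor advisories
    '^Mozilla Firefox' = '130.0'       # constructed
    '^Adobe Acrobat'   = '24.2.0'      # constructed
}
# Captions for OS families that are out of vendor support. A host under an ESU
# contract goes in the exceptions register with compensating controls; it is
# not reclassified as supported.
$UnsupportedPattern = 'Server 2008|Server 2012|Windows 7|Windows 8'

$Collector = {
    param($minVersions, $unsupportedPattern)
    $os = Get-CimInstance Win32_OperatingSystem

    # Most recent OS update according to the host's own servicing records.
    # Limitation: Get-HotFix lists QFE entries only, so this is an independent
    # cross-check of the patch tool's report, not a replacement for it.
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
    $daysSinceFix = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }

    # Installed applications from both the 64-bit and 32-bit uninstall hives,
    # compared against the minimum versions. This catches the browsers and PDF
    # tools that the OS patch cycle never sees.
    $apps = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        ForEach-Object { Get-ItemProperty $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }
    $outdated = foreach ($pattern in $minVersions.Keys) {
        foreach ($app in ($apps | Where-Object { $_.DisplayName -match $pattern })) {
            $installed = $null
            if ([version]::TryParse($app.DisplayVersion, [ref]$installed) -and
                $installed -lt [version]$minVersions[$pattern]) {
                "$($app.DisplayName) $($app.DisplayVersion)"
            }
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSCaption      = $os.Caption
        OSUnsupported  = ($os.Caption -match $unsupportedPattern)
        DaysSinceOSFix = $daysSinceFix
        OutdatedApps   = (@($outdated) -join '; ')
    }
}

$evidence  = Invoke-Command -ComputerName $Hosts -ScriptBlock $Collector `
    -ArgumentList $MinimumVersions, $UnsupportedPattern -ErrorAction SilentlyContinue
$unreached = @($Hosts | Where-Object { $_ -notin @($evidence | ForEach-Object PSComputerName) })

$evidence | Select-Object ComputerName, OSCaption, OSUnsupported, DaysSinceOSFix, OutdatedApps |
    Format-Table -AutoSize
$evidence | Export-Csv -NoTypeInformation -Path .\e8-patch-evidence.csv   # assumed path
"Coverage: $($Hosts.Count - $unreached.Count) of $($Hosts.Count) hosts; unreached: $($unreached -join ', ')"
```

Compare the DaysSinceOSFix and OutdatedApps columns against what the patch management console claims for the same hosts; where the two disagree, the host's own records are the evidence and the console entry is the finding. Edge devices and appliances that do not speak WinRM are not covered by this collector and need their own evidence source, which should be stated in the limitations.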

07

Multi-Factor Authentication

The single highest-leverage control against credential compromise. AI-powered phishing is now 3× more effective — MFA quality and enforcement are the primary defence.
Common failure
SMS MFA accepted as sufficient at ML2. Insurers and ASD now expect phishing-resistant MFA (FIDO2, hardware keys). Admin accounts without MFA are a critical gap.

08

Regular Backups

Ensures recovery is possible after ransomware or destructive attack. The control that determines whether you can recover at all, and how long it takes.
Common failure
Backups never tested under real recovery conditions. Backup repositories accessible from the same accounts ransomware would compromise. Microsoft 365 data assumed protected.

Assessment deliverables

Six artefacts. Each one designed to be used.

The assessment produces artefacts built for the decisions that follow — board reporting, insurance renewal, procurement responses, remediation planning, and regulatory scrutiny. Not a thick PDF that gets filed.

How the assessment works

Fixed scope, fixed timeline, delivered by senior engineers.

The assessment follows ASD's four-stage process with engineering-led evidence collection throughout. You receive a fixed scope and timeline at the outset. No open-ended engagements, no surprises. Senior engineers conduct the assessment, not analysts running tools and handing off to a report writer.

Common questions

Frequently asked about the Essential Eight Assessment

Q

What is an Essential Eight maturity assessment?

An Essential Eight maturity assessment evaluates your organisation's implementation of the eight ASD-recommended controls using scripts, tools and configuration verification — not just interviews and screenshots. It determines your current maturity level per control, identifies gaps, and produces a risk-prioritised remediation roadmap. ASD is explicit: evidence-based validation is always superior to self-attestation.

Q

What maturity level should we target?

For most mid-market Australian organisations, Maturity Level 2 is the practical 2026 target. ML2 is now mandatory for government supply chain (PSPF) and DISP members, and reflects how real attacks occur — phishing, credential compromise, targeted exploitation. Most cyber insurers also expect controls consistent with ML2 for reasonable premium treatment.

Q

How long does the assessment take?

A thorough evidence-based assessment for a mid-market organisation typically takes two to four weeks from scoping to final report — including technical evidence collection across endpoints, servers, identity platforms and key SaaS tenants, gap analysis, and report production. We provide a fixed scope and timeline at the outset, not an open-ended engagement.

Q

What happens after the assessment?

The remediation roadmap is designed for execution — a prioritised backlog with quick wins, platform changes, effort bands and the decisions required from leadership. Most clients move directly into a managed remediation programme, with Inlight engineers owning implementation against the agreed roadmap. The assessment also establishes the baseline for ongoing Essential Eight monitoring.

Book the assessment

Know exactly where you stand, before someone else finds out first.

Regulators, insurers and procurement teams are increasingly asking for evidence of Essential Eight compliance, not self-declared statements. A structured assessment gives you a defensible picture of your current posture, the priority gaps, and a roadmap you can execute. Fixed scope. Fixed timeline. Senior engineers, not analysts.

Essential Eight Maturity Assessment

  • Evidence-based technical validation across all eight ASD controls
  • Maturity scorecard with evidence grade per control, not self-declared
  • Board executive summary, suitable for governance reporting and insurance renewal
  • Risk-prioritised remediation roadmap sequenced for delivery
  • Exceptions register with compensating controls formally documented
  • Cyber insurance evidence package structured for underwriting
Request an Essential Eight Assessment
Fixed scope · Fixed timeline · Senior engineers · Not a checklist audit
  • ASD-aligned evidence hierarchy — scripts and tools, not screenshots
  • PSPF and DISP ML2 readiness, government supply chain eligibility
  • Output defensible under regulatory, insurance and procurement scrutiny
  • Continuous monitoring programme available post-assessment

Contact us

Let's connect and make IT happen

Ready to talk through your IT environment? Reach out — we'd love to help.

Schedule a Free Consultation

Have a quick tech question or just want to see if we’re the right fit? Book a free 30-minute chat with our team. No pressure, no sales pitch. Just real answers from real people who know IT inside-out.