Essential Eight Changes July 2021

November 12, 2022

Changes to the Essential Eight

Throughout 2020, the ACSC undertook an extensive review of the Essential Eight Maturity Model to ensure that it continues to be relevant in our current cyber threat environments.

This review was based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing, and assisting organisations to implement the Essential Eight. As part of this review, they sought feedback from across Federal and State/Territory governments and other ACSC network partners.

Key changes introduced in July 2021

The reintroduction of Maturity Level Zero.

The redefinition of existing maturity levels based on degrees of adversary tradecraft sophistication and targeting rather than degrees of alignment with the corresponding mitigation strategy.

No longer expecting all organisations to meet Maturity Level Three. Rather, encouraging organisations to assess their threat environment and select the appropriate maturity level.

A strengthened focus on using a risk-based approach rather than a compliance-based approach, as ASD recognise many organisations have legacy systems, carry technical debt or have systems that aren’t based upon secure-by-design principles which inhibits full implementation of our advice.

An increased emphasis on implementing the mitigation strategies as a package due to their complementary nature and focus on various cyber threats. For example, by implementing all Essential Eight mitigation strategies to Maturity Level One before moving onto Maturity Level Two.

Ensuring all technical guidance for each maturity level was robustly contested and guided by lessons learnt from 2019 Essential Eight sprints for Federal Government and major cyber security incidents (such as Copy-Paste Compromises) that the ACSC responded to throughout 2020.

Volume of Controls increased but more specific

Contrary to its title the Essential Eight has more than eight controls defined within its framework. Essential Eight refers to “Mitigation Strategies”.  Each mitigation strategy has one or more controls.

The table below shows the volume of controls required to achieve the old Essential Eight Mitigation Strategy Maturity Levels vs. the revised Essential Eight Mitigation Strategy Maturity Levels.

Volume of controls required to achieve the old Essential Eight Mitigation Strategy Maturity Levels vs. the revised Essential Eight Mitigation Strategy Maturity Levels.

What are the Maturity Levels?

Maturity Level Zero

This maturity level signifies that there are weaknesses in an organisation’s overall cyber security posture. You achieve this level if you don’t implement all the controls in Maturity Level 1. When exploited, weaknesses in your systems could compromise the confidentiality, integrity or availability of information assets or systems.

Controls: Anything less than all of the controls listed under Maturity Level 1.

Suits: Business managing photos of cats or other data assets that do not need to be protected.

What does this level defend against?
Maybe some kids, maybe not?

Maturity Level One

The focus of this maturity level is to out in place the key controls to combat against adversaries who are looking for any victim rather than a specific victim.

Controls: Read full list of Controls

Suits: ASD state that generally, Maturity Level One may be suitable for small to medium enterprises.

What does this level defend against?

Threat actors who can leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, systems. For example, exploiting a security vulnerability in an internet-facing service which has not been patched, or authenticating to an internet-facing service using credentials that were stolen or guessed.

Maturity Level Two

The focus of this maturity level is enhance controls for companies who have valuable enough data or market presences that makes investment by threat actors in developing tools and deploying more advanced techniques worthwhile.

Controls: Read full list of Controls

Suits: ASD state that generally, Maturity Level Two may be suitable for large enterprises.

What does this level defend against?

Threat actors who are willing to invest more time and money breaching your companies security controls. This includes actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication. They may target your privileged access users or depending on their intent, also destroy all data (including backups) accessible to an account with special privileges.

Maturity Level Three

The focus of this maturity level is enhance controls for companies who have valuable enough data or market presence where threat actors are a significant concern and are likely to be deploying adaptive techniques.

Controls: Read full list of Controls

Suits: ASD state that generally, Maturity Level Three may be suitable for critical infrastructure providers and other organisations that operate in high threat environments.

What does this level defend against?

Threat actors who may be looking to exploit weaknesses in the existence of older software or inadequate logging and monitoring. These adversaries will likely focus on particular targets, invest in circumventing the particular policy and technical security controls you may have in place and look to evade detection and solidify their presence in your systems for a period of time to achieve their goals.  Once a foothold is gained in your system, they may seek to gain privileged credentials or password hashes, move on to other parts of your network, and cover their tracks. Depending on their intent, adversaries may also destroy all data (including backups).

Secure your business.

"assurance"

confidence or certainty in one's own abilities.

“The business has given us assurance that they have security in place to protect our information”

Our Difference

Established and lead by industry experts.

At the helm of our privately owned, global RegTech firm are industry experts who understand that security controls should never get in the way of business growth. We empower companies large and small to remain resilient against potential threats with easily accessible software solutions for implementing information security governance, risk or compliance measures.

We support businesses every step of the way.

We don't just throw a bunch of standards at you and let you try and figure it out! We have designed a thoughtful way of supporting all businesses consider, articulate and develop security controls that suit the needs of the organisation and provide clever reporting capability to allow insights and outcomes from security assessments to be leveraged by the business and shared with third parties.

Our customers are the heart of our company.

Our platform places customers at the heart of our design process, while providing access to expert knowledge. With simple navigation and tangible results, we guarantee that all data is securely encrypted at-rest and in transit with no exceptions – meeting international standards with annual security penetration testing and ISO 27001 Certification.