The Australian Government's Australian Cyber Security Centre (ACSC) has compiled the Essential Eight mitigation strategies as a starting point for improving cybersecurity.
The Essential Eight are split into three categories:
- Preventing malware delivery and execution
- Limiting the extent of cyber security incidents
- Recovering data and system availability.
This week's blog discusses the Maturity Model of the Essential Eight. The Maturity Model addresses how organisations that have implemented their chosen mitigation strategies to an initial level can raise the maturity of that implementation, with the aim of eventually reaching full alignment with the intent of each mitigation strategy.
Maturity Levels
The ACSC has defined three maturity levels for each of the Essential Eight. These categorisations are designed to help organisations assess the maturity of their Essential Eight implementation, mitigation strategy by mitigation strategy.
The maturity levels are:
- Maturity Level One: Partly aligned with the intent of mitigation strategy
- Maturity Level Two: Mostly aligned with the intent of mitigation strategy
- Maturity Level Three: Fully aligned with the intent of mitigation strategy.
You can review the Maturity Model here:
Essential Eight Maturity Model (July 2019)
What Maturity Level does my Organisation Need?
Naturally enough, the ACSC recommends that, as a baseline, an organisation aims to reach Maturity Level Three for each of the Essential Eight.
Let's look at this from a slightly higher, 'helicopter' perspective. As we've noted previously, cybersecurity (or security governance) is a subpart of information governance. In turn, information governance is a subpart of corporate governance.
"There is a strong correlation between the maturity curve of IT governance and overall effectiveness of IT. You need to assess where your organisation sits on the maturity curve in terms of capability: initial/ad hoc, repeatable, defined, managed or optimised."
But the Maturity Level you need does not necessarily reflect your organisation's IT capability. There are external factors in play, be they legislative, regulatory or your organisation's existing frameworks, i.e. doing what your organisation has committed itself to doing. At a commercial level, the cost and coverage of cybersecurity insurance may also be severely affected by those requirements.