ACSC Essential Eight

Australia

8 domains

24 controls

Australian Cyber Security Centre Essential Eight Maturity Model: eight prioritised mitigation strategies with three maturity levels.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (8)

Application Control

3 controls

Controls in the Application Control domain of ACSC Essential Eight — 3 controls
Code	Title	Description
E8-APP-ML1	Application Control (ML1)	Application control is implemented on workstations. Application control is applied to user profiles and temporary folder...
E8-APP-ML2	Application Control (ML2)	All ML1 requirements plus: Application control is implemented on internet-facing servers. Application control is applied...
E8-APP-ML3	Application Control (ML3)	All ML2 requirements plus: Application control is implemented on non-internet-facing servers. Application control restri...

Configure Microsoft Office Macro Settings

3 controls

Controls in the Configure Microsoft Office Macro Settings domain of ACSC Essential Eight — 3 controls
Code	Title	Description
E8-MACRO-ML1	Configure Microsoft Office Macro Settings (ML1)	Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. Microsoft Office ma...
E8-MACRO-ML2	Configure Microsoft Office Macro Settings (ML2)	All ML1 requirements plus: Microsoft Office macros are blocked from making Win32 API calls.
E8-MACRO-ML3	Configure Microsoft Office Macro Settings (ML3)	All ML2 requirements plus: Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location...

Multi-factor Authentication

3 controls

Controls in the Multi-factor Authentication domain of ACSC Essential Eight — 3 controls
Code	Title	Description
E8-MFA-ML1	Multi-Factor Authentication - Maturity Level 1	MFA on internet-facing services, third-party services that process org data, and customer-facing services.
E8-MFA-ML2	Multi-Factor Authentication - Maturity Level 2	MFA on privileged users and important data repositories; phishing-resistant where possible.
E8-MFA-ML3	Multi-Factor Authentication - Maturity Level 3	Phishing-resistant MFA for all users; verifier impersonation resistant; central authentication event logs.

Patch Applications

3 controls

Controls in the Patch Applications domain of ACSC Essential Eight — 3 controls
Code	Title	Description
E8-PATCHAPP-ML1	Patch Applications (ML1)	An automated method of asset discovery is used at least fortnightly to support detection of assets for subsequent vulner...
E8-PATCHAPP-ML2	Patch Applications (ML2)	All ML1 requirements plus: A vulnerability scanner is used at least fortnightly to identify missing patches in applicati...
E8-PATCHAPP-ML3	Patch Applications (ML3)	All ML2 requirements plus: Patches or vendor mitigations for office productivity suites, web browsers and their extensio...

Patch Operating Systems

3 controls

Controls in the Patch Operating Systems domain of ACSC Essential Eight — 3 controls
Code	Title	Description
E8-PATCHOS-ML1	Patch Operating Systems (ML1)	An automated method of asset discovery is used at least fortnightly. A vulnerability scanner with an up-to-date vulnerab...
E8-PATCHOS-ML2	Patch Operating Systems (ML2)	The same set of requirements as ML1, applied consistently across the in-scope estate. ACSC defines ML2 for Patch Operati...
E8-PATCHOS-ML3	Patch Operating Systems (ML3)	All ML2 requirements plus: A vulnerability scanner is used at least fortnightly to identify missing patches in drivers a...

Regular Backups

3 controls

Controls in the Regular Backups domain of ACSC Essential Eight — 3 controls
Code	Title	Description
E8-BACKUP-ML1	Regular Backups (ML1)	Backups of data, applications and settings are performed and retained in accordance with business criticality and busine...
E8-BACKUP-ML2	Regular Backups (ML2)	All ML1 requirements plus: Privileged user accounts (excluding backup administrator accounts) cannot access backups belo...
E8-BACKUP-ML3	Regular Backups (ML3)	All ML2 requirements plus: Unprivileged user accounts cannot access their own backups. Privileged user accounts (excludi...

Restrict Administrative Privileges

3 controls

Controls in the Restrict Administrative Privileges domain of ACSC Essential Eight — 3 controls
Code	Title	Description
E8-ADMIN-ML1	Restrict Administrative Privileges (ML1)	Requests for privileged access to systems, applications and data repositories are validated when first requested. Privil...
E8-ADMIN-ML2	Restrict Administrative Privileges (ML2)	All ML1 requirements plus: Privileged access to systems, applications and data repositories is disabled after 12 months...
E8-ADMIN-ML3	Restrict Administrative Privileges (ML3)	All ML2 requirements plus: Privileged access to systems, applications and data repositories is limited to only what is r...

User Application Hardening

3 controls

Controls in the User Application Hardening domain of ACSC Essential Eight — 3 controls
Code	Title	Description
E8-UAH-ML1	User Application Hardening - Maturity Level 1	Web browsers do not process Java or web ads from Internet; IE11 disabled or removed; users cannot change settings.
E8-UAH-ML2	User Application Hardening - Maturity Level 2	Browsers, Office, PDF readers hardened per ASD guides; logged; users cannot disable.
E8-UAH-ML3	User Application Hardening - Maturity Level 3	Add PowerShell logging (module, script block, transcription), .NET Framework 3.5 disabled; logs centrally collected.

Your Compliance Coverage

If you comply with ACSC Essential Eight, you already cover:

ASD Strategies to Mitigate Cyber Security Incidents

100%

24 controls mapped

Compare →

NIST SP 800-53 Rev 5

100%

24 controls mapped

Compare →

Australian Information Security Manual

63%

15 controls mapped

Compare →

+ 11 more: NIST SP 800-171 (63%), ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence (38%)

See all 14 mapped frameworks ↓

Maps to 14 other frameworks

24 total controls

ASD Strategies to Mitigate Cyber Security Incidents

24 source controls mapped|8 target controls covered

100%

NIST SP 800-53 Rev 5

24 source controls mapped|8 target controls covered

100%

Australian Information Security Manual

15 source controls mapped|57 target controls covered

63%

NIST SP 800-171

15 source controls mapped|4 target controls covered

63%

ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence

9 source controls mapped|2 target controls covered

38%

SWIFT CSCF

9 source controls mapped|3 target controls covered

38%

Defence Industry Security Program (DISP)

8 source controls mapped|1 target controls covered

33%

ASIC Cyber Resilience Good Practices

8 source controls mapped|1 target controls covered

33%

Critical Infrastructure Risk Management Program (CIRMP) Rules 2023

7 source controls mapped|1 target controls covered

29%

Australia Consumer Data Right - Banking (CDR)

5 source controls mapped|3 target controls covered

21%

SQF Code Edition 9 - Safe Quality Food

3 source controls mapped|1 target controls covered

13%

ISO 19011

3 source controls mapped|1 target controls covered

13%

Australian Energy Sector Cyber Security Framework (AESCSF)

3 source controls mapped|2 target controls covered

13%

BRCGS Global Standard for Food Safety Issue 9

3 source controls mapped|1 target controls covered

13%

Compare ACSC Essential Eight with ASD Strategies to Mitigate Cyber Security Incidents

Frequently Asked Questions

What is ACSC Essential Eight?

ACSC Essential Eight is a compliance framework from Australia with 8 domains and 24 controls. Australian Cyber Security Centre Essential Eight Maturity Model: eight prioritised mitigation strategies with three maturity levels. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does ACSC Essential Eight have?

ACSC Essential Eight has 24 controls organised across 8 domains. The largest domains are Application Control (3 controls), Configure Microsoft Office Macro Settings (3 controls), Multi-factor Authentication (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does ACSC Essential Eight map to?

ACSC Essential Eight maps to 14 other compliance frameworks. The top mapping partners are ASD Strategies to Mitigate Cyber Security Incidents (100% coverage), NIST SP 800-53 Rev 5 (100% coverage), Australian Information Security Manual (63% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with ACSC Essential Eight compliance?

Start your ACSC Essential Eight compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ACSC Essential Eight requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 24 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required