The Essential Eight Is Evolving: What ASD's New 'Essentials' Series Means for Australian Business
The Essential Eight has been the baseline of Australian cyber security advice since 2017. Now the Australian Signals Directorate (ASD) is consulting on its biggest change yet — and if your organisation works with government, or just uses the Essential Eight as its security yardstick, it's worth understanding where this is heading.
What's happening
ASD has opened a consultation on the evolution of the Essential Eight. The proposal: expand the current eight mitigation strategies into a broader "Essentials" series, starting with "Essentials for enterprise IT".
The headline ideas in the consultation are:
- More flexibility in how organisations implement cyber security, while still giving a clear path to strong cyber resilience.
- Grounded in the Information Security Manual (ISM) — prioritised, threat‑informed mitigations for contemporary technology environments (cloud, SaaS and identity, not just the on‑prem world the original eight were written for).
- Practical tools and clearer implementation guidance to go with it.
The consultation is open until 12 July 2026 via ASD's Cyber Security Partnership Program. Nothing has changed yet — this is a proposal, and the current framework still stands.
A quick recap: the Essential Eight today
Until the new guidance is finalised, the Essential Eight and its Maturity Model remain the standard. The eight strategies are:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
Maturity is measured across four levels (Maturity Level Zero through Three). For most organisations the practical target is Maturity Level One or Two. (For the detail, ASD's "Essential Eight explained" is the authoritative reference.)
What it means for your organisation
The most important thing to understand: the underlying work doesn't change. Whether the framework is called the Essential Eight or the Essentials series, the controls that actually reduce your risk — patching, multi-factor authentication, restricting admin rights, application control, tested backups and server hardening — are the same. An organisation that has done that work is in a strong position regardless of how the model is repackaged.
What the evolution adds is flexibility and modern relevance. The original eight were written for a Windows-and-on-prem world. An ISM-grounded Essentials series is better suited to the cloud, SaaS and identity-driven environments most Australian businesses actually run today.
So the sensible response is not to wait for the consultation to close — it's to:
- Know where you stand now. A maturity assessment against the current Essential Eight tells you your real position and the gaps.
- Do the foundational work. Patching, MFA, admin restriction, application control and backups carry forward into whatever the Essentials series becomes.
- Stay ISM-aware. Because the new guidance is grounded in the ISM, aligning to ISM controls now is a safe bet.
How Nano Solutions helps
We're a Fremantle-based custom software and cyber team, and a WA Government CUAICTS2021 panel supplier (Contractor #225) — so we work with the exact organisations these obligations apply to, including government agencies. We don't just write you a report; we do the remediation.
- Essential Eight compliance & assessment: maturity assessment, gap analysis, remediation planning and uplift to Maturity Level 2 readiness.
- Cloud security architecture: IAM, network segmentation, encryption and monitoring across AWS, Azure and hybrid environments.
- Secure code review: OWASP Top 10 and ASVS assessment of your application source code.
- Cloud maintenance & monitoring: 24/7 patching, monitoring and incident response — backed by automation tools like Ansible to keep systems hardened and compliant.
The point is simple: we advise, build, and run it. The same team that assesses your maturity does the patching, MFA rollout, hardening and backup work to close the gaps.
What happens next
We'll be watching the consultation closely and will update our guidance once ASD finalises the Essentials series. If the evolution of the Essential Eight has prompted you to reassess your security posture — or you simply want to know your current maturity level — get in touch for a scoping conversation. The work you do now counts no matter what the framework ends up being called.
Sources: Consultation on evolution of Essential Eight, Essential Eight maturity model — Australian Signals Directorate, cyber.gov.au.
Petr Cervenka
Petr is the founder and lead developer at Nano Solutions, a Perth-based custom software firm. With over a decade of experience building enterprise platforms for government and private sector clients, he leads delivery of complex projects across Australia.