Nano Solutions

Essential Eight Compliance & Maturity Assessment

1

Discover

Map goals, users, constraints, existing systems, and the business case before scope locks in.

2

Design

Shape the architecture, delivery plan, risk register, and success measures around your operating reality.

3

Build

Ship focused increments with working demos, testing, accessibility checks, and security review.

4

Support

Monitor, maintain, document, and improve the platform so your team can rely on it long term.

Nano Solutions assesses your Essential Eight maturity across all eight mitigation strategies, shows you exactly where you stand, builds a costed roadmap to your target level, and does the remediation — patching, application control, multi-factor authentication, hardening and backups. Established 2013, WA Government CUAICTS2021 panel supplier (Contractor #225). Assessment to compliant, with one team.

The ACSC Essential Eight is the baseline for Australian government and a fast-becoming standard for everyone who works with them. We don't just hand you a report — the same team that scores your maturity does the uplift work to close the gaps.

Who it's for

Essential Eight compliance matters most to:

  • Government suppliers — organisations bidding for or holding WA and federal government contracts where an Essential Eight baseline is expected.
  • WA mining & resources — operators and service providers protecting operational technology and corporate systems.
  • Community-services organisations handling sensitive personal data.
  • Any business that needs to prove its security baseline to win or keep contracts.

What is the Essential Eight?

The Essential Eight is a set of eight baseline cyber security mitigation strategies defined by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre. It is the most widely adopted security baseline in Australia: mandatory for non-corporate Commonwealth entities and, increasingly, an expectation placed on their suppliers. The eight strategies group into three objectives — prevent malware delivery and execution, limit the extent of cyber security incidents, and recover data and system availability. We assess your current maturity level (0–3) for each strategy against the level you need.

1. Application control

Application control prevents unapproved executables, software libraries, scripts, installers and other code from running on workstations and servers. By allowing only approved applications to execute, it stops most malware before it can start — including ransomware delivered by email or a compromised website. Stronger maturity levels extend control to scripts and drivers and validate the ruleset against the latest ASD-published malicious executables.

2. Patch applications

Patching applications closes known, exploited vulnerabilities in internet-facing services and everyday productivity software (browsers, email clients, PDF readers, Office). The Essential Eight sets timeframes — critical vulnerabilities in internet-facing software patched within 48 hours at higher maturity — and requires removing software that is no longer supported by its vendor. Unpatched applications are one of the most common initial-access routes for attackers.

3. Configure Microsoft Office macro settings

Microsoft Office macros are a long-standing malware delivery mechanism. This strategy blocks macros from the internet, allows them only for users with a demonstrated business need, and — at higher maturity — only permits macros that are digitally signed by a trusted publisher, with macro execution events logged and monitored.

4. User application hardening

User application hardening disables or restricts the risky features attackers exploit: blocking web browsers from processing Java and web advertisements from the internet, disabling unneeded features in Office, PDF readers and browsers, and removing Internet Explorer 11. It shrinks the attack surface exposed by the software users run every day.

5. Restrict administrative privileges

Administrative accounts are the keys to the kingdom, so the Essential Eight restricts them to the minimum required, validates requests on first use and re-validates them periodically. Privileged accounts are prevented from accessing the internet, email and web services, and privileged activity is logged. This limits how far an attacker can move once they gain a foothold.

6. Patch operating systems

Operating systems on workstations, servers and network devices are kept current, with critical vulnerabilities in internet-facing systems patched quickly and unsupported operating systems removed from production. Like application patching, it closes a primary route attackers use to gain and escalate access.

7. Multi-factor authentication

Multi-factor authentication (MFA) requires more than just a password, defeating the credential theft and password-spray attacks behind a large share of breaches. The Essential Eight applies MFA to remote access, to users of internet-facing and important data systems, and — at higher maturity — to all users, using phishing-resistant methods.

8. Regular backups

Regular backups of important data, software and configuration are performed and retained in line with business continuity requirements, kept synchronised, and — critically — protected so that an attacker who compromises an account cannot delete or modify them. Restoration is tested so that recovery actually works when ransomware or a major incident strikes. This is the strategy that lets an organisation recover.

Essential Eight maturity levels

The ACSC defines four maturity levels (Zero through Three), each aligned to a level of adversary sophistication, called tradecraft. You are measured per strategy — you can hold different maturity levels for different strategies. For most organisations the practical target is Maturity Level One or Two.

Maturity level Adversary it mitigates Typical target
Level Zero Weaknesses in the organisation's overall security posture; the baseline before controls are effectively in place. Not a target — the starting point most assessments uncover.
Level One Opportunistic attackers using publicly available exploits and commodity tooling against any vulnerable target. Lower-criticality workloads and small organisations.
Level Two Attackers willing to invest more time and effort, with modest custom tooling and limited social engineering. Non-classified government workloads and most enterprise targets — the common contractual baseline.
Level Three Well-resourced, adaptive attackers exploiting novel weaknesses and focused on evading detection and maintaining persistence. Sensitive government workloads and critical infrastructure.

You can target a different maturity level per strategy — we help you set the right target based on your risk and obligations, then build a remediation roadmap with effort and risk reduction quantified. For the authoritative detail, see the ACSC's Maturity Model and Essential Eight explained.

Is the Essential Eight mandatory for my organisation?

It depends on who you are and who you work with:

  • Non-corporate Commonwealth entities are directed to implement the Essential Eight — for them it is mandatory.
  • WA Government agencies and their suppliers are increasingly required to demonstrate a defined maturity level, often Maturity Level Two, as a condition of contracts under arrangements such as the CUAICTS2021 ICT panel.
  • Mining, resources and critical-infrastructure operators may fall under the Security of Critical Infrastructure (SOCI) Act, where the Essential Eight is a practical way to meet risk-management obligations.
  • Everyone else — the Essential Eight is not law for private business generally, but it is the clearest, cheapest way to prove a security baseline to insurers, partners and prospects, and to reduce the risk that ends most small-business breaches.

If you are unsure which applies, that is exactly what the assessment answers: where you stand today, what level you actually need, and how to get there. Read our explainer on where the framework is heading for the wider context.

How we work

  1. Assessment (1–2 weeks, fixed) — evidence review and interviews produce a maturity scorecard across all eight strategies, plus a target-level gap analysis.
  2. Roadmap — a prioritised, costed uplift plan to your target maturity level, sequenced by risk reduction.
  3. Uplift (we do it) — patching, MFA rollout, application control, server hardening and a tested backup regime. We use automation tools like Ansible to keep systems hardened and consistent.
  4. Annual re-assessment retainer — maturity drifts as systems and people change; we keep you compliant and re-score on a cadence.

Where the Essential Eight is heading

ASD has opened a consultation on the evolution of the Essential Eight — a broader, ISM-based "Essentials" series ("Essentials for enterprise IT"), designed to be more flexible and threat-informed for cloud, SaaS and identity-driven environments. The consultation is open until 12 July 2026.

Nothing has changed yet, and the current Essential Eight and its Maturity Model still apply. The important point: the foundational controls — patching, MFA, admin restriction, application control and tested backups — carry forward regardless of what the framework is renamed. We track the consultation and align your roadmap as the new guidance is finalised.

Why Nano Solutions

We're a Fremantle-based custom software and cyber team — a WA Government CUAICTS2021 panel supplier (Contractor #225) — so we work with the exact organisations these obligations apply to, including government agencies. With 13 years running secure production systems for government and enterprise, Linux and server hardening is home turf. Critically, we advise, build, and run it: assessment, remediation and ongoing maintenance from one accountable team.

A note on scope

We provide Essential Eight assessment, roadmap and remediation services. Maturity ratings reflect the evidence reviewed at the time of assessment; maintaining a maturity level depends on your ongoing operations, which is what the re-assessment retainer is for.

Typical investment

  • Essential Eight assessment: from $4,500 fixed — current-vs-target maturity scorecard across all eight strategies with a prioritised uplift plan.
  • Uplift / remediation: scoped from the roadmap, based on the gaps found and your target maturity level.
  • Annual re-assessment retainer: from ~$2,000/month — keeps your maturity from drifting and re-scores on a cadence.

Every engagement begins with a free 30-minute scoping call. Book an Essential Eight assessment and we'll tell you exactly where you stand — then close the gap.

Frequently Asked Questions

What is the Essential Eight?

The Essential Eight is the Australian Cyber Security Centre's set of eight baseline mitigation strategies that protect organisations against the most common cyber threats. The eight are: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Maturity is measured across four levels (Maturity Level Zero through Three).

Who needs to comply with the Essential Eight?

Australian Government entities are directed to implement the Essential Eight, and — increasingly — so are their suppliers and any organisation that needs a defensible security baseline to win or keep contracts. For many WA Government and mining/resources contracts, achieving Maturity Level Two is becoming a practical requirement.

What maturity level do we need?

It depends on your risk profile and contractual obligations. Most organisations start by targeting Maturity Level One or Two; sensitive government and critical-infrastructure workloads target Level Three. We help you set the right target per strategy (they need not all be the same) and build the roadmap to reach it.

Can you remediate, not just assess?

Yes. We are a custom software and cyber team, not report-writers — the same team that scores your maturity does the patching, MFA rollout, application control, server hardening and backup work to close the gaps. Assessment to compliant, with one team.

How long does an Essential Eight assessment take?

Typically one to two weeks for the assessment and maturity scorecard across all eight strategies, including evidence review and interviews. Remediation timeframes depend on the gaps found and your target maturity level, and are costed in the roadmap.

Is the Essential Eight changing?

ASD is consulting on its evolution — a broader, ISM-based "Essentials" series for contemporary IT (consultation open until 12 July 2026). The current Essential Eight and its Maturity Model (levels 0–3) still apply today. We track the changes and align your roadmap as the new guidance is finalised — the foundational controls carry forward regardless of what the framework is called.

Have a question that's not listed here? We're happy to help.

Ask Us Anything

Further Reading

"Working with Nano Solutions was a game-changer for our digital transformation journey. They understood our needs and delivered solutions that truly made a difference."

— Sarah Mitchell, CEO, Xcepcion

Last reviewed: July 2026

Ready to Get Started?

Book a free discovery call to discuss your project. No obligation, no jargon — just a conversation about what you need.