Essential Eight Compliance & Maturity Assessment
Nano Solutions assesses your Essential Eight maturity across all eight mitigation strategies, shows you exactly where you stand, builds a costed roadmap to your target level, and does the remediation — patching, application control, multi-factor authentication, hardening and backups. Established 2013, WA Government CUAICTS2021 panel supplier (Contractor #225). Assessment to compliant, with one team.
The ACSC Essential Eight is the baseline for Australian government and a fast-becoming standard for everyone who works with them. We don't just hand you a report — the same team that scores your maturity does the uplift work to close the gaps.
Who it's for
Essential Eight compliance matters most to:
- Government suppliers — organisations bidding for or holding WA and federal government contracts where an Essential Eight baseline is expected.
- WA mining & resources — operators and service providers protecting operational technology and corporate systems.
- Community-services organisations handling sensitive personal data.
- Any business that needs to prove its security baseline to win or keep contracts.
What the Essential Eight assesses
The Essential Eight is a set of eight baseline mitigation strategies defined by the Australian Signals Directorate. We assess your current maturity level (0–3) for each, against your target:
- Application control — preventing unapproved executables, scripts and installers from running.
- Patch applications — closing known vulnerabilities in internet-facing and productivity software promptly.
- Configure Microsoft Office macro settings — blocking macros from the internet and untrusted sources.
- User application hardening — disabling risky features in browsers, PDF readers and Office.
- Restrict administrative privileges — least-privilege access and controlled, audited admin accounts.
- Patch operating systems — keeping servers and workstations current and unsupported systems out of production.
- Multi-factor authentication — MFA across remote access, privileged accounts and sensitive data systems.
- Regular backups — tested, isolated backups that support recovery within business requirements.
Essential Eight maturity levels
The ACSC defines four maturity levels (Zero through Three), increasing with adversary sophistication. For most organisations the practical target is Maturity Level One or Two:
- Maturity Level One — mitigates opportunistic attackers using publicly available exploits and commodity tooling. Suitable for lower-criticality workloads.
- Maturity Level Two — mitigates attackers willing to invest more time and effort, including custom tooling and limited social engineering. The typical baseline for non-classified government workloads and most enterprise targets.
- Maturity Level Three — mitigates well-resourced, adaptive attackers with novel exploits and persistence. Required for sensitive government workloads and critical infrastructure.
You can target a different maturity level per strategy — we help you set the right target based on your risk and obligations, then build a remediation roadmap with effort and risk reduction quantified. For the authoritative detail, see the ACSC's Maturity Model and Essential Eight explained.
How we work
- Assessment (1–2 weeks, fixed) — evidence review and interviews produce a maturity scorecard across all eight strategies, plus a target-level gap analysis.
- Roadmap — a prioritised, costed uplift plan to your target maturity level, sequenced by risk reduction.
- Uplift (we do it) — patching, MFA rollout, application control, server hardening and a tested backup regime. We use automation tools like Ansible to keep systems hardened and consistent.
- Annual re-assessment retainer — maturity drifts as systems and people change; we keep you compliant and re-score on a cadence.
Where the Essential Eight is heading
ASD has opened a consultation on the evolution of the Essential Eight — a broader, ISM-based "Essentials" series ("Essentials for enterprise IT"), designed to be more flexible and threat-informed for cloud, SaaS and identity-driven environments. The consultation is open until 12 July 2026.
Nothing has changed yet, and the current Essential Eight and its Maturity Model still apply. The important point: the foundational controls — patching, MFA, admin restriction, application control and tested backups — carry forward regardless of what the framework is renamed. We track the consultation and align your roadmap as the new guidance is finalised.
Why Nano Solutions
We're a Fremantle-based custom software and cyber team — a WA Government CUAICTS2021 panel supplier (Contractor #225) — so we work with the exact organisations these obligations apply to, including government agencies. With 13 years running secure production systems for government and enterprise, Linux and server hardening is home turf. Critically, we advise, build, and run it: assessment, remediation and ongoing maintenance from one accountable team.
A note on scope
We provide Essential Eight assessment, roadmap and remediation services. Maturity ratings reflect the evidence reviewed at the time of assessment; maintaining a maturity level depends on your ongoing operations, which is what the re-assessment retainer is for.
Typical investment
- Essential Eight assessment: from $4,500 fixed — current-vs-target maturity scorecard across all eight strategies with a prioritised uplift plan.
- Uplift / remediation: scoped from the roadmap, based on the gaps found and your target maturity level.
- Annual re-assessment retainer: from ~$2,000/month — keeps your maturity from drifting and re-scores on a cadence.
Every engagement begins with a free 30-minute scoping call. Book an Essential Eight assessment and we'll tell you exactly where you stand — then close the gap.
Frequently Asked Questions
What is the Essential Eight?
The Essential Eight is the Australian Cyber Security Centre's set of eight baseline mitigation strategies that protect organisations against the most common cyber threats. The eight are: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Maturity is measured across four levels (Maturity Level Zero through Three).
Who needs to comply with the Essential Eight?
Australian Government entities are directed to implement the Essential Eight, and — increasingly — so are their suppliers and any organisation that needs a defensible security baseline to win or keep contracts. For many WA Government and mining/resources contracts, achieving Maturity Level Two is becoming a practical requirement.
What maturity level do we need?
It depends on your risk profile and contractual obligations. Most organisations start by targeting Maturity Level One or Two; sensitive government and critical-infrastructure workloads target Level Three. We help you set the right target per strategy (they need not all be the same) and build the roadmap to reach it.
Can you remediate, not just assess?
Yes. We are a custom software and cyber team, not report-writers — the same team that scores your maturity does the patching, MFA rollout, application control, server hardening and backup work to close the gaps. Assessment to compliant, with one team.
How long does an Essential Eight assessment take?
Typically one to two weeks for the assessment and maturity scorecard across all eight strategies, including evidence review and interviews. Remediation timeframes depend on the gaps found and your target maturity level, and are costed in the roadmap.
Is the Essential Eight changing?
ASD is consulting on its evolution — a broader, ISM-based "Essentials" series for contemporary IT (consultation open until 12 July 2026). The current Essential Eight and its Maturity Model (levels 0–3) still apply today. We track the changes and align your roadmap as the new guidance is finalised — the foundational controls carry forward regardless of what the framework is called.
Further Reading
- The Essential Eight is evolving: what ASD's new "Essentials" series means — what's proposed, what it means for Australian business, and what to do before it changes.
- Cybersecurity in Australia: key insights from FY2023-24 — the ASD threat report, an Essential Eight checklist, and critical-infrastructure protection.
- Secure code review — OWASP Top 10 and ASVS assessment of your application source code.
- Cloud maintenance & monitoring — 24/7 patching, monitoring and incident response to keep systems hardened and compliant.
"Working with Nano Solutions was a game-changer for our digital transformation journey. They understood our needs and delivered solutions that truly made a difference."
— Sarah Mitchell, CEO, Xcepcion
Last reviewed: June 2026