The Essential Eight is a set of eight prioritised cybersecurity mitigation strategies published by the Australian Cyber Security Centre (ACSC). It is the most widely cited cybersecurity baseline for Australian organisations and the framework that APRA, internal audit and cyber-insurance underwriters most often reference when they ask 'are you secure?'.
The eight strategies are: application control; patch applications; configure Microsoft Office macros; user-application hardening; restrict administrative privileges; patch operating systems; multi-factor authentication; and regular backups. Each is rated across three maturity levels (ML1, ML2, ML3).
The Essential Eight is mandated for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF). For private mid-market firms it is not legally required, but APRA references it in CPS 234 reviews, cyber-insurance underwriters use it as an underwriting checklist, and most boards now treat ML2 as a de facto expectation.