SecurSentry
← Essential Eight hub
Essential Eight

The Essential Eight Checklist for Australian Small Business

A friendly self-check across the eight strategies at Maturity Level One. Walk through it and you'll likely find you're further along than you thought.

The short version

If you run a small business in Australia and someone’s mentioned the Essential Eight, it can sound like a mountain. Eight technical strategies, three maturity levels, government-grade language. The good news is that working through an essential eight checklist at the starting level is far more approachable than it first appears, and most owners discover they’re already doing a good chunk of it without realising.

This piece gives you a plain-English self-check across all eight strategies at Maturity Level One (ML1), the sensible baseline for a typical small business. For each one there’s a simple “can you honestly say yes to this?” prompt. Treat it as a map, not a marking scheme: a “no” just tells you the next useful thing to sort.

A note on honesty

A self-check is only useful if you tick the boxes you can genuinely back up. The ACSC publishes a formal Essential Eight Assessment Process Guide for audit-grade results. This checklist is for your own clarity: to find the gaps before anyone else does.

What the Essential Eight checklist actually covers

The Essential Eight checklist covers eight mitigation strategies defined by the Australian Signals Directorate’s ACSC, each assessed at a maturity level from One to Three.

The eight strategies are: application control, patching applications, restricting Microsoft Office macros, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. They cluster around three goals: stop dodgy software running, keep things patched and locked down, and be able to recover if something goes wrong.

There are three maturity levels. ML1 targets the everyday, opportunistic attacks that hit small businesses most; ML2 and ML3 step up for more determined adversaries. The ACSC’s advice is to reach a consistent level across all eight before pushing any single strategy higher, because attackers go for the weakest link and an uneven set leaves an obvious door open. If the levels are new to you, our maturity levels explainer walks through ML1 to ML3, and the eight strategies explained covers each one in plain terms.

The checklist: can you say yes to these?

Walk each of the eight strategies below and answer honestly. Most small businesses find more “yes” answers than they expected.

1. Patch your applications

The single most impactful habit. At ML1, the ACSC puts the emphasis on the everyday software that handles content from the internet, and on faster patching when the flaw is serious.

A “yes” here usually just means automatic updates are switched on and old, unsupported apps have been retired.

2. Patch your operating systems

The same logic, applied to Windows, macOS and the firmware on your network gear.

3. Multi-factor authentication (MFA)

MFA is the cheapest, highest-value control on the list. A stolen password alone shouldn’t get anyone in.

If you do only one thing off this entire list, turn on MFA everywhere you can. It quietly defeats the most common attack against small businesses: the reused, leaked password.

4. Restrict administrative privileges

Admin accounts are the keys to the kingdom. The fewer that exist, and the less they’re used for day-to-day work, the better.

5. Application control

This sounds technical, but at ML1 it’s about stopping unknown programs running from the everyday corners of a computer where malware likes to hide.

This is often the item small businesses haven’t formally addressed — and that’s completely normal at the starting line.

6. Restrict Microsoft Office macros

Macros are a classic delivery method for malware hidden in documents.

7. User application hardening

Hardening means turning off the risky bits of everyday software you don’t actually need.

8. Regular backups

The safety net. If everything else fails, good backups are what get you trading again.

Working through it offline

You don't need any special tool to do an honest first pass. The prompts above are the whole checklist. Jot a "yes", "no" or "partly" against each one in a notebook or a shared doc, and that single page becomes your starting map for what to tackle first.

What to do with your answers

Count your “yes” answers, treat each “no” as a next step, and aim for a consistent Maturity Level One across all eight before pushing any single strategy further.

You’re very likely closer than you feared. Plenty of small businesses already have automatic updates, MFA on their email, and some form of backup running. That’s four of the eight well underway. The remaining gaps are usually a handful of settings (macros, browser hardening, application control) and a bit of tidying around who holds admin access.

The point of an essential eight assessment isn’t a perfect score on day one. It’s to see your real position clearly, then close the gaps in a sensible order. A few principles help:

Getting the controls in place is genuinely achievable for a small team, and it’s the kind of work that compounds: each step makes the next attack less likely to land. SecurSentry is building tools to make walking through this kind of self-assessment and getting the controls in place more straightforward for Australian small businesses, but you don’t need to wait for anything to start. The checklist above is the whole first pass.

If you’re weighing the Essential Eight against the SMB1001 certification path, our guide on which an Australian SME should start with lays out the trade-offs. And whenever you want the bigger picture, the Essential Eight topic guide ties all of this together.

Frequently asked questions

What is an Essential Eight checklist?

An Essential Eight checklist is a plain-language set of yes/no prompts that lets you self-assess your business against the ACSC's eight mitigation strategies. It's not a formal audit. It's a way to see roughly where you stand and which gaps to close first. This one is written against the Maturity Level One expectations, which suit most small businesses starting out.

Can I do an Essential Eight self assessment myself?

Yes. A self assessment is a reasonable starting point to understand your position, and many small businesses do exactly that before deciding whether to bring in help. The ACSC also publishes a formal assessment process guide for when you need an independent or audit-grade result. A self-check is honest as long as you only tick the boxes you can genuinely evidence.

What maturity level should a small business aim for?

Most small businesses start by targeting Maturity Level One, which is designed to mitigate the most common, opportunistic attacks. The ACSC recommends reaching a consistent level across all eight strategies before pushing any single one higher, because attackers look for the weakest link. ML2 and ML3 raise the bar for organisations facing more capable adversaries.

Is the Essential Eight mandatory for small business?

The Essential Eight is mandated for many Australian Government entities, but it is not legally mandatory for private small businesses. Even so, it has become the common reference point for 'good baseline cyber security' in Australia, and customers, insurers and larger partners increasingly ask about it. Working through the checklist is worthwhile regardless of any obligation.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Essential Eight

The Essential Eight Controls, Explained Simply

28 Jun 2026 · 7 min
Essential Eight

Essential Eight Maturity Levels (ML1–ML3), Explained

28 Jun 2026 · 7 min
Essential Eight

Essential Eight vs SMB1001: Where Should You Start?

28 Jun 2026 · 7 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.