The Essential Eight Checklist for Australian Small Business
A friendly self-check across the eight strategies at Maturity Level One. Walk through it and you'll likely find you're further along than you thought.
The short version
- What it is: The Essential Eight is the ACSC's set of eight mitigation strategies, measured at Maturity Levels One to Three. This checklist covers the Maturity Level One expectations — the sensible starting point for most small businesses.
- How to use it: Walk each strategy and ask 'can we honestly say yes to this?'. A 'no' isn't a failure. It's just the next thing to sort, and most owners find more greens than they expected.
- The numbers that matter: At ML1, the everyday software that handles internet content is patched within two weeks (within 48 hours if it's a critical flaw with a working exploit), and multi-factor authentication protects your internet-facing logins.
- Where to go next: Use this to find your gaps, then read the maturity levels explainer to understand what ML1 really asks for, versus ML2 and ML3.
If you run a small business in Australia and someone’s mentioned the Essential Eight, it can sound like a mountain. Eight technical strategies, three maturity levels, government-grade language. The good news is that working through an essential eight checklist at the starting level is far more approachable than it first appears, and most owners discover they’re already doing a good chunk of it without realising.
This piece gives you a plain-English self-check across all eight strategies at Maturity Level One (ML1), the sensible baseline for a typical small business. For each one there’s a simple “can you honestly say yes to this?” prompt. Treat it as a map, not a marking scheme: a “no” just tells you the next useful thing to sort.
A note on honesty
A self-check is only useful if you tick the boxes you can genuinely back up. The ACSC publishes a formal Essential Eight Assessment Process Guide for audit-grade results. This checklist is for your own clarity: to find the gaps before anyone else does.
What the Essential Eight checklist actually covers
The Essential Eight checklist covers eight mitigation strategies defined by the Australian Signals Directorate’s ACSC, each assessed at a maturity level from One to Three.
The eight strategies are: application control, patching applications, restricting Microsoft Office macros, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. They cluster around three goals: stop dodgy software running, keep things patched and locked down, and be able to recover if something goes wrong.
There are three maturity levels. ML1 targets the everyday, opportunistic attacks that hit small businesses most; ML2 and ML3 step up for more determined adversaries. The ACSC’s advice is to reach a consistent level across all eight before pushing any single strategy higher, because attackers go for the weakest link and an uneven set leaves an obvious door open. If the levels are new to you, our maturity levels explainer walks through ML1 to ML3, and the eight strategies explained covers each one in plain terms.
The checklist: can you say yes to these?
Walk each of the eight strategies below and answer honestly. Most small businesses find more “yes” answers than they expected.
1. Patch your applications
The single most impactful habit. At ML1, the ACSC puts the emphasis on the everyday software that handles content from the internet, and on faster patching when the flaw is serious.
- Can you say your web browsers, email clients, office productivity software, PDF readers and security products get updates installed within two weeks of release?
- For those same internet-exposed applications, are critical patches (where a working exploit exists) applied within 48 hours?
- Have you removed any software the vendor no longer supports with security updates?
A “yes” here usually just means automatic updates are switched on and old, unsupported apps have been retired.
2. Patch your operating systems
The same logic, applied to Windows, macOS and the firmware on your network gear.
- Are your everyday computers and non-internet-facing servers set to install operating-system updates within one month of release?
- For internet-facing servers and network devices, are updates applied within two weeks — and critical ones (with a working exploit) within 48 hours?
- Are you still running any operating system the vendor has stopped supporting? (If so, that’s the gap to close.)
3. Multi-factor authentication (MFA)
MFA is the cheapest, highest-value control on the list. A stolen password alone shouldn’t get anyone in.
- Is MFA turned on for the internet-facing services your business logs in to (email, accounting, file storage and the like)?
- Where a third-party online service holds your business’s sensitive data, is MFA enabled there too?
- If you offer your own online service to customers that stores sensitive customer information, does it enforce MFA?
- Does your MFA use a genuine second factor (something you have, like an app prompt or code, on top of something you know, your password) rather than a security question?
If you do only one thing off this entire list, turn on MFA everywhere you can. It quietly defeats the most common attack against small businesses: the reused, leaked password.
4. Restrict administrative privileges
Admin accounts are the keys to the kingdom. The fewer that exist, and the less they’re used for day-to-day work, the better.
- Is the number of people with admin or “owner” access kept small, and validated before it’s granted?
- Do you do your everyday work (email, web browsing) on a standard account, not an admin one?
- Are privileged accounts kept off general internet, email and web browsing?
5. Application control
This sounds technical, but at ML1 it’s about stopping unknown programs running from the everyday corners of a computer where malware likes to hide.
- On your computers, is execution of software blocked from user profile folders and temporary folders, the spots where downloaded malware typically tries to run?
- Where you can, are you relying on file-system permissions so staff can’t simply run anything they download?
This is often the item small businesses haven’t formally addressed — and that’s completely normal at the starting line.
6. Restrict Microsoft Office macros
Macros are a classic delivery method for malware hidden in documents.
- Are macros in Office files that came from the internet blocked?
- Is antivirus scanning of macros switched on?
- Can ordinary staff not change the macro security settings themselves?
7. User application hardening
Hardening means turning off the risky bits of everyday software you don’t actually need.
- Are your web browsers configured so they don’t process Java from the internet?
- Do your web browsers not process web advertisements from the internet, a common malware-delivery route?
- Have you disabled or removed Internet Explorer 11 and other browser features and old plug-ins you don’t use?
8. Regular backups
The safety net. If everything else fails, good backups are what get you trading again.
- Do you take regular backups of important data, software and settings, in line with how much downtime your business could tolerate?
- Are backups stored so that an everyday user account can’t modify or delete them (protecting against ransomware that hunts down backups)?
- Have you actually tested restoring from a backup, rather than assuming it works?
Working through it offline
You don't need any special tool to do an honest first pass. The prompts above are the whole checklist. Jot a "yes", "no" or "partly" against each one in a notebook or a shared doc, and that single page becomes your starting map for what to tackle first.
What to do with your answers
Count your “yes” answers, treat each “no” as a next step, and aim for a consistent Maturity Level One across all eight before pushing any single strategy further.
You’re very likely closer than you feared. Plenty of small businesses already have automatic updates, MFA on their email, and some form of backup running. That’s four of the eight well underway. The remaining gaps are usually a handful of settings (macros, browser hardening, application control) and a bit of tidying around who holds admin access.
The point of an essential eight assessment isn’t a perfect score on day one. It’s to see your real position clearly, then close the gaps in a sensible order. A few principles help:
- Start with the cheap, high-value wins. MFA and patching protect you fastest for the least effort.
- Aim for even coverage. A business that’s brilliant at backups but ignores MFA is still exposed; the ACSC’s own advice is to lift all eight together rather than perfect one.
- Write down what you’ve done. Even a simple record of “MFA enabled on email, March” makes the next review easier and helps if a customer, insurer or partner ever asks.
Getting the controls in place is genuinely achievable for a small team, and it’s the kind of work that compounds: each step makes the next attack less likely to land. SecurSentry is building tools to make walking through this kind of self-assessment and getting the controls in place more straightforward for Australian small businesses, but you don’t need to wait for anything to start. The checklist above is the whole first pass.
If you’re weighing the Essential Eight against the SMB1001 certification path, our guide on which an Australian SME should start with lays out the trade-offs. And whenever you want the bigger picture, the Essential Eight topic guide ties all of this together.