18 September 2025
The ASD Essential Eight is designed to make organisations more resilient against cyber threats. But knowing what to implement is only half the story - the real challenge is understanding how well the eight strategies have been put into practice. That’s where the Essential Eight Maturity Model comes in.
The maturity model helps organisations measure their current level of implementation and plan a path toward stronger defences. In this guide, we explain each maturity level in plain language and outline what it means in practice.
Cybersecurity isn’t just about having controls in place; it’s about how effective they are. An organisation might have multi-factor authentication enabled, for example, but if it only applies to a handful of accounts, the protection is limited. The maturity model recognises this gap by measuring not just whether controls exist, but how consistently and comprehensively they are applied.
The Australian Cyber Security Centre (ACSC) recommends in its guidance that organisations reach the same maturity level across all eight strategies before moving to the next level. This ensures balanced protection and avoids weak links in your security posture.
At Level 0, one or more of the eight strategies are not in place. This means your organisation is highly vulnerable to common cyber threats. Attackers can exploit unpatched systems, weak controls, or poor configurations with little resistance.
Level 0 isn’t where any organisation should stay for long. It’s essentially a starting point that highlights significant gaps to address.
Level 1 means you have made progress but the implementation is incomplete. For example, you might be patching operating systems but only on certain servers, or using multi-factor authentication for administrators but not for remote access users.
While Level 1 does reduce some risk, attackers who are more sophisticated or persistent can still bypass the partial protections. This level is better than nothing, but it shouldn’t be the goal.
At Level 2, the Essential Eight strategies are largely implemented across the organisation, though there may still be some gaps or inconsistencies. For example, patching is applied within recommended timeframes, macros are restricted, and backups are tested - but perhaps not all business units are fully covered, or legacy systems still require exceptions.
Organisations at Level 2 have stronger protection against common cybercrime techniques and opportunistic attacks. However, motivated attackers with more advanced methods may still find weaknesses to exploit.
Level 3 represents the strongest and most complete implementation of the Essential Eight. All eight strategies are applied consistently across the organisation, with appropriate governance and monitoring in place. Patching is done within strict timeframes, administrative privileges are tightly controlled, and multi-factor authentication covers all relevant accounts and systems.
At this level, organisations are significantly more resilient to both common cybercriminal attacks and more sophisticated intrusions. While following best practice guidance does not guarantee complete security, Level 3 demonstrates a robust, disciplined approach that aligns with those expectations.
Not every organisation needs to aim for Level 3 immediately. The right target level depends on your risk environment, the sensitivity of your information, and the resources available. For some, reaching Level 1 or 2 quickly may provide enough short-term protection while planning for higher maturity over time.
What matters most is progressing consistently, ensuring that all eight strategies are implemented to the same maturity level before moving forward. This balanced approach avoids creating single points of weakness that attackers can exploit.
Understanding maturity levels helps you benchmark where you are and plan where you want to be. Moving up the model requires ongoing effort - reviewing policies, closing gaps, and ensuring controls remain effective as technology and threats evolve.
At Kaon Security, we work with organisations to assess their current maturity against the Essential Eight and create a roadmap for improvement. Our team can help you prioritise actions, strengthen governance, and embed these strategies in day-to-day operations.