We have received requests to share information about the Essential Eight assessment process.
As a result, we'll be posting relevant details about the Essential Eight assessment and its approach.
Assessments for the Essential Eight are conducted using the Essential Eight Maturity Model.
This model describes three target maturity levels (Maturity Level One to Maturity Level Three), which are based on mitigating increasing levels of adversary targeting and tradecraft.
The maturity model also includes Maturity Level Zero, which is used to capture instances where the requirements of Maturity Level One are not met.
While the approach to conducting an assessment depends on the size and complexity of a system, there are foundational principles common to each assessment.
Although the Essential Eight can be applied to systems other than Microsoft Windows, specific mitigation strategies, or parts of them, might not be applicable or effective in certain situations.
In cases such as Linux workstations and servers, cloud computing, or enterprise mobility, organisations should consider alternative guidance provided by the ACSC.
Lastly, when assessing the effectiveness of compensating controls, assessors should ensure that those controls provide a level of protection equivalent to that of the controls recommended under the Essential Eight.
This will help ensure that an equal level of overall protection against a specific level of adversary targeting and tradecraft can be achieved and maintained.