Australian Cyber Security Centre (ACSC) Essential 8 Maturity Levels Explained

The Essential 8 maturity levels, which our Free Essential 8 Audit Tool measures your organisation against, are each defined by the class of threat actor the implemented security controls are intended to resist. Maturity Level 1 focuses on basic, opportunistic attackers; Maturity Level 2 targets more advanced cybercriminals and low-level nation-state actors; and Maturity Level 3 aims to mitigate highly skilled, well-funded adversaries such as APT groups and nation-state actors.

Which Essential 8 Maturity Level Is Right For My Business?

Maturity Level 1

This level is focused on basic cybersecurity practices and is most suitable for small businesses or organizations with limited resources and low-risk profiles. The primary goal at this level is to establish foundational security controls, such as patching applications and operating systems, restricting administrative privileges, and implementing multi-factor authentication.

Maturity Level 2

This level is intended for medium-sized businesses or organizations with a moderate risk profile. At this level, organizations should have already implemented the basic controls from Maturity Level 1 and are now looking to further enhance their security posture. This may include more advanced controls like daily backups, application control to prevent unauthorized software execution, and regular reviews of administrative privileges.

Maturity Level 3

This level is aimed at larger organisations and those with a high-risk profile, and is intended to mitigate highly skilled, well-funded adversaries such as APT groups and nation-state actors. Organisations at this level build on the controls already in place from Maturity Levels 1 and 2, and require the resources to implement and maintain the full set of Essential 8 controls at their most stringent settings.

Does this sound like your business?

Level 1 - Suburban café

A local coffee shop with a basic website and Wi-Fi network for customers. The coffee shop has limited customer data and a relatively low risk profile.

Level 2 - Regional healthcare clinic

A regional healthcare clinic that manages electronic health records and personal information for patients. The clinic needs to ensure data protection and privacy legislation compliance, but the risk profile is not as high as a large hospital.

Level 3 - Financial institution

A large financial institution such as a bank or an insurance company, which handles sensitive financial data and is subject to strict regulatory requirements. The risk profile is high, and a robust cybersecurity strategy is essential.

In summary, the appropriate level of the Essential 8 framework for a business depends on its size, risk profile, and resources. Small businesses with low-risk profiles should aim for Maturity Level 1, medium-sized businesses with moderate risk profiles should target Maturity Level 2, and larger organizations or those with high-risk profiles should strive for Maturity Level 3. However, it’s important to note that the specific needs and circumstances of each organization may vary, and a tailored approach to implementing the Essential 8 is recommended.

Some organisations' risks may warrant a higher Maturity Level in particular areas, especially where the relevant controls are easy to implement. Other organisations may look to alternative risk mitigations, or may have to tolerate the risk, if they lack the resources to implement the suggested level.