Essential Eight Maturity Model Changes

Updates to the Essential Eight Maturity Model.

All you need to know to stay up to date and compliant.

Cyber Security had another year in the spotlight in 2023. Continued high-profile attacks on Australian organisations have triggered a response from the highest level of the Australian Federal Government.

In this update, we provide an overview of the changes to the Essential Eight Maturity Model, and provide you with an effective roadmap to maintaining compliance.

Essential Eight updates – at a glance

The Australian Signals Directorate (ASD), through its Australian Cyber Security Centre (ACSC), has made significant and far-reaching changes to the Essential 8 Maturity Model (E8MM).  

The updates, which apply to each level of the Maturity Model, have a firm emphasis on patching, multi-factor authentication (MFA), administration privileges, application control, and incident protection and response.

The key action resulting from the changes is the assessment of your existing cyber security maturity against the updated standards, and the implementation of these updates to ensure you have the right level of defence for your organisation.

Read on to see more details of the changes. Or jump ahead and book your Essential Eight Maturity Assessment with Tecala today! 

What the updates mean to you


The updates to patching are in response to an ASD assessment of the average time taken by malicious actors to exploit vulnerabilities. When a vulnerability is assessed to be of a critical nature, organisations should patch, update, or generally mitigate the vulnerability within 48 hours. This update impacts Maturity Levels 1, 2 and 3.  

The ASD has also provided guidance on where patching should be prioritised. They place emphasis on applications that ‘routinely interact with untrusted content from the internet, such as office productivity suites, web browsers, email clients, PDF software and security software’ [1]. This change impacts Level 1.

The timeframe for patching operating systems on less important devices, such as workstations and non-internet-facing servers, has been rebalanced from within two weeks to within one month (impacting Levels 2 and 3).

Multi-factor authentication (MFA)

MFA has also come under the spotlight, in part because Maturity Level 1 didn’t specify the types of authentication factors that could be used. Also, some organisations were able to opt out of MFA and use very weak password-based authentication.

Organisations that do use MFA are applying it in its weaker forms, often using security questions, SMS, or ‘Trusted Signals’, none of which are recognised as valid authentication factors within standards.

The new updates resolve these issues by requiring a minimum standard of MFA that requests ‘something users have’ in addition to ‘something users know’.

Also, a requirement has been added for users at all Maturity Levels to authenticate to their workstations using a form of phishing-resistant MFA.

The MFA changes impact E8MM Levels 1-3, so they’re wide-reaching.

Restrict administrative privileges

Requirements relating to administration privileges have been applied to different activities. This includes requirements for granting, controlling, and rescinding privileged access to systems and applications to ensure consistency with governance processes (impacting Levels 1-3).

The other administration privilege restrictions are: preventing access to the internet by privileged accounts; and ensuring that credentials for local administrator accounts and service accounts are ‘long, unique, unpredictable and managed’, a requirement that has been expanded to include break glass accounts (impacting Levels 2 and 3).

Finally, additional requirements focused on the hardening of administrative infrastructure used by privileged users have been added (impacting Level 3).

1. Essential Eight Maturity Model Changes


Application control

Cyber criminals are increasingly using genuine system tools and functionalities inherent in targeted environments for malicious purposes. This approach, known as ‘living off the land,’ involves the use of trusted applications like PowerShell, Windows Management Instrumentation (WMI), or other built-in utilities, sidestepping detection by conventional security measures.

In response, the changes to application control focus on performing annual reviews of application control rulesets and on implementing Microsoft’s recommended application blocklist at a lower maturity level. This impacts Level 2.

Restrict Microsoft Office macros

The requirement to collect and analyse Microsoft Office macro events for signs of compromise has been removed (impacting Levels 2 and 3).

But due to a ‘vulnerability in digitally signed macros that allow for tampering of macro code without invalidating a file’s digital signature,’ the E8MM updates now require the use of newer and more secure V3 digital signatures for macros. This impacts Level 3.

User application hardening

With Internet Explorer 11 no longer supported by Microsoft, organisations should now disable or uninstall it (impacting Levels 1 and 2).

Organisations are required to implement both ASD and vendor hardening guidance, ‘with the more stringent requirements taking precedence when conflicts occur’ – impacting Levels 2 and 3.  

Also, the PowerShell logging requirement has been amended to avoid duplicating application control logging, and instead focus on leveraging native PowerShell logging functionality (impacting Levels 2 and 3).

Regular backups

No significant changes here. But organisations are encouraged to consider the business criticality of their data when prioritising backups. 

Cross-cutting measures

Organisations are now required to adopt a policy of ‘centralisation’ on how they collect, protect, and analyse event logs so they can detect signs of compromise. This centralised approach enhances an organisation's ability to detect signs of compromise, especially concerning stealthy attacks like those employing 'living off the land' techniques.

Changes by Maturity Level

The changes should be applied to each layer of the Maturity Model. Here’s a summary of the things you’ll need to be aware of.

Maturity Level One

Patching: Timeframes for addressing critical vulnerabilities have been reduced. Patching, updates, or mitigation must be completed within 48 hours of the vulnerability being identified.

MFA: Organisations can no longer easily opt out of MFA. New standards require a minimum standard of MFA that requests ‘something users have’ in addition to ‘something users know’, and phishing-resistant MFA.

Restricting admin privileges: More stringent requirements for validating requests for privileged access to data repositories, and stricter controls and monitoring for admin access.

User application hardening: Internet Explorer 11 is no longer supported by Microsoft, so organisations should now disable or uninstall it. 

Maturity Level Two

Enhanced Patching: Applies to applications that routinely interact with untrusted content from the internet, such as office productivity suites, web browsers, email clients, PDF software and security software.

Mid-Level MFA: Requirements have been bolstered to require the use of phishing-resistant MFA by organisations at lower maturity levels.

Extended admin privileges: Controls around admin privileges are far-reaching, from preventing access to the hardening of administrative infrastructure.

Maturity Level Three

Patch Management: Requirements to apply patches, updates, or other vendor mitigations for vulnerabilities in drivers and firmware to mitigate known vulnerabilities.

Advanced MFA: Enforced use of MFA for protecting web portals that store sensitive customer data, and mandatory phishing-resistant MFA.

Restrict Microsoft Office macros: Updates now require the use of newer, and more secure, V3 digital signatures for macros.

User Application Hardening: The PowerShell logging requirement has been amended to avoid duplicating application control logging, and instead focus on leveraging native PowerShell logging functionality.

For further reading, please refer to the two Australian Government articles used to develop this blog.

Essential Eight Maturity Model Changes

Essential Eight Maturity Model

Register for your Essential Eight Maturity Assessment

Tecala is an ISO27001 Information Security Standard Accredited Managed Service Provider, with a strong heritage in providing Essential Eight cyber security consulting services to highly regulated organisations.

Our Cyber Security Team have reviewed the updates, and we’re ready to help you evaluate your current cyber security posture across the E8MM layers. We can then apply these new updates to your cyber framework.

Our approach follows 3 steps:

  1. Determine your current cyber security maturity and review the updates that are relevant to you.
  2. Set your priorities for improvement, based on the recent updates.
  3. Put a Strategic Security Roadmap in place for implementing these updates, to an agreed budget and timeline, to ensure your ongoing compliance with the Essential Eight Model.

Book your session today!


