The Essential Eight Self-Assessment Guide for Small Businesses (2026 Edition)

TL;DR: The ACSC Essential Eight is the Australian government's baseline for cyber risk reduction. It covers 8 controls, each scored 0–3. Most small businesses score between 0 and 1 across the board — often without realising it. This guide helps you self-assess, understand where the real risks are, and prioritise what to fix first. Reaching Level 1 across all 8 controls is achievable in a few weeks and significantly reduces your exposure to the ransomware and phishing attacks hitting Australian businesses right now.


If you run a small business in Australia, the Essential Eight is the most practical cybersecurity framework you're not using.

It was designed by the Australian Cyber Security Centre (ACSC) specifically to reduce cyber risk for Australian organisations. It's not an academic standard. It's not designed for enterprise security teams. It's 8 specific controls, each with a clear maturity scale, developed because the ACSC looked at real cyber incidents hitting real businesses and asked: what would have stopped most of these?

The answer was 8 things.

This guide walks you through all 8 controls, explains what each one means for a 10–20 person business, and gives you a self-assessment framework you can complete in under an hour.


What Is the Essential Eight?

The Essential Eight is a set of mitigation strategies developed by the ACSC. They're not exhaustive — they're specifically chosen because implementing them stops the majority of common cyber attacks:

  • Business email compromise (your accountant gets tricked into sending money)
  • Ransomware (your files get encrypted, attacker demands payment)
  • Phishing (staff click a link, credentials get stolen)
  • Opportunistic malware (automated attacks targeting known vulnerabilities)

Each control is measured at four maturity levels:

Level   What It Means
0       Not implemented — you have no meaningful protection from this attack type
1       Basic — protects against commodity, automated threats
2       Intermediate — protects against more capable, persistent attackers
3       Advanced — protects against sophisticated, targeted attacks

For most SMBs, reaching Level 2 across all 8 controls is the realistic target. Level 3 is for organisations with dedicated security teams. Let's start with Level 1.


How to Self-Assess

Go through each control below. For each one, honestly answer the questions. Give yourself the level that describes where you actually are — not where you intend to be.

At the end, you'll have a baseline maturity score you can act on.


Control 1: Patch Applications

What it means: Keeping your software up to date. Applications include: web browsers, PDF readers, Microsoft Office, email clients, and any other software your staff use daily.

Why It Matters

Outdated software is one of the most common attack vectors. Attackers routinely exploit known vulnerabilities in unpatched software — vulnerabilities that have been fixed by the vendor, but not applied by the user. In many ransomware incidents investigated by the ACSC, the initial entry point was an unpatched application that had been running for months.

What Level 1 Looks Like for a 10-Person Business

  • Automatic updates are turned on for all web browsers
  • Microsoft Office updates are applied within a month of release
  • You have some awareness of what software is running on staff machines
  • You don't have a formal patch timeline, but critical updates generally get applied eventually

Self-Assessment Questions

  • Do you have automatic updates enabled for browsers (Chrome, Firefox, Edge, Safari)?
  • Is Microsoft Office set to update automatically?
  • Are other commonly used applications (Zoom, Adobe, Slack) updated within 30 days of a release?
  • Do you have any visibility across all machines on what's installed?

If most boxes are checked: Level 1
If some but not all: Partial Level 1
If you're not sure what's installed where: Level 0


Control 2: Patch Operating Systems

What it means: Keeping Windows, macOS, and any server operating systems up to date.

Why It Matters

OS vulnerabilities are particularly serious because they affect everything running on that machine. An unpatched OS can be compromised even if every application is fully up to date.

What Level 1 Looks Like for a 10-Person Business

  • Windows Update or macOS Software Update is enabled on all machines
  • Critical security updates are applied within a month (not six months)
  • You're running a supported OS version (not Windows 8, not macOS versions that stopped receiving security updates)

Self-Assessment Questions

  • Are automatic OS updates enabled on all Windows and Mac machines?
  • Are all machines running a currently-supported OS version?
  • Do critical security patches get applied within 30 days?
  • Are you aware of any machines that haven't received updates in over 60 days?

Common finding in SMBs: Machines are running Windows 10 21H2 (end of support November 2024) with no update schedule. Staff disable update prompts because they're inconvenient. This is Level 0.
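The "haven't received updates in over 60 days" question is easy to answer per machine from PowerShell. The script below is an added example, not the article's or the ACSC's code: it reports the most recent Windows update recorded on the machine and grades its age against the 30-day (Level 1) and 60-day (stale) thresholds used above. It assumes Windows PowerShell 5.1 or later on Windows 10/11; Get-HotFix only lists Windows updates, not Microsoft Store or third-party application updates, so it answers the Control 2 question, not Control 1.

```powershell
# Added example: how old is the newest Windows update on this machine?
# Assumes Windows 10/11 with Windows PowerShell 5.1+. Get-HotFix reads the
# Win32_QuickFixEngineering class (Windows updates only, not app updates).

$levelOneDays = 30   # Level 1: critical patches applied within a month
$staleDays    = 60   # the 60-day question in the self-assessment

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |                 # some entries carry no date
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 1

if (-not $latest) {
    Write-Output "No dated updates recorded on $env:COMPUTERNAME. Treat as Level 0 until checked manually."
    return
}

$ageDays = ((Get-Date) - $latest.InstalledOn).Days

$verdict = if ($ageDays -le $levelOneDays) { 'Within 30 days: meets the Level 1 patch cadence' }
           elseif ($ageDays -le $staleDays) { 'Between 30 and 60 days: Partial Level 1' }
           else { 'Over 60 days: Level 0, investigate this machine' }

[PSCustomObject]@{
    Computer    = $env:COMPUTERNAME
    OS          = "$($os.Caption) (build $($os.BuildNumber))"
    LastUpdate  = $latest.HotFixID
    InstalledOn = $latest.InstalledOn.ToString('yyyy-MM-dd')
    DaysSince   = $ageDays
    Assessment  = $verdict
}
```

Run it on each machine, or point Get-HotFix at remote machines with its -ComputerName parameter from an admin workstation, and keep the output as your patch-visibility evidence. For the application side (Control 1), `winget upgrade` on a Windows 10/11 machine lists installed applications that have a newer version available.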


Control 3: Multi-Factor Authentication (MFA)

What it means: Requiring a second verification step (usually a phone app code) in addition to a password.

Why It Matters

MFA is the single most impactful control for preventing account takeovers. Microsoft reports that MFA stops 99.9% of automated account attacks. Business email compromise — where an attacker gets into your email and intercepts invoices, requests fraudulent transfers, or impersonates you to clients — is almost entirely preventable with MFA.

What Level 1 Looks Like for a 10-Person Business

  • MFA is enabled on email (Microsoft 365 or Google Workspace)
  • MFA is enabled on cloud accounting software (Xero, MYOB)
  • Staff use an authenticator app (Microsoft Authenticator, Google Authenticator), not just SMS
  • MFA is enforced — staff can't choose to bypass it

Self-Assessment Questions

  • Is MFA enabled and enforced on email for all staff accounts?
  • Is MFA enabled on accounting and financial systems?
  • Are staff using an authenticator app (not just SMS)?
  • Can staff bypass MFA if they find it inconvenient?

Common finding: MFA is available on the Microsoft 365 tenant but not enforced. Roughly 40% of staff have it enabled because they set it up at one point; 60% skipped it. This is Level 0. If it's not enforced, it doesn't count.

This is almost always free. MFA is included in Microsoft 365 Business Basic and Google Workspace Starter. If you're paying for email and not using MFA, you're leaving your most important protection unused.
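The "40% enabled, 60% skipped" finding is exactly what a tenant-wide registration report shows, and the "if it's not enforced, it doesn't count" rule needs a second check on Conditional Access or Security Defaults. The script below is an added example, not the article's or Microsoft's code, using the Microsoft Graph PowerShell SDK (assumed installed) and signed in as an admin who can consent to the listed scopes. It lists every user's registered MFA methods, separates app-based methods from SMS/voice-only registrations, and then reports whether anything actually enforces MFA.

```powershell
# Added example: audit MFA registration and enforcement in a Microsoft 365 tenant.
# Assumes the Microsoft.Graph PowerShell SDK and an admin account able to consent.
Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All','Policy.Read.All' -NoWelcome

# --- Registration: who has set up a second factor, and which kind? ------------
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = foreach ($u in $details) {
    $methods  = @($u.MethodsRegistered)
    # App-based or phishing-resistant methods; anything else registered is SMS/voice/email.
    $appBased = $methods | Where-Object { $_ -match 'Authenticator|fido2|passKey|windowsHelloForBusiness|softwareOneTimePasscode' }
    $status   = if (-not $u.IsMfaRegistered) { 'NOT REGISTERED' }
                elseif ($appBased)            { 'App or passkey' }
                else                          { 'SMS/voice/email only' }
    [PSCustomObject]@{
        User    = $u.UserPrincipalName
        Methods = ($methods -join ', ')
        Status  = $status
    }
}
$report | Sort-Object Status | Format-Table -AutoSize

$total      = $report.Count
$registered = @($report | Where-Object { $_.Status -ne 'NOT REGISTERED' }).Count
Write-Output ("{0} of {1} users have an MFA method registered." -f $registered, $total)

# --- Enforcement: registration alone is Level 0 if users can skip the prompt --
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Output "Security Defaults enabled: $($securityDefaults.IsEnabled)"

$mfaPolicies = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' }
if ($mfaPolicies) {
    $mfaPolicies | Select-Object DisplayName, State | Format-Table -AutoSize
} else {
    Write-Output 'No Conditional Access policy requires MFA.'
}
if (-not $securityDefaults.IsEnabled -and -not ($mfaPolicies | Where-Object State -eq 'enabled')) {
    Write-Output 'MFA is not enforced for anyone: Level 0 regardless of the registration count.'
}
```

A Conditional Access policy in state "enabledForReportingButNotEnforced" is report-only and does not count as enforcement; only "enabled" policies (or Security Defaults) satisfy the "staff can't choose to bypass it" condition.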


Control 4: Application Control (Whitelisting)

What it means: Restricting which applications can run on staff machines — only approved software is allowed to execute.

Why It Matters

Malware, ransomware, and attacker tools are all applications. If only approved software can run, malicious code simply can't execute — even if it gets onto the machine.

What Level 1 Looks Like for a 10-Person Business

At Level 1, you're preventing execution of common malicious file types in user-writable locations. For most SMBs, this means:

  • Users cannot run .exe files downloaded to their Downloads folder without admin approval
  • Script execution is restricted (PowerShell scripts require approval)
  • Microsoft AppLocker, Windows Defender Application Control, or similar is configured

Honest SMB reality: This is often the hardest control to reach Level 1 on. Full application whitelisting requires some IT overhead. Many SMBs are at Level 0 and should focus on other controls first.

Self-Assessment Questions

  • Can staff download and run .exe files from the internet without admin approval?
  • Is PowerShell execution policy set to anything other than "Unrestricted"?
  • Is any application control solution (AppLocker, Defender App Control) configured?

Control 5: Restrict Microsoft Office Macros

What it means: Disabling or restricting the ability to run macros in Word, Excel, and other Office documents.

Why It Matters

Malicious Office macros are one of the most common malware delivery mechanisms in Australia. A staff member receives an "invoice" or "contract" that says "Enable Macros to view this document." They click enable. The macro runs, downloads malware, and within minutes the network is compromised.

The ACSC specifically calls this out because it's so common and so preventable.

What Level 1 Looks Like for a 10-Person Business

  • Macros are disabled by default for documents downloaded from the internet
  • Only macros signed by a trusted publisher can run (if macros are needed at all)
  • The Microsoft 365 admin policy enforces this — it's not just a setting users can change

Self-Assessment Questions

  • Are macros disabled by default in your Microsoft 365 tenant policy?
  • Can staff enable macros on any document they receive?
  • Does your business actually need macros? (Many don't — but think carefully before blocking if you do)

This takes about 20 minutes to configure in Microsoft 365 admin and costs nothing. It's one of the highest-impact, lowest-effort controls available.
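The Control 4 and Control 5 questions above can both be answered from one read-only check on a Windows machine. The script below is an added example, not the article's, the ACSC's or Microsoft's code. It assumes Windows 10/11 with Office 2016 or later (registry version key 16.0). The macro values it reads are the Office policy settings that Group Policy writes; the 'Cloud' registry path is assumed to be where Microsoft 365 Cloud Policy stores the same settings. A setting that is absent from both policy locations is one the user can change, which is the Level 0 case the article describes.

```powershell
# Added example: read-only check of script/application control (Control 4) and
# Office macro policy (Control 5) on one Windows machine. Assumes Office 16.0.

# --- Control 4: scripts and applications -------------------------------------
$effective = Get-ExecutionPolicy
Write-Output "PowerShell effective execution policy: $effective"
if ($effective -in 'Unrestricted','Bypass') {
    Write-Output '  -> any downloaded script can run: Level 0 for script restriction'
}

[xml]$appLockerXml = Get-AppLockerPolicy -Effective -Xml
$ruleCount = $appLockerXml.SelectNodes('//FilePathRule|//FilePublisherRule|//FileHashRule').Count
Write-Output "AppLocker effective rules: $ruleCount"

# Windows Defender Application Control: 0 = off, 1 = audit only, 2 = enforced
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
Write-Output "WDAC user-mode enforcement status: $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"
if ($ruleCount -eq 0 -and $dg.UsermodeCodeIntegrityPolicyEnforcementStatus -ne 2) {
    Write-Output '  -> no application control in force: Level 0 for Control 4'
}

# --- Control 5: Office macro policy -----------------------------------------
# VBAWarnings: 1 = enable all, 2 = disable with notification (the Enable Content
# bar), 3 = disable except digitally signed, 4 = disable without notification.
# blockcontentexecutionfrominternet = 1 blocks macros in files marked as from the internet.
$roots = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0'         # Group Policy
    'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'   # Cloud Policy (assumed path)
)
foreach ($app in 'Word','Excel','PowerPoint') {
    $vba = $null; $block = $null
    foreach ($root in $roots) {
        $key = Join-Path $root "$app\Security"
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        if ($null -eq $vba   -and $null -ne $p.VBAWarnings)                       { $vba   = $p.VBAWarnings }
        if ($null -eq $block -and $null -ne $p.blockcontentexecutionfrominternet) { $block = $p.blockcontentexecutionfrominternet }
    }
    $verdict = if ($vba -in 3,4 -and $block -eq 1) { 'Level 1: enforced by policy' }
               elseif ($block -eq 1)                { 'Partial: internet files blocked, users can still enable other macros' }
               else                                 { 'Level 0: no macro policy, users can click Enable Content' }
    $vbaText   = if ($null -eq $vba)   { 'unset' } else { $vba }
    $blockText = if ($null -eq $block) { 'unset' } else { $block }
    Write-Output ("{0,-11} VBAWarnings={1,-6} BlockInternet={2,-6} {3}" -f $app, $vbaText, $blockText, $verdict)
}
```

Run it as the staff member's own account (the keys are per-user), and treat the Level 1 line for each Office application as the evidence that the 20-minute tenant configuration actually reached the machine.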


Control 6: Harden User Applications

What it means: Configuring applications to reduce their attack surface — disabling features that aren't needed, applying security settings.

What Level 1 Looks Like for a 10-Person Business

  • Web browsers have security settings applied (blocking dangerous content, restricting extensions)
  • Unneeded browser plugins and extensions are removed
  • PDF readers are configured not to run scripts or connect to the internet
  • Advertising/tracking protection is enabled in browsers

Self-Assessment Questions

  • Is your browser configured with basic security settings (safe browsing enabled, extensions reviewed)?
  • Have you removed browser extensions that staff installed but don't use?
  • Is your PDF reader (Adobe Acrobat, browser PDF viewer) up to date and configured to not auto-open external links?

Control 7: Regular Backups

What it means: Backing up data regularly and testing that it can be restored.

Why It Matters

Ransomware encrypts your files and demands payment. The only reliable defence is a tested backup. If your backup works, you restore and get back to work. If it doesn't, you're choosing between paying the ransom and losing everything.

What Level 1 Looks Like for a 10-Person Business

  • Critical business data is backed up at least daily
  • Backups are stored somewhere separate from the main system (cloud backup, external drive, both)
  • The backup has been tested at least once — you've actually restored a file from it
  • Backups include all critical data: files, email (if self-hosted), accounting data, client records

Self-Assessment Questions

  • Is critical business data backed up daily (or more frequently)?
  • Are backups stored somewhere separate from the original (offsite or cloud)?
  • Have you tested restoring from backup in the last 6 months?
  • Does your backup cover all critical data — including email, financial records, and client files?

Common finding: Backups exist and run automatically, but the restore process has never been tested. The backup software reports success every night, but when we look closely, the backup is incomplete — it's backing up the "Documents" folder but not the shared drive or the accounting software database. This is Partial Level 1 at best.
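"The backup software reports success every night" is a statement about the backup job, not about what you can get back. The script below is an added example, not the article's or any backup vendor's code, for the restore test: restore the backup to a scratch location first, then compare every file in each critical source location against its restored copy by SHA-256. The source/restore pairs are placeholders; list every location the business would need after a ransomware incident, including the shared drive and the accounting database folder, so that the "Documents only" gap shows up as a result rather than a surprise.

```powershell
# Added example: verify a restored backup against the live data, file by file.
# Paths are placeholders; fill in the real critical locations and where you
# restored them to. Assumes the restore has already been done by your backup tool.

$pairs = [ordered]@{
    'C:\Users\Public\Documents' = 'D:\RestoreTest\Documents'   # placeholder
    '\\fileserver\Shared'       = 'D:\RestoreTest\Shared'      # placeholder
    'C:\AccountingApp\Data'     = 'D:\RestoreTest\Accounting'  # placeholder
}

function Test-RestoredCopy {
    param([string]$Source, [string]$Restored)
    $result = [ordered]@{ Source = $Source; Files = 0; Missing = 0; Changed = 0; Verdict = '' }
    if (-not (Test-Path -LiteralPath $Restored)) {
        $result.Verdict = 'NOT IN BACKUP AT ALL'
        return [PSCustomObject]$result
    }
    $base = $Source.TrimEnd('\')
    foreach ($file in Get-ChildItem -LiteralPath $Source -File -Recurse) {
        $result.Files++
        $relative = $file.FullName.Substring($base.Length).TrimStart('\')
        $copy = Join-Path $Restored $relative
        if (-not (Test-Path -LiteralPath $copy)) {
            $result.Missing++
        } elseif ((Get-FileHash -LiteralPath $file.FullName).Hash -ne (Get-FileHash -LiteralPath $copy).Hash) {
            $result.Changed++    # differs from the backup: edited since it ran, or corrupt
        }
    }
    $result.Verdict = if ($result.Missing -gt 0) { 'INCOMPLETE: files missing from the restore' }
                      elseif ($result.Changed -gt 0) { 'Restored, some files differ (check backup age)' }
                      else { 'Restored and identical' }
    [PSCustomObject]$result
}

$results = foreach ($src in $pairs.Keys) { Test-RestoredCopy -Source $src -Restored $pairs[$src] }
$results | Format-Table -AutoSize
if ($results.Verdict -match 'INCOMPLETE|NOT IN BACKUP') {
    Write-Output 'Backup does not cover all critical data: Partial Level 1 at best.'
}
```

A handful of "Changed" files on a busy share is normal for a daily backup; a location reported as missing or not in the backup at all is the finding to fix before the next assessment.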


Control 8: Restrict Administrative Privileges

What it means: Limiting who has administrator access to systems, and ensuring that admin accounts are only used for administrative tasks.

Why It Matters

Most malware runs with the same permissions as the logged-in user. If your staff log in as local administrators (which is common in small businesses because it's convenient), any malware that runs on their machine has full administrator access — it can install itself permanently, access all files, disable security software, and spread to other systems.

What Level 1 Looks Like for a 10-Person Business

  • Staff have standard user accounts for daily work (email, browsing, productivity)
  • A separate admin account exists for IT tasks (installing software, changing settings)
  • The business owner doesn't use their admin account for daily email

Self-Assessment Questions

  • Do staff log into their daily-use computers as standard users (not local admins)?
  • Is there a separate account for administrative tasks?
  • Does the same account used for email also have local admin rights?

This is the most common gap in SMBs. Almost universally, small business owners set up their machines with admin accounts because it was easier at the time — and that's still the account they use every day. It's a straightforward fix, but it requires someone to actually do the work of creating a standard account and migrating the profile.
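Whether the account someone uses for email also holds local admin rights is a question a machine can answer directly. The script below is an added example, not the article's code: it checks whether the account running it is a member of the local Administrators group (by the well-known SID, so it works even when UAC has not elevated the session), then lists every member of that group with a finding. The names in $expectedAdmins are placeholders for the dedicated admin accounts the business intends to have.

```powershell
# Added example: who has local administrator rights on this machine?
# $expectedAdmins holds placeholder names for your dedicated admin accounts.

$expectedAdmins = @('Administrator', 'it-admin')   # placeholders

# Is the account running this script in local Administrators (SID S-1-5-32-544)?
# The SID is present in the token whether or not the session is elevated.
$me       = [Security.Principal.WindowsIdentity]::GetCurrent()
$adminSid = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$meIsAdmin = $me.Groups -contains $adminSid
Write-Output "Logged in as $($me.Name); member of local Administrators: $meIsAdmin"
if ($meIsAdmin) {
    Write-Output '  -> if this is the account used for email and browsing, this is Level 0 for Control 8'
}

# Everyone who holds local admin on this machine, with a finding for each
$console = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName   # DOMAIN\user at the console
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $short = ($m.Name -split '\\')[-1]
    $finding = if ($m.ObjectClass -eq 'Group')      { 'group: review its members too' }
               elseif ($m.Name -eq $console)        { 'currently logged-on user has local admin' }
               elseif ($short -in $expectedAdmins)  { 'expected admin account' }
               else                                 { 'review: not on the expected-admin list' }
    [PSCustomObject]@{
        Member  = $m.Name
        Type    = $m.ObjectClass
        Source  = $m.PrincipalSource
        Finding = $finding
    }
}
```

The fix the article describes is then mechanical: create the standard account, move the profile, and re-run this until the daily-use account no longer appears in the list.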


Your Self-Assessment Score

Add up your scores (0–3 for each control) and divide by 8 to get your average maturity level.

Your Average   What It Means
0.0–0.5        Significant exposure. Start with MFA, backups, and macro restrictions immediately.
0.5–1.0        Basic foundation with major gaps. MFA and patching are your first priorities.
1.0–1.5        Reasonable baseline. Focus on the specific controls below Level 1 first.
1.5–2.0        Above average for an SMB. Work toward Level 2 consistency.
2.0+           Strong posture. Consider a formal ISO 27001 gap assessment for the next level.

Where to Start: The Priority Order

If you're starting from scratch or near-zero, this is the order that gives you the most protection per hour invested:

  1. MFA everywhere — email, accounting, banking. Free. 30–60 minutes to implement.
  2. Restrict Office macros — 20 minutes in Microsoft 365 admin. Free. Blocks a huge category of attacks.
  3. Enable automatic OS and app updates — 15 minutes per machine. Free.
  4. Test your backups — Schedule a restore test. Free.
  5. Remove local admin from daily accounts — 1–2 hours of IT work per machine.
  6. Browser security settings — 30 minutes to configure, deploy via policy if you have Microsoft 365.

Controls 4 (Application Control) and 6 (Harden Applications) are harder to implement without IT support. Get controls 1–3 right first.


FAQ

Do I need to be ISO 27001 certified to implement the Essential Eight? No. The Essential Eight is independent of ISO 27001. They complement each other, but you can implement either without the other.

Is the Essential Eight mandatory for Australian businesses? It's mandatory for Australian Government agencies. For private businesses, it's a strong recommendation — and increasingly, large enterprise clients and cyber insurers are asking suppliers to demonstrate compliance.

What does Maturity Level 2 take? Level 2 requires more formal processes, better coverage, and some tooling investment. Budget 2–4 months and $5,000–$20,000 depending on your current state and staff count.

Can I self-assess or do I need a consultant? This guide gives you a self-assessment. A formal assessment from a consultant gives you a written report, independent verification, and specific remediation guidance. The ACSC also publishes official assessment guides at cyber.gov.au.

What if I use Macs instead of Windows? The Essential Eight applies to all platforms. The specific tools differ (macOS has its own equivalents for patching, application control, etc.), but the maturity model is the same.

How often should I reassess? At minimum annually. After any significant infrastructure change (new cloud service, new staff, significant software change). After any security incident.


Get a Professional Assessment

The self-assessment above is a starting point. A professional assessment gives you:

  • A written report suitable for your board, insurer, or enterprise clients
  • Per-control findings with specific remediation steps
  • ISO 27001 gap analysis alongside the Essential Eight
  • An external perspective that catches what internal self-assessment misses

lilMONSTER's AI Security Baseline Assessment ($1,500) covers both the Essential Eight and ISO 27001 gap analysis, delivered as a professional PDF report within 5 business days. Includes a 60-minute findings walkthrough call.

Book a free 20-min discovery call →


The ACSC Essential Eight was developed by the Australian Cyber Security Centre. Official resources and assessment guides are available at cyber.gov.au. The maturity model described in this article is based on the ACSC Essential Eight Maturity Model (v3.5, 2023).


References

  1. Australian Cyber Security Centre (ACSC). Essential Eight Maturity Model (v3.5). The official Australian government framework for baseline cybersecurity controls, with detailed maturity level definitions for each of the eight mitigation strategies.

  2. Australian Cyber Security Centre (ACSC). Essential Eight Implementation Guides. Platform-specific guidance for implementing the Essential Eight on Windows, macOS, Linux, and cloud platforms.

  3. Microsoft. MFA blocks 99.9% of automated account attacks. Microsoft security research demonstrating the effectiveness of multi-factor authentication against account compromise.

  4. Australian Cyber Security Centre (ACSC). Small Business Cyber Security Guide. Practical cybersecurity guidance specifically tailored for Australian small businesses, including Essential Eight context.

  5. Australian Signals Directorate (ASD). ACSC Annual Cyber Threat Report 2024-2025. Current threat landscape affecting Australian organisations, including statistics on ransomware, business email compromise, and phishing.

  6. National Institute of Standards and Technology (NIST). Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF 2.0). US framework that complements the Essential Eight, useful for organisations pursuing both Australian and international compliance.

  7. Australian Government. Security of Critical Infrastructure Act 2018 (Cth). Legislation that references the Essential Eight as a risk management framework for critical infrastructure entities.

  8. Office of the Australian Information Commissioner (OAIC). Notifiable Data Breaches scheme. Australian data breach notification requirements that the Essential Eight helps organisations meet by reducing breach likelihood.

