Implementing the Essential Eight

The Essential Eight is a series of baseline mitigation strategies taken from the ACSC’s Strategies to Mitigate Cyber Security Incidents that are designed to make it harder for adversaries to compromise systems.

The Essential Eight:

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

The ACSC says organisations should identify a target maturity level before implementing the Essential Eight, then plan the implementation progressively so that they achieve the same maturity level across all eight mitigation strategies before moving on to higher maturity levels.

The Essential Eight Maturity Model is designed to assist organisations to implement the Essential Eight in a graduated manner based upon different levels of adversary tradecraft and targeting. Four maturity levels have been defined, from Maturity Level Zero to Maturity Level Three.

There is no requirement for organisations to have their Essential Eight implementation certified by an independent party, but implementations may need to be assessed by an independent party if required by a government directive or policy, by a regulatory authority, or as part of contractual arrangements.

As a trusted partner to world-leading enterprise organisations, and in its commitment to supporting Federal, State and local government, CyberArk is continuously certifying its technology to more effectively defend against attacks, enable their digital business to drive operational efficiencies, and satisfy audit and compliance requirements.

CyberArk recognises that these key value drivers are required when helping organisations address “Essential Eight” risk management strategies. As organisations have shifted their security mindset to one in which identity is becoming the modern approach to securing enterprises, CyberArk has evolved its Identity Security Platform to enable organisations to determine which capabilities they require and deliver risk reduction against well-understood risks.

CyberArk holds the industry’s most comprehensive set of privileged access management government certifications, including the international Common Criteria certification by the National Information Assurance Partnership (NIAP).

Find out what CyberArk is doing to support implementation of the Essential Eight here.
