If you’ve looked into cyber security for your business in Australia, you’ve probably run into the Essential 8. It’s the Australian Cyber Security Centre’s (ACSC) set of eight mitigation strategies that form a baseline for protecting organisations from a range of common threats. What’s less obvious at first is that the Essential 8 isn’t a single checklist—it’s a maturity model. Each of the eight mitigations has multiple maturity levels, and where you sit on that scale has a real impact on how well you’re protected. In this post we’ll focus on what maturity levels 1, 2 and 3 actually mean, how they differ, and why that matters when you’re planning your security improvements.
What is the Essential 8?
The Essential 8 is a framework, not a product. It covers eight mitigations: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. The ACSC recommends that organisations implement these mitigations to a level that matches their risk and environment. The idea is to make it harder for attackers to get in, move around, and cause damage—and to make recovery possible when something does go wrong.
Each mitigation is broken down into maturity levels. Level 0 means it’s not implemented or not in a meaningful way. Levels 1, 2 and 3 represent progressively stronger, more consistent and more automated implementations. Moving up doesn’t just mean “doing more”—it usually means doing things in a more disciplined, repeatable and often technology-supported way. If you’re based in Perth or the greater metro area and want to align with the Essential 8, understanding these levels is the first step to deciding where to aim and how to get there. Our cyber security services are built around helping businesses do exactly that.
Maturity Level 1
Maturity level 1 is the first step beyond “we don’t do this.” For each of the eight mitigations, level 1 is about having something in place that addresses the control in a basic way. It’s often manual or partially manual, and it might not cover every system or every user—but it’s there, and it’s intentional.
For example, with application control, level 1 might mean you have a policy that only approved applications can be run, and you’re blocking execution of at least some types of untrusted or risky code (e.g. in standard locations like downloads). With patching, level 1 typically means security patches for applications and operating systems are applied within a reasonable time—often within a month or so for critical issues—even if the process isn’t fully automated or measured. For backups, level 1 usually means you’re taking backups regularly and they’re stored off the main system, with at least one restoration test. Our backup and recovery services help businesses put this in place and test restorations. For multi-factor authentication (MFA), level 1 means MFA is in use for a defined set of users or systems (e.g. remote access or admin accounts), even if it’s not yet everywhere it could be.
So level 1 is about “we’ve started; we have a control in place and we’re using it.” It’s a foundation. Many small and mid-sized businesses sit here for at least some of the eight. The gap at level 1 is that implementation can be inconsistent—different people, different systems, different timing—and there’s usually limited evidence that everything is being done as intended. That’s where level 2 comes in.
Maturity Level 2
Maturity level 2 tightens things up. The same eight mitigations are still in scope, but the bar is higher: the control is applied more consistently, and there’s usually a clearer, more formal process and some form of validation. The ACSC often describes level 2 as involving automation or other measures that make it harder to bypass or forget the control.
Taking the same examples: at application control level 2, you’re typically blocking execution of untrusted and unsigned code in a more comprehensive way (e.g. across standard locations and with a defined allow list), and the approach is applied in a consistent, documented manner. For patching, level 2 usually means patches are applied within a shorter window (e.g. two weeks for critical vulnerabilities) and there’s a process—often partly automated—to assess and deploy them. For backups, level 2 often adds things like testing restorations more regularly, and ensuring backups are stored in a way that makes them harder to tamper with (e.g. offline or immutable). For MFA, level 2 typically extends MFA to more sensitive scenarios (e.g. all remote access, or all users for important systems) and may specify phishing-resistant methods where appropriate.
So the main difference between level 1 and level 2 is consistency, process and proof. At level 2 you’re not just “doing something”; you’re doing it in a way that’s repeatable, that covers the right scope, and that can be checked. That reduces gaps and makes it harder for an attacker to find the one system or user that wasn’t properly controlled. Many organisations that are serious about security aim for at least level 2 on the mitigations that matter most for their risk profile.
Maturity Level 3
Maturity level 3 is the strongest of the three. Here the ACSC is looking for robust, automated and well-maintained implementations that are hard to bypass and that are regularly validated. Level 3 is where many of the “best practice” expectations live: faster patching, comprehensive application control, phishing-resistant MFA in the right places, and backups that are not only tested but protected and recoverable in line with your recovery objectives.
For application control, level 3 usually means execution is restricted to an approved set of applications (and versions) everywhere it matters, with technical enforcement and a maintained allow list. For patching, level 3 often means critical security patches are applied within 48 hours (or similar short window), with automation and verification. For backups, level 3 typically requires that backups are encrypted, stored in a way that prevents tampering or deletion by an attacker (e.g. immutable or air-gapped), and that restoration is tested often enough to meet your recovery goals. For MFA, level 3 generally means MFA is used for all users in scope, including for sensitive data and systems, and that the method is phishing-resistant (e.g. FIDO2 or similar) where the ACSC specifies it.
The jump from level 2 to level 3 is often about speed, automation, coverage and resilience. You’re not just doing the right thing; you’re doing it quickly, in a way that’s hard to circumvent, and with evidence that it’s working. That’s why level 3 is the target for organisations with higher risk or stricter compliance needs—including many in government, finance and critical infrastructure—while level 1 or 2 may be enough for others, at least for some mitigations.
How the Levels Differ in Practice
A simple way to think about it: level 1 is “we have the control”; level 2 is “we have it in a consistent, process-driven way”; level 3 is “we have it in a strong, automated and validated way.” You don’t have to be at level 3 on every mitigation. The ACSC encourages a risk-based approach and recommends achieving the same maturity level across all eight mitigations before advancing to the next level—so it’s better to be at level 1 everywhere than level 2 in some areas and level 0 in others. Prioritise the mitigations that matter most for your environment, then improve over time. Many businesses use managed IT and cyber security support to get there.
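To make the difference between the levels concrete, here is an added example (not part of the original post, and not an ACSC tool) that measures patching evidence against the three windows described above and applies the rule that your overall position is set by your weakest mitigation. The thresholds (30 days, 14 days, 48 hours) are assumptions that round the post's wording of "a month or so", "two weeks" and "48 hours"; the host names, patch identifiers and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed deployment windows, rounded from the post's description of each level:
# level 1 "a month or so", level 2 "two weeks", level 3 "48 hours".
PATCH_WINDOWS = {
    3: timedelta(hours=48),
    2: timedelta(days=14),
    1: timedelta(days=30),
}

# The eight mitigations, used to check that an overall assessment covers all of them.
ESSENTIAL_8 = (
    "application_control", "patch_applications", "office_macros",
    "user_application_hardening", "restrict_admin_privileges",
    "patch_operating_systems", "mfa", "regular_backups",
)


@dataclass
class PatchRecord:
    host: str
    patch_id: str
    released: datetime
    installed: Optional[datetime]  # None means the patch is still pending


def patch_level(record: PatchRecord, now: datetime) -> int:
    """Highest maturity level whose window this one deployment satisfied.

    A pending patch is measured against `now`: while it is still inside a
    window it does not lower the level yet, but once it is overdue it counts
    as level 0 instead of being silently ignored.
    """
    finished = record.installed if record.installed is not None else now
    latency = finished - record.released
    for level in (3, 2, 1):
        if latency <= PATCH_WINDOWS[level]:
            return level
    return 0


def assess_patching(records: List[PatchRecord], now: datetime) -> Tuple[int, Dict[str, int]]:
    """Per-host patching level and the fleet-wide level.

    The fleet level is the minimum across hosts: one host that was missed is
    exactly the gap an attacker looks for, so it drags the whole control down.
    """
    per_host: Dict[str, int] = {}
    for r in records:
        per_host[r.host] = min(per_host.get(r.host, 3), patch_level(r, now))
    overall = min(per_host.values()) if per_host else 0
    return overall, per_host


def essential8_overall(levels: Dict[str, int]) -> int:
    """Overall Essential 8 maturity: the lowest level across all eight.

    A mitigation with no recorded level is treated as level 0 (not implemented),
    matching the advice to reach the same level everywhere before moving up.
    """
    return min(levels.get(name, 0) for name in ESSENTIAL_8)


# Constructed sample evidence (hypothetical hosts, patch ids and dates).
NOW = datetime(2024, 6, 30, 12, 0)
SAMPLE_RECORDS = [
    PatchRecord("srv-01", "PATCH-A", datetime(2024, 6, 1), datetime(2024, 6, 2)),    # 1 day   -> 3
    PatchRecord("srv-01", "PATCH-B", datetime(2024, 6, 10), datetime(2024, 6, 20)),  # 10 days -> 2
    PatchRecord("ws-07", "PATCH-A", datetime(2024, 6, 1), datetime(2024, 6, 25)),    # 24 days -> 1
    PatchRecord("ws-07", "PATCH-B", datetime(2024, 6, 10), None),                    # pending, 20.5 days -> 1
    PatchRecord("db-02", "PATCH-A", datetime(2024, 5, 20), None),                    # pending, 41.5 days -> 0
]

if __name__ == "__main__":
    fleet_level, hosts = assess_patching(SAMPLE_RECORDS, NOW)
    print("per host:", hosts)          # {'srv-01': 2, 'ws-07': 1, 'db-02': 0}
    print("patching level:", fleet_level)  # 0, because db-02 is overdue
    # Constructed per-mitigation levels for the other seven controls.
    levels = {name: 2 for name in ESSENTIAL_8}
    levels["patch_applications"] = fleet_level
    print("overall Essential 8 level:", essential8_overall(levels))  # 0
```

The useful output is not the number itself but the host or mitigation that produced it: in the sample, two hosts are at level 2 or better, yet the fleet sits at level 0 because one database server has an overdue patch, which is the "one system that wasn't properly controlled" problem the post describes.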
For a lot of small and medium businesses in Perth and WA, a practical path is to get to level 1 across the eight, then lift the most important ones (e.g. MFA, backups, patching) to level 2, and only push to level 3 where risk or compliance really demands it. That way you get real protection without chasing a perfect score card before the basics are solid.
If you’re not sure where you stand, a security assessment can map your current state to the Essential 8 maturity levels and highlight the gaps that matter most. From there you can plan the steps that fit your budget and risk. We help businesses do exactly that—aligning with the Essential 8 in a way that’s practical and sustainable, whether you need IT support for patching and hardening or broader managed IT and security. If you’d like to discuss your maturity level or your next steps, you can get in touch or request a quote for tailored advice.
Summary
The Essential 8 is a maturity model: each of the eight mitigations can be implemented at level 1, 2 or 3. Level 1 is the first step—controls in place in a basic form. Level 2 adds consistency, process and validation. Level 3 adds robustness, automation and stronger assurance. Understanding these differences helps you decide where to focus and how to progress. For many organisations, getting to level 1 across the board and then lifting key mitigations to level 2 is a realistic and effective goal; level 3 is there when your risk or compliance needs justify the extra effort.
READY TO IMPROVE YOUR SECURITY POSTURE?
We help Perth and Greater Metro businesses align with the Essential 8 and build practical, ongoing security. Get in touch or request a quote.