
Essential 8 Implementation Checklist: A Step-by-Step Guide - MSP Guide Australia

Compliance | 2026-06-10 | 18 min read | 3675 words

Essential 8 Implementation Checklist: A Step-by-Step Guide

The Australian Signals Directorate (ASD) Essential 8 is the baseline cyber security framework for Australian government agencies and increasingly for private sector organisations. Whether you're an MSP implementing these controls across client tenants or an internal IT team hardening your own environment, this checklist gives you a practical, step-by-step path from Level 0 to Level 3.

If you're also looking at securing remote work, pair this with our Remote Work Security Checklist for a complete security posture.

This isn't theory. It's what you actually need to do, in what order, and what to watch out for along the way.

Before You Start: The Foundation

Before tackling any individual control, get these basics right:

Prerequisites

  • [ ] Asset inventory. You can't protect what you don't know about. Document every workstation, server, and critical application.
  • [ ] Network diagram. Understand your environment topology — VLANs, firewalls, internet-facing services.
  • [ ] User inventory. All accounts documented, including service accounts and shared accounts.
  • [ ] Current maturity assessment. Score yourself against each control at Level 0–3. Know your starting point.
  • [ ] Risk assessment. What data do you hold? What are the consequences of a breach? This drives your prioritisation.
  • [ ] Executive buy-in. Essential 8 implementation affects user experience. Leadership needs to support it.
  • [ ] Testing environment. Never deploy security controls directly to production. Test in a lab or pilot group first.

The Golden Rule

Don't try to achieve Level 3 on one control while leaving others at Level 0. A balanced approach across all eight controls reduces your overall risk more effectively than excellence in one area and neglect in others. Start with Level 1 everywhere, then systematically move to Level 2, then Level 3.

Control 1: Application Control

What it does: Restricts which programs can execute to an organisation-approved set. In the maturity model this covers executables, software libraries (DLLs), scripts, installers, compiled HTML, HTML applications and control panel applets, not just .exe files.

Why it matters: Almost every intrusion eventually needs to run attacker-supplied code on an endpoint, whether that is a dropped binary, a DLL side-loaded into a trusted process or a script launched from a phishing attachment. If that code cannot execute, the chain breaks. Application control is also what makes the script and PowerShell restrictions in Control 4 enforceable rather than advisory.

Level 1 Checklist

  • [ ] Identify and inventory all authorised applications across workstations
  • [ ] Determine which applications are critical to business operations
  • [ ] Implement application control (allowlisting) on workstations using one of:
  • Microsoft AppLocker (simplest to pilot; enforced by the Application Identity service)
  • Windows Defender Application Control (WDAC), the stronger option for new deployments
  • A third-party application control product (for example Carbon Black App Control or Airlock Digital); a general EDR agent is not application control unless it enforces an allowlist
  • [ ] Cover user profiles and the temporary folders used by the operating system, web browsers and email clients (Downloads, %TEMP%, %APPDATA%, %LOCALAPPDATA%): nothing in a user-writable path should have an allow rule
  • [ ] Test with a pilot group before broad deployment
  • [ ] Document all authorised applications in a central register
  • [ ] Establish a process for requesting new application approvals
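The Level 1 steps above, inventory, allowlist, pilot and register, as one runnable sequence. This is an added example, not code from the original checklist: it builds an AppLocker allowlist from a clean reference workstation, deploys it in audit mode, dry-runs the policy against the current user's Downloads folder and then reports what a pilot group would have been blocked from running. The output path, the reference directories scanned and the Everyone principal are this example's assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original checklist): AppLocker allowlist, audit mode first.
# Assumptions: run elevated on a clean reference build; C:\E8 is an illustrative path.
Import-Module AppLocker

$policyPath = 'C:\E8\AppLocker-Audit.xml'                    # assumed output location
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory the executable content in the locations standard users cannot write to.
#    Publisher rules survive vendor updates; hash rules catch unsigned binaries.
$referenceDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$files = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate allow rules only. Anything under a user-writable path (Downloads, %TEMP%,
#    %APPDATA%) has no rule, so it is exactly what will surface in the audit log.
$policyXml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'E8-Baseline' -Optimize -IgnoreMissingFileInformation -Xml

# 3. Force every rule collection (Exe, Dll, Script, Msi) into audit mode before saving.
[xml]$xml = $policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyPath)

# 4. Apply locally on the pilot machine (use Group Policy or Intune for the fleet) and make
#    sure the Application Identity service runs; AppLocker does nothing without it.
#    sc.exe is used because AppIDSvc is a protected service and Set-Service is refused.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Dry-run: what in this user's Downloads folder would the policy deny?
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.msi, *.ps1, *.vbs -Recurse -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied, DeniedByDefault

# 6. After the pilot period: which programs WOULD have been blocked (events 8003/8006),
#    with counts, so the application register can be corrected before enforcement.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
foreach ($log in $logs) {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited -Statistics
}
```

Run step 6 weekly for the pilot group and add every legitimate hit to the register as a Publisher rule; only flip `EnforcementMode` to `Enabled` once a full business cycle (month-end reporting included) has produced no new audit entries.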

Level 2 Checklist

  • [ ] Extend application control to internet-facing servers (all remaining servers, including domain controllers, are a Level 3 requirement)
  • [ ] Apply Microsoft's recommended application blocklist (living-off-the-land binaries such as mshta.exe, wmic.exe and MSBuild.exe that would otherwise be allowed because they sit under C:\Windows)
  • [ ] Validate rulesets at least annually (the model's minimum); quarterly is a sensible target in a fleet that changes often
  • [ ] Log allowed and blocked application control events centrally and protect the logs from modification
  • [ ] Analyse blocked execution attempts as potential indicators of compromise and report incidents
  • [ ] Confirm the ruleset actually restricts PowerShell, VBScript, JScript and batch files, not only .exe and .msi

Level 3 Checklist

  • [ ] Application control implemented on all remaining (non-internet-facing) servers, including domain controllers
  • [ ] Application control covers all executables, libraries, scripts, installers, compiled HTML, HTML applications and control panel applets on every platform
  • [ ] Application control restricts driver execution and Microsoft's vulnerable driver blocklist is applied (bring-your-own-vulnerable-driver attacks bypass user-mode controls)
  • [ ] Centrally log all application control events and analyse them in a timely manner, with automated alerting for unusual blocked execution patterns
  • [ ] Regular review of application control effectiveness
  • [ ] Document all exceptions with compensating controls

Common Pitfalls

  • Blocking legitimate business applications. Always test with a representative user group before deploying. Finance teams often use niche applications that IT doesn't know about.
  • Forgetting about PowerShell. Many organisations block .exe files but leave PowerShell unrestricted. Attackers love PowerShell.
  • Not updating whitelists. When software updates or new applications are deployed, the whitelist needs to keep up. Build this into your change management process.
  • Overlooking macros and scripts. Application control isn't just about executables. VBA macros, JavaScript, and PowerShell scripts are all execution vectors.

MSP Tip

Create standard application whitelists per client industry vertical (law firm, medical practice, construction, accounting) and maintain them centrally. This dramatically reduces per-client setup time.

Control 2: Patch Applications

What it does: Patches security vulnerabilities in applications within a defined timeframe.

Why it matters: Unpatched, internet-reachable software is one of the most commonly exploited initial access paths. The maturity model's timeframes are tiered: 48 hours when the vendor rates a vulnerability critical or a working exploit exists, two weeks for online services and for the applications that handle untrusted content (browsers, Office, email clients, PDF readers, security products), and one month for other applications.

Level 1 Checklist

  • [ ] Identify all online services (anything exposed to the internet) and all applications that handle untrusted content: web browsers and their extensions, office productivity suites, email clients, PDF software and security products
  • [ ] Patch online services within 48 hours when the vendor rates the vulnerability critical or a working exploit exists, otherwise within two weeks
  • [ ] Patch browsers, office suites, email clients, PDF software and security products within two weeks of release; patch all other applications within one month
  • [ ] Run a vulnerability scanner with an up-to-date database: daily for online services, weekly for the untrusted-content applications above, fortnightly for everything else
  • [ ] Remove online services and untrusted-content applications that the vendor no longer supports (Adobe Flash Player is the classic example)
  • [ ] Implement automated patch management (your RMM tool's patch module, WSUS, Configuration Manager, Intune)
  • [ ] Maintain a register of all applications and their patch status
  • [ ] Establish a patch testing and deployment process
  • [ ] Configure automatic updates where possible (browsers, Adobe, etc.)
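The application register and patch-status items above, as an added example (not code from the original checklist): it builds the per-device register from the Windows Uninstall registry hives, including per-user installs, and flags anything below a minimum patched version. The `$baseline` table is constructed for illustration; in production it would come from vendor release notes or your vulnerability scanner.

```powershell
# Added example (not from the original checklist): per-device application register plus
# a minimum-version check. $baseline is a constructed sample, not real vendor data.

function Get-InstalledApplication {
    # 64-bit, 32-bit and per-user installs. Per-user matters: Chrome, Zoom and Teams
    # frequently install under HKCU and are missed by HKLM-only inventories.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function ConvertTo-ComparableVersion([string]$Text) {
    # DisplayVersion strings are messy ("23.01 (x64)", "6.0.0 (12345)"). Keep the leading
    # dotted numeric part and pad to the two components [version] requires.
    if ($Text -match '^\s*(\d+(?:\.\d+)*)') {
        $parts = @($Matches[1].Split('.'))
        while ($parts.Count -lt 2) { $parts += '0' }
        return [version]($parts -join '.')
    }
}

# Constructed baseline: "anything below this version is an SLA breach for this client".
$baseline = @{
    'Google Chrome'        = '128.0.0.0'
    'Adobe Acrobat Reader' = '24.2.0'
    '7-Zip'                = '24.7'
    'Zoom'                 = '6.0.0'
}

function Compare-ApplicationBaseline {
    param([object[]]$Applications, [hashtable]$Baseline)
    foreach ($app in $Applications) {
        # Prefix match so "7-Zip 23.01 (x64)" maps to the '7-Zip' baseline entry.
        $key = $Baseline.Keys | Where-Object { $app.DisplayName -like "$_*" } | Select-Object -First 1
        if (-not $key) { continue }                                  # not a tracked product
        $installed = ConvertTo-ComparableVersion $app.DisplayVersion
        $required  = ConvertTo-ComparableVersion $Baseline[$key]
        [pscustomobject]@{
            Application = $app.DisplayName
            Installed   = $app.DisplayVersion
            Required    = $Baseline[$key]
            Status      = if (-not $installed) { 'UNKNOWN VERSION' }
                          elseif ($installed -lt $required) { 'OUT OF DATE' }
                          else { 'OK' }
        }
    }
}

$apps = Get-InstalledApplication
$apps | Export-Csv -Path "$env:COMPUTERNAME-applications.csv" -NoTypeInformation   # the register entry
Compare-ApplicationBaseline -Applications $apps -Baseline $baseline |
    Sort-Object Status -Descending | Format-Table -AutoSize
```

Run it from the RMM on every endpoint and diff the CSVs centrally: an application that appears on one machine only is usually a finance-team "niche application" you have not heard of yet, which is exactly what Control 1's pitfall list warns about.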

Level 2 Checklist

  • [ ] Patch browsers, office suites, email clients, PDF software and security products within 48 hours when critical or exploited, otherwise within two weeks
  • [ ] Automated patch deployment with verification (confirm patches actually applied, not just that the job ran)
  • [ ] Vulnerability scanning on the Level 1 cadence with a commercial scanner (Nessus, Qualys, Rapid7) or your RMM's scanner, reconciled against the application register
  • [ ] Document all patch exceptions with business justification and compensating controls
  • [ ] Patch third-party applications (Java, Adobe, Chrome, Zoom, etc.), not just Microsoft products
  • [ ] Monitor for failed patch deployments and remediate
  • [ ] Establish an emergency patching process for actively exploited vulnerabilities

Level 3 Checklist

  • [ ] Automated scanning and deployment for all applications
  • [ ] Patch all other applications within 48 hours when critical or exploited, otherwise within one month
  • [ ] Remove any application the vendor no longer supports, not only the internet-facing ones
  • [ ] Regular testing of patch deployment processes (verify patches actually install)
  • [ ] Vulnerability scanning confirms patches are applied (not just deployed)
  • [ ] Automated reporting on patch compliance across all systems
  • [ ] Rollback procedures documented and tested for failed patches

Common Pitfalls

  • Third-party applications. Most organisations patch Microsoft products well but forget about Java, Adobe Reader, Chrome, Zoom, 7-Zip, and other third-party tools. These are equally exploitable.
  • Patch testing. Deploying patches blind can break business applications, but a 48-hour window leaves no room for a week-long lab cycle. Use deployment rings: a small pilot ring of IT and power users first, then broad deployment, with the ring schedule agreed in advance so a critical patch can still ship inside the window.
  • Server patching downtime. Server patches often require reboots. Negotiate maintenance windows with business stakeholders.
  • Legacy applications. Some legacy applications can't be patched or are incompatible with newer versions. Document these and apply compensating controls (isolation, application control, network segmentation).

MSP Tip

Use your RMM tool's patch management module to create standard patching schedules per client. Negotiate patching windows during onboarding so expectations are clear from day one.

Control 3: Configure Microsoft Office Macro Settings

What it does: Blocks or restricts macros to prevent malware delivery via Office documents.

Why it matters: Macro-based malware is one of the most common initial access techniques. A single malicious document can compromise an entire network.

Level 1 Checklist

  • [ ] Disable macros entirely for users without a demonstrated business requirement (the "Disable VBA for Office applications" policy)
  • [ ] Block macros in files that came from the internet (the Mark of the Web check; Microsoft's default since 2022, but enforce it by policy so it cannot be turned back on)
  • [ ] Enable macro antivirus scanning (the AMSI "Macro Runtime Scan Scope" policy)
  • [ ] Lock the settings so users cannot change them: deliver them via Group Policy or Intune, not the Trust Center
  • [ ] Identify users with legitimate macro requirements (finance, operations) and scope the exception group tightly
  • [ ] Create an approval process for macro exceptions; the ex
ception group gets "disable all except digitally signed", not "enable all"
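The Level 1 settings above, applied and then verified, as an added example rather than code from the original checklist. The registry values are the documented Office policy keys for version 16.0 (Office 2016 through Microsoft 365 Apps); the application list and the `-AllowSignedOnly` switch for the exception group are this example's choices. It writes to the current user's Policies hive, which is fine for a pilot or for verification; in production deliver the same values through Group Policy or Intune ADMX so the Trust Center options are greyed out for every user.

```powershell
# Added example (not from the original checklist): apply and verify Level 1 macro settings
# for the current user. Office 16.0 policy keys; app list is this example's assumption.

$officePolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$vbaApps      = 'word', 'excel', 'powerpoint', 'access', 'visio'   # apps that ship a VBA engine

function Set-PolicyDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Set-E8MacroPolicy {
    param([switch]$AllowSignedOnly)   # only for users with an approved business need
    foreach ($app in $vbaApps) {
        $security = "$officePolicy\$app\security"
        # "Block macros from running in Office files from the Internet" (Mark of the Web)
        Set-PolicyDword $security 'blockcontentexecutionfrominternet' 1
        # "VBA Macro Notification Settings": 4 = disable all without notification,
        # 3 = disable all except digitally signed macros (the exception group)
        Set-PolicyDword $security 'vbawarnings' $(if ($AllowSignedOnly) { 3 } else { 4 })
    }
    # "Macro Runtime Scan Scope": 2 = AMSI scans macros in every document, not only low-trust ones
    Set-PolicyDword "$officePolicy\common\security" 'macroruntimescanscope' 2
    if ($AllowSignedOnly) {
        Remove-ItemProperty -Path "$officePolicy\common" -Name 'vbaoff' -ErrorAction SilentlyContinue
    } else {
        # "Disable VBA for Office applications": no VBA engine at all for users who don't need it
        Set-PolicyDword "$officePolicy\common" 'vbaoff' 1
    }
}

function Test-E8MacroPolicy {
    $common = Get-ItemProperty "$officePolicy\common" -ErrorAction SilentlyContinue
    $scan   = Get-ItemProperty "$officePolicy\common\security" -ErrorAction SilentlyContinue
    foreach ($app in $vbaApps) {
        $sec = Get-ItemProperty "$officePolicy\$app\security" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App           = $app
            VbaDisabled   = ($common.vbaoff -eq 1)
            InternetBlock = ($sec.blockcontentexecutionfrominternet -eq 1)
            VbaWarnings   = $sec.vbawarnings
            AmsiScan      = ($scan.macroruntimescanscope -eq 2)
            Level1        = ($sec.blockcontentexecutionfrominternet -eq 1) -and
                            ($sec.vbawarnings -in 3, 4 -or $common.vbaoff -eq 1) -and
                            ($scan.macroruntimescanscope -eq 2)
        }
    }
}

Set-E8MacroPolicy                        # default user: no macros at all
# Set-E8MacroPolicy -AllowSignedOnly     # approved exception group: signed macros only
Test-E8MacroPolicy | Format-Table -AutoSize
```

`Test-E8MacroPolicy` is the useful half for an MSP: run it through the RMM under each user's context and any row where `Level1` is false is a device where the policy did not land.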

Level 2 Checklist

  • [ ] Block macros from making Win32 API calls (the matching Attack Surface Reduction rule; this is what stops shellcode loaders written in VBA)
  • [ ] Centrally log both allowed and blocked macro execution events
  • [ ] Protect the logs from unauthorised modification and analyse them for signs of compromise
  • [ ] Start moving exception users to digitally signed macros from a short list of trusted publishers
  • [ ] Regular review of the trusted publisher list
  • [ ] Monitor for attempts to bypass macro restrictions (files arriving without Mark of the Web, repeated "enable content" prompts)

Level 3 Checklist

  • [ ] Macros only run from a Trusted Location, a sandboxed environment, or when digitally signed by a trusted publisher (V3 signatures only)
  • [ ] Only the privileged users who validate macros can write to Trusted Locations; a Trusted Location on a share every user can write to is no control at all
  • [ ] Macros signed by an untrusted publisher cannot be enabled from the Message Bar or Backstage view
  • [ ] Validate the trusted publisher list at least annually
  • [ ] Centrally log and monitor all macro activity with automated alerting for anomalies
  • [ ] Keep VBA disabled for every application and user that does not require it

Common Pitfalls

  • Breaking business processes. Many organisations rely on macro-enabled Excel spreadsheets for critical business functions. Work with users to identify legitimate use cases before blocking.
  • Workarounds. Mark of the Web is an NTFS alternate data stream, so it is lost when a file is copied to FAT-formatted USB media, extracted by an archiver that does not propagate it, or unblocked from the file's Properties dialog. Disabling VBA for users who do not need it, and application control (Control 1), are the backstops.
  • VBA in Access databases. Legacy Access databases with VBA are common in Australian businesses. These need special handling — either migrate or create signed macro exceptions.
  • Trusted publisher management. If you allow signed macros, you need a process to review and revoke trusted publishers regularly.

MSP Tip

Many clients rely on macro-enabled spreadsheets for reporting and automation. Audit macro usage across your client base before deployment. You'll find that 80% of users don't need macros at all, but the 20% who do will push back hard if you don't handle it carefully.

Control 4: User Application Hardening

What it does: Configures web browsers, Office and PDF software to stop processing risky content and to prevent them spawning or injecting into other processes. The model's current wording targets Internet Explorer 11, Java and web advertisements from the internet (Adobe Flash Player reached end of life in 2020 and should simply be removed).

Why it matters: Browsers and Office applications are the most targeted software in any environment. Hardening them reduces the attack surface dramatically.

Level 1 Checklist

  • [ ] Disable or remove Internet Explorer 11 (if a legacy app needs Edge's IE mode, restrict it to a named site list)
  • [ ] Block browsers from processing Java from the internet; remove the Java browser plugin entirely
  • [ ] Block web advertisements from the internet in all browsers (a managed ad-blocking extension or DNS filtering)
  • [ ] Prevent users from changing browser security settings (enforce them via browser policy)
  • [ ] Configure browser security settings:
  • Block pop-ups
  • Disable third-party cookies
  • Enable safe browsing / SmartScreen
  • Block dangerous downloads
  • [ ] Remove or disable unnecessary browser extensions and allow only a managed list
  • [ ] Disable unneeded features in Office applications (ActiveX, OLE package activation)

Level 2 Checklist

  • [ ] Block Office applications from creating child processes, creating executable content and injecting code into other processes (Attack Surface Reduction rules)
  • [ ] Block PDF software from creating child processes
  • [ ] Prevent Office from activating OLE packages, and stop users changing Office and PDF security settings
  • [ ] Block execution of scripts from user-writable directories (reuse Control 1's script rules)
  • [ ] Centrally log command-line process creation (Event ID 4688 with command line) and PowerShell module, script block and transcription events
  • [ ] Protect those logs from modification and analyse them for signs of compromise

Level 3 Checklist

  • [ ] Disable or remove .NET Framework 3.5 (which bundles .NET 2.0 and 3.0) unless a specific application requires it
  • [ ] Disable or remove Windows PowerShell 2.0 (it predates script block logging and AMSI, so attackers downgrade to it)
  • [ ] Run PowerShell in Constrained Language Mode for non-administrators, enforced through AppLocker or WDAC script rules (the model does not ask you to block PowerShell outright, and blocking it breaks management tooling)
  • [ ] Analyse the centrally logged process-creation and PowerShell events in a timely manner, with alerting on encoded commands, download cradles and unusual parent-child pairs
  • [ ] Carry the Level 2 Office and PDF rules forward and move any remaining audit-mode rules to block
  • [ ] Keep a documented, reviewed exception list for every rule that had to be relaxed
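The Office, PDF and script items in the Level 2 and 3 lists above map to Defender's Attack Surface Reduction rules. As an added example (not code from the original checklist), the block below turns those rules on in audit mode, shows the resulting state, and summarises what they hit so you can move to block mode with evidence. The rule GUIDs are Microsoft's published ASR rule IDs; the rule selection, the audit-then-enforce flow and the event-message parsing in `Get-E8AsrHits` (which depends on the event text layout) are this example's choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original checklist): Defender ASR rules, audit first.
# GUIDs are Microsoft's published rule IDs; everything else is this example's choice.

$asrRules = [ordered]@{
    'Office: block child processes'                          = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Office: block creating executable content'              = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Office: block code injection into other processes'      = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Office macros: block Win32 API calls'                   = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
    'Adobe Reader: block child processes'                    = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Scripts: block potentially obfuscated scripts'          = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Scripts: block JS/VBS launching downloaded executables' = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Email: block executable content from mail clients'      = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'LSASS: block credential stealing'                       = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
}

function Set-E8AsrRules {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    $ids     = @($asrRules.Values)
    $actions = @(foreach ($id in $ids) { $Mode })      # parallel array: one action per ID
    # Add-MpPreference merges with rules already configured; Set-MpPreference would replace them.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-E8AsrState {
    $pref   = Get-MpPreference
    $labels = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $known  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    foreach ($name in $asrRules.Keys) {
        $idx = [array]::IndexOf($known, $asrRules[$name])
        [pscustomobject]@{
            Rule  = $name
            State = if ($idx -ge 0) { $labels[[int]$pref.AttackSurfaceReductionRules_Actions[$idx]] } else { 'Not configured' }
        }
    }
}

function Get-E8AsrHits {
    param([int]$Days = 7)
    # 1121 = blocked, 1122 = audited (would have blocked). Count hits per rule and process.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    $byId = @{}; foreach ($k in $asrRules.Keys) { $byId[$asrRules[$k]] = $k }
    $events | ForEach-Object {
        # Assumption: the message carries "ID: <guid>" and "Path: <file>" lines, as current builds do.
        $id   = if ($_.Message -match '(?i)ID:\s*([0-9a-f-]{36})') { $Matches[1].ToLower() }
        $path = if ($_.Message -match '(?im)^\s*Path:\s*(.+?)\s*$') { $Matches[1] }
        [pscustomobject]@{
            Action = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            Rule   = if ($id -and $byId.ContainsKey($id)) { $byId[$id] } elseif ($id) { $id } else { 'unknown' }
            Path   = $path
        }
    } | Group-Object Action, Rule, Path | Sort-Object Count -Descending | Select-Object Count, Name
}

Set-E8AsrRules -Mode AuditMode          # pilot ring: observe for a fortnight
Get-E8AsrState | Format-Table -AutoSize
Get-E8AsrHits -Days 14                  # then Set-E8AsrRules -Mode Enabled once the hits are understood
```

A high audit count for "Office: block child processes" on one finance workstation is usually a macro that shells out to a PDF printer or a mail merge, which belongs in the Control 3 exception process rather than in an ASR exclusion. Constrained Language Mode itself is not set here: it is a side effect of AppLocker or WDAC script enforcement from Control 1, not a standalone switch.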

Common Pitfalls

  • Overblocking web content. Ad blocking, plugin removal and strict download policies break some legitimate web applications. Test thoroughly and create exceptions for business-critical applications.
  • Disabling .NET 3.5. Legacy applications often require .NET Framework 3.5. Check before disabling.
  • PowerShell for automation. Many legitimate business processes use PowerShell. Constrained Language Mode (rather than outright blocking) keeps administrators and signed scripts working, but unsigned line-of-business scripts still need exception management.
  • Browser compatibility. Aggressive browser hardening can break web applications. Maintain an allowlist of browser exceptions.

MSP Tip

Use Group Policy or Intune to apply these settings centrally. Test with a pilot group of 5–10 users before full deployment. Document every exception with business justification.

Control 5: Restrict Administrative Privileges

What it does: Limits admin access to only those who need it, reducing the attack surface.

Why it matters: Compromised admin accounts are devastating. If an attacker gets Domain Admin, they own your entire network. Least privilege is your most powerful defence.

Level 1 Checklist

  • [ ] Create separate admin accounts for all IT staff (no using Domain Admin for daily email); validate each request for privileged access when it is first made
  • [ ] Remove admin privileges from standard user accounts
  • [ ] Prevent privileged accounts (other than privileged service accounts) from accessing the internet, email and web services
  • [ ] Implement a tiered admin model:
  • Tier 0: Domain controllers, identity infrastructure
  • Tier 1: Servers
  • Tier 2: Workstations
  • [ ] Restrict admin access to Tier 0 systems to dedicated accounts only; unprivileged accounts cannot log on to privileged environments, and privileged accounts (other than local admin) cannot log on to unprivileged ones
  • [ ] Document all admin accounts and their access levels
  • [ ] Use long, unique passphrases for admin accounts and keep them in a managed vault
  • [ ] Randomise local administrator passwords on every workstation with Windows LAPS rather than sharing one local admin password across the fleet

Level 2 Checklist

  • [ ] Implement just-in-time (JIT) access where possible
  • [ ] Privileged access is automatically disabled after 12 months unless revalidated, and after 45 days of inactivity
  • [ ] Privileged access and privileged account management events logged centrally, protected from modification and analysed
  • [ ] Implement privileged access workstations (PAWs) for Tier 0 administration and run admin activity through jump servers; a privileged environment must not be a VM on an unprivileged workstation
  • [ ] Credentials for break-glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed (LAPS, a vault, or group-managed service accounts)
  • [ ] Implement Privileged Identity Management (PIM) in Microsoft Entra ID (formerly Azure AD)
  • [ ] Regular access reviews (quarterly)

Level 3 Checklist

  • [ ] Privileged access limited to exactly what each user and service needs, with the 45-day inactivity and 12-month revalidation automation proven by audit
  • [ ] JIT administration with time-limited access for all privileged tasks (standing membership of Domain Admins is empty outside a change)
  • [ ] Secure Admin Workstations for all privileged activity, with Credential Guard, Remote Credential Guard and LSA protection enabled
  • [ ] Real-time monitoring of privileged account usage with automated alerting for unusual activity
  • [ ] Break-glass accounts for emergency access (secured, monitored, tested)
  • [ ] Session recording for privileged access
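An added example (not code from the original checklist) that audits on-premises AD privileged group membership against the items above and surfaces the pitfalls listed below: mail-enabled admin accounts, service accounts with standing admin rights, and accounts past the 45-day inactivity window. It requires the RSAT ActiveDirectory module. The group list is the default built-in set, the 45-day window follows the checklist, and the "daily-use account" heuristics (mail attribute, SPN, password never expires) are this example's choices; tune them to your naming standard.

```powershell
# Added example (not from the original checklist): privileged account audit for on-prem AD.
# Heuristics and thresholds are this example's choices.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators'

function Get-PrivilegedAccountReport {
    param([int]$InactiveDays = 45)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $report = @{}                                  # keyed by DN so a user in several groups appears once

    foreach ($group in $privilegedGroups) {
        # -Recursive flattens nested groups, which is where forgotten admin access usually hides
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($member in $members) {
            if ($report.ContainsKey($member.distinguishedName)) {
                $report[$member.distinguishedName].Groups += $group
                continue
            }
            $user = Get-ADUser -Identity $member.distinguishedName -Properties LastLogonDate,
                        PasswordLastSet, PasswordNeverExpires, servicePrincipalName, mail, whenCreated

            $findings = @()
            if ($user.mail)                 { $findings += 'mail-enabled (email on a privileged account)' }
            if ($user.servicePrincipalName) { $findings += 'has SPN (service account with standing admin rights)' }
            if ($user.PasswordNeverExpires) { $findings += 'password never expires' }
            if ($user.LastLogonDate) {
                if ($user.LastLogonDate -lt $cutoff) { $findings += "inactive > $InactiveDays days; should be auto-disabled" }
            } elseif ($user.whenCreated -lt $cutoff) {
                $findings += 'never logged on'
            }
            if ($user.PasswordLastSet -and $user.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
                $findings += 'password older than 12 months'
            }

            $report[$member.distinguishedName] = [pscustomobject]@{
                Account   = $user.SamAccountName
                Enabled   = $user.Enabled
                LastLogon = $user.LastLogonDate
                Groups    = @($group)
                Findings  = $findings
            }
        }
    }

    $report.Values | ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Account
            Enabled   = $_.Enabled
            LastLogon = $_.LastLogon
            Groups    = ($_.Groups | Sort-Object -Unique) -join '; '
            Findings  = if ($_.Findings) { $_.Findings -join '; ' } else { 'none' }
        }
    } | Sort-Object { $_.Findings -eq 'none' }, Account
}

Get-PrivilegedAccountReport | Format-Table -AutoSize
# Export-Csv this monthly; the rows with findings are the revalidation work queue.
```

The report deliberately does not exclude disabled accounts: a disabled account that is still a member of Domain Admins is one re-enable away from Tier 0, so it belongs on the cleanup list too.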

Common Pitfalls

  • Shared admin credentials. "Everyone knows the Domain Admin password" is a disaster waiting to happen. Use individual accounts and PIM.
  • Admin accounts used for daily work. If your admin checks email on a Domain Admin account and clicks a phishing link, the attacker has Domain Admin. Separate admin and daily-use accounts.
  • Not revoking access. When staff leave or change roles, their admin access must be revoked immediately. Automate this through identity management.
  • Service accounts with permanent admin. Service accounts often accumulate excessive privileges. Audit them regularly.

MSP Tip

MSP environments are particularly vulnerable because many technicians need elevated access across multiple client tenants. Implement Azure AD PIM or equivalent for all technician accounts. No exceptions.

Control 6: Patch Operating Systems

What it does: Patches security vulnerabilities in operating systems within a defined timeframe.

Why it matters: OS vulnerabilities are what automated and wormable attacks target (SMB, RDP, the print spooler, the TCP/IP stack), and a local OS bug is the privilege escalation step from a compromised user to SYSTEM. Unpatched operating systems are sitting ducks for automated exploitation.

Level 1 Checklist

  • [ ] Patch internet-facing servers and internet-facing network devices within 48 hours when the vendor rates the vulnerability critical or a working exploit exists, otherwise within two weeks
  • [ ] Patch workstations, non-internet-facing servers and non-internet-facing network devices within one month of release
  • [ ] Run a vulnerability scanner with an up-to-date database daily against internet-facing systems and at least fortnightly against everything else
  • [ ] Replace operating systems the vendor no longer supports
  • [ ] Use automated OS patching tools (WSUS, Configuration Manager, Intune, RMM)
  • [ ] Maintain an inventory of all OS versions across the environment
  • [ ] Establish a patch testing process (deployment rings) before production deployment
  • [ ] Document and track patch compliance across all systems

Level 2 Checklist

  • [ ] Patch workstations, non-internet-facing servers and network devices within 48 hours when critical or exploited, otherwise within one month
  • [ ] Automated deployment with verification (confirm patches actually applied)
  • [ ] Regular scanning to confirm patches applied (not just deployed)
  • [ ] Document all OS patch exceptions with compensating controls
  • [ ] Emergency patching process for actively exploited vulnerabilities
  • [ ] Monitor for failed patch deployments

Level 3 Checklist

  • [ ] Patch workstations, non-internet-facing servers and network devices within 48 hours when critical or exploited, otherwise within two weeks
  • [ ] Run only the latest or the previous release of each operating system
  • [ ] Automated scanning and deployment across all systems
  • [ ] Regular testing of patch deployment processes
  • [ ] Vulnerability scanning confirms patches are actually installed
  • [ ] Automated reporting on OS patch compliance
  • [ ] Network device patching integrated into the standard process
  • [ ] Legacy OS remediation plan (isolate, migrate, or decommission)
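The "confirm patches actually applied, not just deployed" items in the Level 2 and 3 lists above, as an added example (not code from the original checklist). It measures a device's OS patch state against the checklist's timeframes using the Windows Update Agent COM API that ships with Windows, so no module is needed, and it serves Control 2 for Microsoft-serviced applications as well, since Office and Defender updates arrive through the same agent. The thresholds are parameters; treating the vendor severity "Critical" as the 48-hour class is this example's interpretation of the checklist, and the search contacts your WSUS server or Microsoft Update, so it takes a while.

```powershell
# Added example (not from the original checklist): patch compliance via the Windows Update
# Agent COM API. Thresholds and the "Critical = 48 hours" mapping are this example's choices.

function Get-PatchComplianceReport {
    param(
        [int]$CriticalHours = 48,   # critical / actively exploited
        [int]$StandardDays  = 14    # everything else; use 30 for workstations at Level 1
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $now      = Get-Date

    # Pending: applicable software updates not yet installed (drivers excluded).
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $findings = foreach ($update in $pending) {
        $age   = $now - $update.LastDeploymentChangeTime
        $limit = if ($update.MsrcSeverity -eq 'Critical') { [timespan]::FromHours($CriticalHours) }
                 else { [timespan]::FromDays($StandardDays) }
        [pscustomobject]@{
            Title    = $update.Title
            Severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'n/a' }
            KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            AgeDays  = [math]::Round($age.TotalDays, 1)
            Breach   = $age -gt $limit
        }
    }

    # Installed: last successful installation in the agent's history
    # (Operation 1 = installation, ResultCode 2 = succeeded).
    $lastOk = $null
    $count  = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        $lastOk = $searcher.QueryHistory(0, $count) |
                  Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
                  Sort-Object Date -Descending | Select-Object -First 1
    }

    # Build number plus UBR is what vendor advisories reference, so it is the value to
    # compare when verifying that a patch really applied (a job log only proves it ran).
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        OSBuild               = "$($ver.CurrentBuildNumber).$($ver.UBR) ($($ver.DisplayVersion))"
        LastSuccessfulInstall = if ($lastOk) { $lastOk.Date } else { $null }
        PendingCount          = @($findings).Count
        SlaBreaches           = @($findings | Where-Object Breach).Count
        Pending               = @($findings)
    }
}

$report = Get-PatchComplianceReport
$report | Select-Object Computer, OSBuild, LastSuccessfulInstall, PendingCount, SlaBreaches | Format-List
$report.Pending | Where-Object Breach | Format-Table Title, Severity, KB, AgeDays -AutoSize
```

Collect `OSBuild` and `SlaBreaches` from every device into the scorecard; a fleet where the RMM reports "patched" but `OSBuild` lags the current release by a month is the failed-deployment case the Level 2 list is about.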

Common Pitfalls

  • Legacy operating systems. Windows Server 2012/2012 R2 (end of support October 2023), Windows 7 and other end-of-life operating systems no longer receive security patches outside paid Extended Security Update programs. Isolate them, migrate off them, or decommission them.
  • Server downtime. Server patches often require reboots. Plan maintenance windows carefully and communicate with stakeholders.
  • Network devices. Routers, switches, firewalls, and wireless controllers need patching too. Many organisations forget about network infrastructure.
  • Client reluctance. Some clients resist patching due to downtime concerns. Document the risk of not patching and get sign-off for any exceptions.

MSP Tip

Negotiate patching windows during client onboarding. Establish a standard patching schedule (second Tuesday of each month, plus emergency patches within 48 hours) and include it in your SLA.

Control 7: Multi-Factor Authentication (MFA)

What it does: Requires two or more forms of authentication to verify user identity.

Why it matters: Microsoft has reported that MFA blocks more than 99.9% of automated account-compromise attempts, and it is the single control with the best effort-to-risk ratio. The caveat is the method: SMS codes, TOTP and plain push prompts can all be relayed by real-time phishing proxies (adversary-in-the-middle kits), which is why the model pushes towards phishing-resistant methods at Levels 2 and 3.

Level 1 Checklist

  • [ ] Enable MFA for all users of online services that store or process your organisation's data (Microsoft 365, your remote access gateway, SaaS line-of-business apps)
  • [ ] Enable MFA for all privileged actions (admin consoles, elevated access)
  • [ ] Enable MFA for all remote access (VPN, RDP gateway, cloud services)
  • [ ] Use a method that combines something the user has with something they know or are (authenticator app on a PIN- or biometric-locked device, FIDO2 key); avoid SMS where possible
  • [ ] Configure MFA for all Microsoft 365 / Entra ID (Azure AD) accounts
  • [ ] Disable SMS-based MFA for privileged accounts
  • [ ] Implement Conditional Access policies to enforce MFA (Security Defaults is the fallback for tenants without the licensing)

Level 2 Checklist

  • [ ] Move privileged users and online-service sign-ins to phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business, certificate-based authentication)
  • [ ] Extend MFA to all users of internal systems, not only internet-facing services (RDP and VPN gateways, jump servers, on-premises admin consoles)
  • [ ] Disable SMS-based MFA for all accounts where possible
  • [ ] Implement Conditional Access policies:
  • Require MFA for all users (authentication strength: MFA)
  • Require phishing-resistant MFA for privileged directory roles
  • Block legacy authentication protocols, which cannot present MFA at all
  • [ ] Centrally log successful and unsuccessful MFA events and analyse them
  • [ ] Replace password-based service accounts with managed identities, certificate credentials or group-managed service accounts; where a password must remain, it cannot do MFA, so restrict where it can be used from
  • [ ] Enable number matching and additional context in push prompts to blunt MFA fatigue attacks (this does not defeat a phishing proxy; only phishing-resistant methods do)

Level 3 Checklist

  • [ ] MFA for all users of systems, online services and data repositories
  • [ ] Phishing-resistant MFA only (FIDO2 keys, passkeys, Windows Hello for Business, certificates), with no fallback to push, TOTP or SMS
  • [ ] Hardware-backed phishing-resistant MFA for all privileged access
  • [ ] Central logging and timely analysis of all MFA events
  • [ ] Automated alerting for MFA bypass attempts and for MFA method registration changes
  • [ ] Regular review of MFA coverage (no accounts without MFA; no unprotected legacy protocols)
  • [ ] No password-only service accounts where a managed identity or certificate credential is technically possible
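The Conditional Access items in the Level 2 and 3 lists above, as an added example (not code from the original checklist): it creates three policies with Microsoft Graph PowerShell in report-only mode, excluding a break-glass account, and then lists who still has no MFA method registered for the coverage review. The policy names, the break-glass UPN, the requested scopes and the report-only-first flow are this example's assumptions; the authentication strength IDs are Entra's built-in values and the role ID is the Global Administrator role template.

```powershell
# Added example (not from the original checklist): Conditional Access via Microsoft Graph.
# Names, the break-glass UPN and report-only state are assumptions; IDs are Entra built-ins.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users, Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All',
                        'User.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$breakGlass = (Get-MgUser -UserId 'breakglass@contoso.example').Id   # assumed emergency account
$state      = 'enabledForReportingButNotEnforced'                     # flip to 'enabled' after reviewing sign-in logs

$strengthMfa      = '00000000-0000-0000-0000-000000000002'   # built-in "Multifactor authentication"
$strengthPhishRes = '00000000-0000-0000-0000-000000000004'   # built-in "Phishing-resistant MFA"
$globalAdminRole  = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template

$policies = @(
    @{  # Legacy protocols (POP, IMAP, SMTP AUTH, basic EAS) cannot present MFA at all: block them.
        displayName   = 'E8-MFA-01 Block legacy authentication'
        state         = $state
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # Level 2: MFA for all users of all cloud apps.
        displayName   = 'E8-MFA-02 Require MFA for all users'
        state         = $state
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $strengthMfa } }
    },
    @{  # Level 2/3: privileged roles only get in with FIDO2, passkeys, WHfB or certificates.
        displayName   = 'E8-MFA-03 Phishing-resistant MFA for privileged roles'
        state         = $state
        conditions    = @{
            users          = @{ includeRoles = @($globalAdminRole); excludeUsers = @($breakGlass) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $strengthPhishRes } }
    }
)

foreach ($policy in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}

# Coverage check for the "no accounts without MFA" item: users who have not registered
# any MFA-capable method, admins first.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }
```

Leave the policies in report-only for at least a week and read the Conditional Access insights in the sign-in logs before enabling them: the legacy-authentication block in particular tends to find a scanner or line-of-business app still doing SMTP AUTH, which is a service-account migration job, not a reason to exempt the protocol.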

Common Pitfalls

  • SMS-based MFA. SMS codes can be intercepted via SIM-swapping or SS7 abuse and, like TOTP and push approvals, relayed in real time by a phishing proxy. Move to authenticator apps with number matching as the minimum and to FIDO2 or passkeys as the target.
  • MFA fatigue attacks. Attackers spam users with push notifications until one is approved. Number matching and additional context (app name, location) in the prompt remove the "just tap approve" path.
  • Service accounts. Many organisations enable MFA for user accounts but forget about service accounts. These are often the weakest link.
  • Not enforcing universally. MFA for Outlook but not for VPN? Attackers will find the unprotected path.

MSP Tip

Move all clients to Microsoft Authenticator with number matching as the floor, and FIDO2 keys or passkeys for administrators. Block SMS-based MFA through the authentication methods policy and Conditional Access. This is the single highest-impact security improvement you can make.

Control 8: Regular Backups

What it does: Ensures data can be restored after a cyber security incident or data loss event.

Why it matters: Ransomware is rampant. If your backups are compromised or inaccessible, you're at the attacker's mercy. Immutable, tested backups are your last line of defence.

Level 1 Checklist

  • [ ] Identify all critical data, applications, and configuration settings
  • [ ] Back up data, applications and settings on a schedule set by business criticality and continuity requirements (daily at a minimum for critical data)
  • [ ] Retain backups for the period your business continuity and legal obligations require, and keep them synchronised so a restore lands on a consistent point in time
  • [ ] Test restoration as part of disaster recovery exercises, at least annually
  • [ ] Store backups in a secure, resilient location separate from production data
  • [ ] Ensure unprivileged accounts cannot access backups belonging to other accounts, and cannot modify or delete any backup
  • [ ] Document backup procedures and restoration steps
  • [ ] Include M365 / cloud data in the backup strategy: the platform's retention and versioning features are not a backup under your control. For more on M365 governance gaps, see M365 Governance: 10 Mistakes That Are Costing You.

Level 2 Checklist

  • [ ] Backups of important data, software, and configuration settings
  • [ ] Privileged accounts (other than backup administrators) cannot access backups belonging to other accounts, and cannot modify or delete any backup
  • [ ] Test restoration at least every 6 months
  • [ ] Backups stored offline or in a separate, isolated location
  • [ ] Implement immutable backups (cannot be modified or deleted during the retention period, even by a compromised admin)
  • [ ] Backup encryption (at rest and in transit), with the keys held outside the production domain
  • [ ] Regular backup integrity checks

Level 3 Checklist

  • [ ] Unprivileged accounts cannot access any backups, including their own
  • [ ] Privileged accounts (except backup administrators) cannot access any backups, including their own
  • [ ] Backup administrators cannot modify or delete backups during their retention period (immutability enforced by the storage, not by a permission a compromised admin could grant themselves)
  • [ ] Backup admin accounts have separate credentials and MFA, and are not domain admins
  • [ ] Test restoration every 3 months
  • [ ] Backup integrity monitoring (detect corruption or tampering)
  • [ ] Documented and tested disaster recovery plan
  • [ ] Automated backup verification and reporting
  • [ ] Air-gapped or immutable backup copies
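The restoration-testing and integrity-check items above, as an added example (not code from the original checklist): it proves a restore, not just a green job status. `New-BackupManifest` records a SHA-256 per file at backup time and `Test-RestoredBackup` checks a restored copy against that manifest. The paths are illustrative. Keep the manifest where only the backup administrator can write; otherwise an attacker who can tamper with the backups can also rewrite the evidence.

```powershell
# Added example (not from the original checklist): manifest-based restore verification.
# Paths are illustrative assumptions.

function New-BackupManifest {
    param([Parameter(Mandatory)][string]$SourceRoot, [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path $SourceRoot).Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-RestoredBackup {
    param([Parameter(Mandatory)][string]$RestoreRoot, [Parameter(Mandatory)][string]$ManifestPath)
    $root    = (Resolve-Path $RestoreRoot).Path.TrimEnd('\')
    $results = foreach ($entry in Import-Csv -Path $ManifestPath) {
        $path   = Join-Path $root $entry.RelativePath
        # Cheap checks first (existence, size), the hash only when those pass.
        $status = if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { 'MISSING' }
                  elseif ((Get-Item -LiteralPath $path).Length -ne [long]$entry.Length) { 'SIZE MISMATCH' }
                  elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $entry.Sha256) { 'CORRUPT' }
                  else { 'OK' }
        [pscustomobject]@{ File = $entry.RelativePath; Status = $status }
    }
    $failed = @($results | Where-Object Status -ne 'OK')
    [pscustomobject]@{
        Tested   = Get-Date
        Manifest = $ManifestPath
        Files    = @($results).Count
        Failed   = $failed.Count
        Passed   = ($failed.Count -eq 0)       # the value that goes in the restore-test register
        Detail   = $failed
    }
}

# At backup time, on the production side:
New-BackupManifest -SourceRoot 'D:\Shares\Finance' -ManifestPath 'E:\manifests\finance-2026-06-10.csv'
# At restore-test time, after restoring the same backup to an isolated test location:
$result = Test-RestoredBackup -RestoreRoot 'R:\restore-test\Finance' -ManifestPath 'E:\manifests\finance-2026-06-10.csv'
$result | Select-Object Tested, Files, Failed, Passed | Format-List
$result.Detail | Format-Table -AutoSize
```

Restore to an isolated location, never over production, and record `Passed`, `Files` and `Failed` with the date in the restore-test register; a quarter of green job logs without one of these records is exactly the "hope, not a backup" pitfall below.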

Common Pitfalls

  • Untested backups. A backup you haven't tested isn't a backup — it's a hope. Test restores regularly and document results.
  • Backups accessible to the same accounts as production data. If an attacker compromises your admin account, they can delete both production data and accessible backups. Isolate backup access.
  • Not backing up cloud data. Microsoft 365, Google Workspace and other SaaS platforms protect their service, not your data: retention policies, versioning and recycle bins can be emptied or expired by the same compromised admin account. You need a separate backup whose credentials and storage the platform admin cannot reach.
  • Backup retention too short. Some compliance requirements demand 7-year retention. Check your obligations.
  • Ransomware encrypting backups. Immutable backups (WORM storage, air-gapped copies) are essential. Standard backups can be encrypted by ransomware.

MSP Tip

Use immutable backup solutions (Veeam with immutability, Datto, Acronis Cyber Protect, or cloud-based backup with WORM). Test restores regularly and document results. This is the control that saves businesses from ransomware.

Implementation Priority Order

If you're starting from scratch, here's the recommended order of implementation based on risk reduction:

  1. MFA (Control 7) — Immediate risk reduction: blocks the large majority of automated credential attacks, and phishing-resistant methods close the proxy-phishing gap.
  2. Patch Applications (Control 2) — Eliminates the most common attack vector.
  3. Patch Operating Systems (Control 6) — Same as above, but for the OS layer.
  4. Restrict Admin Privileges (Control 5) — Limits blast radius if something is compromised.
  5. Regular Backups (Control 8) — Your safety net if everything else fails.
  6. Application Control (Control 1) — Prevents malware execution entirely.
  7. Configure Macros (Control 3) — Eliminates macro-based malware delivery.
  8. User Application Hardening (Control 4) — Reduces attack surface of browsers and Office.

This order isn't mandated by the ASD, but it reflects the risk reduction each control provides relative to implementation effort.

Measuring Your Progress

Track your implementation with a simple scorecard:

Control             | Current Level | Target Level | Target Date | Status
--------------------|---------------|--------------|-------------|------------
Application Control | 0             | 2            | Q3 2026     | Not started
Patch Applications  | 1             | 2            | Q2 2026     | In progress
Macro Settings      | 0             | 2            | Q3 2026     | Not started
App Hardening       | 0             | 1            | Q2 2026     | In progress
Admin Privileges    | 1             | 2            | Q3 2026     | Not started
Patch OS            | 1             | 2            | Q2 2026     | In progress
MFA                 | 1             | 3            | Q2 2026     | In progress
Backups             | 1             | 2            | Q3 2026     | Not started

Review this scorecard monthly and report to leadership. Visibility drives action.

The Business Case

Essential 8 compliance isn't just a security exercise. It's a business enabler:

  • Winning government contracts. Many Australian government RFPs now require Essential 8 maturity evidence.
  • Reducing cyber insurance premiums. Insurers increasingly ask about Essential 8 controls. Higher maturity = lower premiums.
  • Meeting regulatory requirements. APRA, OAIC, and industry regulators expect baseline security controls. Many of these controls overlap with M365 governance best practices — particularly around data classification and access management.
  • Building customer trust. Demonstrating security maturity is a competitive advantage.
  • Reducing breach likelihood and impact. Each control reduces the probability and severity of a security incident.

Getting Started

  1. Assess your current maturity — Score each control honestly
  2. Identify the biggest gaps — Where are you at Level 0?
  3. Prioritise based on risk — Start with MFA and patching
  4. Implement in phases — Don't try to do everything at once
  5. Measure and report progress — What gets measured gets done

Pro tip: Start with MFA and patching. These two controls alone prevent the vast majority of common attacks and give you the most risk reduction for the least effort.

Frequently Asked Questions

What is the Essential 8?
The Essential 8 (Essential Eight) is a set of eight baseline mitigation strategies published by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate, with a four-level maturity model (Level 0 to Level 3): application control, patching applications and operating systems, macro settings, user application hardening, restricting administrative privileges, multi-factor authentication and regular backups.
How long does Essential 8 implementation take?
Implementation typically takes 3-12 months depending on your current maturity level and organisation size. Our Essential 8 Implementation Checklist provides a step-by-step plan.
Do MSPs follow the Essential 8 framework?
Some do, many don't. Ask any MSP about their Essential 8 compliance before signing. If they don't know what it is, that's a red flag. See our MSP Essential 8 Guide.
