Essential 8 Maturity Level 1: What It Means and How to Get There - MSP Guide Australia

Cybersecurity | 2026-06-11 | 6 min | 1284 words

Essential 8 Maturity Level 1: What It Means and How to Get There

The Australian Cyber Security Centre (ACSC) Essential 8 is the baseline cybersecurity framework for Australian organisations. Maturity Level 1 is the starting point — the minimum every business should achieve. Yet most Australian SMBs have not even reached this level.

If you are a business working with government, seeking cyber insurance, or simply trying to avoid being the next breach headline, Maturity Level 1 is where you start.

What the Essential 8 Actually Covers

The Essential 8 consists of eight mitigation strategies, each designed to prevent a specific category of cyberattack:

  1. Application Control — Prevent execution of unapproved/malicious programs
  2. Patch Applications — Patch security vulnerabilities in applications
  3. Configure Microsoft Office Macro Settings — Block or restrict macros
  4. User Application Hardening — Disable unneeded features in web browsers and applications
  5. Restrict Administrative Privileges — Limit who has admin access
  6. Patch Operating Systems — Patch security vulnerabilities in operating systems
  7. Multi-Factor Authentication — Require MFA for all users
  8. Regular Backups — Maintain backups and test restoration

At Maturity Level 1, each of these strategies has specific, achievable requirements. The ACSC publishes detailed maturity requirements on their website, but here is what Level 1 looks like in practice for each strategy.

Application Control

What Level 1 requires: Prevent execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets from within user-writable directories.

What this means in practice:
  • Deploy application whitelisting on all workstations
  • Block executables from running from temp folders, download directories, and user profiles
  • Use Microsoft Defender Application Control or AppLocker
  • Allow only pre-approved applications to execute

Common mistake: Many MSPs claim they have application control in place but have configured it in audit mode rather than block mode. If it is not actually blocking unapproved applications, it is not working.
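The audit-versus-block mistake is quick to verify from PowerShell. The script below is an added example, not tooling from this guide or from the ACSC; it assumes the AppLocker module (Windows Enterprise or Server) and an elevated session, reads the effective policy, and reports the enforcement mode of each rule collection together with the state of the Application Identity service the rules depend on.

```powershell
# Added example: report AppLocker enforcement mode per rule collection on this host.
# Level 1 is only met when the collections covering user-writable paths are in
# "Enabled" (block) mode; "AuditOnly" merely logs what would have been blocked.
# Assumes the AppLocker module (Windows Enterprise/Server) and an elevated session.

function Get-AppLockerEnforcementReport {
    param(
        # Collections that map to the ML1 file types: executables, DLLs, scripts, installers, packaged apps
        [string[]]$RequiredCollections = @('Exe', 'Dll', 'Script', 'Msi', 'Appx')
    )
    # Effective policy = local policy merged with domain GPO, as the OS actually applies it
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml

    foreach ($name in $RequiredCollections) {
        $collection = @($policy.AppLockerPolicy.RuleCollection) |
            Where-Object { $_.Type -eq $name }

        # A missing collection, or one marked NotConfigured, enforces nothing
        $mode = if ($collection) { $collection.EnforcementMode } else { 'NotConfigured' }
        if ([string]::IsNullOrEmpty($mode)) { $mode = 'NotConfigured' }

        [pscustomobject]@{
            Collection      = $name
            EnforcementMode = $mode
            RuleCount       = if ($collection) { @($collection.ChildNodes).Count } else { 0 }
            Blocking        = ($mode -eq 'Enabled')   # only this value actually blocks
        }
    }
}

$report = Get-AppLockerEnforcementReport
$report | Format-Table -AutoSize

# Rules are only evaluated while the Application Identity service is running
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status): no AppLocker rules are being enforced."
}

$notBlocking = @($report | Where-Object { -not $_.Blocking })
if ($notBlocking.Count -gt 0) {
    Write-Warning ("Collections not in block mode: " + ($notBlocking.Collection -join ', '))
} else {
    Write-Output 'All required rule collections are in block (Enabled) mode.'
}
```

Run it on a sample of workstations from your RMM; a collection showing AuditOnly or NotConfigured, or a stopped AppIDSvc, means the control is not actually enforcing.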

Patch Applications

What Level 1 requires: Patches, updates, or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. All other patches are applied within one month.

What this means in practice:
  • Automate patch deployment through your RMM tool
  • Prioritise internet-facing applications (browsers, VPN clients, email clients)
  • Maintain a patch compliance dashboard
  • Document exceptions for applications that cannot be patched

Key metric: Your patch compliance rate should be above 95% at any given time.

Configure Microsoft Office Macro Settings

What Level 1 requires: Microsoft Office macros are disabled for users who do not have a demonstrated business requirement. Macros from the internet are blocked. Antivirus scanning of macros is enabled.

What this means in practice:
  • Disable macros by default for all users
  • Enable macros only for specific users with a documented business need
  • Block macros in files downloaded from the internet (Mark of the Web)
  • Deploy Microsoft Defender Antivirus with macro scanning enabled

Why this matters: Macro-based attacks remain one of the most common initial access vectors in Australian business compromises.
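The macro settings above are delivered by Group Policy as per-user registry values, so they can be audited the same way. This is an added example, not the guide's own script; it assumes Office 2016 or later (the 16.0 policy key) and reads the documented VBAWarnings and blockcontentexecutionfrominternet values for the signed-in user.

```powershell
# Added example: audit the Office macro policy values Group Policy writes for the
# current user. Level 1 needs macros disabled for users without a business need
# and macros in internet-sourced (Mark-of-the-Web) files blocked.
# Assumes Office 2016+ (policy key version 16.0).

function Get-OfficeMacroPolicyReport {
    param(
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [string]$OfficeVersion = '16.0'
    )
    # Documented meanings of the VBAWarnings policy value
    $labels = @{
        1 = 'All macros enabled'
        2 = 'Disabled with notification (user can enable)'
        3 = 'Signed macros only'
        4 = 'Disabled without notification'
    }
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $vba = $p.VBAWarnings
        $vbaState = if ($null -ne $vba -and $labels.ContainsKey([int]$vba)) {
            $labels[[int]$vba]
        } else {
            'Not set by policy (user-controlled)'   # no GPO value: the user decides
        }
        # 1 = block macros in files carrying the Mark of the Web
        $blocksInternet = ($p.blockcontentexecutionfrominternet -eq 1)

        [pscustomobject]@{
            App                  = $app
            VBAWarnings          = $vbaState
            BlocksInternetMacros = $blocksInternet
            # Default posture for a user with no documented need: fully disabled and MotW blocked
            MeetsLevel1Default   = (($vba -eq 4) -and $blocksInternet)
        }
    }
}

Get-OfficeMacroPolicyReport | Format-Table -AutoSize
```

Users with a documented business requirement may legitimately show a different VBAWarnings value; the report is meant to confirm that everyone else sits at the fully disabled default.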

User Application Hardening

What Level 1 requires: Web browsers do not process Java from the internet. Web browsers do not process web advertisements from the internet. Internet Explorer 11 is disabled or removed.

What this means in practice:
  • Disable Java in all web browsers
  • Deploy ad-blocking tools or DNS-level ad filtering
  • Remove Internet Explorer from all machines
  • Disable Flash, PowerShell (for standard users), and WinHT in web browsers
  • Block web advertisements at the network or browser level

Restrict Administrative Privileges

What Level 1 requires: Requests for privileged access are validated when first requested. Privileged accounts are not used for reading email, web browsing, or other non-administrative activities. Privileged access to systems is automatically disabled after 12 months unless revalidated.

What this means in practice:
  • Implement separate admin and standard accounts for all IT staff
  • Use Privileged Access Workstations (PAWs) for administrative tasks
  • Disable admin accounts that have not been used in 12 months
  • Log and audit all privileged access
  • Never use Global Admin accounts for day-to-day email or browsing

The reality check: If your MSP staff use the same account for managing your environment and browsing the web, you have a fundamental security gap.
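The 12-month revalidation rule can be checked against Active Directory directly. The script below is an added example, not from this guide; it assumes the ActiveDirectory RSAT module in a domain-joined session, resolves nested membership of the usual privileged groups, and lists enabled members with no logon inside the window, with the disable step left as a dry run.

```powershell
# Added example: find members of privileged AD groups whose access has not been
# revalidated, i.e. no logon in the last 12 months (or never used and older than that).
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
# LastLogonDate replicates with up to ~14 days of slack, so treat it as approximate.

function Get-StalePrivilegedAccounts {
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$MaxInactiveDays = 365
    )
    $cutoff = (Get-Date).AddDays(-$MaxInactiveDays)

    # -Recursive resolves nested groups so admins hidden in sub-groups are counted too
    $privileged = foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    }

    foreach ($sam in ($privileged | Sort-Object -Unique)) {
        $user = Get-ADUser -Identity $sam -Properties LastLogonDate, Enabled, whenCreated
        if (-not $user.Enabled) { continue }   # already disabled: nothing to do

        # An account that has never logged on is measured from its creation date
        $lastSeen = if ($user.LastLogonDate) { $user.LastLogonDate } else { $user.whenCreated }
        if ($lastSeen -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName = $sam
                LastLogonDate  = $user.LastLogonDate
                DaysInactive   = [int]((Get-Date) - $lastSeen).TotalDays
            }
        }
    }
}

$stale = Get-StalePrivilegedAccounts
$stale | Format-Table -AutoSize

# Dry run first; remove -WhatIf once the list has been reviewed with the customer
$stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```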

Patch Operating Systems

What Level 1 requires: Patches, updates, or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. All other OS patches are applied within one month.

What this means in practice:
  • Automate OS patching through your RMM
  • Prioritise internet-facing servers and VPN gateways
  • Track patch compliance and remediate gaps
  • Plan for operating system end-of-life (e.g., Windows 10 EOL in October 2025)
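The application and operating-system patch timeframes above (two weeks for internet-facing services, 48 hours once an exploit exists, one month for everything else) and the 95% compliance target are easy to turn into a repeatable check. The script below is an added example, not the guide's own tooling; the inventory it evaluates is constructed sample data standing in for an RMM export.

```powershell
# Added example: check patch records against the Level 1 timeframes quoted above
# (internet-facing: two weeks, or 48 hours once an exploit exists; everything else:
# one month) and report the compliance rate against the 95% target.
# The inventory below is constructed sample data, not real vulnerabilities.

function Get-PatchDeadline {
    param([datetime]$Released, [bool]$InternetFacing, [bool]$ExploitExists)
    if ($InternetFacing -and $ExploitExists) { return $Released.AddHours(48) }
    if ($InternetFacing)                     { return $Released.AddDays(14) }
    return $Released.AddMonths(1)
}

function Test-PatchCompliance {
    param([Parameter(Mandatory)][object[]]$Records, [datetime]$AsOf = (Get-Date))
    $results = foreach ($r in $Records) {
        $deadline = Get-PatchDeadline -Released $r.Released -InternetFacing $r.InternetFacing -ExploitExists $r.ExploitExists
        # An uninstalled patch is compliant only while its deadline is still ahead of AsOf
        $effective = if ($null -ne $r.Installed) { $r.Installed } else { $AsOf }
        [pscustomobject]@{
            Asset     = $r.Asset
            Patch     = $r.Patch
            Deadline  = $deadline
            Installed = $r.Installed
            Compliant = ($effective -le $deadline)
        }
    }
    $rate = [math]::Round(100 * @($results | Where-Object Compliant).Count / @($results).Count, 1)
    [pscustomobject]@{ Results = $results; ComplianceRate = $rate; MeetsTarget = ($rate -ge 95) }
}

# Constructed inventory, shaped like an RMM export (assumption)
$asOf = Get-Date '2026-06-01'
$sample = @(
    [pscustomobject]@{ Asset = 'vpn-gw01';   Patch = 'VPN-2026-05';     Released = Get-Date '2026-05-20'; Installed = Get-Date '2026-05-21'; InternetFacing = $true;  ExploitExists = $true  }  # 48h window, met
    [pscustomobject]@{ Asset = 'mail01';     Patch = 'Mail-2026-05';    Released = Get-Date '2026-05-10'; Installed = Get-Date '2026-05-30'; InternetFacing = $true;  ExploitExists = $false }  # 14-day window, took 20 days: late
    [pscustomobject]@{ Asset = 'ws-finance'; Patch = 'Office-2026-04';  Released = Get-Date '2026-04-20'; Installed = $null;                 InternetFacing = $false; ExploitExists = $false }  # one month passed, still unpatched
    [pscustomobject]@{ Asset = 'ws-sales';   Patch = 'Browser-2026-05'; Released = Get-Date '2026-05-25'; Installed = $null;                 InternetFacing = $false; ExploitExists = $false }  # unpatched but inside the window
)
$summary = Test-PatchCompliance -Records $sample -AsOf $asOf
$summary.Results | Format-Table -AutoSize
"Compliance rate: $($summary.ComplianceRate)% (target 95%) - meets target: $($summary.MeetsTarget)"
```

With this sample two of four records are compliant (50%), so the run reports the target as not met; the same logic serves both the application and operating-system patching strategies, since the Level 1 timeframes are identical.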

Multi-Factor Authentication

What Level 1 requires: MFA is used to authenticate users to their organisation's internet-facing services. MFA is used to authenticate users to third-party internet-facing services that process, store, or communicate their organisation's sensitive data. MFA is enabled using phishing-resistant methods (e.g., security keys, passkeys) or at least one something-the-user-has factor.

What this means in practice:
  • Enable MFA for all Microsoft 365 accounts
  • Enable MFA for VPN, remote access, and all cloud services
  • Prefer hardware security keys or passkeys over SMS-based MFA
  • Enforce MFA for all admin accounts without exception

The bar has moved: SMS-based MFA is no longer considered sufficient at Maturity Level 1. Push notification fatigue attacks have made SMS and app-based MFA vulnerable. Move toward FIDO2 security keys or passkeys where possible.

Regular Backups

What Level 1 requires: Backups of important data, software, and configuration settings are performed and retained in accordance with business continuity requirements. Backups are synchronised to enable restoration to a common point in time. Backups are retained in a secure and resilient manner. Restoration of systems, software, and important data from backups is tested as part of disaster recovery exercises.

What this means in practice:
  • Back up all critical data daily
  • Store backups offsite and/or in immutable cloud storage
  • Test backup restoration at least quarterly
  • Document your recovery time objectives (RTOs) and recovery point objectives (RPOs)
  • Ensure backups are protected from deletion (immutable storage or air-gapped backups)

Critical note: Ransomware now specifically targets backups. Immutable backup storage is no longer optional.

Assessing Your Current State

Use this checklist to gauge where you stand:

  • [ ] Do you have application control deployed on all workstations?
  • [ ] Are patches applied within the ACSC timeframes?
  • [ ] Are macros disabled by default for all users?
  • [ ] Is Java disabled in web browsers?
  • [ ] Do admin accounts have separate standard accounts for daily use?
  • [ ] Is MFA enabled for all cloud services using phishing-resistant methods?
  • [ ] Do you have tested, immutable backups?

If you answered "no" to more than two of these, you are not at Maturity Level 1. The Essential 8 Implementation Checklist provides a step-by-step plan to get there.

How Your MSP Should Be Helping

Your MSP should be implementing Essential 8 as part of their service. If they are not:

  • Ask them to produce an Essential 8 maturity assessment for your environment
  • Request a gap analysis against Level 1 requirements
  • Negotiate a remediation plan with timelines
  • Consider whether your MSP is the right provider if they cannot demonstrate Essential 8 competence

The MSP Health Score includes Essential 8 compliance as a key metric.

Frequently Asked Questions

What is Essential 8 Maturity Level 1?

Maturity Level 1 is the baseline tier of the ACSC Essential 8 framework. It represents the minimum cybersecurity posture all Australian organisations should achieve. It covers fundamental controls across eight mitigation strategies.

Is Essential 8 Maturity Level 1 mandatory in Australia?

It is mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF). For private sector organisations, it is not legally required but is increasingly expected by cyber insurance providers and government contractors.

How long does it take to reach Essential 8 Maturity Level 1?

For a typical Australian SMB with 20–50 users, reaching Maturity Level 1 takes 3–6 months with focused effort. Larger or more complex environments may take 6–12 months.

Can our MSP help us achieve Essential 8 compliance?

Yes, a capable MSP should be implementing Essential 8 as part of their service. If your MSP has not addressed Essential 8, it is a significant red flag. See our [Essential 8 Implementation Checklist](/essential-8-implementation-checklist) for details.

What happens if we do not meet Essential 8 Maturity Level 1?

For government entities, non-compliance can result in loss of accreditation. For the private sector, the main consequences are higher cyber insurance premiums, reduced competitiveness for government contracts, and increased risk of breach.
