Essential 8 Audit Guide: Assessing Maturity for MSPs and Their Clients - MSP Guide Australia

Compliance | 2026-06-11 | 8 min | 1592 words

The Australian Signals Directorate (ASD) Essential 8 is the baseline cybersecurity framework for Australian organisations. Originally designed for government agencies, it's now the standard that cyber insurance providers, clients, and regulators expect MSPs to understand and implement.

Whether you're auditing your MSP's own environment or assessing client maturity, this guide provides a practical, hands-on approach to Essential 8 evaluation. For the full implementation checklist, see our Essential 8 implementation checklist. For the maturity model overview, see our Essential 8 maturity model.

Why Essential 8 Matters for MSPs

Client expectations. Australian SMBs increasingly ask about Essential 8 compliance. Being able to demonstrate maturity across your client environments is a competitive advantage.

Cyber insurance. Insurers are tightening requirements. Some now ask for specific Essential 8 maturity levels as a condition of coverage.

Government contracts. Many government and defence contracts require Essential 8 maturity at Level 2 or above.

Risk reduction. The Essential 8 mitigates the most common attack vectors. Implementing it genuinely reduces your risk exposure.

Competitive differentiation. Most MSPs don't implement Essential 8 well. Those that do stand out.

The Eight Controls

The Essential 8 comprises eight mitigation strategies, each targeting a specific attack vector:

  1. Application Control — Prevent execution of unapproved programs
  2. Patch Applications — Update applications to remove known vulnerabilities
  3. Configure Microsoft Office Macro Settings — Block or restrict macros
  4. User Application Hardening — Disable unneeded features in web browsers and office applications
  5. Restrict Administrative Privileges — Limit admin access to what's needed
  6. Patch Operating Systems — Update operating systems to remove vulnerabilities
  7. Multi-Factor Authentication — Require MFA for all users
  8. Regular Backups — Maintain and test backups

The Maturity Levels

Level | Description       | What It Means
------|-------------------|-----------------------------------------------------------
0     | Not aligned       | Minimal or no controls. High risk.
1     | Partially aligned | Basic controls in place. Protects against commodity threats.
2     | Largely aligned   | Intermediate controls. Protects against more capable adversaries.
3     | Fully aligned     | Advanced controls. Protects against sophisticated adversaries.

The target: Level 1 as a minimum baseline. Level 2 for higher-risk environments. Level 3 for critical infrastructure or high-value targets.

The Audit Process

Step 1: Preparation

Before assessing, gather:

  • Asset inventory. All workstations, servers, and critical applications
  • User inventory. All accounts, including service accounts and shared accounts
  • Network diagram. Environment topology
  • Existing documentation. Current policies, procedures, and configurations
  • Previous assessments. If available, review prior maturity assessments

Step 2: Control-by-Control Assessment

For each of the eight controls, evaluate your implementation against the maturity level descriptors.

Control 1: Application Control

Level 1 requirements:
  [ ] Identified and documented all authorised applications
  [ ] Implemented application whitelisting on workstations
  [ ] Blocked execution of unapproved programs, scripts, and installers
  [ ] Documented exceptions and business justification
  [ ] Tested controls in a pilot group before broad deployment

Common MSP challenges:
  • Client-specific line-of-business applications that aren't in standard whitelists
  • Legacy applications that require administrative privileges
  • User resistance to restrictions
  • Keeping whitelists updated as applications change

Assessment questions:
  • Can users install software without approval?
  • Are application whitelists documented and maintained?
  • How are new applications approved and added?
  • Are there documented exceptions?

Control 2: Patch Applications

Level 1 requirements:
  [ ] Automated patch management for all applications
  [ ] Patches applied within 48 hours for critical vulnerabilities
  [ ] Applications that can't be patched are removed or isolated
  [ ] Patch compliance is monitored and reported
  [ ] Patch testing before deployment (where possible)

Common MSP challenges:
  • Clients with legacy applications that can't be patched
  • Patch testing requirements that conflict with speed
  • Third-party applications that don't have regular patches
  • Balancing patch urgency with business continuity

Assessment questions:
  • What's your average patch deployment time for critical vulnerabilities?
  • How do you handle applications that can't be patched?
  • What's your patch compliance rate?
  • How do you test patches before deployment?

Control 3: Configure Microsoft Office Macro Settings

Level 1 requirements:
  [ ] Macros disabled by default for users who don't need them
  [ ] Only macros from trusted sources are allowed
  [ ] Macros from the internet are blocked
  [ ] Macro settings are centrally managed (GPO or Intune)
  [ ] Users can't change macro settings

Common MSP challenges:
  • Clients with legitimate macro-dependent workflows
  • Financial and accounting applications that require macros
  • User training on alternative approaches
  • Centrally managing macro settings across multiple tenants

Assessment questions:
  • Are macros disabled by default?
  • Can users enable macros without approval?
  • How are macro exceptions managed?
  • Are macro settings centrally controlled?

Control 4: User Application Hardening

Level 1 requirements:
  [ ] Web browsers configured to block Flash, Java, and web advertisements
  [ ] Web browsers configured to disable other unnecessary features
  [ ] Microsoft Office configured to block DDE and other dangerous features
  [ ] PDF viewers configured to disable JavaScript
  [ ] Unnecessary features disabled across applications

Common MSP challenges:
  • Client applications that require Flash or Java
  • User complaints about blocked functionality
  • Keeping up with which features to disable across updates
  • Consistency across multiple application versions

Assessment questions:
  • Are Flash and Java blocked in web browsers?
  • Are web advertisements blocked?
  • Are dangerous Office features (DDE, macros) disabled?
  • Are PDF viewers hardened?

Control 5: Restrict Administrative Privileges

Level 1 requirements:
  [ ] Administrative access limited to authorised personnel
  [ ] Separate admin and standard accounts (no daily admin use)
  [ ] Admin accounts not used for email or web browsing
  [ ] Privileged access logged and monitored
  [ ] Privileged access reviewed quarterly

Common MSP challenges:
  • Technicians using admin accounts for daily work
  • Clients requiring admin access for their staff
  • Managing privileged access across multiple tenants
  • Logging and monitoring privileged access

Assessment questions:
  • Do users have separate admin and standard accounts?
  • Are admin accounts used for email or browsing?
  • Is privileged access logged?
  • When was privileged access last reviewed?

Control 6: Patch Operating Systems

Level 1 requirements:
  [ ] Automated OS patching for all systems
  [ ] Patches applied within 48 hours for critical vulnerabilities
  [ ] Operating systems that can't be patched are replaced or isolated
  [ ] Patch compliance monitored and reported
  [ ] Unsupported operating systems not in production

Common MSP challenges:
  • Legacy systems running unsupported OS versions
  • Client resistance to OS upgrades
  • Testing OS patches in production environments
  • Balancing patch urgency with stability

Assessment questions:
  • What OS versions are in your environment?
  • Are there any unsupported operating systems?
  • What's your OS patch compliance rate?
  • How do you handle legacy systems?
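The assessment questions for Control 2 and Control 6 both ask for a critical-patch deployment time and a compliance rate. The following added example (not code from the original guide) computes those figures from constructed patch records, treating the page's 48-hour requirement for critical patches as the SLA and counting a patch that is still missing as non-compliant; the record format and host names are assumptions for the example.

```python
from datetime import datetime, timedelta

CRITICAL_SLA = timedelta(hours=48)  # Level 1 requirement quoted in the guide

# Constructed sample records, not real client data. One row per patch per host:
# (host, target "app" = Control 2 or "os" = Control 6, severity,
#  vendor release time, time applied; None = still missing).
SAMPLE_RECORDS = [
    ("WS-01",  "app", "critical", "2026-05-01T09:00", "2026-05-02T10:00"),  # 25h
    ("WS-02",  "app", "critical", "2026-05-01T09:00", "2026-05-06T08:00"),  # 119h
    ("WS-03",  "app", "critical", "2026-05-01T09:00", None),                # missing
    ("WS-01",  "os",  "critical", "2026-05-13T03:00", "2026-05-14T02:00"),  # 23h
    ("SRV-01", "os",  "critical", "2026-05-13T03:00", "2026-05-15T04:00"),  # 49h, late
    ("SRV-01", "os",  "moderate", "2026-05-13T03:00", "2026-05-20T02:00"),
]


def _hours(delta):
    return delta.total_seconds() / 3600


def assess(records, target, now):
    """Return (compliance_rate, mean_hours_to_patch_critical, offenders).

    A record is compliant when the patch is applied and, for critical severity,
    applied within CRITICAL_SLA of release. Missing patches are non-compliant
    and their age is measured up to `now`. The mean covers applied critical
    patches only, so it answers "average deployment time for critical patches".
    """
    total = compliant = 0
    critical_hours, offenders = [], []
    for host, tgt, severity, released, applied in records:
        if tgt != target:
            continue
        total += 1
        rel = datetime.fromisoformat(released)
        if applied is None:
            offenders.append((host, severity, f"missing for {_hours(now - rel):.0f}h"))
            continue
        age = datetime.fromisoformat(applied) - rel
        if severity == "critical":
            critical_hours.append(_hours(age))
            if age > CRITICAL_SLA:
                offenders.append((host, severity, f"applied after {_hours(age):.0f}h (SLA 48h)"))
                continue
        compliant += 1
    rate = compliant / total if total else 0.0
    mean = sum(critical_hours) / len(critical_hours) if critical_hours else None
    return rate, mean, offenders


if __name__ == "__main__":
    for target in ("app", "os"):
        print(target, assess(SAMPLE_RECORDS, target, datetime(2026, 5, 20)))
```

Offenders are the evidence list for Step 3; a rate below 100% on critical patches with a mean above 48 hours is the concrete gap to record against the Level 1 requirement.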

Control 7: Multi-Factor Authentication

Level 1 requirements:
  [ ] MFA enabled for all users
  [ ] MFA required for remote access
  [ ] MFA required for privileged access
  [ ] MFA enabled for all cloud services
  [ ] MFA methods appropriate (hardware keys preferred, authenticator apps acceptable, SMS discouraged)

Common MSP challenges:
  • Users resisting MFA setup
  • Legacy applications that don't support MFA
  • Managing MFA across multiple client tenants
  • Choosing appropriate MFA methods

Assessment questions:
  • Is MFA enabled for all users?
  • What MFA methods are in use?
  • Are there any MFA exceptions?
  • Is MFA required for remote access?

Control 8: Regular Backups

Level 1 requirements:
  [ ] Backups configured for all critical data
  [ ] Backups tested (restores verified) at least annually
  [ ] Backups stored securely (not accessible to attackers)
  [ ] Backup schedules documented and followed
  [ ] Backup retention periods defined

Common MSP challenges:
  • Client data that isn't being backed up
  • Untested backups (the most common finding)
  • Backup infrastructure that's vulnerable to ransomware
  • Inconsistent backup policies across clients

Assessment questions:
  • What data is being backed up?
  • When were backups last tested?
  • Where are backups stored?
  • What's the recovery time objective?

Step 3: Document Findings

For each control, document:

  1. Current maturity level (0-3)
  2. Evidence (configurations, screenshots, documentation)
  3. Gaps (what's missing for the next level)
  4. Remediation plan (specific actions to close gaps)
  5. Timeline (when gaps will be addressed)
  6. Owner (who's responsible for remediation)

Step 4: Create the Remediation Plan

Prioritise gaps by risk:

  • Critical gaps (Level 0 controls) — Address immediately
  • High gaps (Level 0→1) — Address within 30 days
  • Medium gaps (Level 1→2) — Address within 90 days
  • Low gaps (Level 2→3) — Address within 12 months
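Steps 3 and 4 together turn per-control maturity levels into a prioritised, dated remediation plan. The added example below (not code from the original guide) does that for a constructed assessment: each control gets a severity from the tiers above, one dated step per level it still has to climb (due dates accumulate from the assessment date, which is this example's modelling choice), and the overall level is reported as the lowest across the eight controls. Control names are the guide's; the owners and levels are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta

CONTROLS = [
    "Application Control", "Patch Applications",
    "Configure Microsoft Office Macro Settings", "User Application Hardening",
    "Restrict Administrative Privileges", "Patch Operating Systems",
    "Multi-Factor Authentication", "Regular Backups",
]
# Step 4 tiers keyed by the level a remediation step reaches: (tier, days allowed).
STEP_TIERS = {1: ("High", 30), 2: ("Medium", 90), 3: ("Low", 365)}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed assessment, not a real client: control -> (current level, owner).
SAMPLE_ASSESSMENT = {
    "Application Control": (0, "Ops lead"), "Patch Applications": (1, "Patching team"),
    "Configure Microsoft Office Macro Settings": (2, "Endpoint team"),
    "User Application Hardening": (1, "Endpoint team"),
    "Restrict Administrative Privileges": (1, "Identity team"),
    "Patch Operating Systems": (2, "Patching team"),
    "Multi-Factor Authentication": (2, "Identity team"), "Regular Backups": (1, "Backup team"),
}


@dataclass
class Finding:          # the Step 3 record: level, gap, plan, timeline, owner
    control: str
    current: int
    target: int
    owner: str
    severity: str
    steps: list         # [(level reached, tier, due date), ...]


def overall_level(assessment):
    """Overall maturity is only as good as the weakest control (modelling choice)."""
    return min(level for level, _ in assessment.values())


def plan(assessment, target, assessed_on):
    missing = set(CONTROLS) - set(assessment)
    if missing or not 0 <= target <= 3:
        raise ValueError(f"incomplete assessment or bad target: {sorted(missing)}")
    findings = []
    for name in CONTROLS:
        current, owner = assessment[name]
        if not 0 <= current <= 3:
            raise ValueError(f"{name}: level {current} outside 0-3")
        if current >= target:
            continue                       # no gap against this target
        steps, due = [], assessed_on
        for level in range(current + 1, target + 1):
            tier, days = STEP_TIERS[level]
            due = due + timedelta(days=days)
            steps.append((level, tier, due))
        severity = "Critical" if current == 0 else steps[0][1]  # Level 0 = Critical
        findings.append(Finding(name, current, target, owner, severity, steps))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.control))
```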

Common Audit Findings in MSP Environments

Based on real-world MSP assessments, these are the most common gaps:

  1. Application control not implemented. Most MSPs haven't deployed application whitelisting. This is often the biggest gap.
  2. Inconsistent patching. Patch compliance varies widely across clients. Some clients are patched within 48 hours; others within 4 weeks.
  3. MFA not universal. Many MSPs enforce MFA for their own systems but not across all client environments.
  4. Backups not tested. The most dangerous finding. Many MSPs have backups but haven't tested restores.
  5. Admin privilege creep. Too many users with administrative access, no regular review.
  6. Legacy systems. Unsupported operating systems and applications that can't be patched.

Frequently Asked Questions

What is the Essential 8 maturity model?

The Essential 8 Maturity Model defines four maturity levels (0-3) for each of the eight mitigation strategies. Level 0 means minimal controls; Level 3 means advanced protections. Organisations should target at least Level 1 as a baseline, with Level 2 or 3 for higher-risk environments.

How do I assess Essential 8 maturity for my MSP or clients?

Start with each of the eight controls and evaluate your current implementation against the maturity level descriptors. Document what you have, identify gaps, and create a remediation plan. Our checklist provides a structured assessment framework.

Do MSPs need to be Essential 8 compliant?

MSPs aren't legally required to be Essential 8 compliant, but many government contracts require it, cyber insurance providers increasingly expect it, and clients are asking about it. Implementing Essential 8 across your own environment demonstrates competence to clients.

How long does it take to reach Essential 8 Level 1?

Most organisations can reach Level 1 within 3-6 months with dedicated effort. Levels 2 and 3 take progressively longer — typically 6-12 months each. The timeline depends on your current maturity, resources, and organisational commitment.

What's the difference between Essential 8 and ISO 27001?

Essential 8 is a specific set of eight technical controls focused on threat mitigation. ISO 27001 is a comprehensive information security management system covering governance, risk, people, and processes. Essential 8 can be implemented independently or as part of an ISO 27001 programme.