Essential Eight Services

Strengthen your defences. Reduce risk. Prove resilience.

blue and white striped round textile
blue and white striped round textile
Book an E8 scoping session

The Essential Eight (E8) is Australia’s practical, high‑impact baseline for defending against ransomware, phishing, and common intrusion techniques. Let us help you implement it.

Essential Eight Cyber Security Uplift for SMEs

Strengthen your defences. Reduce risk. Prove resilience.

The Essential Eight is Australia’s practical, high‑impact baseline for defending against ransomware, phishing, and common intrusion techniques. It focuses on eight technical strategies that together help prevent malware execution, limit the impact of incidents, and ensure data recovery.

Ready to uplift?

Start with a Level 1 Foundation Assessment to establish your baseline and quick wins. Move to scoping session to plan your Level 2 Resilience or Level 3 Assurance journey.

The ACSC’s Essential Eight Maturity Model provides a progressive roadmap - Maturity Levels 1, 2, and 3 - so organisations can uplift controls consistently across all eight strategies and demonstrate defensible governance to customers, insurers, and regulators.

The Eight Strategies We Implement

Why Essential Eight, and why now?

  • Proven, prioritised controls that make compromise much harder for adversaries.

  • Risk‑based maturity path aligned to increasing adversary tradecraft, from opportunistic actors to adaptive, targeted attackers.

  • Cost‑effective uplift compared to responding to large‑scale incidents post‑breach.

We uplift all eight strategies to the same maturity level before moving higher, as recommended by ACSC, ensuring balanced coverage and fewer exceptions.

  1. Application Control - only allow approved code to run (executables, scripts, installers, drivers).

  2. Patch Applications - remediate known vulnerabilities quickly.

  3. Configure Microsoft Office Macro Settings - block from the internet; only allow trusted macros.

  4. User Application Hardening - harden browsers and common apps (disable risky features/content).

  5. Restrict Administrative Privileges - least privilege with separate, controlled admin accounts.

  6. Patch Operating Systems - keep OSs current to close exploitation paths.

  7. Multi‑Factor Authentication (MFA) - add strong second factors for remote, privileged, and sensitive access.

  8. Regular Backups - daily backups of data, software, and configs; test restores.

We deliver the Essential Eight as three packaged offerings. Each package achieves the same maturity level across all eight strategies, in line with ACSC guidance.

Book a free assessment
Level 1 “Foundation” Package

Achieve Maturity Level 1 across all eight strategies.

Achieve Maturity Level 2 across all eight strategies

Achieve Maturity Level 3 across all eight strategies with advanced, adaptive control posture.

Level 2 “Resilience” Package
Level 3 “Assurance” Package

Benefits:

  • Rapid uplift to a defensible baseline against common threats.

  • Reduced ransomware and business email compromise exposure.

  • Clear artefacts for insurers and customer due diligence

Benefits:

  • Reduced dwell time and stronger containment when targeted.

  • Evidence‑ready posture for third‑party assessments and higher assurance contracts.

  • Lower operational risk via stricter controls and MFA coverage.

Benefits:

  • Highest protection against adaptive, targeted attacks.

  • Strong assurance for boards, regulators, and critical customers; supports government‑grade expectations.

  • Demonstrably reduced residual risk with tested recovery pathways.

Inclusions (examples):

  • Baseline assessment & gap analysis against E8 maturity requirements; evidence‑based report.

  • Application Control (ML1): AppLocker pilots & allow‑listing for core business apps on Windows endpoints.

  • Patch Management: Standardised patching cadence for applications and OS; risk‑based prioritisation.

  • Macro Controls: Block macros from the internet; trusted macro approval workflow.

  • User Application Hardening: Browser and PDF reader hardening; disable risky content/features.

  • Admin Privileges: Role‑based access, separate admin accounts, basic privileged access processes.

  • MFA Enablement: MFA for remote access and privileged accounts.

  • Backups: Daily backups of critical data/configs; scheduled test restores.

  • Policy & Exception Register: Documented exceptions with compensating controls, per ACSC guidance.

  • User Awareness: Targeted phishing and macro hygiene training aligned to ML1 risk.

Inclusions (examples):

  • Enhanced assessment & evidence collection (logs, configs, change records) to ML2 expectations.

  • Application Control (ML2): Transition to Windows Defender Application Control (WDAC) where appropriate; change‑control workflows.

  • Accelerated Patching SLAs: Shorter remediation windows; vulnerability scanning with up‑to‑date signatures prior to scans.

  • Macro Governance: Signed/trusted macros only; conditional access policies.

  • Hardened User Apps: Broader hardening coverage incl. blocking risky web content and plugins.

  • Privileged Access Management: Just‑in‑time admin elevation, audit trails, and high‑risk activity logging.

  • Expanded MFA across remote, privileged, and sensitive line‑of‑business systems.

  • Backup Maturity: Offline/immutable replicas and routine disaster‑recovery exercises.

  • Automated Asset Discovery to inform patching/vulnerability scanning.

  • Incident Playbooks for ransomware, credential compromise, and malware.

Inclusions (examples):

  • Comprehensive audit & continuous assurance aligned to ML3 intent and evidence quality.

  • Application Control: WDAC in enforce mode with cryptographic/publisher rules; strict change governance and validation.

  • Rapid Patching & Exception mindset: near‑real‑time prioritisation; minimal, tightly scoped exceptions with controls.

  • Macro & Content Controls: reputation, isolation of untrusted documents, and signed content enforcement.

  • Holistic Hardening: browser, email, and endpoint content controls; exploit‑mitigation features enabled and monitored.

  • Privileged Access at Scale: Segregated admin tiers, session recording, approval workflows, and continuous monitoring.

  • Strong MFA across all critical systems; phishing‑resistant factors where feasible.

  • Resilient Backups: Multi‑region/store resilience, frequent restore drills, immutable retention, and recovery time objectives (RTO/RPO) tuned to business risk.

  • Assessment Readiness: Mapping to ISM controls and Essential Eight assessment artefacts for independent review.

How We Work With You

We help you choose the target maturity level appropriate for your environment and progress level by level attaining the same maturity across all eight before moving up.

  • Discover & Benchmark - We assess your environment against the latest Essential Eight Maturity Model, collect credible evidence, and identify compensating controls where needed.

  • Plan & Prioritise - We set a target maturity level suitable for your risk profile and agree milestones to reach it (Level 1, then Level 2, then Level 3).

  • Implement & Validate - We deploy controls for all eight strategies to the chosen level, validate effectiveness, and document exceptions via appropriate governance.

  • Operate & Improve - We provide ongoing monitoring, patch/privilege governance, restore testing, and periodic re‑assessments to keep pace with evolving threat landscape.

Let's talk!

(c) 2025 Infomatix Pty Ltd

Infomatix acknowledges Traditional Owners of Country throughout Australia and recognises the continuing connection to lands, waters and communities. We pay our respect to Aboriginal and Torres Strait Islander cultures; and to Elders past and present. We embrace and celebrate the oldest culture in the world.

a red and black background with a sun and a yellow sun
a red and black background with a sun and a yellow sun

Privacy Policy

Contact

Terms and Conditions

Support Service Desk