ACSC Essential Eight
The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security. The ACSC recommends that all Australian organizations implement the Essential Eight mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, consists of foundational cyber security measures that make it much harder for adversaries to compromise systems.
The Essential Eight maturity levels allow organizations to assess the appropriateness of their cyber security measures against common threats in the current interconnected technology landscape.
Audience
The Essential Eight (maturity level 2) is a mandatory requirement for all Australian noncorporate Commonwealth entities subject to the Public Governance, Performance, and Accountability (PGPA) Act, as per Protective Security Policy Framework (PSPF) Policy 10. For more information about Australian Government advice on PGPA legislation, associated instruments, and policies, see PGPA legislation, associated instruments, and policies.
This guidance is intended for security advisers, security assessors, system architects, and decision makers who wish to assess an organization’s maturity level. The guidance also provides details on how to implement the necessary controls to achieve the required maturity level.
These documents represent Consumer Guidance for the purposes of the cloud security assessment process. This material should also be considered and referenced within Microsoft’s relevant IRAP (Information Security Registered Assessors Program) Assessment Reports (for example, Azure IRAP Assessment) and ACSC advice.
If you require more information on Essential Eight, contact Essential-8@Microsoft.com.
What are the Essential Eight pillars?
See the following articles to learn about each pillar and how you can implement the controls to achieve a maturity level.
- Application Control
- Patch Applications
- Configure Microsoft Office Macro Settings
- User Application Hardening
- Restrict Administrative Privileges
- Patch Operating Systems
- Multifactor authentication
- Regular Backups
Microsoft licensing for the Essential Eight
The Microsoft 365 License Maps portal publishes a summary of the licenses and toolsets required to implement the Essential Eight controls across the maturity levels. The Essential Eight License Map is available as an interactive version and a downloadable version.
Note
These license maps have been built by Microsoft employees as a community project and are not official documents from Microsoft.
Moving from Essential Eight implementation to monitoring and continuous compliance
Essential Eight assessment and remediation using these documents is a point-in-time activity to achieve the desired maturity level.
However, to maintain security policies and compliance baselines, Microsoft recommends using these guides together with Microsoft Purview Compliance Manager to stay continually compliant and prevent compliance drift.
Purview Compliance Manager premium templates are available for the Essential Eight at all three levels to automate and assist with monitoring, continuous assessment, and configuration drift and configuration management.
Additionally, there are premium templates for IRAP compliance at Official and Protected for Australian organizations requiring this level of assurance.
Microsoft Copilot for Microsoft 365
Copilot for Microsoft 365 operates within the context of the existing Office applications, including Teams, Mobile apps, and Office for the Web. As such, Copilot for Microsoft 365 inherits your existing Essential Eight controls and posture.
Note
Currently, Copilot for Microsoft 365 will not operate on a Macro-enabled Office document.