Does this kit guarantee compliance with the Essential Eight?

No. This is a gap analysis and self-assessment tool, not a certification or compliance service. It helps you accurately understand your current maturity level, identify specific gaps, and prioritise remediation. To address the gaps identified, the Australian Compliance Bundle ($97) provides implementation templates for each of the 8 strategies.

Digital Download — Instant Access

Know Your Security Maturity —
Fix the Gaps

Q: What maturity level should my business aim for?

For Australian Government entities, the mandatory target is Maturity Level 2 (ML2). For private-sector SMBs, Maturity Level 1 (ML1) is the baseline recommended by the ACSC and endorsed by the Insurance Council of Australia as a first step toward cyber insurance eligibility. ML2 is increasingly required to win government supply chain contracts. Most Australian businesses are currently operating at ML0 or partial ML1 across multiple strategies.

Q: How long does the assessment take?

A thorough assessment of all 8 strategies takes approximately 2-4 hours when conducted by someone familiar with the organisation's IT environment. The scoring workbook is structured to make this efficient, with clear criteria for each maturity level across each strategy.

Before you can fix your Essential Eight posture, you need to know exactly where you stand. This kit scores you across all 8 strategies (ML0–ML3), surfaces your gaps, and gives you a board-ready report — without a $15,000 consultant invoice.

$47 USD

vs $8,000–$25,000 for a consultant-led assessment

Get Instant Access →

30-Day Money-Back Guarantee

Instant download ACSC November 2023 aligned Board-ready output

Most Australian Businesses Are Blind to Their Own Gaps

The Essential Eight is the ACSC's baseline framework for Australian cyber resilience — mandatory for government, best practice for every Australian business. Yet compliance rates remain critically low, and the rules tightened significantly in November 2023.

Compliance Rates Are Abysmal

In 2024, only 15% of Australian Government entities — with dedicated security teams and budgets — achieved overall Maturity Level 2 across all eight strategies, down from 25% in 2023. For under-resourced SMBs, the picture is significantly worse. (Source: ASD Commonwealth Cyber Security Posture 2024, cyber.gov.au)

Consultant Assessments Cost $8K–$25K

A formal Essential Eight gap assessment from an Australian MSSP or cybersecurity firm typically costs $8,000–$25,000 for an SMB — and takes 2–6 weeks. This kit gives you the same structured output in 2–4 hours for $47. (Source: itnetworks.com.au, cybercx.com.au)

November 2023 Update Changed the Rules

The ASD's November 2023 maturity model update introduced significant changes: 48-hour patching timelines for critical vulnerabilities, phishing-resistant MFA now required at ML2, centralised logging moved from ML3 to ML2, and new cloud service requirements. If your last assessment predates November 2023, you are measuring against the wrong standard. (Source: ASD Essential Eight Maturity Model Changes, November 2023)

No Assessment = No Insurance, No Contracts

The Insurance Council of Australia explicitly endorses the Essential Eight for SMEs seeking cyber insurance. Without a documented assessment and maturity baseline, insurers will deny coverage or inflate premiums. Government supply chain contracts increasingly require ML2 evidence. The average cost of a cybercrime incident for small businesses rose 14% to $56,600 AUD in 2024–25. (Source: ASD Annual Cyber Threat Report 2024–25, Insurance Council of Australia)

What's in the Kit

Five documents purpose-built for an efficient, structured Essential Eight self-assessment — from raw scoring through to board-ready output.

Essential Eight Self-Assessment Workbook Excel + CSV

The core scoring tool. Structured criteria for every maturity level (ML0, ML1, ML2, ML3) across each of the 8 strategies — 64 criteria sets in total. Score your current state objectively, see your aggregate maturity profile at a glance, and identify exactly which criteria you pass or fail in each strategy.

Gap Analysis Report Template PDF

An executive-ready report template that translates your workbook scores into a structured gap analysis. Documents each shortfall against the November 2023 maturity model criteria, with space for evidence notes and risk context. Ready to share with management, your board, insurers, or government procurement officers.

Remediation Priority Matrix PDF

Not all gaps are equal. The matrix ranks your identified shortfalls by security risk and implementation effort — so you know which fixes deliver the most protection per hour of IT effort. Stops you from getting lost in the detail and helps you build a credible remediation roadmap.

Board Executive Report Template PDF

A non-technical summary template designed for board or senior management presentation. Converts your ML scores into plain-language findings, business risk context, and a prioritised action plan. Gives executives the information they need to make resource decisions without wading through technical criteria.

Implementation Quick-Win Checklist PDF

30 targeted actions to reach Maturity Level 1 as quickly as possible. Grouped by strategy and sequenced by ease of implementation. Each action is mapped to the specific ML1 criterion it satisfies — so you can tick off compliance criteria in the most efficient order possible.

All 8 Strategies Covered

The workbook scores you against every ACSC-defined criterion for each strategy at each maturity level. No strategy left unscored.

1. Patch Applications

Patch or mitigate vulnerabilities in internet-facing services. Critical CVEs within 48 hours at ML2; within two weeks for standard patches.

2. Patch Operating Systems

Keep operating systems and firmware current. Critical vulnerabilities addressed within 48 hours. Vulnerability scanning required.

3. Multi-Factor Authentication

MFA for all users at ML1. Phishing-resistant MFA for all remote access and privileged accounts at ML2. Mandatory for sensitive data portals.

4. Restrict Admin Privileges

Least-privilege access. Privileged accounts must not browse the internet. Secure admin workstations required. Break-glass accounts and governance at ML2+.

5. Application Control

Only approved, signed applications execute. Annual ruleset reviews at ML2. Microsoft's recommended application blocklist implemented.

6. Restrict Office Macros

Block macros originating from the internet. Only allow vetted, signed macros from trusted publishers. Disable macros in high-risk Office applications.

7. User Application Hardening

Disable IE11 (mandatory), Flash, Java where not needed. Apply ASD and vendor hardening guides. PowerShell logging and command-line process creation events at ML2.

8. Regular Backups

Backup critical data regularly. Test restoration. Offline or immutable copies required. Business criticality-based prioritisation. Recovery objectives defined and verified.

Built For

Anyone who needs to know where they stand against the Essential Eight — without a five-figure consulting engagement.

IT Managers

Tasked with improving security posture but lacking a structured framework to diagnose gaps. Use this kit to baseline your current state, prioritise your roadmap, and report to leadership with evidence.

MSPs and IT Consultants

Need to assess SMB clients efficiently before recommending remediation work. The scoring workbook lets you run a structured assessment in a single client session and deliver a professional gap report.

Operations and Compliance Managers

Responsible for cyber insurance applications, government contract bids, or board-level cyber risk reporting. The board report template gives you the output you need without writing anything from scratch.

Business Owners

Who know the Essential Eight matters for insurance and contracts but have no clear picture of where they sit. Get a factual baseline without committing to an expensive consulting engagement first.

Assessment vs Assessment vs Assessment

There are three ways to assess your Essential Eight maturity. Here is how they compare.

Feature	DIY from ACSC Website	Consultant-Led Assessment	This Kit
Structured scoring workbook	No	Yes	Yes
November 2023 criteria included	Manual interpretation	Yes	Yes
Gap analysis report template	No	Yes	Yes
Board executive report	No	Yes (extra cost)	Yes — included
Remediation priority guidance	No	Yes	Yes
Done today (not weeks away)	Yes	No (2–6 weeks)	Yes
Price	Free (but unstructured)	$8,000 – $25,000	$47

Frequently Asked Questions

Is this based on the latest ACSC Essential Eight framework?

Yes. The workbook and all templates are aligned with the ASD's November 2023 Essential Eight Maturity Model update — the most significant revision since the framework launched. Key changes include 48-hour patching timelines for critical vulnerabilities, phishing-resistant MFA requirements at ML2, centralised logging moved from ML3 to ML2, and new cloud service management requirements. If your last assessment predates November 2023, you may be measuring against outdated criteria.

What maturity level should my business aim for?

For Australian Government entities, ML2 is the mandatory target under the Protective Security Policy Framework. For private-sector SMBs, ML1 is the ACSC baseline recommendation and the threshold endorsed by the Insurance Council of Australia for cyber insurance purposes. ML2 is increasingly required to win government supply chain contracts. The kit helps you understand the gap between your current state and whichever target level is relevant to your business.

Can I use this kit to assess my clients? (for MSPs and IT consultants)

A single licence covers one organisation's assessment. If you are an MSP or IT consultant assessing multiple client organisations, you will need a separate purchase for each client. The workbook is designed to be efficient — an experienced IT professional can guide a client through the assessment in 2–4 hours and produce a professional deliverable at the end.

How long does the assessment take?

A thorough assessment of all 8 strategies typically takes 2–4 hours when conducted by someone familiar with the organisation's IT environment, systems, and security controls. The scoring workbook is structured to make this systematic rather than open-ended — each strategy has specific criteria that you evaluate against documented evidence.

Does this kit guarantee Essential Eight compliance?

No. This is a self-assessment and gap analysis tool, not a certification or compliance service. It helps you accurately understand your current maturity level and identify specific gaps against the ACSC criteria. To address identified gaps, our Australian Compliance Bundle ($97) provides implementation templates — security policies, procedures, and a 12-month roadmap — that directly complement this assessment. Think of this kit as Step 1 (diagnose) and the bundle as Step 2 (fix).

What format are the files in?

The kit includes 5 files: the Self-Assessment Workbook in Excel/CSV format for scoring and calculation, and four PDF documents — the Gap Analysis Report Template, Remediation Priority Matrix, Board Executive Report Template, and Implementation Quick-Win Checklist. All files are delivered instantly via Polar upon purchase with permanent download access.

Step 1: Assess. Step 2: Fix.

This kit tells you where your gaps are. The Australian Compliance Bundle gives you everything you need to close them.

Essential Eight Assessment Kit — $47

Score your current maturity level across all 8 strategies. Identify gaps. Produce a board-ready gap report. Know exactly where to focus your remediation effort. Start here.

Australian Compliance Bundle — $97

Implementation templates to fix the gaps this kit identifies. Five ready-to-deploy documents: Essential Eight policies, security procedures, incident response plan, board reporting templates, and a 12-month compliance roadmap to ML2. Learn more →

Know Your Security Maturity —Fix the Gaps