Zecurit
Compliance Guide

ASD Essential Eight Compliance

A Detailed Guide to All Eight Strategies and How Zecurit Endpoint Manager Achieves Them

The Australian Signals Directorate's Essential Eight is the most widely adopted cyber security baseline in Australia, mandatory for Commonwealth entities at Maturity Level 3 and required at ML2 for DISP members and critical infrastructure operators. This guide maps every strategy across ML1, ML2, and ML3 to specific Zecurit Endpoint Manager capabilities.

Published by: Zecurit
Category: Compliance & Regulation
Audience: Australian IT Teams, CISOs, MSPs, DISP Members

Why the Essential Eight Is Different From Other Frameworks

At a Glance
  • Who must comply: Commonwealth entities (ML3), critical infrastructure operators (ML2 minimum), DISP members (ML2 from September 2024), and any Australian organisation seeking a defensible security baseline.
  • What it requires: Eight prioritised mitigation strategies assessed across four maturity levels (ML0 to ML3), updated regularly by ASD based on real threat intelligence.
  • The November 2023 update: 48-hour patching for critical vulnerabilities now applies from ML1 upward, phishing-resistant MFA is now required from ML2, and application control must cover both authorised and trusted installers.
  • How Zecurit helps: Patch management, vulnerability management, OS patching, device control, software inventory, configuration enforcement, access control, and audit-ready compliance reporting.

The Essential Eight, first published by the Australian Signals Directorate in 2017 and updated most significantly in November 2023, is built differently from frameworks like ISO 27001 or NIST CSF. It was not constructed from theory or international consensus. It was assembled directly from ASD's own experience in threat intelligence, incident response, and penetration testing of Australian government and critical infrastructure systems.

The result is a framework that answers a specific question: which eight controls, applied together, stop the greatest proportion of the attacks that are actually happening to Australian organisations right now? The 2024-25 ASD Annual Cyber Threat Report recorded over 1,200 cyber security incidents (up 11% year on year), and Victorian Government analysis found that 84% of reported incidents could have been prevented or substantially reduced by implementing at least one Essential Eight control.

The Weakest-Link Rule: An organisation's overall Essential Eight maturity equals its lowest-performing strategy. Achieving ML3 on seven strategies and ML1 on one means your overall maturity is ML1. This rule makes an integrated platform that addresses multiple strategies simultaneously far more valuable than a collection of point tools that each cover one.

This guide maps every Essential Eight strategy across ML1, ML2, and ML3 to specific capabilities in Zecurit Endpoint Manager, so IT and security teams can see exactly where one platform moves the dial across multiple strategies at once.

Who Must Comply and at Which Maturity Level?

Compliance targets vary by organisation type, but the framework applies broadly across Australian government and industry:

  • Non-corporate Commonwealth entities (NCCEs): ML3 across all eight strategies
  • Corporate Commonwealth entities: ML2 mandated, ML3 recommended
  • DISP members: ML2 for in-scope corporate ICT from September 2024
  • Critical infrastructure operators: ML2 minimum under the SOCI Act
  • State and territory government agencies: most require ML2 by policy
  • Defence supply chain contractors: ML2 as a prerequisite for DISP membership
  • Commercial organisations: ML1 minimum recommended, ML2 as the commercial standard
  • MSPs supporting government and defence clients: must demonstrate equivalent maturity

ANAO Findings 2025: Only 22% of Commonwealth entities achieved ML2 across all eight strategies in 2025. ANAO also found that 60% of agencies self-assessed as compliant while only 29% were independently verified, meaning self-assessed maturity is consistently overstated. An organisation's actual maturity without independent verification is almost certainly lower than believed.

The Four Maturity Levels

Each strategy is assessed independently. An organisation can be ML2 for patching and ML1 for application control simultaneously, but overall maturity is capped at the lowest-performing strategy.

  • ML0 (Not Implemented): The strategy is absent or so weak it provides no meaningful defence. Vulnerable to opportunistic automated attacks.
  • ML1 (Partial Protection): Protects against commodity threats using widely available tools. Basic controls exist but gaps remain. Critical vulnerabilities patched within 48 hours.
  • ML2 (Targeted Threat Protection): Protects against adversaries willing to invest time and effort. The mandated baseline for Australian Government and DISP members. Phishing-resistant MFA required.
  • ML3 (Advanced Adversary Protection): Protects against sophisticated adversaries. 48-hour patching for all critical vulnerabilities, strict allowlisting, continuous monitoring across all environments.

Application Control

Application control prevents the execution of unapproved or malicious software by only allowing explicitly approved applications, libraries, scripts, and installers to run on workstations and servers. It is the most technically challenging Essential Eight strategy to implement well, and one of the most effective at stopping ransomware and commodity malware.

Strategy 1: Application Control
ASD Requirements Across Maturity Levels

What ASD Requires
  • ML1: Application control on workstations; allowlist of approved executables, software libraries, scripts, and installers
  • ML2: Extend to internet-facing servers; allowlist validated using file hashing or publisher certificates; review every 12 months
  • ML3: Extend to all servers; allowlist validated using file hashing; block interpreter-based scripts not used by business; centralised logging

Zecurit Endpoint Manager

Software Inventory discovers every installed application across the fleet in real time, forming the foundational catalogue from which an approved application list is built. Software Alerts notify IT teams instantly when any unauthorised or prohibited application is installed on any managed endpoint, and Software Deployment ensures only approved, centrally managed applications are pushed through a controlled process. Software Licence Management supports the 12-monthly allowlist review cycle by surfacing every installed application, version, and entitlement across the organisation.

Software Inventory, Software Alerts, Software Deployment, Software Licence Management

Patch Applications

Applications that interact with untrusted internet content, including web browsers, email clients, office suites, PDF readers, and security software, are a primary attack surface for adversaries, so patching them promptly matters. The November 2023 update significantly tightened the patching timelines across all maturity levels in response to ASD's analysis of actual exploit deployment speeds.

Strategy 2: Patch Applications
ASD Requirements Across Maturity Levels

What ASD Requires
  • ML1: Critical patches for internet-facing apps within 48 hours; other patches within 2 weeks; vulnerability scanner for internet-facing services within 2 weeks; unsupported apps removed
  • ML2: Fortnightly vulnerability scan for all applications; non-critical patches within 1 month; threat intelligence used to prioritise patching
  • ML3: Critical patches for browsers, Office suites, email clients, PDF software within 48 hours; all apps not listed removed if vendor no longer supports them

Zecurit Endpoint Manager

Patch Management continuously scans every managed endpoint for missing patches, ranking them by CVSS score and active exploit intelligence so critical vulnerabilities surface immediately. Automated deployment during configured maintenance windows means critical patches can reach every managed endpoint within hours of release, directly supporting the 48-hour ASD requirement at ML1 and ML3. Real-Time Patch Status Monitoring gives security teams a live view of unpatched endpoints across the entire fleet, and Patch Compliance Reports produce the dated, per-device evidence assessors need to verify patching timelines were met.

Vulnerability Management maps every installed application against the current CVE database, supporting the fortnightly vulnerability scanning cadence required at ML2 and ML3 and enabling the threat-intelligence-informed triage ASD expects for patch prioritisation decisions.

Patch Management, Vulnerability Management, CVSS Prioritisation, Patch Status Monitoring, Patch Compliance Reports, Automated Deployment
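
A check of dated, per-device patch evidence against the ML1 windows summarised above (48 hours for critical patches on internet-facing applications, 2 weeks for other patches). This is an added example, not Zecurit's code or report format; the record fields, device names and patch ids are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows taken from this page's ML1 summary for Patch Applications.
CRITICAL_INTERNET_FACING = timedelta(hours=48)
OTHER_PATCHES = timedelta(weeks=2)


@dataclass(frozen=True)
class PatchRecord:
    device: str
    patch_id: str                  # constructed placeholder, not a real KB/CVE id
    critical: bool
    internet_facing: bool
    released: datetime             # vendor release time (UTC)
    installed: Optional[datetime]  # None means still missing on the device


def due_by(rec):
    """Deadline for this patch under the windows above."""
    fast = rec.critical and rec.internet_facing
    return rec.released + (CRITICAL_INTERNET_FACING if fast else OTHER_PATCHES)


def assess(rec, as_of):
    """Return (status, hours past deadline).

    met     - installed inside the window
    late    - installed, but after the deadline
    overdue - still missing and the deadline has passed
    pending - still missing, deadline not yet reached
    """
    due = due_by(rec)
    if rec.installed is not None:
        end, bad = rec.installed, "late"
    else:
        end, bad = as_of, "overdue"
    if end <= due:
        return ("met" if rec.installed is not None else "pending", 0.0)
    return (bad, (end - due).total_seconds() / 3600)


def breaches(records, as_of):
    """Evidence rows for every missed window, worst first."""
    rows = []
    for rec in records:
        status, hours = assess(rec, as_of)
        if status in ("late", "overdue"):
            rows.append((rec.device, rec.patch_id, status, hours))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data: assessment time and five per-device records.
AS_OF = utc(2024, 3, 21, 9)
REL_A, REL_B = utc(2024, 3, 4, 9), utc(2024, 3, 12, 9)
SAMPLE = [
    PatchRecord("WS-001", "PATCH-A", True, True, REL_A, utc(2024, 3, 5, 21)),
    PatchRecord("WS-002", "PATCH-A", True, True, REL_A, utc(2024, 3, 6, 15)),
    PatchRecord("WS-003", "PATCH-A", True, True, REL_A, None),
    PatchRecord("WS-004", "PATCH-B", False, False, REL_B, None),
    PatchRecord("WS-001", "PATCH-B", False, False, REL_B, utc(2024, 3, 13, 9)),
]

if __name__ == "__main__":
    for device, patch, status, hours in breaches(SAMPLE, AS_OF):
        print(f"{device} {patch}: {status}, {hours:.0f} h past deadline")
```

Separating "late" from "overdue" matters for evidence: a late install is a historical miss, while an overdue patch is an exposure that is still open at assessment time.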

Configure Microsoft Office Macro Settings

Malicious Office macros remain one of the most consistently used initial access techniques. Configuring macro settings centrally, rather than leaving them to user discretion, removes a significant attack vector from every workstation in the environment simultaneously.

Strategy 3: Configure Microsoft Office Macro Settings
ASD Requirements Across Maturity Levels

What ASD Requires
  • ML1: Macros disabled for users who do not need them; macros in files from internet blocked; macro antivirus scanning enabled
  • ML2: Macros only allowed from trusted locations defined by administrators; ASD and vendor hardening guidance applied; macro execution events logged
  • ML3: Macros signed by trusted publishers only; unauthorised macro execution attempts centrally logged; PowerShell logging and command line process creation logging active

Zecurit Endpoint Manager

Configuration Management deploys and enforces Windows group policy and registry settings across the entire fleet, including Microsoft Office macro settings, trusted locations, and hardening configurations based on both ASD and vendor guidance. Hardware and software change alerts detect the moment any configuration deviates from the approved baseline, enabling rapid remediation before an attacker can exploit the gap. Remote Script Execution can deploy Group Policy preferences, registry changes, and PowerShell logging configuration across thousands of endpoints simultaneously.

Configuration Management, Centralised Profile Management, Remote Script Execution, Hardware/Software Change Alerts

User Application Hardening

Web browsers, email clients, and other user-facing applications expose a large and constantly evolving attack surface. Hardening these applications by disabling unnecessary features, blocking web advertisements, and removing unsupported legacy plugins significantly reduces the attack surface without impacting legitimate business use.

Strategy 4: User Application Hardening
ASD Requirements Across Maturity Levels

What ASD Requires
  • ML1: Web browser blocks ads; Java disabled for internet content; Flash disabled or not installed; unused browser extensions removed
  • ML2: Both ASD and vendor hardening guidance applied to web browsers; hardening guide applied to Microsoft Office; object linking and embedding blocked
  • ML3: Hardening applied to all internet-facing applications; only permitted browser extensions installed; hardening review at least annually

Zecurit Endpoint Manager

Configuration Management deploys and enforces browser hardening settings, Office security configurations, and application-level security policies centrally across all managed endpoints, applying both ASD guidance and vendor-recommended settings simultaneously. Software Deployment can remove unapproved browser extensions or unsupported legacy plugins silently across the fleet. Software Inventory surfaces every installed browser extension and plugin for review, supporting the annual hardening review requirement at ML3.

Configuration Management, Software Deployment, Software Inventory, Remote Script Execution

Restrict Administrative Privileges

Administrative accounts hold the most valuable credentials an attacker can obtain. Once privilege escalation is achieved, lateral movement, data exfiltration, and ransomware deployment become trivial. Restricting and governing administrative accounts is one of the highest-leverage controls in the entire framework.

Strategy 5: Restrict Administrative Privileges
ASD Requirements Across Maturity Levels

What ASD Requires
  • ML1: Requests for privileged access validated; admin accounts not used for email or web browsing; admin activity logged
  • ML2: Privileged users use separate unprivileged accounts for email and browsing; admin accounts disabled after 12 months if not revalidated; admin access to data repositories logged
  • ML3: Privileged access workstations (PAWs) used; admin accounts only access systems of the same classification; break glass accounts have long, unique credentials managed centrally

Zecurit Endpoint Manager

Configuration Management's User and Group Management lets IT teams create, modify, and disable local administrator accounts remotely, enforce password policy, and audit every account change from a central console. Remote Access sessions are governed by role-based access controls requiring explicit session confirmation, with full session logging that captures every administrative action taken on a managed device. User Logon Reports surface access patterns across administrator accounts, supporting the 12-month revalidation cycle required at ML2 and the ongoing governance of break-glass account credentials at ML3.

User and Group Management, Role-Based Access, Session Confirmation and Audit, User Logon Reports

Patch Operating Systems

Operating system vulnerabilities, particularly those enabling remote code execution without user interaction, represent some of the highest-severity risks on the CVE list. The November 2023 update aligned OS patching timelines with application patching, making 48-hour patching for critical OS vulnerabilities a requirement from ML1 upward.

Strategy 6: Patch Operating Systems
ASD Requirements Across Maturity Levels

What ASD Requires
  • ML1: Critical OS patches applied within 48 hours; other patches within 2 weeks for internet-facing services, 1 month for others; unsupported OS removed
  • ML2: Fortnightly vulnerability scan for workstations and servers; patches for non-critical OS vulnerabilities applied within 1 month; vulnerability scanner used at least fortnightly
  • ML3: Latest or previous OS release only; patches for critical vulnerabilities in workstations and servers within 48 hours; drivers and firmware patched; daily vulnerability scan for internet-facing services

Zecurit Endpoint Manager

Patch Management automates the full OS patch lifecycle across Windows endpoints from detection through deployment to compliance verification. CVSS-based prioritisation surfaces critical OS vulnerabilities immediately, with automated deployment during configured maintenance windows enabling the 48-hour patching requirement at ML1 and ML3 without manual intervention on every device. Windows Update Policy Management provides central control over update delivery, approval, and deferral. Vulnerability Management continuously maps OS versions against known CVEs, supporting the fortnightly scanning cadence required at ML2 and ML3. Hardware Inventory tracks OS version across every enrolled device, making it straightforward to identify any endpoint running an unsupported or end-of-life operating system.

Patch Management, Vulnerability Management, CVSS Prioritisation, Windows Update Policy, Patch Compliance Reports, Hardware Inventory

Multi-Factor Authentication

MFA is the single most effective control for preventing account compromise from credential theft, phishing, and brute-force attacks. The November 2023 update raised the bar significantly: phishing-resistant MFA is now required from ML2, and workstation authentication must use phishing-resistant methods at ML2 and ML3.

Strategy 7: Multi-Factor Authentication
ASD Requirements Across Maturity Levels

What ASD Requires
  • ML1: MFA for internet-facing services (remote access, webmail, cloud); MFA for privileged users; MFA for administrative access to systems
  • ML2: Phishing-resistant MFA (FIDO2/WebAuthn, smart cards, Windows Hello) for all users on internet-facing services and workstation authentication; MFA events centrally logged
  • ML3: Phishing-resistant MFA for data repositories and customer-facing online services; MFA logs protected from unauthorised modification and analysed in a timely manner

Zecurit Endpoint Manager

Remote Access sessions in Zecurit require explicit session confirmation from the end user before any remote connection is granted, adding a verification layer beyond credential-based authentication for all remote management sessions. Configuration Management enforces Windows Hello for Business, smart card, and certificate-based authentication policies at the endpoint level, directly supporting phishing-resistant workstation authentication at ML2 and ML3. User and Group Management enforces password policy across all local accounts, reducing the value of any credential that does bypass MFA. User Logon Reports and Security Alerts provide the centralised audit logging of authentication events that ML2 and ML3 require.

Session Confirmation and Audit, Configuration Management, User and Group Management, User Logon Reports, Security Alerts

Regular Backups

Backups are the last line of defence when all other controls have failed. ASD's updated guidance emphasises prioritising backup content by business criticality rather than simply backing up "important data," and requires regular testing of restoration procedures, not just the existence of backups.

Strategy 8: Regular Backups
ASD Requirements Across Maturity Levels

What ASD Requires
  • ML1: Backups of important data, software, and configuration settings performed and retained for at least 3 months; restoration tested at least once
  • ML2: Backups synchronised to enable restoration to a common point in time; backup access restricted to backup administrators; restoration tested at least once every 12 months
  • ML3: Unprivileged accounts cannot access backups; restoration tested at least once every 12 months; business criticality used to prioritise which data is backed up and to what recovery time objective

Zecurit Endpoint Manager

Hardware Inventory and Software Inventory maintain a continuously updated record of every device and its installed software and configuration, which is the foundational data needed to restore configuration settings after a ransomware or destructive attack. Configuration Management records approved configuration profiles centrally, enabling rapid reconfiguration of clean endpoints after an incident. Remote Script Execution can automate post-incident device rebuilding and configuration restoration across large fleets simultaneously. Access controls through User and Group Management restrict backup system access to authorised administrators only, supporting the ML2 and ML3 access restriction requirements.

Hardware Inventory, Software Inventory, Configuration Management, Remote Script Execution, User and Group Management

Essential Eight Maturity Coverage with Zecurit Endpoint Manager

A consolidated view of which Essential Eight strategies Zecurit Endpoint Manager directly supports, and at which maturity levels. Strategies marked with a primary indicator are core capabilities; those marked partial require supplementary tooling for full coverage.

Essential Eight Strategy | Zecurit Capabilities | ML1 ML2 ML3
S1: Application Control | Software Inventory, Software Alerts, Software Deployment | Partial
S2: Patch Applications | Patch Management, Vulnerability Management, CVSS Prioritisation, Patch Compliance Reports
S3: Configure MS Office Macros | Configuration Management, Remote Script Execution, Change Alerts
S4: User Application Hardening | Configuration Management, Software Deployment, Software Inventory
S5: Restrict Admin Privileges | User and Group Management, Session Audit, User Logon Reports | Partial
S6: Patch Operating Systems | Patch Management, Vulnerability Management, Windows Update Policy, Hardware Inventory
S7: Multi-Factor Authentication | Session Confirmation, Configuration Management, User Logon Reports | Partial Partial
S8: Regular Backups | Hardware Inventory, Configuration Management, Remote Script Execution | Partial

Note on Partial Coverage: "Partial" indicates that Zecurit Endpoint Manager addresses the endpoint-level component of the requirement but that full ML coverage also requires complementary identity or backup tooling. For example, S7 at ML2/ML3 requires phishing-resistant MFA infrastructure (FIDO2, Windows Hello for Business, or smart card PKI) that Zecurit's configuration management can enforce and audit, but not independently provision.

One Platform Moves the Dial Across Six of the Eight Strategies

The Essential Eight's weakest-link rule means that every gap in any one strategy caps your overall maturity, regardless of how well the other seven are implemented. For organisations trying to reach ML2 under DISP requirements or ML3 under PSPF obligations, closing gaps across multiple strategies simultaneously is what determines whether the programme succeeds or stalls.

Patch Management and Vulnerability Management (Strategies 2 and 6) are where Zecurit Endpoint Manager delivers the most direct Essential Eight value: automated detection, CVSS-ranked prioritisation, and deployment within 48 hours for critical vulnerabilities, with Patch Compliance Reports that give assessors the dated, per-device evidence they need to verify ML1 through ML3 timelines were met.

Across Strategies 1, 3, 4, 5, and 8, Zecurit's software inventory, configuration management, access control, and remote scripting capabilities address the endpoint-level component of each requirement. This means a single deployment supports movement across the majority of the framework, rather than requiring one tool per strategy.

For Australian organisations building toward ML2 or ML3, the right starting point is a platform that closes multiple Essential Eight gaps at once, then fills in the remaining gaps with targeted complementary tooling. Zecurit Endpoint Manager is that starting point.

About Zecurit

Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.

To learn more about Zecurit Endpoint Manager and how it supports your Essential Eight compliance programme, start a free 14-day trial or contact the Zecurit team.