
COMPLIANCE, ESSENTIAL 8

The Australian security baseline.

The Australian Cyber Security Centre's Essential 8 is the practical baseline for cyber resilience, increasingly required by government contracts, cyber insurers and Privacy Act compliance. BaseHost builds and runs the technical controls that underpin each of the eight strategies. Your auditor or assessor sets the bar; we make the technology meet it and keep meeting it.

THE EIGHT STRATEGIES

What you'll need to implement

Strategy 1

Application control

Allow-list which executables, libraries and scripts can run on endpoints and servers. Microsoft Defender Application Control or AppLocker, deployed via Intune.

Strategy 2

Patch applications

Patch internet-facing applications within 48 hours, others within two weeks. Vulnerability scanning, prioritisation, scheduled patching windows.

Strategy 3

Configure Microsoft Office macros

Block macros from the internet by default, allow only signed macros from trusted publishers. Configured via Intune ADMX policy.

Strategy 4

User application hardening

Disable Java, Flash and ads in browsers. Restrict PowerShell. Block legacy authentication. Implemented via Attack Surface Reduction rules.

Strategy 5

Restrict admin privileges

Privileged Identity Management, just-in-time access, separate admin accounts, MFA on all elevation. Validated quarterly.

Strategy 6

Patch operating systems

Internet-facing OS patched within 48 hours, others within two weeks. Update Rings via Intune, escalation for missed cycles.

Strategy 7

Multi-factor authentication

MFA on all internet-facing services, all privileged accounts, all access to sensitive data. Phishing-resistant methods (FIDO2, Authenticator number-match) prioritised.

Strategy 8

Regular backups

Tested, immutable, isolated from production. Quarterly restore drills with written evidence. Mapped to our Disaster Recovery service.

MATURITY LEVELS

Three rungs on the ladder

ACSC defines three maturity levels for each strategy. Most enterprise contracts now require ML2 minimum; ML3 is the target for higher-risk environments.

ML1

Defends against opportunistic attackers

Basic implementation of all eight strategies. Stops commodity malware and untargeted attacks. The minimum acceptable baseline for any organisation handling personal information.

ML2, most common target

Defends against targeted attackers

Stricter implementation with shorter patching windows, phishing-resistant MFA, application control monitoring. Required by most enterprise procurement and government contracts.

ML3

Defends against advanced adversaries

Adversary-grade testing, centralised logging, real-time monitoring. Appropriate for high-value targets, regulated financial services, defence supply chain.

PRIVACY ACT & APP 11

Privacy Act compliance, covered

Australian Privacy Principle 11 requires organisations to take "reasonable steps" to protect personal information. The OAIC has stated that implementing Essential 8 to ML2 generally constitutes reasonable steps for most APP entities. So a properly delivered Essential 8 uplift discharges most of your Privacy Act security obligations; no separate Privacy Act readiness programme is needed.

For entities with higher data sensitivity (health data, financial services, large-scale personal information processing), Essential 8 ML3 is more appropriate.

HOW WE DELIVER ESSENTIAL 8

Essential 8 maturity built as you go, not retrofitted for audit.

Readiness assessment, written gap report, implementation plan with effort estimates, evidence library, and ongoing measurement against ML1, ML2 and ML3. We follow the model the ASD and ACSC publish, with the operational layer wrapped around it so the controls become a way of working, not a quarterly fire drill. Where Essential 8 overlaps with SMB1001, ISO 27001 or SOC 2, the same control gets logged once and the evidence is reused.

Maturity is not a slide deck. It is evidence you can hand to an auditor, an insurer or a customer, with dates, owners, and the underlying configuration that produced it. We build the evidence as we build the controls, so the audit becomes a verification of what is already operating, not a scramble to find proof.

ALWAYS ON

Australia's cyber baseline. Implemented properly.

Engineers monitoring around the clock from our operations base. No outsourced helpdesk, no script-readers. Just experienced people who know your environment.

SCOPE OF SERVICE

What BaseHost owns. What we don’t.

The ACSC and your assessor define what Essential 8 looks like. We make sure the technology underneath delivers it.

What BaseHost owns

  • Configure application control, patching, macro hardening and user application hardening.
  • Deploy and tune Defender for Endpoint, MFA and admin privilege restriction.
  • Build the backup, restore and recovery-testing schedule.
  • Capture the evidence for each of the eight strategies on a recurring basis.
  • Map our managed services onto ML1, ML2 or ML3 and keep the controls operating at that level.

What we don’t

  • Issue your maturity assessment or sign off your gap report as an auditor.
  • Set your target maturity level. That’s a decision for your board, your customers or your insurer.
  • Act as your IRAP assessor or external Essential 8 assessor.
  • Own your policies, procedures or governance documentation.

Where are you on the ladder? Find out in two minutes.

Free Essential 8 readiness assessment: eight questions, scored against ACSC criteria, with a written report and prioritised remediation.