How the Essential 8 Maturity Model Benchmarks Cybersecurity

March 14, 2025
Kane Nawrocki

Cybersecurity for business sprawls across systems, people, and processes, making it difficult to know how well you’re protecting your organisation. ASIC’s Cyber Pulse Survey 2023 reports that Australian-regulated organisations have an average cybersecurity maturity score of just 1.66 on a scale from 0 to 3. But what does that mean? How can you find out your organisation’s cybersecurity maturity level? And what level should it be?


The Essential Eight Maturity Model


An initiative of the Australian Signals Directorate and the Australian Cyber Security Centre, the Essential Eight is designed to help Australian organisations stay cyber secure. The guidance provides various strategies across different areas of focus that build in complexity at each maturity level, from level 0 to level 3.


For an overall ACSC primer, take a look at our ACSC Essential 8 blog.


Maturity models benchmark your organisation


Maturity models are a great way to see how your organisation compares to the rest of the playing field and to find new goals and KPIs to strive towards. Standardised maturity model frameworks provide checklists to achieve different levels of business sophistication. Popular models include:



The levels system of maturity models


The levels of maturity that these maturity models provide are staggered so that organisations can grow to excel in the given field. The levels usually rise in number, with descriptions like “Ad-hoc” through to “Optimising”. Achieving a certain level means achieving all the requirements at that level. Organisations self-assess their maturity.


Note: In some cases, you may choose not to tick off all boxes at a certain level, and only strive to achieve what applies to your business at a higher level. 


In the Essential Eight, the levels are:


  • Level 0: Weaknesses exist that may easily be exploited
  • Level 1: Malicious actors may use typical tools to exploit the business in widespread attacks
  • Level 2: Malicious actors with selective and targeted attacks using typical tools may be able to exploit the business
  • Level 3: Malicious actors using sustained and customised strategies may be able to exploit the business


For most organisations, a Level 2 baseline is an excellent aiming point.


Certification of maturity level


Self-assessment of your organisation’s maturity level against a maturity model is usually “enough” to satisfy stakeholders and key decision-makers. However, some models offer official level-based certification, either through the model’s publisher or independent third parties. 


While the Essential Eight doesn’t offer official certification per se, some organisations may have mandates for third-party Essential Eight assessments, because of government, industry, or contractor policies. RIGA specialises in helping organisations assess their Essential Eight compliance. By getting an external assessor to verify your maturity level, you can proudly and confidently state it to clients, investors, and the public.


Benchmarking maturity


While the Essential Eight is only “essential” for Australian federal government departments, state and local governments and businesses of all shapes and sizes are now seeing the benefits of following this standardised model.


By benchmarking cybersecurity across the business using the Essential Eight, you know where you’re at – and where you’d like to be. Using the strategies outlined for the next maturity level, your organisation can become more secure with an easy-to-follow guide. Because the Essential Eight is updated regularly and is maintained by the Australian government, you’re assured of the model’s quality.


Gain a greater cyber awareness


Of course, there is more to strengthening your organisation’s cybersecurity program than just following the Essential Eight. Organisations can also join the Australian Signals Directorate’s Business Partnership program to be signed up for the ASD’s ACSC Alert Service, and receive the monthly cyber newsletter, targeted guidance and invitations to relevant events.


If you’d like a helping hand for self-assessment of the Essential Eight, rolling out the strategies contained within, or would like an external assessment of your E8 maturity, then make sure to get in contact with us today.    

Frequently Asked

Do you complete Security Audits?

YES - we can complete one-off audits to give you a second opinion on your environment. However, this is what we refer to as IT Cowboys, and we would prefer to build an ongoing relationship with you. That’s why, when you commit to one of our packages, we complete an onboarding audit, which includes a security audit, a gap analysis against our Tactical 12 fortress, along with internal and external penetration tests. We then put together a plan for remediation as quickly as possible to ensure your compliance and get your insurance sorted ASAP so you’re covered.

Do you come to site?

In the initial onboarding process, we attend your site to document and understand how you operate, completing a checklist, inspecting infrastructure suitability, meeting key stakeholders, and performing general IT housekeeping. Once the onboarding process is complete, your environment should be rock solid, and the need to attend the site moving forward should be very minimal, if at all.

Will my existing computers be supported?

YES - provided they run an operating system currently supported by the vendor and are under warranty by the manufacturer.

Do you support Apple Mac and can they be compliant?

YES - we worked hard to ensure that Apple products can be supported and secured under all our product offerings.

What happens if an issue arises outside my support contract?

inSUPPORT Helpdesk operates a 24/7 'follow-the-sun' support desk, serviced by a team of global geeks. You might get a Kiwi from New Zealand on one call, and a Pinoy/Pinay from the Philippines on the next.