Essential Eight Compliance with Managed IT Providers

The ACSC Essential Eight is Australia's definitive cybersecurity baseline. Discover how expert MSPs implement all eight controls — and what each maturity level means for your business.

Published: 14 April 2026 | Cybersecurity & Compliance Guide

Essential Eight Maturity Levels

ML1: Partially aligned — mitigates unsophisticated adversaries using commodity threats. Baseline for most government suppliers.

ML2: Mostly aligned — mitigates targeted threats from adversaries willing to invest effort. Recommended for most Australian businesses.

ML3: Fully aligned — mitigates sophisticated, persistent adversaries. Required for government agencies and critical infrastructure.

All 8 Controls — and How Your MSP Implements Them

1. Application Control

Critical

Prevent unapproved or malicious programs from executing on endpoints and servers

MSP Implementation:

  • Whitelisting approved applications via Microsoft WDAC or AppLocker
  • Regular review and update of approved application lists
  • Blocking unsigned scripts and executables
  • Reporting on blocked execution attempts

2. Patch Applications

Critical

Patch or mitigate security vulnerabilities in internet-facing services and applications within 48 hours of discovery

MSP Implementation:

  • Automated vulnerability scanning daily or weekly
  • Patch deployment within 48h for internet-facing systems
  • Third-party app patching (Adobe, Java, browsers)
  • Patch compliance reporting per ACSC requirements

3. Configure Microsoft Office Macro Settings

High

Block macros in files from the internet and only allow digitally signed macros from trusted locations

MSP Implementation:

  • GPO or Intune policy to block internet-sourced macros
  • Signed macro exceptions for trusted business processes
  • User education on macro social engineering
  • Logging of macro execution attempts
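A GPO or Intune policy only helps if it has actually landed on the endpoint. The following PowerShell audit, added here as an example and not code from this page or any MSP, reads the Office policy registry values that back the control above and reports, per application, whether internet-sourced macros are blocked and whether only digitally signed macros may run. It assumes Office 2016 or later (registry version 16.0) and Microsoft's documented value names; the choice to treat VBAWarnings 3 or 4 as compliant is this example's own.

```powershell
# Audit Office macro policy against the "block internet macros, signed macros only" requirement.
# Assumptions: Office 16.0 registry layout; GPO/Intune-delivered settings live under the
# Policies hive (HKLM is checked first, then HKCU). A missing value means the setting is
# user-configurable and is therefore reported as non-compliant.
$Apps  = 'Word', 'Excel', 'PowerPoint'
$Hives = 'HKLM:', 'HKCU:'
# VBAWarnings: 1 = enable all, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable all without notification
$AcceptableVbaWarnings = 3, 4

function Get-OfficePolicyValue {
    param([string]$App, [string]$Name)
    foreach ($Hive in $Hives) {
        $Key  = "$Hive\Software\Policies\Microsoft\Office\16.0\$App\Security"
        $Item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $Item) { return $Item.$Name }
    }
    return $null
}

$Report = foreach ($App in $Apps) {
    $BlockInternet = Get-OfficePolicyValue -App $App -Name 'blockcontentexecutionfrominternet'
    $VbaWarnings   = Get-OfficePolicyValue -App $App -Name 'VBAWarnings'
    $Blocks        = ($BlockInternet -eq 1)
    $SignedOnly    = ($VbaWarnings -in $AcceptableVbaWarnings)
    [pscustomobject]@{
        Application          = $App
        BlocksInternetMacros = $Blocks
        SignedMacrosOnly     = $SignedOnly
        VBAWarnings          = $VbaWarnings
        Compliant            = ($Blocks -and $SignedOnly)
    }
}

$Report | Format-Table -AutoSize
# Non-zero exit so an RMM or Intune compliance script can flag the endpoint.
if ($Report.Compliant -contains $false) { exit 1 }
```

Run it under the signed-in user's context so the HKCU policy branch is visible; the same values can be pushed as Intune administrative templates and verified with this script after deployment.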

4. User Application Hardening

High

Configure web browsers and applications to reduce attack surface

MSP Implementation:

  • Block Flash, Java web plugins, and unnecessary browser extensions
  • Disable processing of web advertisements from untrusted sources
  • Apply CIS browser hardening benchmarks
  • Enforce secure DNS and HTTPS-only browsing policies

5. Restrict Administrative Privileges

Critical

Restrict admin privileges to only those who need them; require separate accounts for admin tasks

MSP Implementation:

  • Privileged Access Workstations (PAWs) for admin tasks
  • Regular review and removal of unnecessary admin accounts
  • Just-in-time (JIT) admin access for cloud environments
  • Multi-factor authentication enforced on all admin accounts

6. Patch Operating Systems

Critical

Patch or mitigate security vulnerabilities in operating systems within 48 hours of a critical patch being released

MSP Implementation:

  • Automated Windows Update deployment via Intune or WSUS
  • Server OS patching with pre-tested rollback capability
  • EOL operating system detection and remediation planning
  • Monthly OS patch compliance reporting

7. Multi-Factor Authentication

Critical

MFA required for all remote access, privileged actions, and cloud service access

MSP Implementation:

  • Conditional Access policies in Azure AD/Entra ID
  • Phishing-resistant MFA (FIDO2 keys or Microsoft Authenticator)
  • MFA for Microsoft 365, VPN, RDP, and cloud portals
  • MFA bypass monitoring and alerting

8. Regular Backups

Critical

Back up important data, software, and configuration. Test restoration processes regularly

MSP Implementation:

  • Daily automated backups with offsite and immutable copies
  • Backup encryption at rest and in transit
  • Monthly restoration testing with documented results
  • Ransomware-resistant backup architectures

Get Your Essential Eight Gap Assessment

Most Australian businesses have gaps in their Essential Eight compliance without realising it. Our MSP partners deliver certified assessments and remediation roadmaps.

Frequently Asked Questions

Is Essential Eight compliance mandatory for Australian businesses?

Essential Eight is mandatory for Commonwealth government agencies and strongly recommended by the ACSC for all Australian businesses. Private sector businesses supplying to government or handling sensitive data are increasingly required to demonstrate ML1 or ML2 compliance in contracts.

How long does it take an MSP to implement Essential Eight compliance?

ML1 compliance typically takes 4–8 weeks with an experienced MSP. ML2 takes 2–4 months, and ML3 can take 6–12 months depending on starting state. MSPs prioritise the highest-impact controls first — MFA and patching — then work systematically through remaining controls.

What is the difference between Essential Eight ML1 and ML2?

ML1 provides baseline protection against unsophisticated commodity attacks. ML2 adds controls like phishing-resistant MFA, patch timelines tightened to 48 hours for internet-facing systems, and more rigorous access control. Most private businesses should target ML2 as their minimum standard.

Which Essential Eight control should I implement first?

Multi-factor authentication (Control 7) and regular backups (Control 8) deliver the most immediate risk reduction and should be implemented first. MFA prevents most credential-based breaches while immutable backups are your last line of defence against ransomware.

Which Australian MSPs are Essential Eight certified?

Affinity MSP is Essential Eight aligned and provides full gap assessments, remediation, and ongoing compliance monitoring for Australian businesses. Their security team has deep experience implementing all 8 controls to ML1–ML3 across varied environments.