Essential Eight Self-Assessment

How exposed is your business? Answer 16 plain-English questions and get an instant security score based on the Australian Signals Directorate's Essential Eight — the baseline every Australian business is measured against.

⏱️ About 5 minutes 🔒 Nothing stored unless you ask for an emailed copy 💰 Free, no email required

You don't need to be technical. If you're not sure about an answer, choose "I don't know" — for a small business, knowing what you don't know is half the value of this exercise.

What is the Essential Eight?

The Essential Eight is a set of eight baseline cyber security strategies published by the Australian Signals Directorate (ASD) in 2017. It exists because the vast majority of successful attacks on Australian businesses exploit the same handful of weaknesses — unpatched software, missing multi-factor authentication, poorly controlled admin accounts, and untested backups. Get the eight basics right and you've closed off most of the ways small businesses actually get compromised.

The eight strategies are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. The ASD measures implementation against four maturity levels (ML0–ML3), with higher levels defending against more sophisticated attackers.

Why should a small business care?

  • Cyber insurance. Australian insurers increasingly ask about MFA, backups, and patching — controls that map directly to the Essential Eight. Weak answers mean higher premiums or refused cover.
  • Winning bigger clients. Government agencies and large companies are pushing Essential Eight expectations down their supply chains. Being able to say "we've assessed ourselves against it" is becoming a door-opener.
  • It's mostly free. Unlike enterprise security frameworks, most Essential Eight basics — MFA, automatic updates, separate admin accounts — cost nothing but a few hours of setup.

Which maturity level should you aim for?

The ASD measures Essential Eight implementation against four maturity levels — and they're defined by the kind of attacker you can withstand, not by company size:

  • Maturity Level 0 — the requirements for Level 1 aren't met. Most Australian small businesses sit here without realising it.
  • Maturity Level 1 — protects against opportunistic attacks: commodity tools, public exploits for unpatched software, stolen or guessed passwords. These attackers aren't targeting you specifically — they're targeting anyone vulnerable.
  • Maturity Level 2 — protects against attackers willing to invest time in your business specifically, including targeted phishing and bypassing weak MFA. Mandated for federal government entities, and increasingly expected by cyber insurers and large-company supply chains.
  • Maturity Level 3 — protects against sophisticated, adaptive adversaries. Realistic territory for critical infrastructure, defence, and other high-value targets.

You'll often see this simplified as "Level 1 for small business, Level 2 for medium to large, Level 3 for critical infrastructure." That's a fair rule of thumb, but the ASD's actual guidance is risk-based: a ten-person firm holding sensitive client data — legal, accounting, health — may have good reason to aim higher than its size suggests.

For most small businesses, the honest starting point is Maturity Level 1. That's exactly the territory this assessment covers.

What this assessment covers (and what it doesn't)

Our self-assessment translates each of the eight controls into plain-English questions a business owner can answer without calling their IT person. It gives you a percentage score per control, an overall rating, and the three fixes that will move the needle most. The questions are aligned with the foundations of Maturity Level 1 — deliberately, because that's the level designed to stop the opportunistic attacks small businesses actually face.

It is not an official maturity assessment. The ASD's formal maturity model is deliberately strict — you only reach Maturity Level 1 when every requirement is met — and properly assessing it requires examining your actual systems, not just answering questions. It's also worth knowing the Essential Eight was designed primarily for Windows-based networks; if you're a Mac shop, most of the principles still apply, but some specifics (like Office macro settings) may not.

If your score worries you — or your insurer, client, or board is asking for evidence — that's where a professional assessment comes in. Our cybersecurity services cover security audits, penetration testing, and practical remediation sized for small business.

Common questions

What is the Essential Eight?

The Essential Eight is a set of eight baseline cyber security strategies published by the Australian Signals Directorate (ASD). It covers application control, patching applications and operating systems, Microsoft Office macro settings, user application hardening, restricting administrative privileges, multi-factor authentication, and regular backups.

Is this an official Essential Eight maturity assessment?

No. This is a simplified self-check inspired by the Essential Eight, written in plain English for small business owners. Official maturity assessments (Maturity Levels 0-3) are far stricter and are usually performed by a security professional against the full ASD maturity model.

How long does the assessment take?

About five minutes. There are 16 questions and your results appear instantly on the page — no email address required.

Does the Essential Eight apply to businesses that use Macs?

The Essential Eight was designed primarily for Windows-based, internet-connected networks. Most of its principles — MFA, backups, updates, restricting admin privileges — apply equally well to Mac and mixed environments, but some controls like Microsoft Office macro settings may not be relevant.

Why do cyber insurers ask about the Essential Eight?

Australian cyber insurance applications increasingly ask about controls that map directly to the Essential Eight — particularly MFA, backups, and patching — because businesses with these basics in place make far fewer claims. A poor answer can mean higher premiums or refused cover.

What maturity level should my business aim for?

Officially it's a risk-based decision, not a size-based one. As a rule of thumb: small businesses should work toward Maturity Level 1, federal government entities are mandated to reach Level 2, and critical infrastructure aims for Level 2 or 3. If you hold sensitive client data or sit in a government supply chain, you may need to aim higher than your size suggests — and cyber insurers are increasingly asking for Level 2 controls.

Which maturity level does this assessment cover?

This tool checks the foundations of Maturity Level 1 — deliberately, because that's the right starting point for most small businesses and the level designed to stop opportunistic attacks. Formally assessing Maturity Levels 1-3 against the full ASD model means examining your actual systems, which is a professional engagement rather than a five-minute quiz.

Is this really free? What's the catch?

Really free, and no email is needed to see your results. If you choose to have the report emailed to you, we store your email address and scores to send it — nothing else, and no newsletter. We built it because it's genuinely useful, and because some people who use it will want professional help with the fixes. That's the whole business model.

How accurate is the score?

It's as accurate as your answers — it's a self-check, not an audit. It's designed to show you where your gaps are and what to do first, not to certify anything. Treat a high score as "good foundations," not "unhackable."

We scored badly. How urgent is this?

Don't panic, but don't sit on it either. Start with the three fixes in your results — MFA and backups in particular can usually be sorted within a week, and they're the two that matter most in a real incident.

Can you do an official Essential Eight assessment for us?

We can assess your environment against the Essential Eight principles and help you implement the controls, prioritised by risk and budget. Get in touch for a free initial chat about what you actually need.