Cybersecurity 11 February 2026 8 min read

Essential 8 Compliance: A Plain-English Guide for Australian Businesses

The ACSC Essential Eight, explained without jargon. What each control means, how to start, and what auditors actually look for.

If you sell to government, handle health data, or just want to sleep at night, the Essential Eight is the cybersecurity baseline you're being measured against in Australia. The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) publishes it together with the maturity model that assessors grade you against, the Attorney-General's Department mandates it for non-corporate Commonwealth entities through the Protective Security Policy Framework, and almost every cyber insurer now asks about it on the renewal form.

Here's what each control actually means in plain English, and where most Australian small businesses get stuck.

The eight controls

  1. Application control — only approved apps can run on a device. In practice this means Microsoft AppLocker or Windows Defender Application Control with an allow-list. At Maturity Level 1 the allow-list only has to cover user profiles and temporary folders (the places a phishing payload lands), which is far less work than locking down every path on the machine.
  2. Patch applications — browsers, Office, email clients, PDF readers and security products patched within two weeks of a fix being released; internet-facing online services within 48 hours when an exploit exists. The model also expects a vulnerability scanner, not a spreadsheet, to find what is missing.
  3. Configure Microsoft Office macros — macros in files from the internet are blocked, macro antivirus scanning is on, and only signed macros from trusted publishers run, and only for the few staff who need them. Users can't change the setting themselves.
  4. User application hardening — browsers don't process Java or web advertisements from the internet, Internet Explorer 11 is disabled or removed, and users can't undo that. (Flash reached end-of-life in 2020 and should simply be uninstalled.) Higher levels add Office hardening such as stopping Office from launching child processes.
  5. Restrict administrative privileges — staff don't run as local admin. Admin accounts are separate, granted only on a justified request, reviewed at least yearly, and can't browse the web or read email.
  6. Patch operating systems — the same two-week / 48-hour rule for internet-facing servers and network devices; workstations and internal servers within a month; and no operating system the vendor no longer supports.
  7. Multi-factor authentication — MFA on every internet-facing service that holds your sensitive data, on privileged accounts, and on remote access. Higher levels require phishing-resistant MFA (FIDO2 keys, Windows Hello for Business), so SMS codes won't carry you far.
  8. Regular backups — important data, software and configs backed up, retained in line with your business continuity requirements (three months is a sensible minimum), kept where unprivileged accounts can't reach them, and tested by restore, not just by green tick.
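The macro settings in control 3 are a handful of Office policy registry values. The script below is an added example written for this guide, not code from the article, the ACSC or Microsoft: it applies the Maturity Level 1 macro settings for the current user and then reads them back as a check. It assumes Microsoft 365 Apps or Office 2016 and later (the "16.0" policy hive); for a fleet you would push the same values with Intune or Group Policy rather than run this per user.

```powershell
# Added example: apply and verify the Essential Eight control 3 macro settings for the
# current user via the Office policy hive. Assumes the 16.0 (Office 2016+/M365 Apps) hive.

$officeApps = 'Word', 'Excel', 'PowerPoint'   # the VBA hosts most SMBs actually use

function Set-MacroHardening {
    foreach ($app in $officeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null

        # VBAWarnings 3 = "Disable all macros except digitally signed macros"
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord

        # Block macros in files that carry Mark of the Web (downloads, email attachments)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }

    # Macro antivirus (AMSI) scanning for every document, not only low-trust ones
    $common = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
    New-Item -Path $common -Force | Out-Null
    Set-ItemProperty -Path $common -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord
}

function Test-MacroHardening {
    # Returns $true only when every expected value is present; warns about each gap otherwise.
    $ok = $true
    foreach ($app in $officeApps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props.VBAWarnings -ne 3) {
            Write-Warning "${app}: VBAWarnings is '$($props.VBAWarnings)', expected 3"; $ok = $false
        }
        if ($props.blockcontentexecutionfrominternet -ne 1) {
            Write-Warning "${app}: macros from the internet are not blocked"; $ok = $false
        }
    }
    $scan = (Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security' `
                -ErrorAction SilentlyContinue).MacroRuntimeScanScope
    if ($scan -ne 2) { Write-Warning "MacroRuntimeScanScope is '$scan', expected 2"; $ok = $false }
    return $ok
}

Set-MacroHardening
Test-MacroHardening   # returns True once the settings are in place
```

Because the values live under the Policies hive, the user sees them greyed out in the Trust Center, which is the "users cannot change the setting" evidence an assessor asks for.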

Where SMBs typically get stuck

The two controls that catch nearly every business out are application control and restricting admin privileges. Both require a discovery phase: you can't allow-list apps you don't know are running, so the allow-list goes in audit-only mode first and you read the log of what would have been blocked; and you can't take admin off staff who genuinely need it until you have an inventory of who needs it for what and a workflow for elevation requests.
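The discovery phase for application control, as an added example written for this guide rather than code from the article or from Microsoft. It builds an AppLocker allow-list from the standard program folders on a pilot machine, applies it in AuditOnly mode so nothing is blocked, and then reads the audit events back to see what would have been blocked before any rule is enforced. It assumes a Windows edition that enforces AppLocker (Enterprise, Education or Server), an elevated PowerShell session, and placeholder paths for the policy file and the sample download.

```powershell
# Added example: discovery-first AppLocker rollout on one pilot machine.
# Assumes Windows Enterprise/Education/Server and an elevated session.

$policyPath = 'C:\Temp\AppLocker-Baseline.xml'   # placeholder output path

function New-AuditOnlyBaseline {
    # Step 1: inventory known-good locations. Publisher rules for signed files, hash rules for the rest.
    # DLL rules are deliberately left out; they multiply the rule count and are not needed for ML1.
    $dirs  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
    $files = foreach ($d in $dirs) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
    }
    [xml]$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

    # Step 2: flip every rule collection to AuditOnly before it touches a machine.
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        $rc.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $policy.Save($policyPath)

    # AppLocker does nothing without the Application Identity service (a protected service, so sc.exe).
    sc.exe config appidsvc start= auto | Out-Null
    sc.exe start appidsvc | Out-Null
    Set-AppLockerPolicy -XmlPolicy $policyPath
}

function Get-WouldHaveBeenBlocked {
    # Step 3, after a few weeks of normal use: event 8003 = "ran, but would have been blocked if enforced".
    # -Statistics collapses repeats so each file appears once with a hit count.
    Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
        -EventType Audited -Statistics |
        Sort-Object Counter -Descending
}

function Add-DiscoveredApps {
    # Turn the audited files into rules and merge them into the live policy (still AuditOnly).
    # Review the list first: an unsigned updater.exe in someone's Downloads does not earn a rule just because it ran.
    Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize |
        Set-AppLockerPolicy -Merge
}

function Test-UserProfileDenied {
    # Sanity check before switching to Enforce: a fresh download in a user profile must not be allowed.
    $sample = "$env:USERPROFILE\Downloads\some-installer.exe"   # placeholder: any exe sitting in Downloads
    $decision = (Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone).PolicyDecision
    $decision -in 'Denied', 'DeniedByDefault'
}

New-AuditOnlyBaseline
Get-WouldHaveBeenBlocked | Format-Table FilePath, Counter -AutoSize
Test-UserProfileDenied
```

Only when Get-WouldHaveBeenBlocked returns nothing you recognise as legitimate business software do you change the EnforcementMode attributes to Enabled and redeploy; the audit log, not a survey of staff, is the inventory.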

How to start without boiling the ocean

  1. Turn on MFA everywhere. This week. A Conditional Access policy in Microsoft 365 takes about an hour (it needs Microsoft Entra ID P1, which Business Premium includes; on Basic or Standard, switch on Security Defaults instead). Start it in report-only mode and exclude one break-glass account so you can't lock yourself out.
  2. Move admin work to dedicated admin accounts. No admin rights on day-to-day logins, and no mailbox or web browsing on the admin accounts.
  3. Set Windows Update for Business or Intune update rings — quality updates within 7 days, feature updates deferred. Check the ring actually targets every device, not just the ones that happened to enrol.
  4. Run a backup restore drill. Pick one file and one mailbox. If you can't restore both in under an hour, you don't have backups — you have hope.
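Step 1 as an added example, written for this guide and not the article's own tooling: it creates the "MFA for everyone" Conditional Access policy with the Microsoft Graph PowerShell SDK in report-only mode, with a break-glass account excluded, and only switches it to enforced in a separate step once the report-only sign-in logs have been reviewed. It assumes Microsoft Entra ID P1, the Microsoft.Graph module installed, an admin who can consent to the two scopes, and a placeholder object ID for the emergency-access account.

```powershell
# Added example: "Require MFA for all users" Conditional Access policy via Microsoft Graph PowerShell.
# Assumes Entra ID P1 and the Microsoft.Graph module. The break-glass object ID is a placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of your emergency-access account

function New-RequireMfaPolicy {
    $body = @{
        displayName = 'E8 - Require MFA for all users'
        # Report-only: evaluated and logged on every sign-in, enforces nothing yet
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users = @{
                includeUsers = @('All')
                excludeUsers = @($breakGlassId)   # the one account that must never be locked out
            }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Enable-Policy {
    param([Parameter(Mandatory)][string] $PolicyId)
    # Run only after Entra ID > Sign-in logs > Report-only shows no unexpected failures
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter @{ state = 'enabled' }
}

function Get-EnforcedMfaPolicies {
    # The screen an assessor asks for: policies that are on and grant access only with MFA
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' } |
        Select-Object DisplayName, Id
}

$policy = New-RequireMfaPolicy
"Created '$($policy.DisplayName)' in report-only mode, id $($policy.Id)"
# ...watch the report-only sign-in logs for a few days, then:
# Enable-Policy -PolicyId $policy.Id
# Get-EnforcedMfaPolicies
```

The report-only step is not optional politeness: it is how you find the service account, shared mailbox or legacy scanner that will break the moment MFA is enforced, while the break-glass exclusion is what lets you recover if the policy turns out to be wrong.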

What auditors actually look at

An Essential Eight assessor isn't reading your policy document; they're checking your tenant and your endpoints. Expect screenshare requests for Intune compliance policies, Conditional Access rules, your patch dashboard and your backup retention settings, plus an AppLocker or WDAC policy export and a look at the macro settings on a real workstation. Your overall rating is the lowest level you reach on any single control, so those four screens get you through MFA, patching and backups, but application control and macro configuration need their own evidence before Maturity Level 1 is yours.

If you want a one-page checklist that maps your current Microsoft 365 tenant against the Essential Eight, our engineers can run a free 30-minute assessment — no obligation.
