This week the Australian Cyber Security Centre (ACSC) published an update to the Essential Eight Maturity Model, following an extensive review to ensure that it continues to be relevant in contemporary cyber threat environments.
This review was based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing, and assisting organisations to implement the Essential Eight.
At Hastwell we see a lot of organisations that struggle to address all controls in the strategy. A number of notable recent changes now address this:
- The ACSC no longer expects all organisations to meet Maturity Level Three. Rather, they encourage organisations to assess their threat environment and select the appropriate maturity level.
- Focus has shifted to a risk-based approach rather than a compliance-based approach, recognising that many organisations have legacy systems, carry technical debt or have systems that aren’t based upon secure-by-design principles, all of which inhibit full implementation of the ACSC’s advice.
- There is an increased emphasis on implementing the mitigation strategies as a package, e.g. addressing all controls in Maturity Level One before moving on to Maturity Level Two.
The Essential Eight security strategies outline the bare minimum security controls that every business must implement. How does your business compare against the new model?