Logo

AWS · Essential Eight

The Essential Eight is a moving target: maturity levels and why compliant decays

Most leaders treat the Essential Eight as a test you pass once. It is not. It is a maturity ladder you hold against an adversary that keeps moving, on systems that keep changing. The framing matters, because it decides whether you build a posture or a snapshot.

Infostatus · AWS Advanced Tier Services Partner · ~9 min read

The Australian Signals Directorate’s Essential Eight is the most widely cited security baseline in the country, and the most widely misread. The common mental model is binary: you are compliant or you are not, you passed the audit or you failed it. That model is wrong in two ways at once. The Essential Eight is not assessed as a pass or fail, and even if it were, the result would be out of date almost as soon as it was issued.

This piece is about those two truths and what follows from them. If you lead IT or risk in an organisation that is starting to feel Essential Eight pressure, the gap between “we passed” and “we are holding the line” is the gap this article is trying to close.

Not pass or fail, a maturity ladder

The Essential Eight is assessed against the Essential Eight Maturity Model, published and maintained by the Australian Cyber Security Centre (ACSC). The model does not grade you compliant or non-compliant. It places you on a ladder of Maturity Levels, broadly numbered Zero, One, Two and Three, where each rung describes how completely you have implemented the strategies and, crucially, how capable an adversary that posture is designed to withstand.

The principle behind the rungs is that higher levels counter more capable attackers. The lower end broadly corresponds to defending against opportunistic actors using widely available, commodity tradecraft. The higher end broadly corresponds to defending against adversaries who are more targeted, better resourced and more adaptive, willing to invest real time and money to get past stronger controls. Level Zero, in broad terms, means you have weaknesses that fall short of even the first rung.

We are deliberately keeping those descriptions general. The exact requirements at each level, and the specifics of what each rung demands, are revised by the ACSC periodically. Treat the summary here as the shape of the model and confirm the current definitions against the ACSC Essential Eight Maturity Model itself before you commit to a target or design controls around it.

Maturity LevelWhat it broadly means
Level ZeroWeaknesses remain that fall short of the model’s first rung.
Level OneBroadly counters opportunistic actors using common, widely available tradecraft.
Level TwoBroadly counters more targeted adversaries investing additional effort to get in.
Level ThreeBroadly counters adaptive, well-resourced adversaries using advanced tradecraft.

A general orientation to the ladder. Confirm the precise, current definitions against the ACSC Essential Eight Maturity Model, which is updated from time to time.

You are at your weakest strategy

The second thing the binary model misses is how the assessment combines. The Essential Eight is eight separate mitigation strategies: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. Maturity is not assessed one strategy at a time and then averaged. It is assessed across all eight together.

The practical consequence is uncompromising. Your overall maturity is, in effect, the lowest level you hold on any single one of the eight. The ACSC’s guidance is that organisations should reach a given maturity level across all eight strategies before progressing any of them to the next. You do not get to bank Level Two on multi-factor authentication and patching while application control sits at Level One and call the result “mostly Level Two”. The result is Level One, because that is where the chain breaks.

A chain is as strong as its weakest link, and so are you. Seven strategies at a high standard and one left behind does not average out. An attacker does not attempt the strategy you are best at; they attempt the one you neglected. Maturity is set by your weakest control, not your best.

This is why “we have MFA and good backups” is not an Essential Eight answer. It might be two strong links. The question the model asks is about the weakest one.

Why compliant decays

Now assume you have done the work and reached your target level across all eight. Here is the uncomfortable part: that statement starts going stale the moment it is true.

Controls are not monuments; they are configurations sitting on top of living systems, and living systems drift. Applications and operating systems release new versions, and the patching posture that was current last month is behind this month. Exceptions accumulate quietly, a server excluded from a baseline for a project that finished a year ago, an account granted standing administrative rights “just for the migration”. New software is installed, new macros are enabled, a hardening setting is relaxed to fix a support ticket and never restored. None of this is negligence. It is the normal entropy of an estate in use.

So a point-in-time assessment describes a state that has already begun to dissolve. The audit report dated last quarter is an accurate photograph of a building that has been renovated since. The decay is not a failure of the assessment, it is a property of the thing being assessed. Which is exactly why a once-a-year attestation is the wrong instrument for a moving target.

The pressure is real

If the Essential Eight has suddenly arrived on your agenda, there is a reason, and it is worth naming so you can size your response to it.

The first driver is government. The Essential Eight underpins reporting and mandates that apply to Commonwealth entities, with the ASD and ACSC steering the framework and its measurement. For those organisations, maturity against the Essential Eight is an obligation, not a nice-to-have, and it is reported on.

The second driver is the way that obligation propagates. Government and large enterprises do not absorb their security expectations alone; they push them down their supply chains. If you sell to government, to defence-adjacent primes, or to large regulated enterprises, your Essential Eight posture increasingly shows up in their contracts, their tenders and their vendor risk questionnaires. Cyber-insurance underwriting is moving the same way. So even a private organisation with no direct mandate finds the Essential Eight on the table, because a customer or an insurer has put it there. That is usually why “everyone is suddenly asking”.

What the cloud changes

Here is where the architecture of where you run starts to matter, because the weakness of the point-in-time model is largely a weakness of how the evidence is gathered. Reconstructing a control’s state at audit time, from screenshots and spreadsheets and a scramble of exports, is what makes assessment a periodic, painful event. On AWS, that changes shape.

The relevant controls become measurable and continuously evidenced rather than periodically reconstructed. A few of the native services that do this work:

  • AWS Config records the configuration of your resources over time and evaluates them continuously against rules, so “is this resource compliant with our baseline?” is a query with a timestamped answer, not a manual review.
  • AWS Security Hub aggregates and prioritises security findings across accounts and services, and can run automated checks against established standards, giving a single, current view of posture.
  • AWS Systems Manager provides compliance and patch state across your fleet, so operating-system and application patch levels, central to two of the eight strategies, are reported continuously rather than sampled.

The shift is from attestation to telemetry. When the platform is recording configuration and compliance as it happens, you can show your maturity on any given day, including today, because the evidence is being generated continuously rather than assembled in a fortnight of audit preparation. That does not make you compliant on its own. It makes compliance observable, which is the precondition for keeping it.

Pick a target, then hold it

Put the pieces together and the right operating posture follows directly. Because the model is a ladder, you must choose a rung: a target maturity level proportionate to your risk, your sector and the obligations flowing toward you through contracts and insurance. Not every organisation needs the top of the ladder, and over-reaching on one strategy while others lag wins you nothing.

Because maturity is set by your weakest strategy, you raise all eight to that target together rather than gold-plating a favourite few. And because compliant decays, the target is not something you hit once and attest to annually. It is something you hold continuously, with evidence, watching the drift and correcting it before it pulls a control off its rung.

That is the whole reframe. The Essential Eight is not a certificate on the wall. It is a level you choose, reach across all eight strategies, and then defend day after day against an estate that keeps changing and an adversary that keeps probing. The cloud will not choose your target or do the holding for you, but it is what finally makes the holding visible, and a thing you cannot see is a thing you cannot keep.

This is one piece of a larger method

The Essential Eight is eight strategies and a maturity ladder. The full guide maps all eight onto AWS, sets out the maturity levels, and gives a 180-day plan to move up them.

Read: The Essential Eight on AWS, a practical implementation guide
Infostatus is an AWS Advanced Tier Services Partner. This article is general technical guidance; validate conversions and settings against current AWS documentation and your own workload before relying on them in production.
Share this post:

Related Articles

View All Insights
25Eight: Scaling Personalised Learning with Generative AI on AWS
Case Study

25Eight: Scaling Personalised Learning with Generative AI on AWS

How AWS Cloud Managed Services Free Internal Teams to Focus on Innovation
Blog

How AWS Cloud Managed Services Free Internal Teams to Focus on Innovation

Optimising Cloud Costs: Infostatus's Approach to Cost Management, Governance, and Efficiency
Blog

Optimising Cloud Costs: Infostatus's Approach to Cost Management, Governance, and Efficiency

Join our newsletter to stay up to date

By submitting, you agree to our Privacy Policy