Essential Eight

The Essential Eight are ASD's prioritised mitigation strategies. QuantAssure maps ISM controls to E8 strategies and tracks your maturity level across all eight.

What Is the Essential Eight?

  • Eight mitigation strategies from ASD
  • Each has maturity levels: ML0 (not implemented) through ML3 (fully mature)
  • Many ISM controls relate directly to E8 strategies
  • Strong E8 maturity addresses a significant portion of IRAP controls

Maturity Levels: ML0 indicates the strategy is not implemented. ML1, ML2, and ML3 represent progressively stronger implementations of each strategy.

The Maturity Dashboard

  • Navigate to Compliance → Essential Eight
  • View overall maturity level (lowest across all strategies)
  • See per-strategy maturity with compliance percentages
  • Each strategy card shows:
    • Current maturity level achieved
    • Number of controls compliant vs total at each ML
    • Progress bar toward next maturity level

Pro tip: Your overall maturity level is determined by your lowest strategy maturity. Focus on bringing up your weakest areas to improve your overall posture.

The Eight Strategies

Strategy                            Focus area
Application Control                 Preventing unauthorised applications
Patch Applications                  Keeping applications up to date
Configure Microsoft Office Macros   Restricting macro execution
User Application Hardening          Reducing application attack surface
Restrict Administrative Privileges  Limiting privileged access
Patch Operating Systems             Keeping OS up to date
Multi-Factor Authentication         Requiring MFA for access
Regular Backups                     Maintaining data recovery capability

Using E8 for IRAP Preparation

  • Filter ISM controls by E8 strategy to focus your work
  • Achieving ML2 across all strategies covers a substantial portion of OFFICIAL: Sensitive controls
  • Use the maturity dashboard to track progress
  • Address one strategy at a time for focused improvement

IRAP Assessment: While the Essential Eight are important, IRAP assessors will evaluate all applicable ISM controls. Use E8 as a prioritisation framework, not a replacement for full ISM compliance.