Free tool · 6 minutes
ESSENTIAL EIGHT — MAPPED TO MICROSOFT 365.
Score each of the ACSC's eight strategies against your current reality. Pick a target Maturity Level. Get the Microsoft 365 tooling that closes the gap — Intune, Defender, Entra ID, Purview, the lot. Export to PDF for your next board pack.
Score each of the 8 strategies
Where are you on the Essential Eight — honestly?
Eight strategies. Four levels each. Pick the statement closest to your reality today. We'll map it to the Microsoft 365 tooling that closes the gap.
What's your target Maturity Level?
Maturity Level 2 — most orgs' pragmatic target
- 01 Application control: Only approved applications can execute on workstations and servers.
- 02 Patch applications: Internet-facing apps, browsers, Office, PDF readers patched promptly.
- 03 Microsoft Office macros: Macros disabled unless from trusted locations and signed by a trusted publisher.
- 04 User application hardening: Web browsers and productivity apps hardened against the most common attacks.
- 05 Restrict administrative privileges: Admin accounts limited, separated and reviewed — the crown jewels of the tenant.
- 06 Patch operating systems: Operating system patches applied on a schedule that matches the risk.
- 07 Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
- 08 Regular backups: Backups of important data, configuration and software — and restores you have actually tested.
FAQ
Common questions on the Essential Eight in Microsoft 365
- What is the ACSC Essential Eight?
- The Essential Eight is the Australian Cyber Security Centre's prioritised list of mitigation strategies. The eight strategies are application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Each strategy is scored on a Maturity Level from ML0 (not implemented) through ML3 (advanced).
- What Maturity Level should an Australian midmarket business target?
- Most non-government Australian organisations target Maturity Level 2 (ML2). It is the level the ACSC describes as defending against adversaries with a 'modest step-up in capability' from ML1 — the most common pragmatic target for boards and auditors. Federal government and critical infrastructure entities are typically required to reach ML2 or ML3 depending on classification and SOCI status.
- Can the Microsoft 365 stack actually deliver Essential Eight ML2?
- Yes. With the right SKU mix, Microsoft 365 covers all eight strategies natively: Intune for application control and patching, Defender for Endpoint for user application hardening, Entra ID Conditional Access and PIM for restricting administrative privileges, Entra MFA for multi-factor authentication, and the Microsoft 365 Backup product or a third-party product for backups. The tool maps each strategy to the specific Microsoft control.
- Is the assessment audit-ready?
- The output is a self-assessment baseline, not an external attestation. It is exactly what most AU boards and internal audit teams use as a starting point — a documented score per strategy, target ML, and the named tooling required to close each gap. For a formal IRAP or APRA-grade attestation you need an accredited assessor; Frontrow runs uplift programs that produce the evidence pack those assessors expect.
- Does this cost anything?
- No. The tool is free and there is no email gate. PDF and Excel export are included. Frontrow makes money on the uplift programs that follow, not on the assessment.