Last Updated on August 7, 2025 by Arnav Sharma
In this blog, we will look into the specifics of the Essential Eight Maturity Model, comparing the different maturity levels and exploring what it takes to advance from one level to the next. Whether you’re just starting your cyber security journey or looking to enhance your existing practices, understanding these maturity levels is crucial for achieving a good cyber security posture.
Essential 8 Maturity Levels Comparison
| Essential 8 Strategy | Maturity Level 1 | Maturity Level 2 | Maturity Level 3 |
|---|---|---|---|
| Application Whitelisting | – Basic whitelisting of executables. – Only allows trusted executable files to run. – Protects against common malware and unapproved software. | – Whitelisting of executables, scripts, and installers. – Adds whitelisting for scripts and installers to prevent unauthorized software. – Reduces the risk from more sophisticated threats using scripts and installers. | – Comprehensive whitelisting including libraries and applications. – Extends whitelisting to include libraries and all types of applications, providing a robust security layer. – Provides the highest level of protection by ensuring only fully vetted software components can run. |
| Patch Applications | – Patching within 30 days. – Applies security patches for known vulnerabilities within a month. – Balances operational impact with security needs. | – Patching within 14 days. – Speeds up the patching process to address vulnerabilities faster. – Ensures more timely protection against exploits. | – Patching within 48 hours. – Implements an urgent patching process to minimize the window of exposure. – Drastically reduces the risk of exploitation by rapidly closing security gaps. |
| Configure Microsoft Office Macro Settings | – Block macros from the internet. – Disables macros from untrusted sources to prevent malware. – Basic level of protection against macro-based attacks. | – Allow only macros from trusted locations. – Allows macros only from trusted, secure locations to reduce risk. – Balances usability with security by permitting necessary macros. | – Use of Group Policy to enforce macro settings. – Enforces strict macro policies through centralized management, ensuring compliance and security. – Comprehensive control over macro execution to prevent unauthorized access or actions. |
| User Application Hardening | – Basic hardening techniques. – Removes or disables unnecessary features to reduce attack surfaces. – Provides a fundamental defense against common exploits. | – Additional hardening to block browser ads and prevent Flash content. – Adds protections against web-based threats and deprecated technologies like Flash. – Enhances security by addressing more specific and sophisticated threats. | – Comprehensive hardening including blocking Java and unnecessary browser extensions. – Implements thorough hardening measures to block high-risk content and minimize vulnerabilities. – Maximizes protection by eliminating broad categories of potential vulnerabilities. |
| Restrict Administrative Privileges | – Review of administrative privileges every 6 months. – Periodic checks to ensure admin privileges are still necessary. – Helps prevent privilege creep and reduces the risk of misuse. | – Regular review and monitoring of administrative accounts. – More frequent reviews to promptly identify and remove unnecessary privileges. – Maintains tighter control over administrative access to reduce risk. | – Continuous monitoring and review with just-in-time admin access. – Implements just-in-time access and continuous monitoring for the highest level of security. – Ensures administrative privileges are used only when absolutely necessary, minimizing potential misuse. |
| Patch Operating Systems | – Patching within 30 days. – Applies critical OS updates within a month to protect against known threats. – Ensures systems are regularly updated without significant operational disruption. | – Patching within 14 days. – Accelerates the patching timeline to address vulnerabilities more swiftly. – Enhances protection by reducing the window of vulnerability. | – Patching within 48 hours. – Implements immediate patching for critical updates to minimize exposure to threats. – Provides the highest level of protection with minimal delay between patch release and application. |
| Multi-Factor Authentication | – MFA for remote access and critical data. – Requires additional authentication for remote and critical access to add an extra layer of security. – Provides essential protection against unauthorized access to critical systems. | – MFA for all users accessing sensitive information. – Expands MFA requirements to include all users accessing sensitive information, enhancing security. – Reduces the risk of credential theft and unauthorized access for sensitive data. | – MFA for all users and privileged accounts with hardened devices. – Enforces MFA for all access points, including privileged accounts, ensuring maximum security. – Combines MFA with hardened devices for privileged users, offering the strongest level of protection. |
| Daily Backups | – Daily backups stored offsite. – Ensures critical data is backed up daily and stored in a secure offsite location. – Provides basic recovery capability in case of data loss or cyber incidents. | – Daily backups stored offsite and verified quarterly. – Adds regular verification to ensure backups are complete and accurate. – Enhances reliability of backups, ensuring they can be restored when needed. | – Daily backups stored offsite, verified, and tested quarterly with a recovery exercise every 6 months. – Includes comprehensive verification and testing to guarantee backup integrity and recovery capability. – Ensures a robust backup and recovery process, capable of restoring operations swiftly in case of disaster. |
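To make the "Configure Microsoft Office Macro Settings" row concrete, here is an added PowerShell audit (example code, not from the original post or from the ACSC) that reads the Office macro registry values and reports which of the three levels in the table a user's Word, Excel and PowerPoint configuration is consistent with. It assumes Office 2016/Microsoft 365 (registry version `16.0`), and the mapping of `blockcontentexecutionfrominternet`, `VBAWarnings`, `AllLocationsDisabled` and the Policies hive to the three levels is this example's own interpretation of the table.

```powershell
# Added example: audit Office macro settings against the table's three levels.
# Assumes Office 2016/365 (registry version "16.0"); change $OfficeVersion if needed.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroMaturity {
    param([string]$App)
    # Values pushed by Group Policy live under the Policies hive, which a standard
    # user cannot edit; the non-policy key is user-writable and so not "enforced".
    $PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $UserKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    $Source = $null
    foreach ($Key in @($PolicyKey, $UserKey)) {
        if (Test-Path $Key) { $Source = $Key; break }
    }
    if (-not $Source) {
        return [pscustomobject]@{ App = $App; Level = 0; Source = '(no macro settings found)' }
    }
    $Sec = Get-ItemProperty -Path $Source -ErrorAction SilentlyContinue
    $TrustedKey = Join-Path $Source 'Trusted Locations'
    $Trusted = if (Test-Path $TrustedKey) { Get-ItemProperty -Path $TrustedKey } else { $null }

    # Level 1 ("block macros from the internet"): macros in files carrying the
    # Mark of the Web are blocked when blockcontentexecutionfrominternet = 1.
    $BlocksInternet = ($Sec.blockcontentexecutionfrominternet -eq 1)
    # Level 2 ("allow only macros from trusted locations"): VBAWarnings = 4 disables
    # all macros without notification, while trusted locations stay enabled
    # (AllLocationsDisabled absent or 0), so only macros opened from a trusted
    # location can run.
    $DisableAll     = ($Sec.VBAWarnings -eq 4)
    $TrustedEnabled = ((-not $Trusted) -or ($Trusted.AllLocationsDisabled -ne 1))
    # Level 3 ("use of Group Policy to enforce macro settings"): the effective
    # values come from the Policies hive rather than the user-writable key.
    $Enforced = ($Source -eq $PolicyKey)

    $Level = 0
    if ($BlocksInternet) { $Level = 1 }
    if ($Level -eq 1 -and $DisableAll -and $TrustedEnabled) { $Level = 2 }
    if ($Level -eq 2 -and $Enforced) { $Level = 3 }
    [pscustomobject]@{
        App = $App; Level = $Level; Source = $Source
        BlocksInternet = $BlocksInternet
        TrustedLocationsOnly = ($DisableAll -and $TrustedEnabled)
        GroupPolicyEnforced = $Enforced
    }
}

$Apps | ForEach-Object { Get-MacroMaturity -App $_ } | Format-Table -AutoSize
```

Run it in the context of the user being audited, since the values are read from HKCU; a Level of 0 for an application means no macro restriction at all was found for it.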
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
Frequently Asked Questions
The Essential Eight Maturity Model consists of three progressive levels that represent increasing sophistication in cybersecurity practices. Level 1 provides basic security controls, Level 2 enhances these with more frequent updates and broader coverage, and Level 3 implements the most comprehensive and continuous security measures. Each level builds upon the previous one to strengthen an organization's overall cyber security posture.
Patching frequency increases significantly across the three levels to minimize vulnerability exposure windows. Level 1 requires patching within 30 days, Level 2 accelerates this to 14 days, and Level 3 implements the fastest response with patching within 48 hours. This progression ensures that critical security vulnerabilities are addressed more rapidly as organizations advance their maturity.
Just-in-time admin access is a security practice implemented at Level 3 of the Restrict Administrative Privileges strategy, where administrative privileges are granted only when absolutely necessary and immediately revoked afterward. Combined with continuous monitoring and regular reviews, this approach minimizes the risk of privilege misuse and ensures that administrative access is tightly controlled. This represents the highest level of protection in managing administrative privileges.
Application Whitelisting protection expands progressively across the three levels to cover more potential attack vectors. Level 1 covers only executables, Level 2 adds scripts and installers, and Level 3 provides comprehensive whitelisting including libraries and all types of applications. This escalation ensures that only fully vetted software components can execute, providing increasingly robust defense against malware and unauthorized software.
Level 3 Daily Backups includes comprehensive testing with quarterly verification and recovery exercises conducted every 6 months. These testing procedures ensure that backups are not only complete and accurate but also capable of being successfully restored when needed. This robust backup and recovery process guarantees an organization can swiftly restore operations in case of a disaster or cyber incident.