Essential Eight Compliance Checklist (Melbourne Guide for 2026)
The Essential Eight is now functionally mandatory for any Victorian business with government clients, defence-adjacent contracts, or cyber insurance. The interesting question is no longer whether to do it. It is which maturity level you actually need, how long it takes to get there, and what specifically changes inside your environment along the way.
For most Melbourne SMBs, the answer is Maturity Level 1 as a baseline and Maturity Level 2 if you sell into defence, government, or regulated industries. Since November 2025, every member of the Defence Industry Security Program (DISP) is required to hold ML2 across all eight controls — not the old Top 4. That single change has dragged the rest of the Australian SMB market with it, because customers in DISP-aligned supply chains now push the same evidence requirements down to their own vendors.
What the Essential Eight actually is
The Essential Eight is the Australian Signals Directorate's prioritised set of eight mitigation strategies designed to make compromise materially harder. The framework targets the attack chain rather than specific tools — application execution, patching velocity, macro behaviour, application hardening, privilege use, OS patching, multi-factor authentication, and backup integrity. Each control maps to a documented attacker behaviour the ASD has observed in real Australian incidents.
The framework is not a product. It is not a vendor stack. It is a maturity model with four levels, and the path between them is the actual work.
Why Essential Eight now applies to Victorian SMBs whether you've heard of it or not
Three forces compound:
- DISP membership now requires ML2 across all eight controls. If you do any work that touches defence supply chains, this is your floor.
- Cyber insurance underwriting in Australia routinely asks for Essential Eight evidence — particularly MFA coverage and patching cadence — and prices accordingly. Policies often exclude losses on unsupported operating systems entirely.
- Procurement questionnaires from larger Australian customers now include Essential Eight maturity self-attestation. SMBs answer for it whether they have a formal program or not.
For most 20-150 seat Melbourne businesses the practical question is no longer should we, it's what level, by when, and what does the work look like internally.
The 8 controls, with the SMB reality for each
Each control below covers what it does, the implementation mistake we see repeatedly in Victorian SMBs, and what the gap between Maturity Level 1 and Maturity Level 2 actually looks like in practice. All control definitions trace back to the ACSC Essential Eight Maturity Model.
1. Application Control
Restricts which executables, libraries, scripts, installers, and HTML applications are allowed to run on workstations and servers. At ML1 the control is in place for user profiles and standard application directories; at ML2 it extends to all locations and includes Microsoft's recommended block rules for executables that bypass the control.
The common SMB mistake is treating this as "antivirus does that." It doesn't. Antivirus identifies known-bad. Application control whitelists known-good. Without it, a user who downloads a legitimate-looking signed installer can still execute arbitrary code. The right starting point is Microsoft Defender Application Control on managed Windows endpoints, scoped first to executables in user-writable directories.
2. Patch Applications
Patches internet-facing applications within 48 hours of an exploit being known, and other applications within two weeks. At ML2 the patch window for internet-facing applications tightens to 48 hours from patch release (not exploit publication), and vulnerability scanning becomes weekly across all applications.
The SMB mistake here is treating "patched" as "Windows Update is on." Microsoft's monthly cadence is fine for Windows itself but slow for everything else — browsers, PDF readers, MFA clients, line-of-business software. A real patch program means weekly automated scans against a CVE source and an inventory that lists every application by version. Most Melbourne SMBs we see are running 30-60 applications they cannot enumerate accurately.
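An added example (not Communicat's tooling or anything from the original page) of the per-version application inventory described above: it reads the three registry locations Windows uses to record installed software and exports one CSV per endpoint. The CSV path and the SystemComponent filter are assumptions; run it on each managed workstation and diff the exports week over week.

```powershell
# Added example: enumerate installed applications by version from the three registry
# locations Windows uses, so the list can be fed to a vulnerability scan and compared
# against last week's export. Read-only; no elevation needed for the HKCU hive.
function Get-InstalledApplicationInventory {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # 64-bit, machine-wide
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs (browsers, Teams, etc.)
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # skip hidden components and update stubs
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Name         = $_.DisplayName.Trim()
                Version      = $_.DisplayVersion
                Publisher    = $_.Publisher
                InstallDate  = $_.InstallDate        # yyyyMMdd string when the installer recorded one
                Scope        = if ($_.PSDrive.Name -eq 'HKCU') { 'User' } else { 'Machine' }
            }
        } |
        Sort-Object Name, Version -Unique
}

# One CSV per host; collect these centrally so the fleet-wide count is known, not guessed.
$inventory = Get-InstalledApplicationInventory
$inventory | Export-Csv -Path "$env:TEMP\app-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
'{0} applications recorded on {1}' -f $inventory.Count, $env:COMPUTERNAME
```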
3. Configure Microsoft Office Macros
Macros are blocked from running unless the document is from a trusted location, signed by a trusted publisher, or has been individually approved. At ML2, macros are blocked from running unless within a trusted location AND from a vetted publisher — both requirements, not either.
The mistake is doing this once via Group Policy and assuming it sticks. Office macro settings are routinely overridden by user-installed Office variants, M365 tenant policies that don't replicate the on-prem setting, and unmanaged personal devices that touch shared documents. A real implementation includes Microsoft 365 Defender for Office 365 configuration plus continuous policy validation.
4. User Application Hardening
Web browsers, Office, PDF readers, and similar tools are configured to block the features attackers exploit — Flash (legacy), Java in browsers, web advertising, OLE objects, and weak ciphers in browsers. At ML2, this extends to PowerShell logging, browser extension restrictions, and disabling .NET Framework v3.5 and earlier.
Most SMBs implement the user-facing parts (no Flash, no Java) and miss the engineering-facing parts (PowerShell logging, .NET version constraints). The latter is where modern attackers actually live. See why antivirus alone isn't enough for the underlying attack pattern.
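An added example (not Communicat's tooling or code from the original page) of the "continuous policy validation" the macro section calls for, extended to the engineering-facing hardening items above: it reads the policy registry values behind the macro settings, PowerShell script block and module logging, and the .NET Framework 3.5 feature state, and records pass/fail rows as evidence. It assumes Office 2016 or later / Microsoft 365 Apps (policy hive 16.0), that it is run elevated so the feature state can be read, and that the CSV path is yours to change.

```powershell
# Added example: read-only check of the policy values behind the macro and hardening controls.
function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int[]]$Expected, [string]$Control)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Control  = $Control
        Setting  = "$Path\$Name"
        Expected = ($Expected -join ' or ')
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Pass     = ($null -ne $actual -and $actual -in $Expected)
    }
}

function Get-EssentialEightWorkstationEvidence {
    $results = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        # VBAWarnings 3 = disabled except digitally signed, 4 = disabled without notification
        Test-RegistryValue -Path $sec -Name 'VBAWarnings' -Expected 3, 4 -Control "Macros ($app)"
        # Files carrying Mark-of-the-Web: macros blocked regardless of the user's own setting
        Test-RegistryValue -Path $sec -Name 'blockcontentexecutionfrominternet' -Expected 1 -Control "Macros ($app)"
    }
    $ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $results += Test-RegistryValue -Path "$ps\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Expected 1 -Control 'App hardening'
    $results += Test-RegistryValue -Path "$ps\ModuleLogging" -Name 'EnableModuleLogging' -Expected 1 -Control 'App hardening'

    # .NET Framework 3.5 (which carries 2.0 and 3.0) should be disabled or removed at ML2
    $netfx = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3 -ErrorAction SilentlyContinue).State
    $results += [pscustomobject]@{
        Control  = 'App hardening'
        Setting  = 'WindowsOptionalFeature NetFx3'
        Expected = 'Disabled or DisabledWithPayloadRemoved'
        Actual   = if ($netfx) { "$netfx" } else { '<unknown: run elevated>' }
        Pass     = ("$netfx" -in 'Disabled', 'DisabledWithPayloadRemoved')
    }
    $results
}

$evidence = Get-EssentialEightWorkstationEvidence
$evidence | Format-Table Control, Setting, Expected, Actual, Pass -AutoSize
# Keep the export as audit evidence next to the GPO or Intune policy export it should match
$evidence | Export-Csv -Path "$env:TEMP\e8-workstation-$env:COMPUTERNAME.csv" -NoTypeInformation
```

A row that fails on a machine where the policy is "deployed" is exactly the drift the section describes: a user-installed Office variant, a tenant policy that never reached the endpoint, or a setting overridden locally.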
5. Restrict Administrative Privileges
Privileged accounts are segregated from standard user accounts, used only for privileged tasks, and the privileged environment is hardened separately. At ML2, privileged access workstations are mandatory and credentials for privileged accounts cannot be cached.
The SMB mistake is keeping an everyday user account with local admin rights "because it's faster." Every successful ransomware engagement we have reviewed in the last two years exploited this exact pattern. The fix is unsexy: separate accounts, separate workstations or sessions for admin tasks, time-limited just-in-time access where possible. The implementation is procedural before it is technical.
6. Patch Operating Systems
Operating systems on internet-facing servers and workstations are patched within 48 hours of an exploit being known; other systems within two weeks. At ML2 the timeline tightens, weekly scanning is required across the fleet, and unsupported OS versions must be removed.
The SMB mistake worth naming: running Windows Server 2012/2012 R2 in production. Extended support ended in October 2023. Server 2016 ends January 2027. We covered the broader OS-vs-hardware compatibility trap in The Server 2025 trap hardware warranty doesn't solve. Patching cadence does not save you from running unsupported software.
7. Multi-Factor Authentication (MFA)
MFA is required for all remote access, all privileged actions, and access to data repositories holding sensitive information. At ML2, MFA is phishing-resistant for privileged accounts — meaning hardware tokens, certificate-based authentication, or platform authenticators, not SMS or push prompts.
The pervasive SMB mistake is SMS-based MFA on M365 admin accounts. SMS MFA has been bypassable since 2016 via SIM swap and SS7 attacks; the ACSC formally deprecated it for privileged accounts in the November 2023 update. Microsoft Authenticator with number-matching is acceptable at ML1; FIDO2 hardware keys are the right answer for ML2.
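An added example (not Communicat's tooling or code from the original page) of how to find the SMS-on-admin-accounts gap in your own tenant: it lists the registered authentication methods of every Global Administrator and flags accounts that still have a phone (SMS/voice) method or lack a phishing-resistant one. It assumes the Microsoft.Graph PowerShell module, an account granted the two read scopes below, and that the role is the built-in Global Administrator role; extend the role list for other privileged roles.

```powershell
# Added example: audit Global Administrator MFA methods via Microsoft Graph (read-only).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All' -NoWelcome

$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# Methods that count as phishing-resistant for ML2 (hardware keys, passkeys, platform authenticators)
$phishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

$report = foreach ($m in $members) {
    # Service principals can hold the role too; only user objects have authentication methods
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id
    $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    [pscustomobject]@{
        User              = $m.AdditionalProperties['userPrincipalName']
        Methods           = ($types -replace '#microsoft.graph.', '' -replace 'AuthenticationMethod', '') -join ', '
        HasSmsOrVoice     = ('#microsoft.graph.phoneAuthenticationMethod' -in $types)
        PhishingResistant = [bool]($types | Where-Object { $_ -in $phishingResistant })
    }
}

# ML2 target for privileged accounts: PhishingResistant = True and HasSmsOrVoice = False on every row
$report | Sort-Object PhishingResistant | Format-Table -AutoSize
$report | Where-Object { -not $_.PhishingResistant -or $_.HasSmsOrVoice } |
    Export-Csv -Path "$env:TEMP\ga-mfa-gaps.csv" -NoTypeInformation
```

The exported gap list is the evidence an insurer or DISP assessor will ask for; re-run it after each phone method is removed and each FIDO2 key is registered.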
8. Regular Backups
Backups of important data, software, and configuration are performed and retained per business requirements, tested regularly, and protected from unauthorised modification. At ML2, backups are tested in a coordinated manner at least quarterly, and modification or deletion of backups requires privileged access that cannot be granted through a standard credential compromise.
The mistake almost every SMB makes here is one trust boundary. If the credential that can write to your file server can also delete the backups, you do not have backups — you have data with two copies. We covered the architecture pattern in Immutable backup for security. True ML2 backups require separate credentials, separate trust boundaries, and immutable retention windows on the backup target.
Maturity Level requirements at a glance
The ACSC publishes the full maturity matrix (and it runs to dozens of pages). The summary view that matters for an SMB decision-maker:
| Control | Maturity Level 1 (most SMBs) | Maturity Level 2 (DISP / regulated) | Maturity Level 3 (defence / critical infra) |
|---|---|---|---|
| Application Control | User profiles + temp dirs | All workstations + servers | Server allowlists driven by attestation |
| Patch Applications | Internet-facing in 1 month, others 1 month | Internet-facing in 48h, weekly scan | Internet-facing in 48h, daily scan |
| Office Macros | Blocked from internet | Trusted location + signed publisher | Above + per-user justification |
| User Application Hardening | Flash, Java, ads blocked | + PowerShell logging, .NET v3.5 disabled | + Application sandboxing |
| Restrict Admin Privileges | Separate accounts | + Privileged Access Workstations | + Just-in-time, regularly revalidated |
| Patch Operating Systems | Internet-facing in 1 month | Internet-facing in 48h, weekly scan | Internet-facing in 48h, daily scan |
| MFA | All remote + privileged | + Phishing-resistant for privileged | + Phishing-resistant for all access |
| Regular Backups | Performed + offsite | + Quarterly tested + immutable | + Tested fortnightly + air-gapped option |
The ACSC's guidance is unambiguous: implement all eight at the same level. A business at ML2 on seven controls and ML0 on one is exposed at the lowest control's level. Attackers will find that gap.
A realistic 30/60/90-day implementation plan
This is the rough shape of a Communicat-led ML1 → ML2 uplift for a 50-seat Melbourne professional services firm. Your real plan changes with starting maturity, but the phases hold.
Days 1-30 — Inventory and quick wins. Stand up an accurate application inventory. Audit every privileged account against actual responsibilities. Enforce phishing-resistant MFA on every M365 global admin and every privileged role in core line-of-business systems. Block macros from internet origins via M365 tenant policy. Validate backup architecture against the separate-trust-boundary test. Most ML1 gaps close in this window because the work is procedural, not technical.
Days 31-60 — The harder controls. Roll out Microsoft Defender Application Control to managed Windows endpoints, scoped to user-writable directories first. Tighten application patching cadence — weekly scans, 48-hour windows for internet-facing software. Implement PowerShell logging and disable .NET Framework v3.5 across the fleet. Begin separating privileged access onto dedicated workstations or sessions. This phase is where you actually move from ML1 to most of ML2.
Days 61-90 — Evidence and operationalisation. Document every control against the ACSC maturity definitions with evidence — screenshots, policy exports, log samples. Run the first coordinated backup restore test. Conduct the first internal review against the ASD Essential Eight Maturity Model and identify residual gaps. The output of this phase is what you put in front of a cyber insurer, a DISP renewal, or a procurement questionnaire — and what you hand to a vCISO if you have one.
What Essential Eight looks like in your industry
Industry context changes what the controls cost and where the risk concentrates.
Manufacturing. OT environments, legacy SCADA systems, and shop-floor PCs running Windows 7 or unsupported Windows Server versions are the recurring exposure. Patch Applications and Patch Operating Systems are the hardest controls because production downtime is expensive and OT vendors gate their own update cadence. ML1 is realistic for most Victorian manufacturers; ML2 requires a parallel hardened management network and a vendor conversation about supported OS roadmaps.
Healthcare and aged care. Privacy Act obligations and Notifiable Data Breach exposure compound the Essential Eight requirements. MFA and Restrict Administrative Privileges are the two controls under most pressure because clinical systems often use shared accounts at the workstation. Backups under ML2 are critical because aged care has been a ransomware target since 2022. Application Control deployment in clinical environments typically requires a staging plan to avoid blocking specialised software.
Legal. Client confidentiality combined with extensive email and document workflows pushes the focus to Office Macros, User Application Hardening, and MFA. Litigation holds change the backup retention picture — backups must be both immutable and discoverable. A small-to-mid legal practice can typically reach ML1 inside 60 days because the technology fleet is uniform (M365, Practice Management, document management) and well-understood.
Food and beverage. The exposure is a combination of cold-chain telemetry, ERP systems handling supplier and SKU data, and increasingly tight customer cyber requirements from major retailers. Patch Applications cadence often slips because the ERP vendor controls release timing. The recurring gap is Regular Backups — many F&B SMBs run a single nightly backup with no offsite copy, which would fail ML1 inspection. ML1 is the right target for most; ML2 only makes sense if you supply Woolworths or Coles.
Common mistakes worth naming directly
- Treating it as a one-time project. The controls degrade if not actively managed — patch cadence slips, macro policies get overridden, MFA exclusions accumulate.
- Only doing the easy controls. MFA and backups are the popular wins. Application Control and privileged access management are where the actual risk sits.
- Using vendor self-assessment as evidence. Independent assessment is required by DISP renewal and increasingly by cyber insurers. A self-attested score is not the same as a verified one.
- Not testing backups. Untested backups have a roughly 40% restore failure rate at first attempt by Veeam's tracking — and the failure tends to show up at the moment you need them.
- Ignoring the user side. Phishing-resistant MFA, application hardening, and macro policy all touch user workflows. Without training and change management, the controls are silently bypassed within weeks.
How long does it take, and what does it actually cost
For a Victorian SMB starting from a baseline of "we have Microsoft 365 and antivirus":
- Reaching ML1: typically 30-60 days of focused work, $5,000-$15,000 in implementation effort, plus tooling already covered by M365 Business Premium for most SMBs.
- Reaching ML2: typically 90-180 days, $15,000-$40,000 in implementation effort, with hardware tokens or FIDO2 keys adding $50-$80 per privileged user.
- Maintaining ML1 or ML2: typically $20,000-$60,000 per year for a 50-150 seat business, depending on how much of the work is internal vs outsourced.
Communicat's Essential Eight assessment is fixed-price from $3,500 and produces the maturity scorecard, the gap analysis, and the implementation plan. Implementation itself is quoted against the gap analysis output and varies by environment.
How Communicat IT helps
We work with Victorian SMBs across manufacturing, healthcare, legal, and food and beverage to take Essential Eight from "we need to talk about this" to evidenced maturity. The work is:
- Assess your current maturity against the ACSC matrix
- Identify the gaps that move the needle, not just the easy ones
- Implement the required controls — including EDR/MDR coverage, endpoint security, patching, and backup architecture
- Improve visibility and reporting so the maturity claim survives audit
- Maintain the controls so they don't decay between reviews
Our focus is real security outcomes — the kind that survive a cyber insurance audit, a DISP renewal, or a procurement security questionnaire from a major customer.
Frequently asked questions
Is Essential Eight mandatory for Victorian businesses?
Not under general legislation. It is mandatory for DISP members at Maturity Level 2 across all eight controls as of November 2025. It is functionally mandatory if you sell into defence supply chains, hold government contracts, or maintain cyber insurance — your customers and insurers will require evidence of it whether the law does or not.
What maturity level should a Melbourne SMB aim for?
Maturity Level 1 is the right baseline for most 20-150 seat Victorian businesses without government or defence exposure. Maturity Level 2 is required if you sell into DISP, hold government clients, or have cyber insurance that explicitly references ML2. Maturity Level 3 is rare outside government and critical infrastructure operators.
How much does Essential Eight assessment and implementation cost?
Assessment alone typically runs $3,500-$8,000 fixed-price for an SMB. Implementation to reach ML1 from a typical M365-and-antivirus baseline is $5,000-$15,000; reaching ML2 is $15,000-$40,000. Ongoing maintenance is $20,000-$60,000 annually for a 50-150 seat business depending on internal vs outsourced split. Costs vary based on your starting state, fleet complexity, and how much tooling you already own.
Can we implement Essential Eight internally?
Some controls — particularly MFA enforcement and backup architecture — can be handled by a capable internal IT person. Application Control rollout, PowerShell logging, privileged access architecture, and the documentation required for ML2 evidence are typically faster and lower-risk with external specialist support. The pragmatic answer for most Victorian SMBs is a co-managed approach: internal team owns day-to-day, external partner owns the uplift and the audit-grade evidence.
