Essential 8 Compliance
Protect your business with the Essential Eight framework and enhance your cyber security maturity effectively.


The federal government will mandate the Essential Eight framework for all 98 non-corporate Commonwealth entities (NCCEs).
Prior to 2017, only the top four security controls in objective 1 of the Essential Eight were mandatory, but full compliance now requires all eight strategies.
To ensure all security controls are maintained at the highest degree, all entities that must comply with this cybersecurity framework will require a comprehensive audit every 5 years commencing from June 2022.
The full maturity model is available at Cyber.gov.au: Essential Eight Maturity Model.
What is Essential Eight Compliance?
The Essential Eight is an Australian cybersecurity framework by the Australian Cyber Security Centre (ACSC). This framework, published in 2017, is an upgrade from the original set of 4 security controls by the ASD. The Essential Eight (sometimes known as the ACSC Essential Eight or ASD Essential Eight) introduced 4 additional strategies to establish the eight controls that aim to protect Australian businesses from cyberattacks today.
The eight strategies are divided across three primary objectives: preventing attacks, limiting attack impact, and ensuring data availability.
Objective 1: Prevent Cyberattacks
Objective 2: Limit the Impact of Cyberattacks
Objective 3: Data Recovery and System Availability
Organizations that implement the Essential Eight can track their compliance through the framework's maturity scale, which is comprised of three levels:
Maturity Level One - Partially aligned with mitigation strategy objectives
Maturity Level Two - Mostly aligned with mitigation strategy objectives
Maturity Level Three - Fully aligned with mitigation strategy objectives
Each level can be customized to suit each business's unique risk profile. This allows organizations to identify their current state of compliance so that they understand the specific efforts required to progress through each level.
The Australian Signals Directorate (ASD) recommends that all Australian businesses achieve maturity level three for optimal protection against malware threats and cyberattacks.
It's important to understand that the Essential Eight is the minimum baseline of cyber threat protection recommended by the ASD. Organizations are encouraged to augment this framework with additional sophisticated data breach prevention solutions to significantly mitigate the impact of cyberattacks.
Is the Essential Eight Mandatory?
The federal government will mandate the Essential Eight framework for all 98 non-corporate Commonwealth entities (NCCEs).
Previously, only the top four security controls in objective 1 of the Essential Eight were mandatory, but now compliance across all eight strategies is expected.
To ensure all security controls are maintained at the highest degree, all entities that must comply with this cybersecurity framework will undergo a comprehensive audit every 5 years commencing in June 2022.
Do Australian Businesses Need to Report Data Breaches?
All Australian businesses with an annual turnover of $3 million are required to report data breaches to both impacted customers and the Office of the Australian Information Commissioner (OAIC) within 72 hours.
This essential requirement applies to all private and public Australian businesses, whether or not they've implemented the Essential Eight framework.
Any breach that is likely to result in serious harm to individuals and customers must be reported. Because it's difficult to gauge the impact of each breach, to be safe, it's best to report all breaches to the OAIC.
This regulatory requirement is known as the Notifiable Data Breach Scheme (NDB) and its compliance is also mandatory for the following entities:
Health service providers
Credit reporting bodies
Credit providers that process credit eligibility information
Tax File Number (TFN) recipients
All entities regulated under the Privacy Act 1988
Failure to comply with the NDB scheme breaches the Privacy Act, which could result in enforcement action.
All Essential Eight Assessments and Remediation Road Maps are managed by EMENT.com and the affiliated team.
Essential8@ement.com