What Australian SMBs Actually Need to Do in 2026
The Essential 8 used to be a thing IT teams did when they had the headspace. It's now a commercial requirement.
If you sell into government, your tender won't be shortlisted without a credible Essential 8 maturity claim. If you carry cyber insurance, your premium is being priced against it. If you supply enterprise clients, their auditors are asking about your maturity level. Specifically yours, not "your industry's".
I run an MSP that does Essential 8 work for Australian SMBs every week. This post is what I tell prospects in the first call: what the framework actually is, what the maturity levels mean, and a concrete checklist of what you need in place to claim ML1 honestly and have a path to ML2.
Nine-minute read. The checklist is halfway down. Skip there if you're short on time.
What the Essential 8 is
Eight controls published by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD). They're the ACSC's opinion on the eight highest-impact things most Australian organisations can do to keep the most common cyber attacks out.
It's not a complete security program. It's not exhaustive. It is, however, the shorthand everyone in Australia uses right now for "does this organisation take cyber security seriously".
The eight controls:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
The four maturity levels
Each of the eight controls has four possible maturity levels: ML0, ML1, ML2, and ML3.
- ML0: You don't have the control, or it's ineffective.
- ML1: The control is in place against opportunistic attackers using off-the-shelf techniques.
- ML2: The control is in place against moderately capable attackers willing to invest some effort.
- ML3: The control is in place against well-resourced, targeted attackers.
You don't need ML3 on everything. The ACSC itself says organisations should choose a target maturity level based on the threats they face and the data they hold.
Practical 2026 reality for Australian SMBs:
- ML1 is the bare minimum. Most cyber insurance questionnaires assume ML1 as the starting point.
- ML2 is where most government tenders and enterprise supplier reviews want you to land.
- ML3 is typically required only for organisations handling classified or highly sensitive data, often in defence, finance, or healthcare integrations.
If someone has told you that your business is "Essential 8 compliant" and they haven't specified a maturity level, that sentence means very little. Ask.
Why this matters now
Three things changed in the last 18 months that turned this from "should do" into "have to".
Cyber insurance. Underwriters now ask specific Essential 8 questions before issuing quotes. No answers, no cover. Or cover at 2x to 3x last year's premium. The pattern across our client base is clear: the questionnaires landing on renewal desks today are unrecognisable from what they were filling in two years ago.
Government procurement. State and Commonwealth tender panels list Essential 8 ML2 as a minimum acceptance criterion now, not as an aspiration. We've seen tenders rejected at the desktop review because the maturity claim couldn't be evidenced.
Enterprise supply chain. Your clients are being audited. Their auditors ask about their suppliers. You are the supplier. Contract renewals now routinely include "what's your Essential 8 maturity, and can you evidence it" as a hard question, not a chat.
"We're too small for that" used to be a reasonable answer. It isn't anymore.
The checklist
Here's what an Australian SMB needs in place to credibly claim ML1 and have a clear path to ML2. For the full ML2 detail by control, see the ACSC's official guidance, linked at the end.
1. Application control
ML1 target: You have a documented list of approved applications and a technical mechanism that prevents users running unapproved executables on workstations.
Checklist:
- Microsoft Defender Application Control (WDAC) or AppLocker policy deployed via Intune or Group Policy
- Policy covers all user workstations, not just servers
- Policy is in enforcement mode, not audit only
- Documented exceptions process for legitimate business apps
ML2 adds: Application control also covers scripts, installers, compiled HTML, HTML applications, and control panel applets.
2. Patch applications
ML1 target: You patch internet-facing applications within 2 weeks of a vendor release (48 hours if the vulnerability is rated critical). You know what you've got.
Checklist:
- Automated patching configured for browsers, Microsoft Office, Adobe Reader, Teams
- Vulnerability scan run at least fortnightly against all internet-facing systems
- Documented inventory of all third-party applications in use
- Process for removing unsupported software from the estate
ML2 adds: Patching within 2 weeks for non-internet-facing applications as well. Vulnerability scanning weekly.
3. Configure Microsoft Office macro settings
ML1 target: Macros are blocked by default. Users can't enable macros from the internet. Macros from trusted locations are allowed only where needed.
Checklist:
- Office macros blocked for users without a documented business need
- Macros from the internet blocked via Group Policy or Intune
- Only digitally signed macros from trusted publishers allowed
- Macro usage logged centrally
ML2 adds: Only macros from trusted locations or with a digital signature from a trusted publisher can execute. Events logged and reviewed.
4. User application hardening
ML1 target: Browsers and Office are configured to block known risky behaviours. Flash is gone (it is). Java plugins are gone.
Checklist:
- Web browsers block Java and unauthorised browser extensions
- Microsoft Office is configured to block OLE packages
- Internet Explorer 11 is disabled
- PDF readers are configured to disable JavaScript
ML2 adds: ACSC hardening guide configuration baselines applied to browsers, Office, and PDF readers. Events logged.
5. Restrict administrative privileges
ML1 target: Admin accounts are separate from standard user accounts. Only people who need admin rights have them. Admin accounts are reviewed regularly.
Checklist:
- Every privileged user has a separate admin account, not shared with their standard day-to-day login
- Admin accounts don't have email, web, or Office access
- Privileged access reviewed at least annually, with evidence of who reviewed and when
- Service accounts inventoried, documented, and unused ones disabled
ML2 adds: Privileged accounts are only granted the rights required for their role. Privileged access is logged and events reviewed.
6. Patch operating systems
ML1 target: Operating systems on internet-facing systems are patched within 2 weeks of release (48 hours if critical). Everything is on a supported version.
Checklist:
- Windows Update for Business or equivalent configured on all workstations
- Server patch schedule documented and followed
- Unsupported Windows and macOS versions removed from the estate
- Mobile devices (iOS, Android) enrolled in Intune with compliance policies requiring current OS versions
ML2 adds: Patching within 2 weeks for non-internet-facing systems. Weekly vulnerability scanning.
7. Multi-factor authentication
ML1 target: MFA is on for all privileged accounts and all remote access. Users authenticate with something stronger than a password for anything internet-facing.
Checklist:
- MFA enforced for all Microsoft 365 admin accounts
- MFA enforced for all remote access (VPN, Remote Desktop Gateway, web apps)
- MFA enforced for all standard users on internet-facing services
- Conditional Access policies in place to block legacy authentication
ML2 adds: MFA uses phishing-resistant methods where possible (FIDO2 keys, Windows Hello for Business, Microsoft Authenticator with number matching).
8. Regular backups
ML1 target: Critical data is backed up, tested, and recoverable within a documented RTO. Backups are separated from production systems so ransomware can't encrypt them.
Checklist:
- Documented backup schedule for all business-critical data
- Backups stored in a location separate from production (immutable or offline)
- Backup restore tested at least quarterly with evidence
- Documented RTO (recovery time objective) and RPO (recovery point objective)
ML2 adds: Access to backups restricted to backup administrators. Backup retention aligned with business requirements. Restoration tested at least half-yearly, with unprivileged accounts tested for inability to modify or delete backups.
How to actually use this checklist
Don't try to lift everything to ML2 at once. That's a multi-quarter project and trying to do it in one go is how it stalls.
What I'd actually do:
- Baseline yourself honestly. Score ML0 to ML3 on each of the eight controls. If a control is "sort of in place", that's ML0 or partial ML1. Don't grade on a curve.
- Pick the cheapest wins. MFA on all admin accounts and blocking legacy authentication are nearly always the highest-impact, lowest-cost moves. Start there.
- Build a 90-day plan. Pick the three or four controls furthest below your target and sequence them.
- Document evidence as you go. Most SMBs don't fail tender audits because controls are missing. They fail because nobody can produce evidence the control is actually working.
- Get a second pair of eyes before committing to a tender response. Self-assessments are systematically more optimistic than independent ones. If a tender hinges on your maturity claim, validate it externally first.
Common pitfalls
The same five mistakes come up over and over in first-time Essential 8 work:
"We use Microsoft 365, so we have MFA." No. M365 licences don't enable MFA by default. Security Defaults gets you part way. Conditional Access policies do the rest. If it's not explicitly configured, it's not on. I've seen this exact misunderstanding cost businesses contracts they thought were theirs to lose.
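One way to check the "is it explicitly configured" question for the legacy-authentication item, as an added example that is not the post's own tooling nor Microsoft's: it assumes the tenant's Conditional Access policies have been exported in the Microsoft Graph conditionalAccessPolicy shape, and the sample export below is constructed.

```python
# Added example, not the post's own tooling: checks an exported set of Entra
# ID Conditional Access policies (Microsoft Graph conditionalAccessPolicy
# shape) for one that really blocks legacy authentication for all users.
# Disabled and report-only policies do not count: if it isn't enforced, it's not on.

LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

def blocks_legacy_auth(policy: dict) -> bool:
    """True if this one policy blocks legacy auth for all users and all apps."""
    if policy.get("state") != "enabled":
        return False  # "disabled" or "enabledForReportingButNotEnforced"
    cond = policy.get("conditions", {})
    client_types = set(cond.get("clientAppTypes", []))
    if "all" not in client_types and not LEGACY_CLIENT_APP_TYPES <= client_types:
        return False
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        return False
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        return False
    grant = policy.get("grantControls") or {}
    return "block" in grant.get("builtInControls", [])

def legacy_auth_blocked(policies: list) -> bool:
    """Tenant-level answer: does any enforced policy block legacy auth?"""
    return any(blocks_legacy_auth(p) for p in policies)

# Constructed sample export. The first policy was left in report-only mode,
# the second is enforced; only the second satisfies the checklist item.
SAMPLE_POLICIES = [
    {
        "displayName": "Block legacy auth (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Block legacy auth",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]
```

Run it against a real export and the first policy's report-only state is exactly the "we thought it was on" trap the paragraph above describes.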
"Auto-updates are on, so we're patching." ML1 requires evidence of time-to-patch within 2 weeks. Without visibility tooling, you can't prove it, even if it's true.
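Producing that evidence is mostly arithmetic over an inventory, so here is an added example (not the post's own tooling) that scores time-to-patch against the windows in checklist items 2 and 6: 2 weeks for internet-facing systems, 48 hours when the fix is rated critical, and at ML2 the non-internet-facing estate within 2 weeks as well. Asset names and dates are constructed.

```python
# Added example, not the post's own tooling: scores time-to-patch evidence
# against the windows in the checklist. Internet-facing systems get 2 weeks,
# or 48 hours when the fix is rated critical; at ML2 the rest get 2 weeks too.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class PatchRecord:
    asset: str
    software: str
    released: datetime             # vendor release date of the fix
    installed: Optional[datetime]  # None means not yet patched
    critical: bool
    internet_facing: bool

def deadline(rec: PatchRecord) -> timedelta:
    """48 hours only for critical fixes on internet-facing systems."""
    if rec.critical and rec.internet_facing:
        return timedelta(hours=48)
    return timedelta(weeks=2)

def in_scope(rec: PatchRecord, level: int) -> bool:
    """ML1 scopes internet-facing systems only; ML2 adds the rest."""
    return rec.internet_facing or level >= 2

def assess(records: List[PatchRecord], level: int, now: datetime) -> Dict[str, str]:
    """Map 'asset:software' to met/late/pending/overdue for in-scope records."""
    result = {}
    for rec in records:
        if not in_scope(rec, level):
            continue
        due = rec.released + deadline(rec)
        key = f"{rec.asset}:{rec.software}"
        if rec.installed is None:
            result[key] = "overdue" if now > due else "pending"
        else:
            result[key] = "met" if rec.installed <= due else "late"
    return result

def all_met(result: Dict[str, str]) -> bool:
    return all(status == "met" for status in result.values())  # the auditor's question

# Constructed sample inventory: hypothetical asset names and dates.
NOW = datetime(2026, 3, 25)
SAMPLE_RECORDS = [
    PatchRecord("edge-web01", "Reverse proxy", datetime(2026, 3, 2), datetime(2026, 3, 3), True, True),
    PatchRecord("wks-014", "Adobe Reader", datetime(2026, 3, 2), datetime(2026, 3, 20), False, True),
    PatchRecord("fs-01", "Backup agent", datetime(2026, 3, 2), None, False, False),
]
```

Calling assess(SAMPLE_RECORDS, 1, NOW) and assess(SAMPLE_RECORDS, 2, NOW) shows the file server dropping out of scope at ML1 and turning up overdue at ML2, which is the kind of per-asset record the "auto-updates are on" answer cannot produce.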
Running application control in audit-only mode indefinitely. Audit mode logs what would have been blocked. It doesn't actually protect anything. ML1 requires enforcement. Sitting in audit-only is a pattern auditors see constantly, specifically because someone got nervous about breaking line-of-business apps and never went back.
Shared admin accounts for "break glass" scenarios. Shared credentials shouldn't exist anywhere in 2026. Use Privileged Identity Management or just-in-time elevation. The "but we need it for emergencies" answer doesn't survive a tender review.
Backups on the same domain as production. If ransomware encrypts the domain, it encrypts the backups. Immutable storage or offline retention only. We've cleaned up enough recoveries to know this is non-negotiable.
Where this fits with ISO 27001
Essential 8 is narrower than ISO 27001. ISO 27001 covers the whole Information Security Management System: risk management, policies, training, supplier management, incident response, physical security, the lot. Essential 8 covers eight technical controls.
The two frameworks complement each other. Essential 8 ML2 lifts you across a meaningful chunk of the technical controls in ISO 27001's Annex A. So Essential 8 work isn't wasted effort if you're heading towards 27001 later.
Which to start with: if the pressure is coming from tenders or insurers, Essential 8. If the pressure is coming from enterprise clients doing supply chain audits, ISO 27001. If both, do Essential 8 first and treat it as a step on the path to 27001 rather than a separate project.
Next steps
If you want a structured baseline of where your business sits, I've built a free self-assessment. 25 questions, ten minutes, produces a maturity scorecard across all eight controls plus a prioritised action list.
If you've already done a self-assessment and want an independent review before staking a tender response on it, book a 30-minute gap analysis call.
References
- ACSC Essential 8 Maturity Model
- ACSC Strategies to Mitigate Cyber Security Incidents
- OAIC Notifiable Data Breaches scheme
I'm Josh McCarthy, Director and Lead Auditor at Your IT Managers, a Melbourne-based MSP that does ISO 27001, Essential 8, and Microsoft 365 security work for Australian SMBs across the country. If something in this post doesn't match what you're seeing in your own audits, I'd be interested to hear about it.