ACSC essential eight

The Essential Eight

While all organisations operate differently and have different risk profiles, no single mitigation strategy is guaranteed to prevent cyber-security incidents from occurring. ACSC recommends implementing the Essential Eight mitigation strategies as a baseline, which makes it significantly harder for adversaries to compromise systems. ACSC found that an effective implementation of the Essential Eight strategies can mitigate 85% of cyber threats. Implementing these strategies proactively is a more cost-effective use of time, money and effort than reacting to large-scale cyber-security incidents after they occur.

The NSW Government Cyber Security Policy requires, amongst other things, the implementation of the Australian Cyber Security Centre’s (ACSC) Essential Eight security controls. The policy requires (Requirements 3.1 and 3.2) an independent annual assessment of all mandatory requirements in the policy for the previous financial year, including a maturity assessment (referred to by Privasec as a ‘gap and maturity assessment’) against the ACSC Essential Eight.

ACSC’s recommended implementation order for each type of adversary can assist organisations in building a strong cyber-security posture for their business and supporting systems. These systems are critical to an organisation’s success in delivering its business objectives, i.e., no business interruption due to a cyber-security incident.

ACSC Essential Eight Controls and their Importance:

The Essential Eight strategies focus on three key objectives for mitigation. The infographic below explains each of the mitigation strategies, their controls, and the importance of these controls:

ACSC infographics | Privasec

Effective implementation of these controls is only a starting point; continual improvement towards higher maturity is key to keeping up with the changing cyber threat landscape. Once the baseline controls are implemented, organisations should focus on increasing the maturity of their implementation until they reach full alignment with the intent of each mitigation strategy.

ACSC has defined three maturity levels to assist organisations in determining the maturity of their implementation. The maturity criteria defined in the ACSC Maturity Model include:

  • Maturity Level 1 – Partly aligned with the intent of the mitigation strategy.
  • Maturity Level 2 – Mostly aligned with the intent of the mitigation strategy.
  • Maturity Level 3 – Fully aligned with the intent of the mitigation strategy.

Privasec’s ACSC Essential Eight Maturity Assessment Approach

Privasec follows a mature assessment and auditing approach to provide organisations with assurance on their effective alignment with the Essential Eight controls, together with a roadmap to achieve the highest level of maturity.

Our assessment process examines the people, process and technology aspects of the organisation, combined with advanced auditing tools, to provide an objective assessment of risk and of compliance with the Essential Eight controls.

ACSC Table | Privasec

Deliverables

Our reports provide a holistic and detailed view of the organisation’s current compliance with the Essential Eight, its cyber-risk exposure profile and its current maturity. We also deliver a detailed compliance roadmap for each of the mitigation strategies, with recommendations on how to achieve the highest level of maturity.

These reports form a baseline for Annual Compliance Reporting and can be used to support the organisation’s cyber-security reporting, for example NSW Cyber Security Policy annual reporting and attestation submissions to relevant governance bodies, including the Cyber Security Senior Officers Group (CSSOG) and the ICT and Digital Leadership Group (IDLG).

Ready for the assessment?

Contact us for a holistic and detailed view of your organisation’s current compliance with the Essential Eight, its cyber-risk exposure profile and its current maturity.