The Essential Eight is published by the Australian Signals Directorate / Australian Cyber Security Centre and is the most prescriptive cybersecurity baseline in widespread use. Eight mitigation strategies (Application control, Patch applications, Configure Microsoft Office macro settings, User application hardening, Restrict administrative privileges, Patch operating systems, Multi-factor authentication, Regular backups) at three Maturity Levels (ML1, ML2, ML3).
For Australian government contractors, Essential Eight at the contract-specified maturity level is a procurement gate. For MSPs serving Australian government and government-adjacent clients, delivering Essential Eight readiness has become a billable service.
The Essential Eight is unusually prescriptive — specific implementation methods are called out, not just outcomes. That makes the right software particularly important.
What to look for
- Direct Essential Eight strategy mapping. Direct mapping to all eight strategies and the specific Maturity Level requirements (ML1 / ML2 / ML3).
- Application control implementation (Strategy 1). Strategy 1 (Application control) calls for specific implementation methods. Look for tools that deliver on the prescriptive requirements at the chosen maturity level.
- Patching evidence (Strategies 2 and 6). Application patching (Strategy 2) and operating-system patching (Strategy 6) have prescriptive timelines. Continuous evidence is essential.
- Office macro and user-application hardening evidence (Strategies 3 and 4). Macro execution policy and Office / browser hardening evidence.
- Privileged-access restrictions (Strategy 5). Evidence of administrative-privilege restrictions, including just-in-time elevation where applicable.
- MFA evidence (Strategy 7). MFA enforcement evidence across the relevant services.
- Backup hygiene evidence (Strategy 8). Regular backup execution, retention, and restoration testing evidence.
Options to evaluate
Lavawall®MSP platform with Essential Eight first-class
Direct Essential Eight strategy mapping at all three Maturity Levels. Application control without a kernel driver (Strategy 1). 7,500+ application patching across Windows, macOS, and Linux (Strategies 2 and 6). Configuration assessment for Office macro and user-application hardening (Strategies 3 and 4). Privileged-access evidence (Strategy 5). M365 / Entra MFA enforcement evidence (Strategy 7). Backup-system monitoring (Strategy 8).
Best when: Australian MSPs delivering Essential Eight readiness as a service.
Airlock Digital + Tenable + manual evidenceSpecialised application control + scanning
Airlock Digital is mature application control for Australian Essential Eight; Tenable provides scanning. Combined with manual control evidence, this is a common Australian MSP stack.
Best when: Australian MSPs deeply invested in Airlock + Tenable that need a specialised Essential Eight programme.
Microsoft Defender XDR + Microsoft Compliance ManagerMicrosoft-native
Microsoft Compliance Manager has Essential Eight templates. Strong inside the Microsoft tenant; multi-tenant management requires Lighthouse.
Best when: Microsoft-centric Australian organisations on E5.
Vanta / Drata / Hyperproof / SecureframeGRC platforms with Essential Eight templates
GRC platforms with Essential Eight framework templates. Strengths and trade-offs vary; multi-tenant for MSPs varies.
Best when: Single-organisation Essential Eight use cases.
How Lavawall® fits
Lavawall® includes the Australian Essential Eight as a first-class framework at all three Maturity Levels. The strategy-by-strategy mapping reflects the prescriptive implementation requirements ASD calls out, not generic interpretation.
Strategy 1 (Application control) is delivered by Lavawall®'s kernel-free application control. Strategies 2 and 6 (patching) are delivered by the 7,500+ application patch catalog across Windows, macOS, and Linux. Strategies 3, 4, and 5 (Office macros, user-application hardening, privileged-access) are delivered by the configuration assessment module. Strategy 7 (MFA) is delivered through the M365 / Entra / Google Workspace ITDR connectors. Strategy 8 (backups) is delivered through backup-system monitoring.
For Australian MSPs, the same evidence base satisfies Essential Eight, ISO 27001, SOC 2, NIST CSF, and the broader 15+ framework set Lavawall® supports.
Frequently asked
- What is the difference between ML1, ML2, and ML3?
- Maturity Level 1 is baseline implementation; ML2 adds further controls and shorter timelines; ML3 adds the most rigorous controls including 48-hour application patching for internet-facing services and stricter macro / privileged-access requirements.
- Does Lavawall® deliver Strategy 1 application control at ML2?
- Yes — Lavawall®'s kernel-free application control delivers the prescriptive ML2 application-control requirements. ML3 additional requirements (driver allowlisting in particular) overlap with Microsoft Windows Defender Application Control; coordinated implementation is typical.
- Are Australian MSPs required to be Essential Eight compliant themselves?
- MSPs serving Australian government clients are increasingly expected to maintain Essential Eight at the level matching the client's requirement. Internal MSP Essential Eight is becoming table-stakes.