ASD Essential 8: Explained

Post Date: 03/01/2023
feature image

An increasing number of Australian organisations – both government and commercial – seek to align with the Essential Eight Cyber Security maturity model.  

The model was set up by the Australian Signals Directorate (ASD), a vital member of Australia’s national security community. The Essential Eight provides eight mitigation strategies that aim to protect Australian businesses from increasing cyber risks, both from inside and outside the organisation.   

However, nearly 90% of reporting Australian government entities still aren’t implementing basic cyber resilience protections despite a growing risk.

While the adoption of basic measures like the Essential Eight is improving, most reporting government entities aren’t at minimum maturity levels, and most entities aren’t utilising assistance from cyber agencies. 

ASD Essential 8’s Maturity Model 

The ASD Essential 8 includes four levels of maturity commencing with level zero. Organisations should identify and plan for a target maturity level suitable for their operating environment, then progressively implement each maturity level until that target is achieved.    

Each maturity level outlines key mitigation strategies that organisations should implement. Maturity level one starts with basic mitigation strategies, such as enabling macro antivirus scanning across your Microsoft Office environment. In contrast, maturity level three involves more complex strategies, like protecting unauthorised modification and deletion for multi-factor authentication event logs.  

Backups as a vital part of Essential Eight mitigation strategies 

Regular backups, or third-party data protection, form one of the Essential Eight mitigation strategies. Recommended as a vital ASD Essential 8 compliance measure by the Australian Cyber Security Centre, regular backups are one of the top three things Australians should do to protect their data. 

Learn all about the importance of backups in this infographic

Implementing regular backups as a mitigation strategy becomes more complex as you move through maturity levels 1, 2, and 3: 

  • Maturity level 1 criteria is relatively basic, meaning most third-party backup solutions will meet these requirements. 
  • Maturity level 2 increases the mitigation complexities and includes more technical and complex requirements. An example is “Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts”.  
  • Maturity level 3 introduces more security and compliance requirements in addition to maturity level 2 requirements. Building on the maturity level 2 requirements above, an example maturity level 3 requirement is “Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts, nor their own accounts”.   

Despite several years of education and time to implement data security protection solutions, many organisations still fail to comply with third-party data backups at either maturity level 2 or 3.   

Choosing 3rd-party data protection that’s Essential Eight compliant 

Not all third-party backup and data protection solutions are created equal. While on the surface, they do the same thing, there are often significant differences that you should consider.   

Download this brochure to see how AvePoint Cloud Backup helps customers meet Essential Eight standards by delivering compliant regular backups.

At AvePoint, we help our customers reach data protection compliance with their Microsoft 365 and Azure investments. We recommend our customers strive for at least maturity level 2 data protection compliance and advocate asking the following questions as part of their ASD Essential 8 checklist when considering compliant vendors:  

  • Do your backups include all important data? In the context of M365, does this include not only core workload like Exchange Online but also Teams chat and Power Platform data?  
  • Do your backups include important software and configuration settings?  
  • Can unprivileged accounts access backups belonging to other accounts and their own account?  
  • Can privileged accounts access backups belonging to other accounts and their own account?  
  • Are unprivileged accounts prevented from modifying and deleting backups?  
  • Are privileged accounts (including backup administrator accounts) prevented from modifying and deleting backups during their retention period?  

If you cannot get clear answers to the questions above, you won’t be fully compliant with Essential Eight.  

AvePoint Cloud Backup: Essential 8 Data Protection Compliant 

At AvePoint, our Cloud Backup solutions are built to protect your data. As a global business, our platform is designed to meet local Australian and global security standards, including the Essential Eight.   

We’d love to talk to you about the Essential Eight data protection compliance. AvePoint is an ISO 27001, SOC II certified, and IRAP-assessed solution provider; security and compliance are our core business.

Reach out to us. We’re ready to help you mitigate your ever-increasing security risks. 


Max McNamara is Director of Solution Engineering at AvePoint. An experienced IT leader and general manager, Max has more than a decade of experience in the Microsoft professional services and ISV ecosystem.

View all post by Max McNamara

Subscribe to our blog