ACSC Updates Essential Eight Guidance: What Changed
The ACSC has released updated guidance for the Essential Eight framework. While the core controls haven’t changed dramatically, there are some notable updates worth understanding.
Here’s what’s different and what it means for your business.
The Context
The Essential Eight was first published in 2017 as a prioritised subset of the Australian Signals Directorate’s broader Strategies to Mitigate Cyber Security Incidents. Since then, it’s become the de facto security standard for Australian organisations.
Updates happen periodically as threats evolve and technology changes. This latest update reflects lessons from recent incidents and shifts in how businesses operate.
Key Changes
1. Cloud-Native Considerations
The original Essential Eight assumed on-premises infrastructure. That’s increasingly unrealistic.
The updated guidance explicitly addresses:
- Cloud application patching (SaaS vendor responsibility vs your responsibility)
- Cloud-native MFA implementations
- Backups for cloud services (not just on-premises)
- Application control in cloud environments
Why it matters: If you’re using Microsoft 365, Google Workspace, or other cloud services, the guidance now clearly explains how Essential Eight applies. Previously, there was ambiguity about whether cloud services counted as “patched” if the vendor handled updates.
2. Passwordless Authentication Clarification
MFA guidance now explicitly addresses passwordless authentication methods:
- Passkeys
- FIDO2 security keys
- Certificate-based authentication
These are considered compliant MFA and in some cases are rated higher than traditional password + authenticator combinations.
Why it matters: If you’re moving toward passwordless (which Microsoft is pushing heavily), you can be confident this meets Essential Eight requirements. Passkeys and FIDO2 keys bind the credential to the site’s origin, so a login captured through a look-alike phishing page cannot be replayed, which makes them stronger than a password plus a one-time code.
3. Application Control Flexibility
Application control remains the hardest Essential Eight control to implement. The updated guidance provides more practical options:
- Publisher-based rules (allow software signed by specific vendors; the most maintainable option, since the rule keeps matching after the vendor ships an update)
- Path-based rules (allow software in specific directories; only sound where standard users cannot write to those directories, otherwise any file dropped there is allowed)
- Hash-based rules (allow specific verified files; the most precise, but every update to the file needs a new rule)
The guidance acknowledges that full application whitelisting may not be feasible for all organisations and provides a path to compliance using less restrictive approaches.
Why it matters: Maturity Level One is now more achievable. You don’t necessarily need enterprise-grade application whitelisting to be compliant.
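The following is an added example, not code from the ACSC guidance or from this article, showing how the three rule types combine in practice with AppLocker: publisher rules for signed software, hash rules as the fallback for unsigned tools, and no path rules over user-writable locations. It is staged in audit mode first so you can see what would be blocked before enforcing. The directories, the unsigned tool path and the probe file paths are placeholders; the probe files must exist on disk for the test to evaluate them.

```powershell
# Added example, not code from the ACSC guidance or from this article.
# Builds an AppLocker policy that uses publisher rules where files are signed
# and hash rules where they are not, then checks it in audit mode before
# enforcing. Assumes Windows 10/11 Enterprise or Windows Server with the
# AppLocker cmdlets, run as an administrator. Paths are placeholders.

Import-Module AppLocker

# Collect file information for the software you intend to allow.
# Publisher is preferred: signed files keep matching after updates.
# Hash is the fallback for unsigned line-of-business tools.
$allowed = @(
    Get-AppLockerFileInformation -Directory 'C:\Program Files\Microsoft Office\root\Office16' -Recurse -FileType Exe, Dll
    Get-AppLockerFileInformation -Path 'C:\LOB\Legacy\report.exe'   # placeholder unsigned tool
)

# RuleType order matters: a publisher rule is generated when the file is signed,
# otherwise a hash rule. No path rules are generated here on purpose.
$policyXml = New-AppLockerPolicy -FileInformation $allowed -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'E8' -Optimize -Xml

# Save in audit mode first: AppLocker logs what it *would* block (event 8003)
# without breaking users. Change to 'Enabled' only once the audit log is quiet.
[xml]$doc = $policyXml
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = Join-Path $PWD 'e8-applocker-audit.xml'
$doc.Save($policyPath)

# Test the policy against binaries in locations a standard user can write to.
# Copy any executable not covered by the rules there first. A path rule that
# allowed these directories would be the classic bypass; with publisher/hash
# rules the expected decision is DeniedByDefaultRule.
$probe = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\dropper.exe')   # typical attachment landing spot
    'C:\Windows\Tasks\update.exe'                       # writable by standard users on default installs
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule

# Apply locally (use -Ldap with a GPO distinguished name for fleet deployment).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# AppLocker enforces nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# After a period in audit mode, list what would have been blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
```

Event ID 8003 is the audit-mode "would have been blocked" record and 8004 the enforced block; a week of 8003 events tells you which hash rules you still need before you switch the collections to Enabled.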
4. Macro Settings for Modern Office
Macro guidance has been updated to reflect how modern Microsoft 365 handles macros:
- Clearer guidance on blocking macros in files downloaded from the internet (files carrying the Mark-of-the-Web)
- Recognition that current Microsoft 365 Apps block macros in such files by default
- Guidance for organisations using Office Scripts (the modern alternative)
Why it matters: If you’re on current Microsoft 365 versions, some macro protections are now enabled by default. The guidance clarifies what additional configuration is still needed.
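As an added example (not from the ACSC guidance or this article), the script below writes the Office policy registry values that back the macro settings discussed above, then reads them back as a compliance check. It assumes Microsoft 365 Apps (the Office 16.0 registry tree) and writes to the current user's policy hive; in production the same values are delivered through Group Policy or Intune, and the "SignedOnly" mode would be scoped to the group with a demonstrated business need.

```powershell
# Added example, not from the ACSC guidance or this article. Applies the
# Essential Eight macro settings to the current user's Office policy hive and
# audits the result. Assumes Microsoft 365 Apps (Office 16.0 registry tree).
# Value names are the documented Office policy registry names.

$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Set-E8MacroPolicy {
    param([ValidateSet('Block', 'SignedOnly')][string]$Mode = 'Block')
    # vbawarnings: 4 = disable all macros without notification (no business need)
    #              3 = disable all except digitally signed macros (demonstrated need)
    $vba = if ($Mode -eq 'Block') { 4 } else { 3 }
    foreach ($app in $apps) {
        $sec = Join-Path $base "$app\Security"
        New-Item -Path $sec -Force | Out-Null
        New-ItemProperty -Path $sec -Name 'vbawarnings' -Value $vba -PropertyType DWord -Force | Out-Null
        # Block macros in files carrying Mark-of-the-Web. Microsoft 365 does this by
        # default now, but the policy stops users re-enabling it from the Trust Bar.
        New-ItemProperty -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1 -PropertyType DWord -Force | Out-Null
        # Trusted Locations bypass the macro settings, so disable them unless you manage the list.
        $tl = Join-Path $sec 'Trusted Locations'
        New-Item -Path $tl -Force | Out-Null
        New-ItemProperty -Path $tl -Name 'alllocationsdisabled' -Value 1 -PropertyType DWord -Force | Out-Null
    }
    # AMSI runtime scanning of macros for all documents, not only low-trust ones.
    $common = Join-Path $base 'Common\Security'
    New-Item -Path $common -Force | Out-Null
    New-ItemProperty -Path $common -Name 'macroruntimescanscope' -Value 2 -PropertyType DWord -Force | Out-Null
}

function Test-E8MacroPolicy {
    # Reads the effective policy values and returns one row per application.
    $c = Get-ItemProperty -Path (Join-Path $base 'Common\Security') -ErrorAction SilentlyContinue
    foreach ($app in $apps) {
        $sec = Join-Path $base "$app\Security"
        $v  = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        $tl = Get-ItemProperty -Path (Join-Path $sec 'Trusted Locations') -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                   = $app
            MacrosRestricted      = ($v.vbawarnings -in 3, 4)
            InternetMacrosBlocked = ($v.blockcontentexecutionfrominternet -eq 1)
            TrustedLocationsOff   = ($tl.alllocationsdisabled -eq 1)
            AmsiAllDocuments      = ($c.macroruntimescanscope -eq 2)
        }
    }
}

Set-E8MacroPolicy -Mode Block
Test-E8MacroPolicy | Format-Table -AutoSize
```

The check reads the Policies hive deliberately: values under HKCU\Software\Microsoft\Office are user-changeable preferences, whereas values under HKCU\Software\Policies take precedence and cannot be altered from the Trust Center, which is what the "users cannot change settings" requirement turns on.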
5. Administrative Privilege Just-in-Time Access
The updated guidance emphasises just-in-time (JIT) administration:
- Privileged accounts should have elevated access only when needed
- Access should be time-limited
- Approval workflows are encouraged
This aligns with tools like Microsoft Entra Privileged Identity Management (PIM).
Why it matters: Moving from “always-on” admin accounts to JIT access significantly reduces risk. The guidance now makes this expectation clearer.
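Below is an added example, not from the ACSC guidance or this article, of the JIT pattern implemented with Microsoft Entra PIM through the Microsoft Graph PowerShell SDK: find standing "always-on" role assignments, convert a user to eligible instead, and activate the role for a bounded window against a ticket. It assumes the Microsoft.Graph.Identity.Governance module, a Microsoft Entra ID P2 licence for PIM, and a caller holding RoleManagement.ReadWrite.Directory; the role name and user principal name are placeholders, and the selfActivate request must be submitted by the user being activated.

```powershell
# Added example, not from the ACSC guidance or this article. Assumes the
# Microsoft.Graph.Identity.Governance module and a PIM-licensed tenant.
# Role name and UPN are placeholders.

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' -NoWelcome

$roleName = 'Exchange Administrator'
$upn      = 'admin.alice@example.com'
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$user = Get-MgUser -UserId $upn

# 1. Inventory: active assignments with no expiry are the standing privilege to remove.
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "roleDefinitionId eq '$($role.Id)'" -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.ScheduleInfo.Expiration.Type -eq 'noExpiration' } |
    Select-Object PrincipalId, AssignmentType, @{ n = 'Expires'; e = { $_.ScheduleInfo.Expiration.Type } }

# 2. Make the user *eligible* rather than permanently active. MFA-on-activation and
#    approval workflow are configured in the role's PIM settings, not on this request.
$eligibility = @{
    Action           = 'adminAssign'
    Justification    = 'Convert standing Exchange admin to JIT eligibility'
    RoleDefinitionId = $role.Id
    DirectoryScopeId = '/'
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = 'afterDuration'; Duration = 'P365D' }   # eligibility reviewed yearly
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 3. What the admin runs when the role is actually needed (as that user): a two-hour
#    activation tied to a ticket. The active assignment expires on its own.
$activation = @{
    Action           = 'selfActivate'
    Justification    = 'INC-0001 mailbox restore'
    RoleDefinitionId = $role.Id
    DirectoryScopeId = '/'
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = 'afterDuration'; Duration = 'PT2H' }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
```

Step 1 is the part worth running on its own first: every row it returns is an account whose admin rights are valid 24 hours a day, which is exactly the exposure JIT is meant to remove. Removing the standing assignment after eligibility is confirmed is a separate adminRemove request against the same role.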
What Hasn’t Changed
The fundamental structure remains:
- Eight controls in the same priority order
- Four maturity levels (Zero through Three), where Level Zero signals weaknesses in the organisation’s overall posture and Levels One to Three are the targets
- Focus on both prevention and recovery
The changes are evolutionary, not revolutionary. If you were compliant before, you’re probably still compliant.
Implications for Insurance
Cyber insurers have increasingly tied requirements to Essential Eight. These updates may flow through to insurance requirements:
Expect questions about:
- Cloud service backup arrangements
- MFA type (passwordless vs traditional)
- Application control approach
- Privileged access management
Documentation: Insurers want evidence. The updated guidance provides clearer benchmarks for what “compliant” looks like, which can actually make documentation easier.
If your insurance renewal is coming up, review your coverage against the updated guidance. Some insurers may ask specifically about newer requirements.
Practical Steps for SMBs
1. Review your current state
Map your current controls against the updated guidance. Focus on areas that have changed:
- Cloud service patching and backup
- MFA implementation type
- Application control approach
- Privileged access management
2. Identify gaps
The updated guidance may reveal gaps that didn’t exist under previous versions:
- Do you have proper backup for SaaS data?
- Is your MFA phishing-resistant?
- How are admin privileges managed?
3. Prioritise remediation
Not everything needs to happen at once. Prioritise based on:
- Risk (what’s most likely to be exploited)
- Effort (what can be fixed quickly)
- Requirements (what insurance or contracts mandate)
4. Update documentation
If you have Essential Eight compliance documentation, update it to reference the new guidance. This demonstrates ongoing attention to compliance.
Tools That Help
Several tools have been updated to align with the new guidance:
Microsoft Secure Score: Many Secure Score recommendations (MFA coverage, macro blocking, number of global administrators) overlap with Essential Eight controls, but Secure Score is not an Essential Eight assessment. Use it to spot gaps, then map the findings to the maturity model yourself or with Microsoft’s published Essential Eight guidance for Microsoft 365.
Assessment tools: Vendors like Qualys, Tenable, and Huntsman Security are updating their Essential Eight assessment modules. If you use these, expect updates soon.
Compliance platforms: GRC (governance, risk, and compliance) platforms that track Essential Eight compliance should incorporate the new guidance.
Working with Providers
If you work with an IT provider or security consultant, this is a good time for a conversation:
Questions to ask:
- Have you reviewed the updated Essential Eight guidance?
- How does it affect our current compliance status?
- What changes do we need to make?
- Can you provide updated compliance documentation?
Good providers will proactively reach out about this. If yours hasn’t, initiate the conversation.
Firms like AI consultants Sydney that specialise in security can help assess your current state against updated requirements and recommend practical remediation steps.
The Maturity Model
A reminder of how maturity levels work:
Level Zero: Weaknesses in the organisation’s overall posture; a control that is absent or easily bypassed sits here.
Level One: Basic implementation of each control. Minimum acceptable for most contexts.
Level Two: Enhanced implementation. Faster patching, broader MFA coverage, stricter controls.
Level Three: Advanced implementation. The target for high-risk environments.
The updated guidance provides clearer definition of what each level requires. If you were borderline at a certain level, review whether you still qualify.
Common Questions
Q: Do I need to change anything immediately? Not necessarily. Review the updates, assess your current state, and plan remediation if needed. This isn’t an emergency requiring overnight changes.
Q: Does this affect my cyber insurance? It might at renewal. Insurers follow ACSC guidance. The updated requirements may appear in future questionnaires.
Q: Is this harder to achieve than before? In some ways, the guidance is clearer and more practical. Cloud-native organisations may actually find compliance easier with explicit cloud guidance.
Q: How often does ACSC update this? Major updates happen every few years. Minor clarifications happen more frequently. Subscribe to ACSC alerts for notifications.
Resources
ACSC Official Guidance: The primary source is cyber.gov.au. The Essential Eight section contains the updated maturity models and implementation guides.
Essential Eight Assessment Reports: ACSC provides templates for documenting compliance. Updated templates reflect the new guidance.
Partner Guidance: Microsoft, Google, and major security vendors publish Essential Eight mapping guides for their products. These are typically updated following ACSC changes.
Getting Help
For businesses that need assistance implementing the updated requirements, Team400 and similar security-focused consultancies can provide:
- Gap assessments against new guidance
- Implementation support for specific controls
- Compliance documentation
- Ongoing monitoring and maintenance
The investment in getting this right is modest compared to the cost of non-compliance - whether that’s insurance issues, contract problems, or actual security incidents.
Final Thoughts
Essential Eight updates aren’t cause for panic. They’re an opportunity to review your security posture and make improvements.
The framework remains practical and achievable for SMBs. The updates make it more relevant to how modern businesses actually operate.
Review the changes. Assess your gaps. Make a plan. Execute.
That’s how security improvement works: steady, consistent progress toward a more resilient state.