Essential Eight audit preparation guide
A practical playbook for Australian SMBs preparing for an ACSC Essential Eight assessment — built around the Microsoft 365, Intune, Defender and Entra ID stack you probably already own.
What the Essential Eight covers
The Essential Eight is the Australian Cyber Security Centre's baseline of eight mitigation strategies. Each strategy is graded across three maturity levels: ML1 (basic defences against opportunistic attacks), ML2 (defending against attackers willing to invest more effort), and ML3 (defending against adaptive, well-resourced adversaries).
Most Australian SMBs should target Maturity Level 1. If you supply government, handle health or financial data, or hold ISO 27001 / SOC 2 obligations, plan for Maturity Level 2.
The eight strategies and Microsoft 365 quick wins
Application control
Only approved applications run on endpoints — block unsigned binaries, unknown installers, and script interpreters used by attackers.
Quick win: Enable Microsoft Defender Application Control (WDAC) or Intune-managed AppLocker on a pilot device group.
Patch applications
Browsers, Office, PDF readers and other internet-facing apps must be patched within 48 hours of a vendor release.
Quick win: Enable Microsoft Intune update rings for Office and Edge, and surface third-party patch status via Defender for Endpoint.
Configure Microsoft Office macro settings
Block macros from the internet by default; only signed and trusted macros should execute.
Quick win: Deploy the ACSC Office macro configuration via an Intune Administrative Template — under 10 minutes for the whole tenant.
User application hardening
Disable Java, Flash and unneeded browser plugins; block web advertisements and untrusted Office add-ins.
Quick win: Use Microsoft Edge baselines from the Microsoft 365 Apps Admin Center as your starting policy.
Restrict administrative privileges
Privileged accounts are validated, time-limited and separated from day-to-day user accounts.
Quick win: Roll out Microsoft Entra Privileged Identity Management (PIM) for Global Administrator and Exchange Administrator roles.
Patch operating systems
Patch internet-facing operating systems within 48 hours and all other systems within two weeks.
Quick win: Move Windows updates to Intune Autopatch and report status through Defender for Endpoint vulnerability dashboards.
Multi-factor authentication
Phishing-resistant MFA on all internet-facing services, privileged accounts and remote-access tools.
Quick win: Enforce Conditional Access policies requiring number-matching MFA for all users; block legacy authentication entirely.
Regular backups
Daily backups of important data, software and configuration, retained for at least three months and tested for restorability.
Quick win: Use Microsoft 365 Backup plus Azure Backup with immutable vault and quarterly restore drills.
Five-step audit preparation plan
Step 1
Document your business-critical systems, data flows, and current Microsoft 365 / Azure tenant configuration.
Step 2
Score yourself against each Essential Eight strategy at Maturity Level 1, 2 and 3 using the ACSC's published criteria.
Step 3
Capture evidence — Intune policies, Conditional Access rules, Defender configuration, backup reports — that proves each control.
Step 4
Identify gaps and prioritise by risk: identity, email, endpoints and backups usually rank highest.
Step 5
Build a 90-day remediation plan, then schedule an independent assessment to validate your maturity level.
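For Steps 2 to 4, a Conditional Access export can be checked offline against the MFA quick win above (MFA for all users, legacy authentication blocked). The script below is an added example, not part of the original guide or any Microsoft tooling; it assumes the JSON shape returned by the Microsoft Graph conditional access policies endpoint, and the sample policies and function names are constructed for illustration. Policies that use an authentication strength instead of the built-in mfa control are not counted.

```python
import json

# Constructed sample shaped like a Graph /identity/conditionalAccess/policies response.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Require MFA - all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
                 "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]}
""")

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph values for legacy protocols

def covers_everyone(policy):
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    return "All" in users and "All" in apps

def requires(policy, control):
    """True only if `control` is mandatory: the sole control, or operator is AND."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    return control in controls and (controls == {control} or grant.get("operator") == "AND")

def assess(export):
    """Map each check to the policy names that satisfy it (the audit evidence)."""
    result = {"mfa_all_users": [], "legacy_auth_blocked": [], "report_only": [], "exclusions": {}}
    for p in export["value"]:
        name, cond = p["displayName"], p.get("conditions") or {}
        if p.get("state") == "enabledForReportingButNotEnforced":
            result["report_only"].append(name)  # logged but not enforced: a gap
        if p.get("state") != "enabled" or not covers_everyone(p):
            continue
        users = cond.get("users") or {}
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        if excluded:
            result["exclusions"][name] = excluded  # each needs a documented reason
        if requires(p, "mfa"):
            result["mfa_all_users"].append(name)
        if LEGACY_CLIENTS <= set(cond.get("clientAppTypes") or []) and requires(p, "block"):
            result["legacy_auth_blocked"].append(name)
    return result
```

An empty list for a check is a gap for Step 4; the report_only and exclusions entries are the items an assessor is likely to ask about.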
Frequently asked questions
What is the Essential Eight?
The Essential Eight is a set of eight baseline mitigation strategies published by the Australian Cyber Security Centre (ACSC) to help organisations protect against the most common cyber threats. Each strategy is scored across three maturity levels.
Which Essential Eight maturity level should an Australian SMB target?
Maturity Level 1 is the practical baseline for most small and medium businesses. Regulated industries, government suppliers and businesses handling sensitive data are typically expected to reach Maturity Level 2.
How long does Essential Eight audit preparation take?
For a Microsoft 365 environment with reasonable hygiene, preparation usually takes 6 to 12 weeks: 2 weeks to baseline, 4 to 8 weeks of remediation, and 1 to 2 weeks of evidence collection before the formal assessment.
Do Microsoft 365 and Intune cover the Essential Eight?
Microsoft 365 E3 and E5 with Intune, Defender, Entra ID Premium and Microsoft 365 Backup can meet every Essential Eight control at Maturity Level 1 and most controls at Level 2 without third-party tooling.

