The Essential Eight Maturity Model describes how well each of the eight strategies is implemented, on a scale of four levels. Higher levels are aligned to increasingly capable adversary tradecraft.
The four maturity levels
- Maturity Level Zero (ML0) - there are weaknesses in the organisation's overall security posture; the strategy is not yet implemented to the ML1 baseline.
- Maturity Level One (ML1) - aligned to mitigating adversaries using widely available, commodity tradecraft.
- Maturity Level Two (ML2) - aligned to mitigating adversaries operating with more time, effort and targeting.
- Maturity Level Three (ML3) - aligned to mitigating adaptive adversaries who are willing to invest significant effort to bypass controls.
Assessed as a set
The ACSC recommends implementing all eight strategies to the same target maturity level as a package, rather than reaching a high level on one strategy while others lag. Your target level should be based on the threats your organisation faces; many organisations aim for ML1 or ML2 as a baseline.
How to move up a level
Moving up means meeting more of the specific requirements the model sets for each strategy at the next level. The practical path is to assess your current position control by control, identify the gaps to your target, and remediate them one at a time. The Essential Eight assessment tool does exactly this - scoring each strategy, showing the gaps to your target, and tracking progress over time.
Frequently asked questions
What are the Essential Eight maturity levels?
Four levels: Maturity Level Zero (ML0), One (ML1), Two (ML2) and Three (ML3). Higher levels are aligned to mitigating increasingly capable and targeted adversary tradecraft.
What maturity level should we target?
It depends on the threats you face. The ACSC recommends choosing a target level and implementing all eight strategies to it as a set; many organisations aim for ML1 or ML2 as a baseline.