
Essential Eight self-assessment

Eight honest questions. Your estimated maturity level. A PDF you can share.

No email required. No data leaves your browser. Answer for where you actually sit today, not where you want to sit, and the tool will give you an estimate of your Essential Eight maturity level with a branded PDF you can take to your board, broker or auditor.


01 Application control

Do you restrict which applications can run on company Windows devices?

Why it matters ·  The single most effective technical control in the Essential Eight. If unapproved code cannot execute, it cannot encrypt your files, steal credentials or open a back door, whatever route it took to reach the machine.

What does this mean?
Not sure? Think about your office Windows computers. If a staff member downloads a random app from the internet, can they run it? If yes, nothing is restricting applications. An allowlist (sometimes called "allowlisting" or "application control") is a technology that only lets pre-approved programs run; anything else is blocked automatically, even if it's been downloaded or emailed in. Ringfencing is an extra layer that limits what even approved apps can do (e.g. a PDF reader can't suddenly launch PowerShell).
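If you want more than a gut feel for the "can a staff member run a random download?" question, the following PowerShell check is an added example written for this page; it is not part of the self-assessment tool. It reports whether WDAC or AppLocker is actually enforcing on the device, then copies a known signed binary into Downloads and asks the effective AppLocker policy whether it would be allowed to run. It assumes an elevated Windows PowerShell 5.1 session on a Windows 10/11 device; the probe filename is made up.

```powershell
# Added example, not the assessment tool's code. Run elevated on the workstation.

# --- 1. WDAC (Windows Defender Application Control) -------------------------
# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit only, 2 = enforced
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
$wdac = switch ([int]$dg.CodeIntegrityPolicyEnforcementStatus) {
    0       { 'not configured' }
    1       { 'audit only (events logged, nothing blocked)' }
    2       { 'enforced' }
    default { 'unknown' }
}

# --- 2. AppLocker: the effective (local + Group Policy) policy as XML ---------
# No <RuleCollection Type="Exe"> or EnforcementMode="AuditOnly" means executables
# are not actually being blocked, however many rules have been written.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$applocker = if (-not $exe) { 'no executable rule collection' }
             else { "$($exe.EnforcementMode), $($exe.ChildNodes.Count) rule(s)" }
# AppLocker only enforces while the Application Identity service is running.
$appIdSvc = (Get-Service -Name AppIDSvc).Status

# --- 3. Probe: would a freshly downloaded binary be allowed to run? ----------
# Copy a real signed binary into Downloads (constructed test file) so that hash
# and publisher rules have something to evaluate, ask for a decision, clean up.
$probe = Join-Path $env:USERPROFILE 'Downloads\applocker-probe.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $probe -Force
$decision = Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $probe -User Everyone
Remove-Item -Path $probe -Force

[pscustomobject]@{
    WDAC           = $wdac
    AppLockerExe   = $applocker
    AppIDService   = $appIdSvc
    DownloadsProbe = $decision.PolicyDecision   # Allowed / Denied / DeniedByDefaultRule
}
```

On a device with the default AppLocker rule set (allow Program Files and Windows only) the probe should come back Denied or DeniedByDefaultRule. Allowed means either nothing is enforcing or a broad publisher rule (for example "anything signed by Microsoft") covers the copy, which is worth knowing in itself.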
02 Patch applications

How quickly are patches applied to web browsers, email clients, PDF readers and Microsoft Office?

Different question ·  This is about applications: Chrome, Edge, Firefox, Outlook, Word, Excel, PowerPoint, Adobe Reader. Question 6 later asks the same shape of question about operating systems (Windows, macOS, server OSes, network firmware). Answer this one for apps only.

Why it matters ·  A large share of intrusions exploit known vulnerabilities for which the vendor has already shipped a fix. The gap between a patch being released and being installed is where attackers operate.

What does this mean?
Not sure? "Patching" means installing the security updates that vendors (Microsoft, Adobe, browser makers) release. This question is about desktop apps specifically: Chrome / Edge / Firefox, Outlook, Word / Excel / PowerPoint, Adobe Reader. "Within 48 hours when an exploit exists" means: when a security issue is being actively used by attackers right now (a "known exploit"), you apply the patch within 2 days. Check how often your staff are prompted to restart for updates, and whether those updates actually go through.
03 Configure Microsoft Office macro settings

How are Microsoft Office macros managed across your organisation?

Why it matters ·  Macros have been a primary delivery mechanism for financially-motivated malware and ransomware for over a decade. Configuring them properly removes a whole class of attack.

What does this mean?
Not sure? A macro is a mini-program that runs inside a Word or Excel file. Useful for automation (a spreadsheet that auto-fills reports), but also one of the most common ways ransomware sneaks in: an attacker emails a "quote" or "invoice" with malicious macro code and hopes someone opens it. If your staff never use macros you probably want them disabled entirely; if a few people genuinely need them for work, those specific people should be allowlisted and the macros they run should be digitally signed by a trusted source (so random internet macros can't run even on their machine). Office has blocked macros in files downloaded from the internet by default since 2022, but a policy can switch that off and files arriving via archives or network shares may not carry the internet mark, so the block should be set explicitly rather than assumed.
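To see what the macro policy on a given machine actually says, rather than what you remember setting, here is an added PowerShell example (not part of the self-assessment tool). It reads the Office policy values that Group Policy or Intune write to the registry and decodes them in plain English. It assumes Office 2016 or later (registry version key 16.0); the value meanings are those documented in the Office ADMX templates, and both machine (HKLM) and user (HKCU) policy are reported so you can see where a setting comes from.

```powershell
# Added example, not the assessment tool's code. Works for a standard user session.

$vbaMeaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable with notification (the user can click Enable Content)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $found = $false
        foreach ($hive in 'HKLM', 'HKCU') {
            $key = "${hive}:\Software\Policies\Microsoft\Office\16.0\$app\Security"
            if (-not (Test-Path -Path $key)) { continue }
            $p    = Get-ItemProperty -Path $key
            $vba  = $p.VBAWarnings
            $motw = $p.blockcontentexecutionfrominternet
            if ($null -eq $vba -and $null -eq $motw) { continue }
            $found = $true
            [pscustomobject]@{
                App          = $app
                PolicySource = $hive
                MacroSetting = if ($null -ne $vba) { $vbaMeaning[[int]$vba] } else { 'not set by policy' }
                InternetFiles = if ($null -eq $motw) { 'not set by policy (Office default: blocked)' }
                                elseif ([int]$motw -eq 1) { 'macros blocked' }
                                else { 'block explicitly disabled (unsafe)' }
            }
        }
        if (-not $found) {
            # No policy at all: users get the shipped default and can click through.
            [pscustomobject]@{
                App = $app; PolicySource = 'none'
                MacroSetting = 'no policy: shipped default (disable with notification)'
                InternetFiles = 'not set by policy (Office default: blocked)'
            }
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Read the output against the question above: a row showing "no policy" for every app means macros are managed by user choice, not by you. Note that the trusted-publisher and allowlisted-user parts of the control live in Trust Center settings and group membership, which this check does not cover.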
04 User application hardening

Are browsers, Microsoft Office and PDF readers hardened beyond their default settings?

Why it matters ·  Hardening strips out features that have historically been attack surface without providing day-to-day value (legacy script engines, inactive add-ons, unrequired .NET versions).

What does this mean?
Not sure? "Hardening" means turning off features that are technically built into software but that your business doesn't actually need, and that attackers abuse. Examples: Java in the browser (rarely needed, widely exploited), legacy browsers and script engines such as Internet Explorer 11 and the PowerShell 2.0 engine, OLE object embedding in Office, ads and trackers in browsers. If your devices are on their default out-of-the-box settings, they're not hardened. If someone set up a policy (usually through Microsoft Intune or a Group Policy) that turns these off, they probably are. PowerShell Constrained Language Mode is a more advanced setting that limits what scripts can do.
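A quick way to tell "default out-of-the-box" from "someone set a policy" is to look at three of the hardening items directly. The following is an added PowerShell example, not part of the self-assessment tool: it reports the PowerShell language mode of the current session, whether the legacy PowerShell 2.0 engine is still installed, and the state of the Microsoft Defender Attack Surface Reduction rules that stop Office and Adobe Reader from spawning child processes, writing executables or injecting code. It assumes Windows 10/11 with Microsoft Defender and an elevated session; the ASR rule IDs are Microsoft's published identifiers, and the list of which rules to look for is this script's own choice.

```powershell
# Added example, not the assessment tool's code. Run elevated on the workstation.

# 1. Constrained Language Mode. A locked-down session reports 'ConstrainedLanguage';
#    'FullLanguage' for a standard user means CLM is not applied to them.
$langMode = $ExecutionContext.SessionState.LanguageMode

# 2. Legacy PowerShell 2.0 engine: if Enabled, attackers can sidestep CLM,
#    script block logging and AMSI by starting powershell -Version 2.
$psv2 = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).State

# 3. Defender ASR rules. Action codes: 0 = off, 1 = block, 2 = audit, 6 = warn.
$wanted = [ordered]@{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office apps creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Office apps creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Office apps injecting into other processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Adobe Reader creating child processes'
}
$actionName = @{ 0 = 'off'; 1 = 'block'; 2 = 'audit'; 6 = 'warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
$actions = @($pref.AttackSurfaceReductionRules_Actions)

$asr = foreach ($id in $wanted.Keys) {
    $i = [array]::IndexOf($ids, $id)
    [pscustomobject]@{
        Rule   = $wanted[$id]
        Status = if ($i -ge 0) { $actionName[[int]$actions[$i]] } else { 'not configured' }
    }
}

"PowerShell language mode : $langMode"
"PowerShell 2.0 engine    : $psv2"
$asr | Format-Table -AutoSize
```

Anything other than "block" on those ASR rows, or an Enabled 2.0 engine, is a concrete item to hand to whoever manages Intune or Group Policy. Run the language-mode part as a normal user too, since that is the session an attacker's macro would get.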
05 Restrict administrative privileges

How are administrator privileges managed across your network?

Why it matters ·  An attacker who compromises a normal user can encrypt what that user can reach. An attacker who compromises an administrator can encrypt the organisation. Keeping the admin count small, named and audited does more than any other single control to limit how far a breach spreads.

What does this mean?
Not sure? An administrator account can install software, change settings, create other users and generally do anything on a network. If most of your staff can install software on their own laptops, they are probably running with admin rights all day, which also means any malware that reaches them inherits admin rights. A better pattern: regular day-to-day accounts with no admin rights, plus a separate admin account that's only used when someone genuinely needs to do IT admin. Just-in-time (JIT) admin is when the admin role is granted temporarily (say 30 minutes) and automatically revoked.
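The "are my staff running as admin all day?" question has a direct answer on each workstation. The following is an added PowerShell example, not part of the self-assessment tool: it reports whether the account you are logged in with is an administrator and lists everyone in the local Administrators group, flagging individual user accounts (as opposed to groups and the built-in Administrator) that have standing admin rights. It assumes Windows 10/11 or Server 2016+ with the built-in LocalAccounts module.

```powershell
# Added example, not the assessment tool's code. Works from a standard user session.

function Test-CurrentUserIsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    # SilentlyContinue: orphaned SIDs of deleted domain accounts make
    # Get-LocalGroupMember throw, and we still want the rest of the list.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        # RID 500 is the built-in Administrator account (normally disabled on workstations).
        $isBuiltIn = $m.SID.Value -like 'S-1-5-21-*-500'
        [pscustomobject]@{
            Name   = $m.Name
            Type   = $m.ObjectClass        # User or Group
            Source = $m.PrincipalSource    # Local, ActiveDirectory, MicrosoftAccount, ...
            # A named user here is what the text calls "running with admin rights all day";
            # each one needs a written reason or should move to a separate admin account.
            Flag   = if ($m.ObjectClass -eq 'User' -and -not $isBuiltIn) { 'REVIEW: standing admin user' }
                     elseif ($m.ObjectClass -eq 'Group') { 'ok if group membership is controlled' }
                     else { '' }
        }
    }
}

"Current user ($env:USERNAME) is admin: $(Test-CurrentUserIsAdmin)"
Get-LocalAdminReport | Format-Table -AutoSize
```

Run it on a handful of ordinary staff laptops. If the logged-in user is an admin on most of them, or the group lists named people rather than a controlled group, that is your answer to question 5 regardless of what the policy document says.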
06 Patch operating systems

How quickly are operating system patches applied to workstations, servers and network devices?

Different question ·  This is the operating system, not the apps on top of it. Windows, macOS, Linux server OSes, and the firmware on routers, firewalls and switches. Question 2 earlier covered Chrome, Office, Adobe Reader and the like. The two patch questions have the same shape on purpose, because many businesses sit at different maturity levels on them.

Why it matters ·  The operating system is the foundation everything else runs on. An unpatched OS means every application running on it inherits the vulnerability.

What does this mean?
Not sure? The operating system is Windows, macOS, Linux, or the firmware on network equipment like routers, firewalls and access points. "Patching" the OS is installing the security updates Microsoft / Apple / your hardware vendor releases. Ask: does your IT person (or provider) actually track when patches come out and confirm they've been installed? Or do staff click "remind me later" indefinitely on their own laptops? End-of-life means the vendor has stopped releasing security patches entirely (Windows Server 2012 and 2012 R2 since October 2023; Windows 10 from 14 October 2025); anything still running on EOL software is a sitting duck.
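To turn "remind me later" into a number, the following added PowerShell example (not part of the self-assessment tool) reports what a Windows machine is running, when its last recorded update was installed, and whether that product is past end of support. It assumes Windows 10/11 or Server 2016+. The end-of-support dates are Microsoft's published lifecycle dates for the products in the table (the Windows 10 date is for the final 22H2 release; LTSC editions and paid Extended Security Updates run later); the 14-day staleness threshold is this script's own setting, not an ACSC figure.

```powershell
# Added example, not the assessment tool's code. Works from a standard user session.

$eol = @{
    'Windows Server 2012 R2' = [datetime]'2023-10-10'
    'Windows Server 2012'    = [datetime]'2023-10-10'
    'Windows Server 2016'    = [datetime]'2027-01-12'
    'Windows Server 2019'    = [datetime]'2029-01-09'
    'Windows Server 2022'    = [datetime]'2031-10-14'
    'Windows 10'             = [datetime]'2025-10-14'   # 22H2; LTSC / ESU differ
}

function Get-PatchStatus {
    param([int]$WarnAfterDays = 14)   # script's own threshold; adjust to your policy
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $caption = $os.Caption            # e.g. "Microsoft Windows 10 Pro"

    # Get-HotFix reads Win32_QuickFixEngineering; some rows carry no date, and
    # it does not see every update type, so treat the result as a lower bound.
    $last = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1
    $daysSince = if ($last) { [int]((Get-Date) - $last.InstalledOn).TotalDays } else { $null }

    # Longest product name first so "Windows Server 2012 R2" wins over "Windows Server 2012".
    $product = $eol.Keys | Sort-Object -Property Length -Descending |
        Where-Object { $caption -like "*$_*" } | Select-Object -First 1
    $support = if ($product) {
        if ((Get-Date) -gt $eol[$product]) { "END OF LIFE since $($eol[$product].ToString('yyyy-MM-dd'))" }
        else { "supported until $($eol[$product].ToString('yyyy-MM-dd'))" }
    } else { 'not in table: check vendor lifecycle' }

    [pscustomobject]@{
        OS              = $caption
        Build           = $os.BuildNumber
        LastUpdate      = if ($last) { "$($last.HotFixID) on $($last.InstalledOn.ToString('yyyy-MM-dd'))" }
                          else { 'none recorded' }
        DaysSinceUpdate = $daysSince
        Stale           = ($null -eq $daysSince -or $daysSince -gt $WarnAfterDays)
        Support         = $support
    }
}

Get-PatchStatus
```

A fleet-wide version of this (run through your RMM or Intune scripts) is what an auditor means by "evidence" for this control: dates per device, not a statement that updates are turned on.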
07 Multi-factor authentication

Where is MFA enforced across your environment?

Why it matters ·  Password theft via phishing remains one of the most common routes to compromise. MFA means a stolen password alone is not enough; phishing-resistant MFA means the second factor cannot be relayed through a fake login page either.

What does this mean?
Not sure? MFA (multi-factor authentication) is when you log in with your password plus a second thing, typically a code or approval prompt from Microsoft Authenticator / Google Authenticator, an SMS code, or a hardware key. Phishing-resistant MFA is the stronger kind: a FIDO2 hardware security key (YubiKey, Feitian) or passkey, Windows Hello for Business, or a smartcard / certificate. These bind the login to the genuine site, so a fake login page cannot capture or replay them. SMS codes, one-time codes you type into a page, and push approvals (even with number matching) are not phishing-resistant; attackers proxy them through adversary-in-the-middle phishing kits routinely now. If your staff are prompted for a code every time they log in to Microsoft 365, that's a form of MFA; if that's all you have, you're probably at ML1 or below.
08 Regular backups

How are your backups managed and tested?

Why it matters ·  Ransomware exists, hardware fails, people make mistakes. A backup is a hope until it has been restored. The testing is the whole game.

What does this mean?
Not sure? "Backups" cover your files, your Microsoft 365 email and SharePoint, any databases, and your server configurations. The key question isn't whether backups exist; nearly everyone has something running. It's whether they've actually been restored in a test: has someone recently taken a backup, pretended a disaster happened, and recovered the data to prove the backup works? Many businesses discover their backup has been silently broken for months only when they actually need it. Also ask who can delete them: if your backups sit on a share that everyday admin accounts can modify, ransomware that compromises one of those accounts will delete or encrypt the backups too, so the backup copy needs to live somewhere those accounts cannot write.

Answer every question honestly. The PDF only reflects what you put in.

How this is scored

The ACSC scores the Essential Eight as a package: your overall maturity is the lowest control score, not an average. Being ML2 on seven controls and ML0 on one puts you at ML0 overall. This tool reflects that: the overall estimate is the floor across your eight answers. The numbered maturity levels map approximately to the ACSC Essential Eight Maturity Model (November 2023); for the full authoritative text, see the ACSC website.

This is a self-assessment, not a formal audit. The actual maturity an auditor, insurer or regulator would give you depends on evidence and control effectiveness, not just self-report. We run the full version of this assessment as part of our Essential Eight service.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
