Cyber Smart Solutions
CYBER SMART ESSENTIAL 8 ASSESSMENT PROCESS

As recommended by the Australian Signals Directorate (ASD)

Although the approach to conducting an assessment depends on the size and complexity of the organisation, there are foundational principles common to every assessment. As a baseline, Cyber Smart incorporates the guidance provided by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC), but also applies our own judgement and expertise.

Evidence Quality

In conducting an assessment, Cyber Smart gathers and reviews credible evidence to support the conclusions we draw on the effectiveness of controls. We seek to gather and use the highest quality evidence where reasonably practicable and where the budget allows. The four levels of evidence quality are as follows:

Excellent Evidence: Testing a control with a simulated activity designed to confirm it is in place and effective.

Good Evidence: Reviewing the configuration of a system through the system's interface to determine whether it should enforce an expected policy.

Fair Evidence: Reviewing a copy of a system's configuration (e.g. using reports or screenshots) to determine whether it should enforce an expected policy.

Poor Evidence: A policy or verbal statement of intent (e.g. sighting a mention of controls within documentation, or controls being discussed during interviews with personnel administering or managing system security).


Determining effective implementation of mitigation strategies

Upon conclusion of the assessment activities, Cyber Smart will provide you with a report determining whether the mitigation strategies you have in place were effective or not. This determination requires a combination of judgment and consideration of the following factors:

  • adoption of a risk-based approach to the implementation of mitigation strategies
  • ability to test the mitigation strategies across an accurate, representative sample of workstations (including laptops), servers and network devices
  • level of assurance gained from assessment activities and any evidence provided (noting the quality of evidence)
  • any exceptions, including associated compensating controls, and whether they have been accepted by an appropriate authority as part of a formal exception process.

Cyber Smart uses ASD's standardised recommended assessment outcomes, which are:

  1. Not assessed: The control has not yet been assessed.
  2. Effective: The organisation is effectively meeting the control's objective.
  3. Alternate control: The organisation is effectively meeting the control's objective through an alternate control.
  4. Ineffective: The organisation is not adequately meeting the control's objective.
  5. No visibility: Cyber Smart was unable to obtain adequate visibility of a control's implementation.
  6. Not implemented: The organisation has decided not to implement the control.
  7. Not applicable: The control does not apply to the system or environment.


Please Note: Cyber Smart does not allow risk acceptance as a justification for not implementing an entire mitigation strategy. For a system owner to claim they have implemented a mitigation strategy, all controls specified within the mitigation strategy must be assessed as 'effective' or 'alternate control'. In turn, this applies to the determination of whether a system owner has met the target maturity level for their system (i.e. if one or more mitigation strategies are deemed not to have been implemented, then the target maturity level for the system cannot be claimed to have been met).
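The decision rule above, written out in Python as an added illustration (this is not Cyber Smart's or ASD's code): every control in a mitigation strategy must be assessed 'Effective' or 'Alternate control' for the strategy to count as implemented, and one blocked strategy is enough to deny the target maturity level. Controls assessed 'Not applicable' are excluded from the check, which is an assumption since the page does not say how they are treated; the strategy names and control ids in the sample data are constructed.

```python
from enum import Enum


class Outcome(Enum):
    """ASD's seven standardised assessment outcomes, as listed on this page."""
    NOT_ASSESSED = "Not assessed"
    EFFECTIVE = "Effective"
    ALTERNATE_CONTROL = "Alternate control"
    INEFFECTIVE = "Ineffective"
    NO_VISIBILITY = "No visibility"
    NOT_IMPLEMENTED = "Not implemented"
    NOT_APPLICABLE = "Not applicable"


# Only these two outcomes let a control count towards an implemented strategy;
# a risk-accepted gap is deliberately not a passing outcome.
PASSING = {Outcome.EFFECTIVE, Outcome.ALTERNATE_CONTROL}


def failing_controls(controls):
    """Return the (control, outcome) pairs that block a strategy from being
    claimed as implemented. 'Not applicable' controls are skipped (assumption)."""
    return [(ctrl, out.value) for ctrl, out in controls.items()
            if out != Outcome.NOT_APPLICABLE and out not in PASSING]


def assess_maturity(target_level, strategies):
    """strategies maps each mitigation strategy name to {control id: Outcome}.
    Returns (target met, blockers per strategy). There is no partial credit:
    one blocked strategy means the target maturity level cannot be claimed."""
    blockers = {name: failing_controls(ctrls) for name, ctrls in strategies.items()}
    blockers = {name: bad for name, bad in blockers.items() if bad}
    return not blockers, blockers


# Constructed sample: three strategies assessed against Maturity Level One.
SAMPLE = {
    "Patch applications": {"control 1": Outcome.EFFECTIVE,
                           "control 2": Outcome.ALTERNATE_CONTROL},
    "Multi-factor authentication": {"control 1": Outcome.EFFECTIVE,
                                    "control 2": Outcome.INEFFECTIVE,     # blocks the strategy
                                    "control 3": Outcome.NOT_APPLICABLE},  # excluded from the check
    "Regular backups": {"control 1": Outcome.NOT_ASSESSED},  # unassessed counts as unmet
}

if __name__ == "__main__":
    met, blockers = assess_maturity(1, SAMPLE)
    print(f"Maturity Level 1 met: {met}")
    for strategy, bad in blockers.items():
        print(f"  {strategy}: " + ", ".join(f"{c} is {o}" for c, o in bad))
```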


Stages of an assessment

At a high level, an assessment comprises four stages:

  • Stage 1: Cyber Smart plans and prepares for the assessment.
  • Stage 2: Cyber Smart determines the scope (i.e. assessment boundary) and approach for the assessment.
  • Stage 3: Cyber Smart assesses the controls associated with each of the mitigation strategies.
  • Stage 4: Cyber Smart develops the Essential Eight Assessment Report.

Please see below a sample of the Essential Eight Assessment Report.

Essential Eight Sample Assessment Report

  • Stages of an assessment (pdf)
  • Essential Eight Assessment Report Template (pdf)

Essential Eight Maturity Model and Assessment

Maturity Levels Explained

The Australian Signals Directorate (ASD) has developed the Strategies to Mitigate Cyber Security Incidents, which include the highly effective Essential Eight framework. Designed to safeguard internet-connected IT networks, the Essential Eight consists of complementary mitigation strategies aimed at addressing various cyber threats. Although these principles can be applied to enterprise mobility and operational technology environments, they are not specifically designed for such contexts, and alternative strategies may be more appropriate. The Essential Eight Maturity Model, first introduced in 2017 and regularly updated, provides a structured approach to implementing these strategies based on ASD’s extensive experience in cyber threat intelligence and incident response.

To adopt the Essential Eight, organisations should identify a suitable target maturity level and progressively implement each level until the target is reached. The framework’s maturity levels, ranging from Zero to Three, are designed to counter varying levels of tradecraft and targeting by malicious actors. While achieving higher maturity levels enhances protection, no implementation guarantees complete immunity from cyber threats. Organisations are encouraged to use a risk-based approach, document exceptions, and consider additional controls from the broader Strategies to Mitigate Cyber Security Incidents and the Information Security Manual. Ultimately, organisations should tailor their approach to their specific risks, balancing security needs with operational requirements.

Comparison of maturity levels

Level 0 (UNPROTECTED)

Maturity Level Zero represents the starting point within the Essential Eight Maturity Model and signifies that an organisation has not effectively implemented any of the mitigation strategies. At this level, there are significant gaps in cyber security measures, leaving the organisation highly vulnerable to even basic cyber threats.

Organisations at Maturity Level Zero lack the foundational controls necessary to prevent or mitigate common cyber incidents, such as ransomware, phishing, or malware attacks. This level reflects an environment where cyber security practices are either absent, inconsistent, or insufficiently planned and executed, exposing systems, networks, and data to potential compromise.

When exploited, these weaknesses could facilitate the compromise of the confidentiality of the organisation's data, or the integrity or availability of its systems and data, as described by the tradecraft and targeting in Maturity Level One below.

Level 1 (BASIC)

The focus of this maturity level is malicious actors who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, a system. For example, malicious actors opportunistically using a publicly-available exploit for a vulnerability in an online service which had not been patched, or authenticating to an online service using credentials that were stolen, reused, brute forced or guessed.

Generally, malicious actors are looking for any victim rather than a specific victim and will opportunistically seek common weaknesses in many targets rather than investing heavily in gaining access to a specific target. Malicious actors will employ common social engineering techniques to trick users into weakening the security of a system and launching malicious applications. If user accounts that malicious actors compromise have special privileges, they will exploit them. Depending on their intent, malicious actors may also destroy data (including backups).

Level 2 (STRONGER)

The focus of this maturity level is malicious actors operating with a modest step-up in capability from the previous maturity level. These malicious actors are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools. For example, these malicious actors will likely employ well-known tradecraft in order to better attempt to bypass controls implemented by a target and evade detection. This includes actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication.

Generally, malicious actors are likely to be more selective in their targeting but still somewhat conservative in the time, money and effort they may invest in a target. Malicious actors will likely invest time to ensure their phishing is effective and employ common social engineering techniques to trick users into weakening the security of a system and launching malicious applications. If user accounts that malicious actors compromise have special privileges, they will exploit them; otherwise they will seek user accounts with special privileges. Depending on their intent, malicious actors may also destroy all data (including backups) accessible to a user account with special privileges.

Level 3 (ADVANCED)

The focus of this maturity level is malicious actors who are more adaptive and much less reliant on public tools and techniques. These malicious actors are able to exploit the opportunities provided by weaknesses in their target’s cyber security posture, such as the existence of older software or inadequate logging and monitoring. Malicious actors do this to not only extend their access once initial access has been gained to a target, but to evade detection and solidify their presence. Malicious actors make swift use of exploits when they become publicly available as well as other tradecraft that can improve their chance of success.

Generally, malicious actors may be more focused on particular targets and, more importantly, are willing and able to invest some effort into circumventing the idiosyncrasies and particular policy and technical controls implemented by their targets. For example, this includes social engineering a user to not only open a malicious document but also to unknowingly assist in bypassing controls. This can also include circumventing stronger multi-factor authentication by stealing authentication token values to impersonate a user. Once a foothold is gained on a system, malicious actors will seek to gain privileged credentials or password hashes, pivot to other parts of a network, and cover their tracks. Depending on their intent, malicious actors may also destroy all data (including backups).

Maturity Level Requirements and Comparisons

  • Requirements - Maturity Level One (pdf)
  • Requirements - Maturity Level Two (pdf)
  • Requirements - Maturity Level Three (pdf)
  • Comparison of maturity levels (pdf)

Cyber Smart Solutions PTY LTD

A.C.N. 682 850 728

Copyright © 2025 Cyber Smart Solutions - All Rights Reserved.