The Australian Signals Directorate (ASD), through the Australian Cyber Security Centre (ACSC), has released the Essential Eight Assessment Guidance Package. This comprehensive guidance continues our effort to help build Australia's cyber resilience and mitigate against common cyber threats. It supports entities to gather and test system configurations and record maturity levels. This package includes:
- Essential Eight Assessment Process Guide - This guide provides assessors with detailed assessment methods for each security control within the Essential Eight. Multiple approaches for testing each security control is provided for instances in which the preferred option is unavailable. The guide also provides detailed information for assessors to assess the use of compensating controls in the context of the intent of the Essential Eight Maturity Model.
- Essential Eight Assessment Report Template - This template highlights the content requirements expected to be covered within an Essential Eight Assessment Report. It helps standardise and improve the consistency of assessment reports and the interpretation of results.
These resources will enable a high quality, consistent approach for entities to assess the effectiveness of their implementation of the Essential Eight security controls. By utilising the guidance, tools and templates, entities will be well positioned to target their security remediation activities based on the identification of control weaknesses and misconfigurations. This will lead to a stronger cyber security posture.
This guidance package complements the ACSC's Cyber Toolbox, a suite of tools that supports entities self-assess their maturity level in line with Essential Eight mitigation strategies. The toolbox is comprised of the Essential Eight Maturity Verification Tool (E8MVT) and the Application Control Verification Tool (ACVT), which can be used by technical professionals to automate the testing and assessment of an entities cyber security posture against five of the eight mitigation strategies on a Microsoft Windows system. Access to this capability through the ACSC Partner Portal is being expanded to new Network Partners.
The ACSC suggests that, under the Essential Eight Maturity Model, system owners can adopt compensating controls instead of the specific Essential Eight requirements. However, they will need to demonstrate that their compensating controls provide an equivalent level of protection with respect to the specific Essential Eight requirements.
Additionally, the ACSC will soon release the Small Business Cloud Security Guides. These guides are a suite of publications that will equip Australian organisations with ways to improve their cyber security posture and resilience. They will also assist small businesses secure their systems and data by providing step-by-step examples on how to harden a Microsoft 365 cloud environment to meet the intent of the Essential Eight Maturity Level 1. The Small Business Cloud Security Guides are expected to be released before the end of 2022.
ASD, through the ACSC, is committed to providing technical cyber security advice and assistance to government and industry. If you are interested in becoming an ACSC Partner and accessing additional cyber security products and services, you can sign up to join the ACSC Partner Program.