The Essential Eight

The ACSC has developed and published the Essential Eight strategies for mitigating cyber incidents. The Essential Eight are embedded in Mandatory Requirements 3.3 to 3.10. Agencies must implement the Essential Eight to applicable ICT environments with a minimum requirement of Level 1 maturity, as part of the baseline set in the Mandatory Requirements. Mitigation strategies for Level 2 and Level 3 maturity should then be considered alongside other mitigation strategies based on the threats and risks identified by the agency as part of the threat-based requirements (see Threat-based cyber risk management). 

The Mandatory Requirements aligned to the Essential Eight maturity level 1 in the NSW Cyber Security Policy are mapped to the controls taken from the December 2024 release of the Information Security Manual (ISM). Agencies must report against these, per the Mandatory Requirements. Cyber Security NSW will review changes made on an annual basis for any adjustments to be incorporated for the next reporting period. 

The Essential Eight controls are subject to annual review by the ACSC. Updates to the Essential Eight are often guided by changes in the threat environment and informed by evidence, including information about incidents observed by the ACSC. As such, agencies should assess changes and prioritise implementation of new or adjusted requirements as part of their risk management processes.