Observations
The ASD’s Essential Eight has transcended its origins as a guidance document to become a quasi-regulatory standard in Australia. For non-corporate Commonwealth entities (NCCEs), compliance with these strategies is mandatory, subject to audit and parliamentary oversight. For the private sector, particularly those falling under the critical infrastructure definition, the Essential Eight serves as a benchmark for reasonable steps to protect systems of national significance.
The Essential Eight strategies are designed to target the most prevalent tradecraft used by adversaries, but they are primarily outcome-focused rather than a guide to implementing and sustaining a robust cyber security program.
The Essential Eight – an Outcomes-Focused Approach
As an example of the limitations of the Essential Eight’s outcomes-focused approach, the Essential Eight dictates patching critical vulnerabilities in applications within 48 hours, but it does not mandate the asset management required to know what to patch or how to achieve this outcome. Effective patching presupposes a near-perfect inventory of all software assets, a capability that many organisations lack and that the Essential Eight does not mandate. While the ASD’s more comprehensive Information Security Manual (ISM) provides guidance for asset management, it too fails to provide the how. The gap between this high-level mandate and the messy reality of legacy IT environments is where many Australian organisations fail. They often attempt to implement advanced controls without the foundational maturity in asset management and other critical foundational controls, leading to operational friction and security gaps.
Why Consider the CIS Critical Security Controls (CIS 18)
CIS 18 is a globally recognised, community-driven framework consisting of 18 prioritised defensive actions and 153 specific safeguards, designed to mitigate the most pervasive and dangerous cyber threats facing modern organisations. Developed by the Center for Internet Security (CIS), the framework translates complex security principles into a set of actionable, measurable safeguards, organised into three tiered implementation groups (IGs) that provide a scalable on-ramp for organisations of varying sizes and resource levels. Unlike abstract high-level standards, the CIS 18 focuses on the practical technical controls, such as asset inventory, data protection, and incident response, that are proven to stop the most common attack vectors, while maintaining close alignment with major regulatory frameworks such as NIST and ISO 27001, which, like the Essential Eight, also focus on the what and not the how.
Foundational Dependencies
A primary reason Australian organisations fail to sustain Essential Eight maturity is attempting to implement the specific guidance without addressing the underlying technical dependencies required to achieve the outcome. The CIS 18 roadmap recognises that you cannot control what you do not know you have. Thus, the implementation of CIS Control 1 (enterprise assets) and Control 2 (software assets) is an obvious, non-negotiable prerequisite for every Essential Eight strategy.
By following the CIS roadmap, an organisation can build the foundations required to support the Essential Eight, ensuring that efforts like application allow-listing are supported by a near-perfect inventory, avoiding business disruption and persistent security gaps. The following table shows the dependency of each Essential Eight strategy on just the first two CIS 18 controls.
| Essential Eight Strategy | CIS Control | Why it is Critical |
| --- | --- | --- |
| Application Control | CIS 2 | The Allow-list Problem: You cannot create a rule to ‘allow only authorised software’ if you don’t have a definitive software inventory. CIS 2.1 provides the baseline of known-good software needed to build your execution policies. |
| Patch Applications | CIS 1 & 2 | The Visibility Gap: You cannot patch software you don’t know is installed. CIS 2 identifies the specific versions/titles, while CIS 1 ensures every physical device is accounted for so that no shadow IT remains unpatched. |
| Patch Operating Systems | CIS 1 | Scanning Coverage: Essential Eight Maturity Levels 2 and 3 explicitly require ‘automated asset discovery’. CIS 1.1 and 1.3 provide mechanisms to identify all servers and workstations and ensure they receive OS updates. |
| Configure MS Office Macros | CIS 2 | Targeting: Hardening macros requires knowing exactly which machines have MS Office installed. CIS 2 allows you to target these specific assets for policy enforcement rather than guessing where the risk lies. |
| User Application Hardening | CIS 2 | Surface Area Identification: This strategy targets web browsers and PDF readers. CIS 2 identifies all end-of-life (unsupported) browsers or unauthorised PDF viewers that must be removed before hardening can begin. |
| Restrict Admin Privileges | CIS 1 | Account Sprawl: Local administrative accounts are tied to specific hardware. CIS 1 identifies the total pool of workstations and servers that must be audited and have these high-risk privileges revoked. |
| Multi-factor Authentication | CIS 1 & 2 | Entry Point Mapping: MFA is required for ‘internet-facing services’. CIS 1 and 2 identify the servers and web applications exposed to the internet, thereby defining exactly where MFA must be enforced. |
| Regular Backups | CIS 1 & 2 | The Scope of Protection: To meet the Essential Eight requirement for backing up critical data, you must first use CIS 1 and 2 to identify where that data lives (e.g., which specific server hosts the database or file share). |
Closing the Gaps Beyond the Essential Eight
The Essential Eight is a prioritised baseline but is not an exhaustive security program. It purposely omits critical areas such as security awareness, incident response, and audit logging. Although the ISM offers a broader range of security requirements, it too, like the Essential Eight, fails to provide the direct, single-action instructions that define the CIS 18’s technical how-to approach. The CIS roadmap fills these gaps to provide a truly robust operating model. For instance, CIS Control 14 (security awareness) addresses the human element of phishing, while CIS Control 17 (incident response) ensures that when defences fail, the organisation can detect and recover. By incorporating these into the roadmap, Australian organisations move beyond a simple checklist to achieve genuine cyber resilience, ensuring all common attack vectors are addressed.
Scalable Maturity
The CIS 18 framework is specifically designed to be achievable for organisations of all sizes and budgets, through its three-tiered implementation group (IG) structure. Implementation group 1 (IG1) defines essential cyber hygiene, consisting of 56 safeguards that are typically achievable with limited resources and existing tools. This provides a cost-effective on-ramp for Australian small to medium enterprises (SMEs), ensuring they are not overwhelmed by complex documentation requirements. As an organisation matures and grows or its risk profile increases, the roadmap scales to IG2 (74 additional safeguards) and IG3 (23 additional safeguards). This ensures that initial investments in IG1 are not wasted but serve as the foundation for more advanced safeguards required for critical infrastructure or lower risk appetites. While not an official government mapping, the following table highlights the strong correlation between the technical safeguards of the CIS 18 (IGs) and the strategic outcomes of the Essential Eight.
| CIS Implementation Group | Essential Eight Maturity Level | Alignment |
| --- | --- | --- |
| IG1: Essential Cyber Hygiene | Maturity Level 1 | The Baseline: Both target small-to-medium organisations facing opportunistic threats. IG1 provides the 56 basic safeguards (such as asset discovery) that enable an organisation to achieve the Essential Eight ML1 outcomes. |
| IG2: Moderate Complexity | Maturity Level 2 | The Operational Shift: Both are aimed at organisations with dedicated IT staff and more sensitive data. IG2 introduces more advanced logging and authentication controls that directly support the Essential Eight ML2 requirements. |
| IG3: High Sensitivity | Maturity Level 3 | Advanced Defence: Targeted at critical infrastructure and large enterprises. IG3 includes advanced safeguards for incident response and penetration testing, which are required to defend against the sophisticated adaptive adversaries described in Essential Eight ML3. |
Translating Technical Progress into Executive Value
The CIS 18 roadmap provides the metrics necessary to translate technical activity into business value for boards and senior leadership. The CIS roadmap is not based on theory but on the Community Defense Model (CDM), which uses global threat data to ensure defensive recommendations remain relevant. This model maps safeguards to the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, providing a mathematical calculation of effectiveness. For Australian organisations concerned with ransomware, the roadmap provides a clear, measurable win: implementing the 56 safeguards in IG1 defends against 78 per cent of the techniques used in ransomware attacks [2]. The framework also facilitates precise and tangible measurement of KPIs, such as “92 per cent implementation of IG1 safeguards” or “100 per cent MFA coverage for admin accounts”. These metrics allow for the creation of heat map dashboards that show maturity at a glance. This moves the conversation from the abstract to concrete, measurable risk reduction, enabling technical staff to show precisely how their efforts are mitigating the most prevalent attack types.
A Universal Language for Supply Chain Trust
In an increasingly interwoven digital economy, a security framework must communicate trust to customers and partners both locally and globally. While the Essential Eight is the local standard for what must be achieved, the CIS 18 is a globally recognised framework. Aligning with the CIS 18 roadmap enables Australian government agencies and businesses to respond efficiently to international vendor risk assessments, such as the standardised information gathering (SIG) and the consensus assessments initiative questionnaire (CAIQ). By stating they align with CIS IG1, organisations provide a shorthand for maturity that international partners immediately understand. This establishes immediate trust and reduces the friction of international sales cycles by demonstrating adherence to a global standard.
Precise Instructions for Technical Implementation
For IT staff, the CIS roadmap provides actionable guidance through the principle of one ask per safeguard. This eliminates the ambiguity that plagues the high-level mandates of the Essential Eight and ISM. For example, instead of a general instruction to “secure configurations”, CIS safeguard 4.5 provides specific requirements for host-based firewalls. This level of detail, combined with CIS benchmarks for over 100 technologies, enables technical staff to configure systems precisely without interpreting intent. The CIS benchmarks are highly detailed, vendor-specific technical hardening guides that provide the exact configuration settings required to secure a specific technology. By providing a clear roadmap and delivery guides, the CIS 18 allows organisations to create a logical sequence of activities based on their priorities, communicate progress to stakeholders, and thereby significantly accelerate their cyber security programs.
A Continuous Operating Model
The CIS 18 roadmap integrates a dedicated govern function aligned with NIST CSF 2.0, ensuring security is an organisational strategy rather than an ad hoc task. This function mandates that processes for asset inventory and data protection are established and maintained as part of the management system. The CIS 18 provides a comprehensive set of policy templates that map directly to technical controls, allowing organisations to document their program for auditors quickly. By using tools like the CIS-hosted CSAT [3], a web-based application that tracks and prioritises their implementation and provides automated reporting and benchmarking against industry averages, organisations can track their maturity over time and ensure that their security posture continuously adapts to new threats.
Next Steps
- Establish your baseline control maturity by scoring your organisation against the 56 essential cyber hygiene safeguards, identifying the foundational design debt currently blocking your Essential Eight progress.
- Deploy the CIS Configuration Assessment Tool (CIS-CAT Pro) to scan for configuration gaps against the granular CIS benchmarks, ensuring that the technical how of your system settings matches the strategic what of your security policy.
- Use the CIS 18 community defence model (CDM) data to present a formal return-on-investment (ROI) model to your board, demonstrating how following the CIS roadmap will provide a quantifiable reduction in susceptibility to ransomware.
Footnotes
1. ‘CIS Critical Security Controls Version 8’, Center for Internet Security, 2025.
2. ‘CIS Community Defense Model 2.0’, Center for Internet Security, 2021.
3. ‘CIS-Hosted CSAT Guide’, Center for Internet Security, 2025.
