The Essential Eight is measured on a maturity scale from Zero to Three. For most small and medium businesses, Maturity Level One is the right first goal — it blocks the bulk of opportunistic attacks without enterprise budgets. Here is what each strategy requires to reach it.

Key takeaways
  • Maturity Level One targets common, opportunistic attacks using widely available tools.
  • You are only as mature as your weakest of the eight strategies.
  • Most Level One controls are configuration and discipline, not expensive tooling.
  • Backups at Level One must be regular, retained, and restoration-tested.

How the maturity model works

The ACSC defines four levels. Level Zero means there are weaknesses in your overall posture that commodity tradecraft would exploit. Level One mitigates attackers using off-the-shelf tools and techniques that need no tailoring to the target. Levels Two and Three address increasingly targeted and capable adversaries. Your overall rating is set by your lowest scoring strategy, and the ACSC recommends reaching the same level across all eight before pushing any one of them higher: balance matters more than excelling at one.

A strategy-by-strategy checklist

  1. Application control — at minimum, prevent executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets from running out of standard user profiles and the temporary folders used by the operating system, web browsers and email clients.
  2. Patch applications — patch internet-facing services within 48 hours if an exploit exists, otherwise within two weeks; patch office suites, browsers and their extensions, email clients, PDF software and security products within two weeks; remove applications the vendor no longer supports.
  3. Office macros — disable macros for users without a demonstrated business need; for everyone, block macros in files that came from the internet, keep macro antivirus scanning on, and make sure users cannot change these settings themselves.
  4. User application hardening — browsers must not process Java or web ads from the internet; disable or remove legacy components such as Flash and Internet Explorer 11; lock browser security settings so users cannot change them.
  5. Restrict admin privileges — validate every request for privileged access; keep privileged accounts off email, the internet and web services; give admins separate privileged and unprivileged accounts and environments, and do not let one log on to the other.
  6. Patch operating systems — internet-facing servers and network devices within 48 hours if an exploit exists, otherwise two weeks; workstations and internal servers within a month; replace operating systems the vendor no longer supports.
  7. Multi-factor authentication — enforce MFA for users of your own internet-facing services (remote access included) and of third-party internet-facing services that process or store your sensitive data; MFA for privileged users and for important data repositories is required at the higher levels, but is cheap to add now if the platform supports it.
  8. Regular backups — back up important data, software and configuration settings at a frequency set by your business continuity requirements (your tolerance for loss); retain them; test restoration.
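The Office macro item above is pure configuration, and it is the one most often left half done: macros get "disabled with notification" (so a user can still click through) and the internet block is never set. The script below is an added example written for this article, not ACSC tooling, and it assumes Office 2016/2019/Microsoft 365 on Windows, whose policy settings live under the `16.0` hive. It writes the same registry values the Group Policy templates write, so the settings show up greyed out in the Trust Center and users cannot change them, which is itself a Level One requirement. `VBAWarnings` of 4 is "disable all without notification"; 3 is "disable all except digitally signed" for the few users with a demonstrated need; `blockcontentexecutionfrominternet` of 1 blocks macros in any file carrying the Mark of the Web.

```powershell
# Added example for this article (not ACSC or vendor code). Assumes Office
# 2016/2019/365 ("16.0" policy hive) on Windows. Run as the user for HKCU, or
# elevated with -Hive HKLM to apply machine-wide.
$OfficeVersion = "16.0"
$Apps = @("Word", "Excel", "PowerPoint")   # the apps the internet-block policy covers

function Get-MacroPolicyState {
    param([string]$Hive = "HKCU")
    foreach ($app in $Apps) {
        $key   = "${Hive}:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba   = $props.VBAWarnings
        $block = $props.blockcontentexecutionfrominternet
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $vba      # $null means "not enforced by policy" (weak: user-controlled)
            BlockFromInternet = $block
            # Level One: internet block on for everyone, and macros either fully
            # disabled (4) or restricted to signed macros (3) for approved users.
            MeetsLevelOne     = ($block -eq 1) -and ($vba -in 3, 4)
        }
    }
}

function Set-MacroPolicyLevelOne {
    param(
        [string]$Hive = "HKCU",
        [switch]$UserHasBusinessNeed   # approved macro users still get the internet block
    )
    foreach ($app in $Apps) {
        $key = "${Hive}:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $vba = if ($UserHasBusinessNeed) { 3 } else { 4 }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $vba -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# Weak state: nothing under Policies, so the user picks their own Trust Center
# setting and a single click enables a macro-laden invoice from the internet.
Get-MacroPolicyState | Format-Table -AutoSize
# Corrected state for a user with no business need for macros:
Set-MacroPolicyLevelOne
Get-MacroPolicyState | Format-Table -AutoSize
```

In a domain, push the same two values with Group Policy rather than per-machine scripts; the script is useful to audit what actually landed on the endpoint, since `MeetsLevelOne` being false for any app on any workstation drops the whole organisation to Level Zero for this strategy.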

The backup criteria people overlook

At Level One, backups are not just "do you have them." The ACSC expects that backups are retained in line with your business continuity requirements, that restoration of systems, software and important data from them is tested (when first set up and then on a regular basis), that unprivileged accounts cannot access backups belonging to other accounts, and that unprivileged accounts cannot modify or delete any backups at all. In short: backups must survive the very incident they exist for, including a ransomware operator running as a compromised standard user. Cloud accounting data such as Xero is "important data" under this strategy, so it needs its own backup. An isolated copy that standard users cannot reach or alter, whether offline, on separate credentials, or in immutable storage, is how you meet the criteria.
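The restoration-test criterion is the one that usually has no evidence behind it. The script below is an added example for this article, not ACSC code, and it assumes a Windows host with the built-in `Compress-Archive` cmdlets; the source and backup paths are placeholders. Each run produces a timestamped archive, immediately proves the archive restores by extracting it to a scratch folder and comparing every file hash against the live data, and then prunes archives beyond the retention count. It does not, by itself, stop an unprivileged user deleting the archives: `$BackupRoot` must sit on storage that standard accounts cannot write to (a share with backup-only credentials, an object store with immutability enabled, or offline media).

```powershell
# Added example for this article (not ACSC code). Paths are assumptions.
# Requires Windows PowerShell 5.1 or PowerShell 7 for Compress-Archive / Expand-Archive.
function Invoke-TestedBackup {
    param(
        [Parameter(Mandatory)][string]$SourcePath,   # e.g. D:\Finance\XeroExports
        [Parameter(Mandatory)][string]$BackupRoot,   # e.g. \\backup-srv\vault\finance (no user write access)
        [int]$RetainCount = 30                       # retention in number of archives kept
    )
    $SourcePath = (Resolve-Path $SourcePath).Path
    if (-not (Test-Path $BackupRoot)) { New-Item -ItemType Directory -Path $BackupRoot | Out-Null }

    $stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
    $archive = Join-Path $BackupRoot "backup-$stamp.zip"
    Compress-Archive -Path (Join-Path $SourcePath '*') -DestinationPath $archive

    # Restoration test: extract to scratch space and compare every file hash.
    # A backup that cannot be restored is a Level Zero finding, not a backup.
    $scratch = Join-Path ([IO.Path]::GetTempPath()) "restore-test-$stamp"
    Expand-Archive -Path $archive -DestinationPath $scratch
    $mismatch = foreach ($file in Get-ChildItem -Path $SourcePath -Recurse -File) {
        $rel      = $file.FullName.Substring($SourcePath.Length).TrimStart('\')
        $restored = Join-Path $scratch $rel
        if (-not (Test-Path $restored) -or
            (Get-FileHash $restored).Hash -ne (Get-FileHash $file.FullName).Hash) { $rel }
    }
    Remove-Item -Path $scratch -Recurse -Force
    if ($mismatch) {
        Remove-Item -Path $archive -Force   # do not keep an archive that failed its own restore test
        throw "Restore test FAILED for: $($mismatch -join ', ')"
    }

    # Retention: keep only the newest $RetainCount archives.
    Get-ChildItem -Path $BackupRoot -Filter 'backup-*.zip' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $RetainCount |
        Remove-Item -Force

    # Return the archive path and the evidence an assessor will ask for.
    [pscustomobject]@{ Archive = $archive; FilesVerified = (Get-ChildItem $SourcePath -Recurse -File).Count; TestedAt = Get-Date }
}

# Usage (paths are assumptions): schedule this daily and keep the returned objects as your restore-test log.
Invoke-TestedBackup -SourcePath 'D:\Finance\XeroExports' -BackupRoot '\\backup-srv\vault\finance' -RetainCount 30
```

`Compress-Archive` skips empty folders and is limited to 2 GB per archive, so for larger data sets swap the archive step for your backup product's CLI and keep the hash comparison and retention logic as the test harness. The retention count is a stand-in for whatever period your business continuity plan actually demands; the point is that it is set deliberately, not left at "whatever the disk holds."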

A sensible order of operations

Turn on MFA and fix backups first: they deliver the most protection per hour of effort, and a tested, isolated backup is the one control that still works after everything else has failed. Then work through patching and macro settings, which are mostly policy changes, and tackle application control last as it usually needs the most planning (inventorying what legitimately runs before blocking everything else). Re-assess quarterly; maturity drifts as systems change, new software arrives, and exceptions accumulate.