Free Essential Eight Gap Assessment

Check your organisation's cybersecurity maturity against the ACSC Essential Eight framework. Takes about 5 minutes.

Based on ACSC Essential Eight (2023) 100% Free No Account Required

Step 1 of 10 10%

01 // YOUR ORGANISATION

Tell us a bit about your business so we can tailor recommendations.

Company size

Industry

Do you hold government contracts or work with government agencies?

Yes No Planning to

02 // APPLICATION CONTROL

Application control prevents unapproved software from running on your systems.

Do you restrict which applications can be installed and run on company computers?

Is there a formal list of approved software that employees are allowed to use?

Are users prevented from running scripts, installers, or executable files that haven't been approved?

Are application control rules applied to servers as well as workstations?

03 // PATCH APPLICATIONS

Keeping software up to date closes security holes that attackers exploit.

Are applications like web browsers, email clients, and PDF readers updated within two weeks of a patch being released?

For critical security vulnerabilities, are patches applied within 48 hours?

Do you have a process to identify and remove applications that are no longer supported by the vendor?

Do you use automated tools to scan for and deploy application updates?

04 // MICROSOFT OFFICE MACROS

Macros in Office documents are a common way malware gets into organisations.

Are Microsoft Office macros disabled for users who don't need them?

Are macros from the internet (e.g., email attachments, downloads) blocked from running?

For users who need macros, are only digitally signed or approved macros allowed?

05 // USER APPLICATION HARDENING

Reducing the attack surface of everyday applications like web browsers and PDF readers.

Are web browsers configured to block Flash, Java, and unnecessary web ads?

Is JavaScript blocked or restricted on websites that don't need it?

Are PDF readers configured to block active content (e.g., embedded scripts)?

Are Microsoft Office applications configured to prevent OLE packages and ActiveX controls?

06 // RESTRICT ADMIN PRIVILEGES

Limiting who has admin access reduces the damage from compromised accounts.

Do only staff who genuinely need it have administrator (admin) accounts?

Do admin users have separate accounts for admin tasks vs everyday work (email, browsing)?

Are admin privileges regularly reviewed and removed when no longer needed?

Are privileged accounts prevented from accessing the internet (email, web browsing)?

07 // PATCH OPERATING SYSTEMS

Keeping Windows, macOS, and Linux up to date with the latest security patches.

Are operating system updates applied within two weeks of release?

For critical OS vulnerabilities, are patches applied within 48 hours?

Are all computers running a currently supported operating system version (not end-of-life)?

08 // MULTI-FACTOR AUTHENTICATION

MFA adds a second layer of security beyond just a password.

Do all users need to provide a second factor (e.g., phone code, authenticator app) to log in?

Does this apply to ALL accounts including admin and remote access?

Are phishing-resistant methods used (e.g., hardware keys, passkeys) rather than SMS?

Is MFA enforced for all third-party and cloud services (M365, CRM, accounting software)?

09 // REGULAR BACKUPS

Backups are your safety net against ransomware, hardware failure, and human error.

Are important data, settings, and software backed up regularly (at least weekly)?

Are backups stored in a separate location or offline (so ransomware can't reach them)?

Are backups tested regularly to make sure they actually work when you need them?

Are backups retained for a sufficient period and protected from unauthorised access or modification?

This assessment provides an indicative maturity level based on the ACSC Essential Eight framework. For a formal assessment, contact a certified assessor.