Essential Eight Maturity Levels Explained: Level 1, 2, and 3 in Plain English

What do the three maturity levels actually mean? Which one is right for your business? A clear, jargon-free guide to Essential Eight maturity levels.

Cas · 25 January 2026 · 8 min read

If you've started looking into the Essential Eight, you've encountered the three maturity levels: Level 1, Level 2, and Level 3. They sound simple enough, but the official documentation can make them feel overwhelming. Let's break them down in plain English.

What "Maturity Level" Means

A maturity level describes how well a specific security control is implemented. Think of it like a building code: Level 1 is a solid house that meets minimum standards. Level 2 is a house built to withstand a storm. Level 3 is a bunker designed to survive extreme conditions.

Each level builds on the one before it. Level 2 includes everything in Level 1, plus additional requirements. Level 3 includes everything from both. You can't skip to Level 3 without completing Levels 1 and 2 first.

Level 1: The Baseline

Level 1 is designed to protect against common, opportunistic attacks, the kind that hit thousands of businesses every day. These aren't sophisticated hackers targeting your specific organisation. They're automated attacks scanning the internet for easy victims.

What Level 1 looks like in practice:

  • MFA is enabled on internet-facing services (email, cloud apps, remote access).
  • Operating systems and applications are kept up to date with security patches.
  • Daily backups of important data, stored separately from your main systems.
  • Administrative privileges are restricted to people who actually need them.
  • Microsoft Office macros are disabled for users who don't need them.
  • Web browsers are configured to block known risky content.
  • Only approved applications are allowed to run on workstations.

Level 1 is the right target for most Australian SMBs. It stops the vast majority of common attacks and forms the foundation for everything else.

Who needs Level 1?

Everyone. Every Australian organisation, regardless of size or industry, should aim for Level 1 as a minimum. Whether you're a 5-person accounting firm, a 20-person construction company, or a 50-person medical practice, Level 1 is for you.

Level 2: Targeted Protection

Level 2 adds protection against adversaries who are more capable and specifically targeting your organisation. The controls are tighter, the timeframes are shorter, and the requirements are more specific.

What changes from Level 1 to Level 2:

  • MFA uses phishing-resistant methods (hardware tokens or authenticator apps, not SMS).
  • Critical security patches must be applied within 48 hours, not just "regularly."
  • Application control extends to all user-accessible folders, not just default locations.
  • Backups are tested more frequently and stored in more resilient configurations.
  • Admin accounts have stricter separation and monitoring.
  • Additional logging and alerting capabilities are in place.

Who needs Level 2?

Organisations that handle particularly sensitive information or face a higher threat level. This includes:

  • Healthcare providers storing patient records.
  • Financial services firms handling client money and data.
  • Government contractors and suppliers (especially DISP members).
  • Organisations with regulatory obligations around data protection.
  • Businesses that are attractive targets due to their industry, size, or profile.

Level 3: Advanced Defence

Level 3 is the highest maturity level and is designed to protect against sophisticated adversaries, including state-sponsored actors. The controls at this level are extensive, require significant investment, and are maintained with rigorous ongoing processes.

What Level 3 adds:

  • Application control verified by hash or publisher certificate, preventing even renamed executables.
  • Critical patches applied within 48 hours; all patches within two weeks.
  • MFA with phishing-resistant hardware tokens for all access, including internal systems.
  • Comprehensive logging and monitoring with real-time alerting.
  • Backups stored in immutable, air-gapped configurations.
  • Regular penetration testing and red-teaming exercises.

Who needs Level 3?

Very few organisations. Level 3 is primarily for:

  • Australian Government departments and agencies.
  • Defence contractors with classified information.
  • Critical infrastructure operators (energy, telecommunications, transport).
  • Organisations identified as high-value targets by intelligence assessments.

If you're a small business and someone tells you that you need Level 3, get a second opinion. It's expensive, complex, and almost certainly unnecessary for most SMBs. A well-implemented Level 1 is vastly more valuable than a half-implemented Level 3.

The Most Common Mistake

The biggest mistake we see is organisations skipping Level 1 and aiming for Level 2 or 3. The levels are cumulative. You can't build Level 2 on a shaky Level 1 foundation. It's like renovating the upstairs of a house that doesn't have solid walls.

Get Level 1 right first. Make sure every control is genuinely in place, tested, and documented. Only then should you start thinking about higher maturity levels.

How to Check Your Maturity Level

A self-assessment gives you a clear picture of which controls are in place at each level, for each strategy. Eito walks you through every control with plain-English questions and shows you exactly where you stand, strategy by strategy, level by level.

Start with Level 1. See where the gaps are. Fix them. Then decide if Level 2 is right for your organisation. That's the smart way to build cybersecurity maturity: incrementally, deliberately, and honestly.
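To make the "levels are cumulative" rule concrete, here is an added example of how a self-assessment can score maturity per strategy. It is not code from this article, from Eito, or from the ACSC; it assumes that a strategy only reaches Level N when every requirement for Levels 1 through N is met, that the overall level is the lowest level reached across the strategies assessed, and that the requirement names and patch windows (48 hours for critical patches, two weeks for all patches) are summaries of this article's bullet points rather than official control wording. Only three of the eight strategies are modelled.

```python
"""
Cumulative Essential Eight maturity calculation for a self-assessment.

Added example for this article; it is not the article's own code, not Eito's
implementation and not the official ACSC assessment tool. Assumptions:
  * a strategy reaches Level N only if every requirement for Levels 1..N is met
    (the article's "levels are cumulative" rule);
  * the overall maturity level is the lowest level reached across the
    strategies assessed;
  * requirement identifiers and the patch windows are summaries of the
    article's bullet points, not official control wording.
"""
from datetime import datetime, timedelta

LEVELS = (1, 2, 3)

# Illustrative requirement identifiers per strategy and level (three of the
# eight strategies shown), derived from the article's bullet lists.
REQUIREMENTS = {
    "multi_factor_authentication": {
        1: {"mfa_on_internet_facing_services"},
        2: {"mfa_phishing_resistant"},
        3: {"mfa_hardware_tokens_all_access"},
    },
    "patch_applications": {
        1: {"patches_applied_regularly"},
        2: {"critical_patches_within_48h"},
        3: {"all_patches_within_two_weeks"},
    },
    "regular_backups": {
        1: {"daily_backups_stored_separately"},
        2: {"backups_tested_and_resilient"},
        3: {"backups_immutable_air_gapped"},
    },
}

CRITICAL_WINDOW = timedelta(hours=48)  # article: critical patches (Level 2)
ALL_PATCH_WINDOW = timedelta(days=14)  # article: all patches (Level 3)


def strategy_level(strategy: str, met: set[str]) -> int:
    """Highest level reached for one strategy.

    Walk the levels in order and stop at the first level with an unmet
    requirement, so a Level 3 control cannot count while Level 1 is missing.
    """
    reached = 0
    for level in LEVELS:
        if REQUIREMENTS[strategy][level] <= met:
            reached = level
        else:
            break
    return reached


def overall_level(met: set[str]) -> int:
    """Overall maturity: the weakest strategy sets the level (assumption)."""
    return min(strategy_level(s, met) for s in REQUIREMENTS)


def gaps_to(strategy: str, target: int, met: set[str]) -> list[str]:
    """Unmet requirements for a strategy up to the target level, lowest first."""
    missing = []
    for level in LEVELS:
        if level > target:
            break
        missing.extend(sorted(REQUIREMENTS[strategy][level] - met))
    return missing


def patch_evidence(records: list[dict]) -> set[str]:
    """Derive patching requirements from patch records instead of a yes/no answer.

    Each record: {"severity": "critical" | "other", "released": datetime,
    "applied": datetime | None}. An unapplied patch fails every window.
    """
    def within(rec, window):
        return rec["applied"] is not None and rec["applied"] - rec["released"] <= window

    met = set()
    if records and all(r["applied"] is not None for r in records):
        met.add("patches_applied_regularly")
    critical = [r for r in records if r["severity"] == "critical"]
    if critical and all(within(r, CRITICAL_WINDOW) for r in critical):
        met.add("critical_patches_within_48h")
    if records and all(within(r, ALL_PATCH_WINDOW) for r in records):
        met.add("all_patches_within_two_weeks")
    return met


def sample_assessment() -> tuple[dict[str, int], int]:
    """Run the calculator over a constructed self-assessment (sample data only)."""
    t0 = datetime(2026, 1, 5, 9, 0)
    patch_records = [  # constructed sample records
        {"severity": "critical", "released": t0, "applied": t0 + timedelta(hours=20)},
        {"severity": "critical", "released": t0, "applied": t0 + timedelta(hours=40)},
        {"severity": "other", "released": t0, "applied": t0 + timedelta(days=20)},
    ]
    answers = {  # constructed questionnaire answers
        "mfa_on_internet_facing_services",
        "mfa_phishing_resistant",
        "daily_backups_stored_separately",
        "backups_immutable_air_gapped",  # Level 3 control, but Level 2 testing is missing
    }
    met = answers | patch_evidence(patch_records)
    per_strategy = {s: strategy_level(s, met) for s in REQUIREMENTS}
    return per_strategy, overall_level(met)


if __name__ == "__main__":
    per_strategy, overall = sample_assessment()
    for strategy, level in per_strategy.items():
        print(f"{strategy}: Level {level}")
    print(f"overall: Level {overall}")
```

In the sample, backups hold the whole organisation at Level 1 even though an immutable, air-gapped backup (a Level 3 control) is in place, because the Level 2 testing requirement is unmet; that is exactly the "skipping Level 1" mistake the article describes, surfaced by the scoring rule rather than by opinion.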

Get Started

Ready to see where you stand?

Take 5 minutes to run a free Essential Eight Quick Check. No account required. Your data never leaves your browser.