Guide

What to Do After Your Essential Eight Assessment: A Step-by-Step Action Plan

You've completed your assessment and seen your gaps. Now what? Here's a practical guide to turning results into action, without getting overwhelmed.

Cas | 12 February 2026 | 8 min read

Congratulations. You've completed an Essential Eight self-assessment. You now have a clear picture of your cybersecurity gaps, prioritised by risk and effort. That's more than most Australian small businesses have ever done.

But a report sitting in your downloads folder doesn't make you more secure. The value is in what you do next. Here's a step-by-step plan to turn your results into real improvements.

Step 1: Understand What You're Looking At

Your assessment results show two key numbers for each of the eight strategies:

  • Completion %: how many questions you answered. This is your progress, not your score.
  • Maturity %: the percentage of controls you have in place. This is your actual security posture.

A strategy can be 100% complete (you've answered every question) but 0% mature (you answered "no" to everything). That's actually a good result. It means you have a clear, honest picture.

Don't panic if your scores are low. Most Australian SMBs start with significant gaps. The important thing is that you now know where they are.

Step 2: Focus on Critical Gaps First

Your results categorise gaps into four types:

  • Critical: High severity, blocks other controls, or affects multiple strategies. Fix these first.
  • Quick Win: Low effort, high impact. These are the easy wins that make a real difference fast.
  • Strategic: Important but requires more effort or planning. Schedule these.
  • Minor: Lower priority. Address after the critical and strategic gaps are handled.

Start with Critical gaps and Quick Wins. These give you the biggest security improvement for the least effort.

Step 3: Pick One Strategy at a Time

Don't try to fix everything at once. Pick one strategy, ideally the one with the most Critical gaps, and work through it completely before moving on. This approach is more manageable, and you'll see measurable progress that builds momentum.

If you're not sure where to start, these three strategies typically have the highest impact for small businesses:

  • Multi-Factor Authentication: quick to implement, massive risk reduction.
  • Patch Applications and Operating Systems: often just enabling automatic updates.
  • Regular Backups: your safety net against ransomware and data loss.

Step 4: Decide: DIY or IT Provider?

For each gap, ask yourself: can I fix this myself, or do I need help?

Many Level 1 controls are configuration changes that don't require specialist skills. Turning on MFA, enabling automatic updates, setting up cloud backups: these are things you can often do yourself with the guidance provided in your results.

For more complex controls (application whitelisting, restricting admin privileges across a network, configuring macro policies), you'll likely want your IT provider involved. Share your PDF report with them and ask them to address the specific gaps identified.

Step 5: Document Everything

As you close gaps, keep records:

  • What was changed and when.
  • Who made the change.
  • Screenshots or configuration exports as evidence.
  • Any remaining exceptions and why they exist.

This documentation is valuable for insurance applications, audit preparation, and your own institutional memory. Six months from now, you shouldn't have to work out all over again what was done and why.

Step 6: Reassess in 6 Months

Cybersecurity isn't a one-and-done exercise. Threats evolve, your business changes, staff join and leave, and new software introduces new risks. Plan to reassess every six months to track your progress and catch new gaps.

When you reassess with Eito, you can compare your results side by side with your previous assessment to see exactly what's improved and what still needs attention.

Set a calendar reminder for 6 months from now. When it pops up, the reassessment takes 15 minutes. That's a small investment for a clear picture of your security trajectory.

Common Mistakes After an Assessment

  • Doing nothing. The most common mistake. Don't let the report gather dust.
  • Trying to fix everything at once. You'll burn out and nothing will get done properly.
  • Only fixing the easy stuff. Quick Wins are great, but don't ignore Critical gaps because they're harder.
  • Not involving your IT provider. They can't help if they don't know what you've found.
  • Forgetting to reassess. A single snapshot is useful, but tracking progress over time is powerful.

Your Action Plan Template

Here's a simple framework you can follow right now:

  • This week: Download your PDF report. Share it with your IT provider or decision-makers.
  • This month: Address all Critical gaps and Quick Wins. Focus on MFA, patching, and backups.
  • This quarter: Work through Strategic gaps one strategy at a time. Document what you fix.
  • In 6 months: Reassess. Compare. Celebrate progress. Plan the next round.

The hardest part is starting. You've already done that. Now keep going.

Get Started

Ready to see where you stand?

Take 5 minutes to run a free Essential Eight Quick Check. No account required. Your data never leaves your browser.
