Cyber Security
Essential 8 Maturity Assessment
Essential Eight Maturity Assessments provide organisations with a clear and practical view of how effectively the Australian Cyber Security Centre’s Essential Eight controls are implemented and operating in practice, helping leaders understand current maturity, identify priority risks, and focus uplift efforts where they will most effectively reduce exposure to common and high-impact cyber threats.
What we do.
We deliver independent Essential Eight maturity assessments for government agencies and organisations, assessing how controls are designed, implemented and sustained across operational and delivery environments, and providing clear, actionable guidance that aligns cyber uplift activities with organisational risk, capability and delivery priorities.
What is an E8 maturity assessment?
In plain English, an Essential Eight maturity assessment is a health check of how well your core cyber security controls are working, examining whether the eight strategies are consistently applied, operating effectively day-to-day, and achieving the maturity levels claimed, while highlighting gaps that may leave the organisation exposed to common cyber threats.
How we deliver an E8 maturity assessment.
We deliver assessments in a structured, evidence-based and minimally disruptive way, reviewing technical configurations, policies and operational practices to validate maturity in practice, and providing prioritised recommendations that support progressive uplift without over-engineering or slowing delivery.
Key focus areas of E8 maturity assessments.
Application Control
Assess how effectively application control is implemented to prevent unauthorised or malicious software from running, and whether controls are applied consistently across systems in line with ACSC maturity expectations.
Patch Application
Review how promptly and consistently security patches are applied to applications, and whether patching practices reduce exposure to known vulnerabilities across the environment.
Configure Macro Settings
Assess how Microsoft Office macro settings are configured and managed to reduce the risk of malware delivery, while balancing usability and operational requirements.
User Application Hardening
Review browser and application hardening measures to ensure unnecessary functionality is disabled and common attack techniques are effectively mitigated.
Restrict Administrative Privileges
Assess how privileged access is controlled, monitored and limited to authorised users, reducing the risk of credential misuse and unauthorised system changes.
Patch Operating Systems
Evaluate operating system patching processes to confirm critical updates are applied within required timeframes and supported by effective governance and monitoring.
Multi-Factor Authentication
Assess how multi-factor authentication is implemented across users, privileged accounts and remote access pathways to reduce the risk of credential compromise.
Regular Back Ups
Evaluate whether backups are performed, protected and tested regularly to ensure systems and data can be reliably restored following a cyber incident.
Our E8 maturity assessments difference.
PM Solutions sets the benchmark for Essential Eight maturity assessments, offering a depth of expertise that goes well beyond checklist compliance. Our specialised practitioners bring multi-domain experience across all E8 controls, supported by a proven track record in advising, implementing, and sustaining uplift activities in complex environments.
What sets us apart is our independent assurance heritage – meaning we don’t just assess; we provide clear, evidence-based insights, pragmatic remediation guidance, and ongoing support that strengthens security posture long after the assessment is complete. The result is a more accurate, more actionable, and more strategically valuable E8 maturity assessment than any traditional provider can deliver.
Our assessments go beyond simple maturity scoring to evaluate how Essential Eight controls operate in practice, providing assurance over effectiveness rather than surface-level compliance.
We assess maturity in the context of real operational and delivery constraints, ensuring uplift recommendations are achievable, prioritised and aligned to organisational capability.
Our practitioners bring hands-on experience across all eight Essential Eight strategies, enabling nuanced assessment of complex environments rather than generic interpretations.
We base maturity ratings on validated technical and operational evidence, providing confidence that results are accurate, defensible and credible to executives and external stakeholders.
We provide clear, prioritised remediation guidance that helps organisations progressively uplift maturity without over-engineering or unnecessary disruption.
Our independence ensures objective, unbiased assessment outcomes that support informed decision-making and long-term security improvement.
Understanding the E8 model.
The Essential Eight mitigation strategies are organised according to a corresponding maturity level designed to mitigate increasing levels of threat actor tradecraft. This means that organisations and governments can select the maturity level that is proportionate to your cyber threat profile and invest in stages to achieve your goal.
Maturity Level 0
There are weaknesses in the mitigation strategy that make your organisation vulnerable to compromise.
Maturity Level 1
The mitigation strategy provides resilience against threat actors who leverage commodity tradecraft that is widely available.
Maturity Level 2
The mitigation strategy provides resilience against the next level of threat actors who invest more time in targeting, reconnaissance and tool effectiveness.
Maturity Level 3
The mitigation strategy provides resilience against threat actors who focus on specific targets and invest significant time into circumventing security controls.
Best practice
compliance accreditations.
Learn more about our cyber security services.
Cyber Security Assurance Reviews
IRAP Readiness Assessments
ISO 27001 Assessments and Audits
ISO 42001 Assessments and Audits
