The Australian Signals Directorate’s (ASD) cyber security framework, the Essential Eight, was first published in 2017, and most Australian IT business leaders would be familiar with its risk-mitigation strategies and defensive baseline guidelines.
Now, the ASD and the ACSC are introducing a new Essentials series to the Essential Eight, with the first chapter of the series covering Essentials for Enterprise IT.
More chapters are set to follow, including for areas such as operational technology.
"These changes give organisations flexibility in how they implement cybersecurity while providing a clearer path to cyber resilience," the head of the Australian Cyber Security Centre (ACSC), Stephanie Crowe, said in a video announcing consultation on the changes.
The new framework won’t require Australian organisations to replace their existing Essential Eight investments, Crowe noted, adding the framework is "cost-conscious" and builds on what Australian businesses already have in place.
“Organisations currently using The Essential Eight will find many of their current tools and platforms naturally map into the new framework,” Crowe said.
“New adopters,” she continued, “will benefit from the broad experience and maturity the community has built over time.”
A principles-based approach
ASD technical expert Jayden Cooke said the new framework is designed around four core principles: flexibility, threat-informed insights, prioritisation and risk management, and compatibility and future focus.
“The framework adopts principle-based guidance to achieve cyber security outcomes. It also helps you make the most of what you already have while allowing modern and emerging technologies to be applied as your environments are upgraded,” he stated.
Cooke observed the framework is built on the ASD’s unique insights, uplift activities and incident response experience, and stated it helps Australian businesses understand the adversary techniques they face and provides practical guidance on how to respond through clear mitigation principles and approaches to reduce malicious activity.
“By taking a risk-based approach [Australian businesses] can focus [their] efforts on where they’ll have a big impact early on, getting the most from [their] cybersecurity investments.”
Guidance linked to ISM
Changes to the framework are also designed to ensure guidance remains closely linked to the Information Security Manual (ISM), which will help support consistency for government entities.
At the same time, the framework moves away from relying only on prescriptive technical controls drawn solely from the ISM, meaning it is designed to be more flexible and to better support organisations that are already using other cybersecurity frameworks.
"The framework is designed to evolve over time; it enables ASD to introduce new guidance, services and best practice advice over time in response to changes in the threat environment, without requiring a redesign of the model or creating regulatory impacts," Cooke said.
ASD is currently undertaking national consultation with government, industry, regulators and organisations that use the Essential Eight, with feedback from across the community set to play an "important role" in shaping the future development of the Essentials series.
Consultation on Essentials for Enterprise IT is now open via the ASD Cyber Security Partnership Program portal and will run until 12 July 2026.




