ASD Opens Consultation on the Essentials Series
What Australia's shift from Essential Eight to the ASD Essentials series means for SMEs and MSPs — timeline, first chapter, and how to participate before 12 July 2026.
On 15 June 2026, the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) opened national consultation on the evolution of Australia's flagship cyber security framework. The headline change: Essential Eight is becoming a chapter in a broader Essentials series — starting with Essentials for enterprise IT, with dedicated chapters for cloud, operational technology, and potentially agentic AI to follow.
If you run Microsoft 365 or Google Workspace and already report maturity levels to insurers, boards, or government customers, this affects the language and structure of those conversations — even though your underlying controls mostly stay the same.
What is changing?
The Essentials series is ASD's answer to a problem many practitioners have raised for years: Essential Eight was designed when on-premises enterprise IT was the norm. Cloud adoption, shared-responsibility models, SaaS productivity suites, and AI-enabled threats do not map cleanly onto a single prescriptive control list tied to specific technologies.
The proposed Essentials series shifts emphasis from:
- Prescriptive ISM controls → outcomes and intent, with flexibility in how you implement them
- A fixed maturity ladder → threat-informed controls that can evolve without organisations appearing to go backwards when ASD tightens requirements
- One framework for everything → domain-specific chapters (enterprise IT, cloud, OT, and more)
ASD says the series is grounded in the Information Security Manual (ISM) and influenced by its Modern Defensible Architecture guidance — with stronger emphasis on defence in depth and protecting crown jewels, not just a perimeter around traditional IT.
What is not changing (yet)
During the transition, Essential Eight remains a live document. ASD has indicated a phased retirement:
| Phase | Approximate timing | What it means |
|---|---|---|
| Coexistence | Now | Both Essential Eight and Essentials guidance are active |
| Deprecation | ~12 months | Essential Eight marked deprecated; Essentials is the primary reference |
| Retirement | ~24 months | Essential Eight withdrawn as a standalone framework |
ASD has also been explicit that organisations already invested in Essential Eight implementation should not see that work made redundant. The first chapter — Essentials for enterprise IT — evolves the current eight mitigation strategies rather than replacing them with something unrelated.
For most Australian SMEs on cloud productivity suites, the practical implication in 2026 is: keep measuring the same control areas, but expect the framing, evidence expectations, and possibly the maturity model to evolve as consultation closes and chapters are published.
The first chapter: Essentials for enterprise IT
This is the chapter that directly replaces today's Essential Eight guidance. It covers the familiar mitigation strategies — application control, patching, macro settings, hardening, privileged access, MFA, backups — but reframed as prioritised, threat-informed mitigations with clearer implementation paths.
Future chapters will address areas where Essential Eight was always a poor fit:
- Cloud — shared responsibility, native provider controls, and what the tenant (not the hyperscaler) must prove
- Operational technology — environments where patching cadences, availability, and safety constraints differ from corporate IT
- Agentic AI (under consideration) — non-human identities, autonomous agents on networks, and prompt-injection risks that do not map to conventional access controls
If you assess posture via Microsoft Graph or Google Admin APIs today, the enterprise IT chapter is your primary reference for the foreseeable future. A dedicated cloud chapter will eventually sharpen guidance on what "good" looks like in M365 and Google Workspace specifically.
Why ASD is doing this now
Two complaints have persisted in the market for years, and ASD has acknowledged both:
-
Maturity level goalposts have shifted. ASD has absorbed new threat tradecraft into existing ML1/ML2/ML3 definitions rather than adding parallel controls. Organisations that did not change a single setting have sometimes appeared to regress — not because security worsened, but because the bar moved.
-
Cloud and SaaS are the default architecture. An SME running Microsoft 365 or Google Workspace without meaningful cloud footprint is now the exception. Controls written for on-premises Windows estates do not translate cleanly to Conditional Access, Intune compliance, or domain-wide delegation models.
The Essentials series is designed to decouple threat-informed controls from a rigid maturity ladder, giving ASD room to update guidance without the "we went from ML2 to ML1 overnight" effect.
Who should respond to the consultation?
ASD is seeking feedback from government, industry, regulators, and organisations that currently use Essential Eight. That includes:
- IT and security leads at SMEs who live with insurer questionnaires and tender evidence requirements
- MSPs running repeatable maturity reviews across dozens of tenants
- Compliance and risk teams who need defensible, timestamped evidence — not self-attested checklists
- Sectors with supply-chain mandates (defence, critical infrastructure, government panels) where Essential Eight is already a baseline expectation
Submissions are due 12 July 2026 via the ASD Cyber Security Partnership Program portal. You need a portal account to submit formal feedback.
Even if you do not submit, reading the draft Essentials for enterprise IT chapter is worth the time — it is the best preview of what boards and underwriters will start asking for in 2027.
What this means for continuous posture monitoring
Point-in-time assessments — consultant engagements, spreadsheet self-assessments, Compliance Manager templates — remain useful for gap analysis. They go stale the moment configuration drifts.
Whatever framework name appears on the cover page, the operational question stays the same: can you prove your cloud security posture is sound today, not at last year's audit?
That is why Aegis Eight assesses against ASD Essentials mitigation strategies (currently aligned to the enterprise IT chapter and maturity model) via read-only API evidence from Microsoft 365 and Google Workspace — with continuous re-scans and change-triggered alerts on subscription.
We will update our scoring and report language as ASD publishes final Essentials chapter guidance. Your historical evidence and remediation work remain relevant through the transition.
Key dates and links
- Consultation opens: 15 June 2026
- Submissions close: 12 July 2026
- Official announcement: Consultation on evolution of Essential Eight (cyber.gov.au)
- Submit feedback: ACSC Partner Portal
- Current framework (during transition): Essential Eight on cyber.gov.au
Related reading
- Essential Eight Maturity Levels Explained — what ML0–ML3 mean for cloud tenants today
- Start a free assessment — see your current maturity levels in minutes
- Download a sample report — redacted PDF example
Questions about how the transition affects your tenant? Email [email protected].