Essential Eight Maturity Levels Explained
A plain-English guide to ASD Essential Eight maturity levels ML0 through ML3 — what each level means for Microsoft 365 and Google Workspace, and why point-in-time assessments expire.
The Essential Eight, published by the Australian Cyber Security Centre (ACSC, part of the Australian Signals Directorate), is the de facto baseline for cyber hygiene in Australia. Insurers, tenders, and boards increasingly ask not just whether you follow it, but which maturity level you have achieved, and whether you can prove it with current evidence.
This guide explains the four maturity levels (ML0–ML3), how they apply to cloud tenants, and why a one-off checklist is rarely enough on its own.
What are Essential Eight maturity levels?
Essential Eight maturity levels describe how consistently your organisation implements each of the eight mitigation strategies — not whether you have "done cyber security" in general.
| Level | Plain English |
|---|---|
| ML0 | Below the baseline — significant gaps that attackers routinely exploit |
| ML1 | Minimum baseline — partial implementation of each strategy |
| ML2 | Target for most organisations — stronger controls, better coverage |
| ML3 | Advanced — often requires automation, monitoring, and strict enforcement |
Your overall achieved maturity is the lowest level across all eight controls. If seven controls are at ML2 but one is at ML1, your overall level is ML1. That "weakest link" rule is why drift on a single control — like a new Global Admin without MFA — can drop your posture overnight.
The eight strategies (cloud lens)
For Microsoft 365 and Google Workspace tenants, the eight strategies map to configuration you can often observe via admin APIs:
- Application control — what can run on managed devices (Intune, Chrome policies)
- Patch applications — third-party and browser patch cadence
- Configure Office macros — macro blocking (M365); largely N/A for native Google Docs, partial where Office files are still opened on managed desktops
- User application hardening — browser and app hardening settings
- Restrict administrative privileges — who has admin roles, PIM, super-admin count
- Patch operating systems — OS update compliance on enrolled devices
- Multi-factor authentication — MFA registration and enforcement via Conditional Access (M365) or 2-Step Verification (Google Workspace)
- Regular backups — backup and retention signals where APIs expose them
An honest assessment scores a control as "no visibility" when the APIs cannot see the signal, rather than guessing a level. That matters especially for Google Workspace desktop fleets and hybrid Office environments, where much of the evidence lives on endpoints the tenant APIs never see.
Why ML2 is the practical target for SMEs
ASD frames ML2 as the level at which an organisation withstands adversaries who invest more effort than opportunistic, commodity attacks, and the Commonwealth's PSPF requires non-corporate Commonwealth entities to reach it. For Australian SMEs on cloud productivity suites, ML2 typically means:
- MFA enforced for all users (not just admins)
- Privileged access limited and monitored
- Patch and hardening policies applied to managed endpoints
- Evidence that backups exist where the platform exposes them
Cyber insurers and procurement panels often ask for ML2 evidence dated within the last 90 days. A spreadsheet from last year's consultant engagement does not answer the question "what is your posture today?"
Point-in-time vs continuous posture
Manual audits, Purview Compliance Manager templates, and ACSC self-assessment spreadsheets all have a place. They help you understand gaps and plan remediation.
The limitation is timing:
- A consultant engagement produces a snapshot valid on the day of the review
- A new privileged admin added without MFA the following week is invisible until the next audit
- Configuration drift is silent — there is no alert when Conditional Access weakens
Continuous monitoring closes that gap: daily re-scans against the same eight strategies, change-triggered alerts when something material shifts, and API evidence stored with a content hash so auditors can confirm it has not been altered since it was collected.
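The weakest-link rule, the "no visibility" scoring, and the drift alert described above can all be expressed as a small scoring routine run over daily tenant snapshots. The following is an added example written for this guide; it is not Aegis Eight code. The ML thresholds are illustrative assumptions (not ASD's published criteria), only two of the eight strategies are scored, and the snapshots are constructed sample data shaped like two Microsoft Graph responses (roleAssignments and userRegistrationDetails).

```python
"""Weakest-link Essential Eight scoring and drift detection over tenant snapshots.

Added example for this guide; not Aegis Eight code. ML thresholds are
illustrative assumptions, not ASD's published criteria. Snapshot dicts are
constructed sample data shaped like two Microsoft Graph responses:
  roleAssignments         -> GET /roleManagement/directory/roleAssignments
  userRegistrationDetails -> GET /reports/authenticationMethods/userRegistrationDetails
"""

NO_VISIBILITY = None  # signal not observable via API: recorded, never guessed

# Well-known Entra roleTemplateId for Global Administrator; for built-in roles
# the roleDefinitionId in roleAssignments is this template ID.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

STRATEGIES = [
    "application_control", "patch_applications", "office_macros",
    "user_app_hardening", "restrict_admin_privileges", "patch_os",
    "mfa", "regular_backups",
]

# Illustrative thresholds (assumption): five or fewer Global Admins scores
# ML2, up to ten scores ML1, more than ten is below baseline.
MAX_ADMINS_ML2, MAX_ADMINS_ML1 = 5, 10


def global_admin_ids(snapshot):
    """Principal IDs holding Global Administrator, or NO_VISIBILITY."""
    assignments = snapshot.get("roleAssignments")
    if assignments is None:
        return NO_VISIBILITY
    return {a["principalId"] for a in assignments
            if a["roleDefinitionId"] == GLOBAL_ADMIN_ROLE_ID}


def score_admin_privileges(admins):
    """Restrict administrative privileges, scored on Global Admin count only."""
    if admins is NO_VISIBILITY:
        return NO_VISIBILITY
    if len(admins) <= MAX_ADMINS_ML2:
        return 2
    return 1 if len(admins) <= MAX_ADMINS_ML1 else 0


def score_mfa(snapshot, admins):
    """ML0: any admin without MFA; ML1: admins only; ML2: every user registered."""
    details = snapshot.get("userRegistrationDetails")
    if details is None:
        return NO_VISIBILITY
    registered = {u["id"] for u in details if u["isMfaRegistered"]}
    everyone = {u["id"] for u in details}
    # An admin absent from the report counts as unregistered, not unknown.
    if not (admins or set()) <= registered:
        return 0
    return 2 if everyone <= registered else 1


def score_tenant(snapshot):
    """Score all eight; the six this example cannot observe stay NO_VISIBILITY."""
    levels = {s: NO_VISIBILITY for s in STRATEGIES}
    admins = global_admin_ids(snapshot)
    levels["restrict_admin_privileges"] = score_admin_privileges(admins)
    levels["mfa"] = score_mfa(snapshot, admins)
    return levels


def summarise(levels):
    """Weakest-link rule: overall maturity is the lowest level across the
    eight, and it is only claimable when every strategy was actually observed."""
    visible = [lvl for lvl in levels.values() if lvl is not NO_VISIBILITY]
    unseen = [s for s in STRATEGIES if levels[s] is NO_VISIBILITY]
    return {"overall": min(visible) if visible else NO_VISIBILITY,
            "not_evidenced": unseen, "claimable": not unseen}


def drift_alerts(before, after):
    """Compare two daily scores; alert on any control that dropped a level
    or lost visibility. Returns alert strings, empty when nothing regressed."""
    alerts = []
    for s in STRATEGIES:
        b, a = before[s], after[s]
        if b is NO_VISIBILITY:
            continue
        if a is NO_VISIBILITY:
            alerts.append(f"{s}: lost visibility (was ML{b})")
        elif a < b:
            alerts.append(f"{s}: dropped ML{b} -> ML{a}")
    return alerts


# Constructed sample snapshots (not real tenant data). Day 2 differs only by a
# new Global Admin who has not registered MFA.
DAY1 = {
    "roleAssignments": [
        {"principalId": "u-alice", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID},
        {"principalId": "u-bob", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID},
    ],
    "userRegistrationDetails": [
        {"id": "u-alice", "isMfaRegistered": True},
        {"id": "u-bob", "isMfaRegistered": True},
        {"id": "u-carol", "isMfaRegistered": True},
    ],
}
DAY2 = {
    "roleAssignments": DAY1["roleAssignments"] + [
        {"principalId": "u-contractor", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID}],
    "userRegistrationDetails": DAY1["userRegistrationDetails"] + [
        {"id": "u-contractor", "isMfaRegistered": False}],
}

if __name__ == "__main__":
    s1, s2 = score_tenant(DAY1), score_tenant(DAY2)
    print(summarise(s1), summarise(s2), drift_alerts(s1, s2), sep="\n")
```

Run stand-alone, the day-1 snapshot scores ML2 on both observed controls but is not claimable because six strategies were never seen; day 2 drops the MFA control to ML0 and the overall level with it, and the drift comparison raises exactly one alert for that control. Losing an API signal between scans is reported as its own alert rather than silently re-scored.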
How to find your current level
You do not need to guess. A read-only scan of your Microsoft 365 or Google Workspace tenant can score each control against ML0–ML3 in minutes:
- Enter a work email and grant read-only admin access (Entra admin consent or Google domain-wide delegation)
- Aegis Eight reads security configuration metadata — never email, files, or chat content
- You receive a PDF maturity report with per-control levels and prioritised remediations
The free assessment is one report per tenant, no credit card. If you subscribe, daily scans and drift alerts keep evidence current for insurers and board reviews.
Next steps
- Start a free Essential Eight scan — see your ML0–ML3 levels in minutes
- Download a sample report — redacted PDF example
- Compare plans — continuous monitoring from A$59/month or A$590/year
Questions? Email [email protected].