Framework: Australian Cyber Security Centre – Essential 8
Audience: Australian SMBs
Version: 2025
Contact: hello@oday.com.au
How to use this checklist: Work through each strategy and tick the items your organisation currently has in place. Use the Maturity Level badges (ML1–ML3) to understand which controls are required at each level. Aim for at least Maturity Level 2 across all 8 strategies for a solid baseline defence.
ML1 – Basic (Essential)
ML2 – Intermediate (Recommended for SMBs)
ML3 – Advanced (For sensitive environments)
1. Application Control
Application control is implemented on workstations to prevent unapproved programs from executing
e.g. Windows Defender Application Control, AppLocker, or equivalent
ML1
Application control covers executables, DLLs, scripts (PS, VBS, JS), and installers
ML2
Application control is implemented on internet-facing servers
ML2
Application control events are logged and reviewed at least monthly
ML3
Notes / gaps identified:
2. Patch Applications
A vulnerability scanner is used to identify missing patches in applications
ML1
Internet-facing services are patched within 48 hours of a critical patch release
ML1
Non-internet-facing applications are patched within 2 weeks of release
ML2
Unsupported or end-of-life applications are removed or isolated
ML2
Automated patching is in place with a documented exception process
ML3
Notes / gaps identified:
3. Configure Microsoft Office Macro Settings
Microsoft Office macros are disabled for users who don't require them
ML1
Macros are blocked from files originating from the internet
ML1
Only macros from trusted locations or digitally signed by a trusted publisher are permitted
ML2
Macro execution is logged and reviewed
ML3
Notes / gaps identified:
4. User Application Hardening
Web browsers block Flash, Java, and ads from the internet
ML1
Internet Explorer 11 is disabled or removed
ML1
PDF readers prevent access to the internet from within PDFs
ML2
PowerShell is blocked or restricted to signed scripts for standard users
ML2
PowerShell module, script block, and transcription logging is enabled
ML3
Notes / gaps identified:
5. Restrict Administrative Privileges
Admin privileges are only granted to users who require them for their role
ML1
Admin accounts are not used for email, web browsing, or everyday tasks
ML1
Admin accounts are reviewed at least annually and removed when no longer needed
ML2
Privileged access workstations (PAWs) or jump servers are used for admin tasks
ML3
Admin activity is logged and reviewed regularly
ML3
Notes / gaps identified:
6. Patch Operating Systems
OS patches are applied within 2 weeks for standard vulnerabilities
ML1
Critical OS patches are applied within 48 hours for internet-facing systems
ML1
Unsupported or end-of-life operating systems are replaced or isolated
ML2
An asset inventory is maintained and all OS versions are tracked
ML2
Notes / gaps identified:
7. Multi-factor Authentication (MFA)
MFA is enabled for all remote access (VPN, RDP, cloud services)
ML1
MFA is required for all admin / privileged accounts
ML1
MFA is enforced for all user accounts on internet-facing services
ML2
Phishing-resistant MFA (hardware token, passkey) is used for privileged accounts
ML3
MFA bypass or exclusions are documented and reviewed quarterly
ML3
Notes / gaps identified:
8. Regular Backups
Backups of important data are performed at least daily
ML1
Backups are tested quarterly to confirm data can be successfully restored
ML1
Backups are stored offline or in a separate, isolated environment (3-2-1 rule)
ML2
Backup access is restricted – backup systems cannot be modified by compromised accounts
ML2
A full incident recovery exercise is performed at least annually