🛡️ Essential Eight Assessment Framework¶

Executive Summary¶

GetCimple transforms the ACSC's 152 technical controls into one board decision: "What E8 level do you want?" IT handles the assessment complexity, board sees a single number and decides the target. Simple.

The GetCimple Difference¶

From 152 Controls to 40 Questions¶

ACSC Reality: 152 technical controls across ML1-ML3
GetCimple Reality: ~40 plain-English questions that directors understand
Magic: Each question intelligently maps to multiple controls

Intelligent Delegation Model¶

The Reality: Boards don't want to answer "Is application whitelisting enabled?" - they want IT to handle that.

IT Automatically Gets: ~35 technical questions
Board Only Sees: ~5 governance questions
Board Experience: "90% complete by IT team" → 2-3 minutes to finish
Smart Routing: Questions auto-assigned based on role

Triple-Crossover Intelligence¶

Policy Crossover: 18 approved policies → 45% of E8 controls
Insurance Crossover: 34 insurance questions → 30% of E8 controls
Assessment Crossover: Other frameworks → 10% of E8 controls
Result: 85% pre-completion on average

Core Design Principles¶

1. Board-First Language¶

❌ Technical: "Is application whitelisting implemented on all workstations?" ✅ GetCimple: "Can your team only use approved software on their computers?"

2. Progressive Disclosure¶

Start with 10 "quick win" questions (usually 100% pre-filled)
Progress to intermediate questions (usually 70% pre-filled)
End with advanced questions (usually 40% pre-filled)

3. Gamified Experience¶

Visual progress bars per E8 strategy
Achievement badges for maturity levels
"Streak" tracking for continuous improvement
Celebration moments at key milestones

The 8 Essential Strategies (Simplified)¶

1. 🛡️ Application Control¶

Board Question: "Can your team only use approved software?"

Maps to: 7 technical controls
Pre-filled from: IT Provider Contract, Acceptable Use Policy

2. 🔄 Patch Applications¶

Board Question: "How quickly are security updates applied to critical software?"

Maps to: 9 technical controls
Pre-filled from: Patch Management Policy, Insurance Q047

3. 📎 Configure MS Office Macros¶

Board Question: "Are dangerous email attachments automatically blocked?"

Maps to: 4 technical controls
Pre-filled from: Email Security Policy, Insurance Q023

4. 🌐 User Application Hardening¶

Board Question: "Are web browsers configured to block malicious content?"

Maps to: 18 technical controls
Pre-filled from: Web Security Policy, Browser Standards

5. 👤 Restrict Admin Privileges¶

Board Question: "Do staff only get special computer access when needed?"

Maps to: 13 technical controls
Pre-filled from: Access Control Policy, Insurance Q089

6. 💻 Patch Operating Systems¶

Board Question: "How quickly are Windows/Mac security updates installed?"

Maps to: 9 technical controls
Pre-filled from: OS Update Policy, IT Service Agreement

7. 🔐 Multi-factor Authentication¶

Board Question: "Do all important systems require more than just a password?"

Maps to: 12 technical controls
Pre-filled from: Authentication Policy, Insurance Q112

8. 💾 Regular Backups¶

Board Question: "Can you recover from ransomware within 24 hours?"

Maps to: 6 technical controls
Pre-filled from: Backup Policy, Disaster Recovery Plan

Question Architecture¶

Question Structure (UQB-Compliant)¶

{
  "id": "E8_MFA_001",
  "question": "Do all admin accounts require multi-factor authentication?",
  "boardTranslation": "Do computer administrators need more than just a password to log in?",
  "type": "boolean",
  "domain": "security",
  "importance": "critical",
  "defaultFromPolicy": "password-authentication-policy",
  "mappings": {
    "frameworks": ["E8", "ISO27001", "ACSC-ISM"],
    "e8Controls": ["ML1-MF-01", "ML2-MF-01", "ML3-MF-01"],
    "maturityImpact": {
      "ML0": "fail",
      "ML1": "required",
      "ML2": "required",
      "ML3": "required"
    }
  },
  "crossoverSources": [
    {
      "type": "policy",
      "id": "password-authentication-policy",
      "field": "mfa_admin"
    },
    { "type": "insurance", "id": "ins_047", "confidence": 0.95 },
    { "type": "assessment", "id": "iso27001_9.4.2", "confidence": 0.9 }
  ],
  "quickWin": true,
  "estimatedTime": "30 seconds"
}

Simple Implementation Flow¶

Step 1: IT Completes Technical Assessment (20 minutes)¶

IT answers ~35 technical questions. Board doesn't see this complexity.

Step 2: Board Sees One Number (30 seconds)¶

"Your Essential Eight Level: 0.5"

Step 3: Board Makes One Decision (2 minutes)¶

"What level do you want?" → Level 2

Step 4: GetCimple Shows the Path¶

"To reach Level 2: $150k budget, 9 months, quarterly check-ins"

Done. No complex processes. No detailed tables. Just clarity.

Phase 2: Board Decision - One Number, One Target¶

Simple Reality: IT completes the assessment, board makes ONE decision.

Your Current E8 Level: 0.5 ⚠️
Industry Standard:     Level 2
Minimum Required:      Level 1

What level do you want to achieve?
[ ] Level 1 - Basic ($50k, 6 months)
[✓] Level 2 - Standard ($150k, 9 months)
[ ] Level 3 - Advanced ($300k, 18 months)

That's it. One decision. The technical team handles the rest.

Why Different Maturity Levels? Real Examples¶

🟢 Level 1 - Basic Protection¶

Who Needs This: Small businesses without sensitive data

Example: Local retail shop, small consultancy, trades business
Why: Stops opportunistic attacks, meets basic insurance requirements
Reality: "We're not a likely target, but we need basic hygiene"

🟡 Level 2 - Industry Standard¶

Who Needs This: Most businesses with customer data or IP

Example: Professional services, healthcare practices, SaaS companies
Why: Required by many contracts, expected by boards, reduces liability
Reality: "We handle client data and need to meet expectations"

🔴 Level 3 - Advanced Protection¶

Who Needs This: Large organizations that are prime targets

Example: Major banks, critical infrastructure operators, defense contractors
Why: Nation-state threats, massive data breaches would be catastrophic
Reality: "We're a household name or critical to national infrastructure"
NOT for: Small financial planners, local accountants, or SME professional services

Quick Decision Guide¶

Ask yourself:

Do we handle credit cards or personal data? → Minimum Level 1
Do we have contracts requiring cyber standards? → Likely Level 2
Are we a major bank/insurer or critical infrastructure? → Consider Level 3
Have we been breached before? → Go one level higher than minimum

Size matters: A 3-person financial planning firm needs Level 1-2, not Level 3 just because they're "financial services"

Remember: You can always increase your target later. Start achievable.

Gamification Elements¶

Progress Mechanics¶

Overall Score: "ML1: 85% | ML2: 60% | ML3: 20%"
Strategy Badges: 8 badges, bronze/silver/gold per maturity
Streak Counter: "7 days of continuous improvement"
Peer Comparison: "You're in the top 30% of similar companies"

Achievement System¶

🏆 "First Assessment" - Complete initial E8 assessment
🚀 "Quick Starter" - Answer 10 questions in 2 minutes
🎯 "ML1 Achiever" - Reach Maturity Level 1
📈 "Consistent Improver" - Improve score 3 months in a row
👑 "E8 Champion" - Achieve ML2 across all strategies

Technical Integration¶

Data Sources¶

Primary Sources
ACSC E8 control mappings (152 controls)
GetCimple policy templates (18 policies)
Insurance question bank (127 questions)
Crossover Analysis
27% of insurance questions map to E8
18 policies cover ~50% of E8 controls
Other assessments add 10-15% coverage

UQB Integration¶

// E8 questions are first-class citizens in the Unified Question Bank
const e8Questions = await questionBank.getQuestions({
  framework: 'E8',
  includeAnswered: true,
  withCrossoverData: true,
})

// Each question shows its reuse value
e8Questions.forEach((q) => {
  console.log(
    `Question ${q.id} satisfies ${q.mappings.frameworks.length} frameworks`
  )
  console.log(`Pre-filled confidence: ${q.prefilledConfidence}%`)
})

Reporting & Board Communication¶

Executive Dashboard¶

Maturity Radar: Visual spider chart of 8 strategies
Progress Timeline: Month-over-month improvement
Peer Benchmark: Industry comparison
Risk Translation: "What this means for the board"

Simple Board Report¶

ESSENTIAL EIGHT STATUS

Current Level:    0.5 ⚠️
Target Level:     2 ✅
Progress:         25% ████░░░░░░░░░░░░

Investment:       $150k approved
Timeline:         9 months (3 complete)
On Track:         Yes ✅

Next Decision:    Q2 progress review

That's the entire board report. One slide. Clear status.

Success Metrics¶

User Experience¶

Time to first insight: < 2 minutes
Completion rate: > 90%
Return rate: > 80% monthly
NPS score: > 50

Business Value¶

Pre-fill accuracy: > 85%
Time saved: 4 hours vs traditional assessment
Board confidence: "Finally understand our cyber position"
Compliance coverage: Maps to multiple frameworks

Implementation Checklist¶

Future Enhancements¶

Phase 2: Intelligence Layer¶

AI-powered answer suggestions
Automatic evidence collection
Continuous compliance monitoring
Predictive maturity modeling

Phase 3: Ecosystem Integration¶

Direct integration with IT tools
Automated control testing
Real-time maturity tracking
Board meeting integration

Conclusion¶

GetCimple's E8 Assessment Framework transforms a daunting 152-control compliance exercise into an engaging 25-minute journey that boards actually understand. By leveraging our triple-crossover intelligence and "Answer Once, Use Everywhere" philosophy, we deliver immediate value while building long-term compliance confidence.

The Result: Directors who sleep better knowing their E8 compliance is not just assessed, but actively managed and continuously improved.