
Essential Eight Mapping Guide

Document Information
Document Type: Governance Tool (Not a Policy)
Version: {{version}}
Effective Date: {{effective_date}}
Document Owner: {{document_owner}}
Next Review: {{next_review_date}}

Purpose

This guide demonstrates how {{company_name}}'s governance policies provide comprehensive coverage for the Australian Cyber Security Centre (ACSC) Essential Eight mitigation strategies. It clarifies the distinction between governance (what policies mandate) and technical implementation (what controls deliver).

Understanding Essential Eight

The Essential Eight are technical controls (mitigation strategies), not governance policies. This is a critical distinction:

  • Controls = Technical/procedural implementations (what you DO)
  • Policies = Governance frameworks (what you MUST do)

Example:

  • E8 Control: "Multi-factor authentication is configured and enforced on the in-scope systems and accounts (for example, internet-facing services and privileged accounts)"
  • Policy Governance: "Access Control Policy requires MFA for all user accounts"

The policy establishes the requirement; the control implements it.

Policy-to-Control Mapping

The table below shows how {{company_name}}'s policies provide governance coverage for each Essential Eight control. Note that multiple policies often work together to govern a single control.

Essential Eight Control | Relevant Policies | How These Policies Help

1. Application Control
   Relevant Policies: access-control-policy.md; cyber-and-information-security-policy.md
   How These Policies Help: Establishes rules for approved applications and provides the governance framework for maintaining application allowlists

2. Patch Applications
   Relevant Policies: cyber-and-information-security-policy.md; employee-handbook---cyber-security.md; third-party-software-acquisition-policy.md
   How These Policies Help: Defines patching timelines and responsibilities; the handbook operationalizes the procedures; the software acquisition policy ensures only patchable applications are acquired

3. Configure Microsoft Office Macro Settings
   Relevant Policies: cyber-and-information-security-policy.md; employee-handbook---cyber-security.md
   How These Policies Help: Mandates secure endpoint configurations, including blocking macros from untrusted sources

4. User Application Hardening
   Relevant Policies: cyber-and-information-security-policy.md; physical-asset-environment-security-policy.md
   How These Policies Help: Requires disabling unnecessary application features to reduce the attack surface

5. Restrict Administrative Privileges
   Relevant Policies: access-control-policy.md; password-authentication-policy.md
   How These Policies Help: Enforces the principle of least privilege and defines the approval process for administrative rights

6. Patch Operating Systems
   Relevant Policies: cyber-and-information-security-policy.md; physical-asset-environment-security-policy.md
   How These Policies Help: Sets mandatory timelines for OS patching based on vulnerability severity

7. Multi-factor Authentication
   Relevant Policies: access-control-policy.md; password-authentication-policy.md; remote-work-and-byod-policy.md
   How These Policies Help: Mandates MFA for remote access, privileged accounts, and sensitive data access

8. Regular Backups
   Relevant Policies: data-backup-and-recovery-policy.md; business-continuity-and-disaster-recovery-policy.md
   How These Policies Help: Defines backup scope, frequency, testing requirements, and restoration procedures

What This Pack Provides

Governance Coverage

{{company_name}}'s {{pack_name}} includes policies that:

  • Establish board-approved requirements for all 8 Essential Eight controls
  • Define roles, responsibilities, and accountabilities
  • Set minimum standards that align with ACSC guidance
  • Provide audit trails for regulatory compliance
  • Enable systematic implementation and monitoring

What Policies Do (Governance Layer)

  • Set Direction: Board-approved security requirements
  • Define Authority: Who can make security decisions
  • Establish Accountability: Who is responsible for what
  • Enable Compliance: Audit-ready documentation
  • Guide Implementation: Framework for technical teams

What You Must Still Do (Implementation Layer)

Policies provide governance; your organization must:

  1. Implement the technical controls described in each policy
  2. Configure systems to meet policy requirements
  3. Train staff on procedures and responsibilities
  4. Collect evidence of control implementation
  5. Monitor compliance and report to management/board
  6. Continuously improve security posture

Achieving E8 Maturity

Maturity Level Guide

Level | Description | Policy Coverage

Level 0: Not implemented, or implemented with weaknesses that an adversary using commodity tradecraft could exploit. Policies provide the roadmap.
Level 1: All eight controls implemented to the baseline requirements; mitigates adversaries relying on widely available commodity tradecraft. Policies establish the minimum standards.
Level 2: All eight controls implemented to the Level 2 requirements; mitigates adversaries with a modest step up in capability and targeting. Policies support the systematic approach.
Level 3: All eight controls implemented to the Level 3 requirements; mitigates more adaptive adversaries who are less reliant on public tools and techniques. Policies enable continuous improvement.

Maturity is assessed per control, and the organization's overall Essential Eight maturity level is the lowest level achieved across all eight controls: seven controls at Level 2 and one at Level 0 is an overall Level 0. Evidence therefore has to be collected for every control, not only the strongest ones.

Target Maturity by Organization Type

  • Government Suppliers: Level 2+ mandatory
  • Critical Infrastructure: Level 3 recommended
  • Financial Services: Level 2+ (ASIC expectation)
  • General Business: Level 1 minimum baseline

Implementation Roadmap

Phase 1: Foundation (Months 1-3)

Quick Wins:

  • Deploy MFA (E8 #7) - Supported by: Access Control Policy, Password Policy
  • Implement Backups (E8 #8) - Supported by: Backup Policy
  • Begin Patching (E8 #2, #6) - Supported by: Cyber Security Policy

Phase 2: Access Control (Months 4-6)

Governance Focus:

  • Restrict Admin Privileges (E8 #5) - Supported by: Access Control Policy
  • MFA Expansion - Supported by: Remote Work Policy
  • Backup Testing - Supported by: Business Continuity Policy

Phase 3: Hardening (Months 7-12)

Advanced Controls:

  • Application Control (E8 #1) - Supported by: Multiple policies
  • Office Macro Settings (E8 #3) - Supported by: Cyber Security Policy
  • User App Hardening (E8 #4) - Supported by: Cyber Security Policy

Monitoring and Reporting

For Management Teams

Track implementation progress:

  • Patching compliance percentages
  • MFA adoption rates
  • Backup success rates
  • Control maturity assessment scores

For Board Directors

Oversee governance effectiveness:

  • Overall E8 maturity level
  • Progress against target levels
  • Resource allocation effectiveness
  • Risk exposure from gaps

Reporting Frequency: {{board_reporting_cycle}}
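The following Python script is an added example, not part of the original guide or its policy pack. It rolls up per-control assessment results into the figures listed above for the board view (overall maturity level, progress against target, and the gaps that drive risk exposure), applying the rule that overall maturity is the lowest level achieved across the eight controls rather than an average. The assessment records, target level, and evidence file paths are constructed sample data.

```python
"""Roll up per-control Essential Eight assessment results into board figures.

Added example, not part of the original guide. The control list follows the
Essential Eight; the assessment records, target level and evidence references
below are constructed sample data. The roll-up rule used here (overall
maturity is the lowest level achieved across all eight controls) follows the
ACSC maturity model; averaging would overstate posture.
"""
from dataclasses import dataclass

ESSENTIAL_EIGHT = (
    "Application Control",
    "Patch Applications",
    "Configure Microsoft Office Macro Settings",
    "User Application Hardening",
    "Restrict Administrative Privileges",
    "Patch Operating Systems",
    "Multi-factor Authentication",
    "Regular Backups",
)


@dataclass(frozen=True)
class ControlAssessment:
    control: str
    achieved_level: int  # 0..3, as assessed against the maturity model
    evidence_ref: str    # pointer to the evidence supporting the level (constructed)


def validate(assessments):
    """Refuse to report on an incomplete or inconsistent assessment set."""
    seen = {}
    for a in assessments:
        if a.control not in ESSENTIAL_EIGHT:
            raise ValueError(f"unknown control: {a.control!r}")
        if a.control in seen:
            raise ValueError(f"duplicate assessment for {a.control!r}")
        if not 0 <= a.achieved_level <= 3:
            raise ValueError(f"level out of range for {a.control!r}: {a.achieved_level}")
        seen[a.control] = a.achieved_level
    missing = [c for c in ESSENTIAL_EIGHT if c not in seen]
    if missing:
        raise ValueError(f"no assessment for: {', '.join(missing)}")
    return seen


def overall_maturity(assessments):
    """Overall E8 maturity is the lowest level achieved across the eight controls."""
    return min(validate(assessments).values())


def gap_report(assessments, target_level):
    """Controls below target with their shortfall, largest shortfall first."""
    levels = validate(assessments)
    gaps = [(c, target_level - lvl) for c, lvl in levels.items() if lvl < target_level]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def board_summary(assessments, target_level):
    """Figures for the board view: overall level, progress to target, gaps."""
    gaps = gap_report(assessments, target_level)
    return {
        "overall_level": overall_maturity(assessments),
        "target_level": target_level,
        "controls_at_target": len(ESSENTIAL_EIGHT) - len(gaps),
        "controls_below_target": len(gaps),
        "gaps": gaps,
    }


# Constructed sample assessment: six controls at or above Level 2, two at Level 1.
SAMPLE_ASSESSMENT = [
    ControlAssessment("Application Control", 1, "evidence/app-control-2024Q3.md"),
    ControlAssessment("Patch Applications", 2, "evidence/patching-apps-2024Q3.md"),
    ControlAssessment("Configure Microsoft Office Macro Settings", 3, "evidence/macros-2024Q3.md"),
    ControlAssessment("User Application Hardening", 2, "evidence/app-hardening-2024Q3.md"),
    ControlAssessment("Restrict Administrative Privileges", 1, "evidence/admin-priv-2024Q3.md"),
    ControlAssessment("Patch Operating Systems", 2, "evidence/patching-os-2024Q3.md"),
    ControlAssessment("Multi-factor Authentication", 2, "evidence/mfa-2024Q3.md"),
    ControlAssessment("Regular Backups", 3, "evidence/backups-2024Q3.md"),
]

if __name__ == "__main__":
    summary = board_summary(SAMPLE_ASSESSMENT, target_level=2)
    # The mean of the sample levels is 2.0, which would read as "at target";
    # the lowest-level rule reports Level 1 with two gaps still to close.
    print(f"Overall E8 maturity: Level {summary['overall_level']} "
          f"(target Level {summary['target_level']})")
    print(f"Controls at target: {summary['controls_at_target']}/8")
    for control, shortfall in summary["gaps"]:
        print(f"  gap: {control} is {shortfall} level(s) below target")
```

The validation step is deliberate: a report built from seven assessed controls and one unassessed one silently overstates maturity, so the script refuses to produce a figure until every control has an assessed level and an evidence reference to cite.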

Next Steps for Enhanced Coverage

For organizations with complex operations, {{company_name}}'s Complete Pack adds 7 additional policies that provide:

  • Offshore provider governance (ASIC-aligned)
  • Security audit framework (systematic assurance)
  • Vulnerability management (proactive E8 enhancement)
  • Infrastructure security depth (technical control detail)
  • AI and social media governance (emerging risks)

These policies strengthen your E8 posture and demonstrate mature security operations beyond baseline compliance.

  • Policy Pack Structure: See how policies are organized
  • Individual Policies: Detailed requirements for each governance area
  • Implementation Procedures: Technical guides for control deployment
  • Evidence Templates: Audit-ready documentation formats

Key Points for Directors

Understanding the Relationship:

  • Essential Eight = What the organization must technically implement
  • Policies = Governance framework that mandates and oversees those implementations
  • This guide = Shows how our policies systematically cover E8 requirements

Your Governance Role:

  1. Ensure policies are approved and communicated
  2. Allocate resources for implementation
  3. Review progress against E8 maturity targets
  4. Hold management accountable for control effectiveness

Questions to Ask:

  1. What is our current E8 maturity level for each control?
  2. Are we on track to meet target maturity levels?
  3. Do we have evidence demonstrating control effectiveness?
  4. What are the main barriers to full implementation?