Skip to content

πŸ›‘οΈ Essential Eight Management Process

Overview

This document outlines GetCimple's comprehensive approach to managing Essential Eight compliance for Australian businesses. The Essential Eight is the Australian Cyber Security Centre's (ACSC) baseline cybersecurity framework.

Key Documents

1. Assessment Phase

Current Maturity Assessment

  • Quarterly maturity assessments using ACSC model (Levels 0-3)
  • Evidence-based scoring for each control
  • Documentation of implementation gaps
  • [Detailed assessment guide to be developed]

Target Maturity Setting

  • Board-led process to set target levels per control
  • Target may differ from "next level up" based on risk appetite
  • Partial targets supported (e.g., "75% of Level 2")
  • Rationale documentation required for each target

2. Implementation Planning

[To be developed]

3. Evidence Collection

[To be developed]

4. Monitoring & Reporting

[To be developed]

5. Continuous Improvement

[To be developed]

Current vs Target Maturity Distinction

A critical governance feature of GetCimple's E8 management is the explicit separation between:

  • Current Maturity: Where the organization actually is (assessed quarterly)
  • Target Maturity: Where the board has decided the organization should be

This distinction prevents common governance conflicts where directors question "why are we only at Level X?" without context of what level is actually appropriate for the organization.

Key Benefits

  1. Explicit Board Ownership: Target setting is a documented board decision
  2. Context-Based Targets: Considers risk appetite, resources, and regulatory requirements
  3. Flexible Goal Setting: Targets aren't automatically "the next level up"
  4. Partial Completion Recognition: Can target "75% of Level 2" if appropriate
  5. Clear Accountability: Management implements to board-set targets

Target Setting Principles

  • Risk-Based: Higher risk organizations may need higher targets
  • Resource-Aware: Targets consider available budget and staff
  • Industry-Appropriate: Reflects sector-specific requirements
  • Time-Bound: Includes realistic achievement timelines
  • Documented Rationale: Every target has a "why" statement

Key Features

Current & Target Maturity Tracking

  • Visual dashboard showing Current β†’ Target for each control
  • Progress indicators for movement toward targets
  • Historical tracking of maturity improvements
  • Gap analysis focused on board-set targets (not arbitrary levels)

Board Target Management

  • Simple interface for directors to set/review targets
  • Rationale documentation for each target decision
  • Target approval workflow with audit trail
  • Periodic target review reminders

Evidence Collection

[To be developed]

Board-Ready Reporting

  • Clear Current vs Target visualization
  • Progress toward board-set goals
  • Rationale context in reports
  • Risk-based prioritization of gaps

Integration Points

[To be developed]