🎯 Essential Eight Target Maturity Setting Guide

Overview

Setting target maturity levels for Essential Eight controls is a critical board governance decision. This guide helps directors understand how to set appropriate targets based on organizational context, rather than blindly pursuing higher levels.

Key Principle: Context Over Compliance Theater

Target maturity is NOT about reaching the highest level possible.

It's about finding the right balance between:

  • Risk tolerance
  • Available resources
  • Business objectives
  • Regulatory requirements
  • Industry expectations

Understanding Current vs Target

Current Maturity

  • Where the organization is today
  • Assessed through evidence-based evaluation
  • Updated quarterly
  • Objective measurement

Target Maturity

  • Where the board decides the organization should be
  • Based on strategic considerations
  • Can be maintained at current level
  • Includes timeline for achievement

Why This Distinction Matters

Without explicit targets, directors often ask "why are we only at Level 1?" without context. Setting targets prevents this by:

  • Making the desired state a board decision
  • Documenting the rationale
  • Creating accountability for management
  • Avoiding arbitrary "level chasing"

Target Setting Framework

1. Consider Your Context

Risk Profile

  • Organizations that are high-value attack targets need higher maturity
  • Critical infrastructure requires Level 2+
  • Lower risk businesses may accept Level 1

Resources

  • Budget constraints
  • Technical expertise availability
  • Implementation timeline
  • Opportunity costs

Regulatory Requirements

  • Government suppliers need Level 2 minimum
  • Industry-specific requirements
  • Cyber insurance expectations

2. Partial Targets Are Valid

Not every control needs 100% implementation at a level:

  • "75% of Level 2" may be appropriate
  • Focus on risk-relevant aspects
  • Document what's included/excluded
  • Review periodically

3. Document Your Rationale

Every target needs a "why" statement:

Good Examples:

  • "Level 2 required for government contracts by Q3 2025"
  • "Maintain Level 1 - current risk profile doesn't justify Level 2 investment"
  • "Target 80% of Level 2 - full implementation not feasible with current IT architecture"

Poor Examples:

  • "Should be higher"
  • "Industry best practice"
  • "Seems appropriate"

Control-by-Control Considerations

Application Control

  • High impact on user productivity
  • Level 2+ requires significant IT resources
  • Consider business disruption

Patch Applications

  • Critical for ransomware prevention
  • Level 2 achievable for most organizations
  • Clear ROI on investment

Microsoft Office Macro Settings

  • Low user impact if well-communicated
  • Quick win for most organizations
  • Consider Level 2 as baseline

User Application Hardening

  • Browser security critical for all businesses
  • Level 1 minimum recommended
  • Level 2 for businesses with sensitive data

Restrict Administrative Privileges

  • Fundamental security control
  • Level 1 should be minimum
  • Higher levels need identity management maturity

Patch Operating Systems

  • Critical vulnerability management
  • Level 2 recommended for most
  • Automation makes higher levels achievable

Multi-factor Authentication

  • User experience considerations
  • Level 1 for all internet-facing systems
  • Level 2+ based on data sensitivity

Regular Backups

  • Business continuity essential
  • Level 2 includes testing
  • Level 3 for critical operations

Board Decision Process

1. Review Current State

  • Understand where you are
  • Identify biggest gaps
  • Consider quick wins

2. Set Priorities

  • Which controls matter most?
  • What's achievable this year?
  • Where to maintain vs improve?

3. Document Decisions

  • Record target for each control
  • Include rationale
  • Set review date
  • Assign accountability

4. Communicate Clearly

  • Management needs clear targets
  • Explain the "why"
  • Set realistic timelines
  • Define success criteria

Common Pitfalls to Avoid

"Higher is Always Better"

  • Level 3 isn't always necessary
  • Consider cost vs benefit
  • Some controls may stay at Level 1

"Set and Forget"

  • Review targets annually
  • Adjust based on changes
  • Celebrate achievement
  • Reassess after incidents

"Perfection Paralysis"

  • Partial implementation is valid
  • Progress over perfection
  • Document exclusions
  • Plan improvements

Example Target Setting

Small Professional Services Firm

  • Application Control: Level 1 (maintain)
  • Patch Applications: Level 2 (improve from Level 1)
  • Office Macros: Level 2 (quick win)
  • User Hardening: Level 1 (maintain)
  • Admin Privileges: Level 2 (improve)
  • Patch OS: Level 2 (improve)
  • MFA: Level 2 (critical)
  • Backups: Level 2 (improve testing)

Rationale: "Focus on quick wins (macros) and critical controls (MFA, patching). Maintain Level 1 where business impact is high (application control). Timeline: 12 months."

Questions for Board Discussion

  1. What's our current risk exposure?
  2. What are our regulatory obligations?
  3. What resources can we allocate?
  4. Which controls protect us most?
  5. What's realistic in 12 months?
  6. Where should we maintain vs improve?
  7. How do we measure success?

Next Steps

  1. Schedule board session for target setting
  2. Review current maturity assessment
  3. Discuss and document targets
  4. Communicate to management
  5. Monitor progress quarterly
  6. Review targets annually

Remember: The goal isn't the highest level - it's the right level for your organization.