# Essential Eight Compliance (MVP)
## What It Is
The Essential Eight is Australia's cybersecurity framework from the ACSC (Australian Cyber Security Centre). GetCimple helps businesses track and improve their Essential Eight maturity.
## The 8 Controls
- Application Control - Only approved software can run
- Patch Applications - Keep software updated
- Microsoft Office Macros - Block dangerous macros
- User Application Hardening - Secure web browsers
- Admin Privileges - Limit who has admin access
- Patch Operating Systems - Keep Windows/Linux updated
- Multi-factor Authentication - Require 2FA for access
- Regular Backups - Protect against ransomware
## Maturity Levels
### ACSC Maturity Model
- Level 0: Not implemented
- Level 1: Partially implemented
- Level 2: Mostly implemented (minimum for government suppliers)
- Level 3: Fully implemented
### Current vs Target Approach
GetCimple distinguishes between:
- Current Maturity: Where you are today (assessed)
- Target Maturity: Where the board decides you should be
- Partial Targets: Can target "75% of Level 2" based on risk appetite
## How GetCimple Helps
### 1. Board-Friendly Assessment
40 Simple Questions that cover 152 ACSC controls:
- Grouped by 8 strategies for clarity
- Board-friendly language + technical detail
- 2-3 minute board decision time
- Pre-filled from existing policies (45%), insurance (30%), other assessments (10%)
Current State Assessment:
- Evidence-based maturity scoring
- Auto-calculate current level per strategy
- Track improvements over time
- Support for partial targets (e.g., "80% of Level 2")
Board Target Setting:
- Directors set target per strategy
- Document rationale for each target
- Targets based on risk appetite, not arbitrary progression
- Clear gap analysis: current vs target
### 2. Question-Level Evidence Management
Evidence Collection (at question level, not control level):
- Upload proof of implementation (policies, configs, screenshots)
- Add notes explaining context
- Link evidence to assessment questions
- Evidence automatically flows to all covered controls
Example: Question "Is MFA mandatory for admin accounts?"
- Upload: password-authentication-policy.pdf
- Notes: "Enforced via Kinde Auth. All admins enrolled."
- Covers: ML1-MF-01, ML2-MF-01, ML2-MF-07 (multiple controls)
### 3. Exception Documentation
Board-Approved Exceptions (at question level):
- Flag questions as "documented exception"
- Provide justification (why exception exists)
- Document compensating controls (what we do instead)
- Track board approval and review dates
Example: Legacy systems can't integrate modern IAM
- Exception: Yes
- Justification: "AS/400 systems 20+ years old"
- Compensating: "Quarterly manual access reviews"
- Board approved: 2025-09-15
- Review: 2026-03-15
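The evidence and exception examples above, and the partial targets from the Current vs Target section, can be put together as a small model: a question's evidence or board-approved exception covers every control it maps to, maturity per strategy is derived from that coverage, and a target like "75% of Level 2" is checked against it. This is an added example, not GetCimple code; only ML1-MF-01, ML2-MF-01 and ML2-MF-07 come from the page, IDs ending in `-EX1` are constructed placeholders, and the scoring rule (a level is reached when every in-scope control at or below it is covered) is an assumption.

```python
# Added example (not GetCimple code): question-level evidence/exceptions flowing down
# to ACSC controls, then per-strategy maturity and partial-target gap analysis.
from dataclasses import dataclass

@dataclass
class Question:
    qid: str
    strategy: str
    controls: list[str]            # ACSC control IDs this question covers
    evidence: tuple = ()           # uploaded proof (file names)
    exception: bool = False        # board-approved documented exception
    compensating: str = ""         # what is done instead

def level_of(control_id: str) -> int:
    """Control IDs carry their maturity level up front, e.g. ML2-MF-07 -> 2."""
    return int(control_id.split("-")[0][2:])

def control_rows(questions):
    """Audit-export view: one row per control, derived from the question covering it.
    Assumed rule: covered if the question has evidence, or an exception plus a compensating control."""
    rows = {}
    for q in questions:
        covered = bool(q.evidence) or (q.exception and bool(q.compensating))
        for c in q.controls:
            rows[c] = {"question": q.qid, "covered": covered,
                       "evidence": list(q.evidence), "compensating": q.compensating}
    return rows

def partial_target_status(questions, strategy, target_level, target_pct):
    """Gap analysis against a board target such as '75% of Level 2' (scope: controls at or below that level)."""
    rows = control_rows([q for q in questions if q.strategy == strategy])
    in_scope = {c for c in rows if level_of(c) <= target_level}
    covered = {c for c in in_scope if rows[c]["covered"]}
    achieved = 100 * len(covered) / len(in_scope) if in_scope else 0.0
    return {"achieved_pct": achieved, "at_target": achieved >= target_pct,
            "missing": sorted(in_scope - covered)}

def current_level(questions, strategy):
    """Highest maturity level at which 100% of in-scope controls are covered."""
    level = 0
    for lvl in (1, 2, 3):
        if not partial_target_status(questions, strategy, lvl, 100)["at_target"]:
            break
        level = lvl
    return level

MFA = "Multi-factor Authentication"
QUESTIONS = [  # constructed sample data built around the page's two examples
    Question("Q-MFA-1", MFA, ["ML1-MF-01", "ML2-MF-01", "ML2-MF-07"],
             evidence=("password-authentication-policy.pdf",)),
    Question("Q-MFA-2", MFA, ["ML2-MF-EX1"], exception=True,
             compensating="Quarterly manual access reviews"),   # AS/400 exception
    Question("Q-MFA-3", MFA, ["ML3-MF-EX1"]),                    # no evidence yet
]
```

With the exception in place the strategy sits at Level 2 and reaches 80% of Level 3; flip the exception off and it drops to Level 1 while still meeting a "75% of Level 2" target, which is exactly the distinction the compensating-control record is there to capture.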
### 4. Audit Export (NEW)
Bridge to Audit Compliance without UI complexity:
- One-button "Generate ACSC Audit Report"
- Exports 152-control detail from 40 questions
- Excel/CSV format auditors expect
- Includes all evidence and exception justifications
- Audit-ready artifact for external assessments
See E8 Audit Export for details.
### 5. Board Reporting
- Current vs Target Dashboard: Shows gaps to board-set targets
- 8 Strategy Summary: High-level maturity per strategy
- Progress Tracking: Movement toward targets since last quarter
- Risk-Based View: Focus on strategies below target
- Achievement Status: Clear "at target" vs "below target" indicators
## MVP Features
### Core Assessment
- 40-question assessment covering 152 ACSC controls
- 8 strategy-level summary for board clarity
- Pre-fill from policies, insurance, other assessments
- Board decision time: 2-3 minutes
### Evidence & Exceptions
- Question-level evidence uploads (files + notes)
- Exception documentation with board approval workflow
- Compensating controls tracking
- Review date management
### Audit Bridge
- One-button ACSC Audit Report export
- 152-control detail generated from 40 questions
- Excel/CSV format for external auditors
- Evidence and exception justifications included
### Board Governance
- Current vs target maturity tracking
- Board-driven target setting with rationale
- Progress tracking quarter-over-quarter
- Risk-based gap analysis
## Why Essential Eight Matters
- Required: For government suppliers
- Recommended: By cyber insurers
- Proven: Prevents 85%+ of cyber attacks
- Australian: Designed for our threat landscape
## Validation & Testing
Framework Status: ✅ VALIDATED (2025-01-24)
The E8 Assessment Framework has been comprehensively tested and validated:
- Test documentation: /docs-internal/docs/06-features/e8-testing/
- All 152 ACSC controls mapped successfully
- Pre-fill rates: 20-95% depending on organization maturity
- Board decision time: 2-3 minutes (within the < 5 min target)
- Routing accuracy: 97% (exceeds 95% target)
See Test Results Summary for details.
## Design Philosophy
### Why 40 Questions, Not 152 Controls?
Our Principle: Build for boards, not auditors
- Boards need: Strategic clarity (8 strategies), fast decisions (2-3 min), confidence
- Auditors need: Control-level detail (152 controls), evidence per control, compliance artifacts
Our Solution: Progressive complexity
- Board View: 8 strategies (highest level)
- Management View: 40 questions (actionable detail)
- Audit Export: 152 controls (external compliance)
We don't build a 152-control UI because:
- ❌ Too complex for board-level governance decisions
- ❌ Turns us into a GRC platform (not our market)
- ❌ Serves the 5% use case (audits) at the expense of the 95% (decisions)
- ❌ Significant dev investment (1-2 cycles) without validated demand
We do provide audit export because:
- ✅ Serves audit needs without UI complexity
- ✅ 1-2 days of work vs 1-2 dev cycles
- ✅ Validates demand before building the full feature
- ✅ Keeps focus on the board experience
See E8 Audit Export for the rationale and Decision Log for the full decision context.
## Future Evolution
### Post-MVP Enhancements (Demand-Driven)
Phase 2 (Validated via Audit Export):
- Continuous assessment (not just quarterly)
- API integration for automated scoring
- Real-time maturity tracking
- Peer benchmarking by industry
Phase 3 (Only if customers demand it):
- Full 152-control management UI
- Per-control evidence workflows
- Control implementation tracking
- Integration with vulnerability scanners
- Control testing and validation
Trigger for Phase 3: When paying customers say "We love the export, but need to manage controls live in GetCimple"
Don't build Phase 3 if: Export satisfies audit needs and customers prefer simple board interface
## Related Documentation
- E8 Audit Export - Pragmatic approach to audit compliance
- E8-UQB Integration - Pre-fill and routing architecture
- E8 Testing Results - Validation of 40-question approach
- Context Separation Guide - Building for boards vs startups
For now, we help you track Essential Eight compliance simply and effectively - with a bridge to audit requirements when needed.