Skip to main content

Essential Eight to ISM Mapping

Introduction

The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight.

The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.

As the Essential Eight outlines a minimum set of preventative measures, organisations need to implement additional measures where it is warranted by their environment. Further, while the Essential Eight can help to mitigate the majority of cyber threats, it will not mitigate all cyber threats. As such, additional mitigation strategies and security controls need to be considered, including those from the Strategies to Mitigate Cyber Security Incidents and the Information Security Manual (ISM).

Mapping between the Essential Eight and the ISM

As Maturity Level Two is considered the baseline for non-corporate Commonwealth entities, a mapping between Maturity Level Two and Maturity Level Three of the Essential Eight Maturity Model and the ISM is outlined below. Changes between maturity levels are indicated via bolded text.

Mitigation Strategy

Maturity Level Two

Maturity Level Three

Application control

0843, 1490, 1657, 1660, 1661

0843, 1490, 1656, 1657, 1658, 1544, 1659, 1582, 1660, 1661, 1662, 1663

Patch applications

1690, 1691, 1693, 1698, 1699, 1700, 1704

1690, 1691, 1692, 1693, 1698, 1699, 1700, 1704, 0304

Configure Microsoft Office macro settings

1671, 1488, 1672, 1673, 1489, 1677

1671, 1674, 1487, 1675, 1676, 1488, 1672, 1673, 1489, 1677, 1678

User application hardening

1486, 1485, 1666, 1667, 1668, 1669, 1542, 1670, 1412, 1585, 1664

1486, 1485, 1654, 1667, 1668, 1669, 1542, 1670, 1412, 1585, 1655, 1621, 1622, 1664, 1665

Restrict administrative privileges

1507, 1647, 1648, 1175, 1380, 1687, 1688, 1689, 1387, 1685, 1509, 1650

1507, 1647, 1648, 1508, 1175, 1653, 1380, 1687, 1688, 1689, 1649, 1387, 1685, 1686, 1509, 1651, 1650, 1652

Patch operating systems

1694, 1695, 1701, 1702, 1501

1694, 1695, 1696, 1701, 1702, 1407, 1501

Multi-factor authentication

1504, 1679, 1680, 1681, 1173, 1401, 1683

1504, 1679, 1680, 1681, 1173, 1505, 1401, 1682, 1683, 1684

Regular backups

1511, 1515, 1705, 1707

1511, 1515, 1705, 1706, 1707, 1708

Further information

The Information Security Manual is a cyber security framework that organisations can apply to protect their systems and data from cyber threats. The advice in the Strategies to Mitigate Cyber Security Incidents, along with its Essential Eight, complements this framework.

Contact details

If you have any questions regarding this guidance you can write to us or call us on 1300 CYBER1 (1300 292 371).

Was this information helpful?
Was this information helpful?

Thanks for your feedback!

 
Optional

Tell us why this information was helpful and we’ll work on making more pages like it