What is Essential Eight Maturity Level 2 (ML2)?
Essential Eight Maturity Level 2 (ML2)
Essential Eight ML2 alignment for mid-market firms.
Documented uplift roadmap. ML2 to ML3 ratchet. Senior named delivery.
ML2 evidence is designed to drop into a CPS 234 §13 capability section. We do not separate them.
The problem ML2 actually solves
Most mid-market FS firms sit at ML1 with two or three controls leaning toward ML2. APRA, internal audit and cyber-insurance underwriters all increasingly expect ML2 across the eight. The work is rarely a single project — it is a 9-to-18-month uplift programme touching identity, endpoint, server, Microsoft 365, network and backup posture.
The three patterns that fail most ML1-to-ML2 audits in mid-market FS
- Application control: Endpoint allow-listing has not moved past pilot. Workstations are unmanaged for ML2 purposes.
- Restrict admin privileges: Domain admin accounts are still in daily use. Privileged Access Management has not been deployed, or has been deployed but bypassed.
- Multi-factor authentication: MFA covers cloud SaaS but not legacy on-premises systems, VPN-without-MFA pockets remain, and break-glass accounts have no documented control.
A documented ML2 uplift programme that hits these three first closes 60% of the audit gap.
ML1 vs ML2 vs ML3
We work the eight controls to ML2 specifics, with documented per-control adoption notes and a 12-month uplift roadmap. The roadmap is shared with your CISO and Head of Risk monthly.
| Control | ML1 (baseline) | ML2 (target) | ML3 (advanced) |
|---|---|---|---|
| Application control | App control on workstations for executable files | App control on workstations and servers for executables, scripts, installers, libraries and HTML apps | App control with Microsoft-signed driver enforcement and validated rule sets |
| Patch applications | Internet-facing apps patched within 2 weeks | Internet-facing within 2 weeks; office productivity, browsers, email, PDF and security products within 1 month | All apps within 48 hours for critical, 2 weeks for non-critical, with vulnerability scanning |
| Configure MS Office macros | Macros disabled for users without business need | Macros from the internet blocked; macro execution logged; antivirus scans macros | Only signed macros from trusted publishers permitted; full macro telemetry |
| User application hardening | Web browsers do not process Java or Flash | Browsers, Office and PDF readers hardened to ASD configuration; ads, IE11, .NET 3.5 disabled | All hardening from ML2 plus Microsoft Edge mode enforcement and PowerShell command-line logging |
| Restrict admin privileges | Privileged accounts cannot access internet, email or web services | Privileged access requested and validated; privileged accounts separate from standard accounts; PAM deployed | Just-in-time privileged access; jump servers; full session recording |
| Patch operating systems | Internet-facing OS patched within 2 weeks | Internet-facing within 2 weeks; workstations and non-internet-facing servers within 1 month | All OS within 48 hours for critical; vulnerability scanning weekly |
| Multi-factor authentication | MFA for internet-facing services with sensitive data | MFA for all internet-facing services, privileged users, and important data repositories; phishing-resistant where available | MFA phishing-resistant across the board (FIDO2, smart cards); break-glass accounts MFA'd |
| Regular backups | Backups of important data and configs; daily-coordinated restore tested annually | Backups daily, retention adequate, restoration tested quarterly, privileged accounts cannot modify or delete | Backups with immutability, off-network copy, tested monthly with documented RTOs/RPOs |
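As an added example (not BISTEC's or ACSC's code), the patch-window rows of the table above turned into a check that grades a constructed set of patch records against the ML1/ML2/ML3 windows exactly as the table states them. The record format, the assessment date and the per-patch "critical" flag are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Patch windows in days, from the "Patch applications" / "Patch operating
# systems" rows of the table above. ML1 only constrains internet-facing
# systems; ML3's 48-hour window applies to critical patches only. Whether a
# patch is "critical" is an assumed field on the record, not something the
# page defines.
WINDOWS = {
    "ML1": lambda r: 14 if r.internet_facing else None,
    "ML2": lambda r: 14 if r.internet_facing else 30,
    "ML3": lambda r: 2 if r.critical else 14,
}

@dataclass
class PatchRecord:
    asset: str
    internet_facing: bool
    critical: bool
    released: date
    applied: Optional[date]   # None = still unpatched at the assessment date

def lag_days(rec: PatchRecord, as_of: date) -> int:
    """Days from patch release to application (or to the assessment date if unpatched)."""
    return ((rec.applied or as_of) - rec.released).days

def failures(records, as_of, level):
    """Records that exceed the window for `level`, as (asset, lag, window) tuples."""
    out = []
    for rec in records:
        window = WINDOWS[level](rec)
        lag = lag_days(rec, as_of)
        if window is not None and lag > window:
            out.append((rec.asset, lag, window))
    return out

def grade_patching(records, as_of):
    """Highest level every record meets, the level it is blocked at, and the blocking records."""
    achieved = "ML0"
    for level in ("ML1", "ML2", "ML3"):
        bad = failures(records, as_of, level)
        if bad:
            return achieved, level, bad
        achieved = level
    return achieved, None, []

# Constructed sample evidence (not real data): one internet-facing app, two internal ones.
SAMPLE = [
    PatchRecord("web-portal", True, True, date(2024, 3, 1), date(2024, 3, 10)),
    PatchRecord("office-suite", False, False, date(2024, 3, 1), date(2024, 3, 20)),
    PatchRecord("pdf-reader", False, False, date(2024, 3, 1), None),
]
AS_OF = date(2024, 4, 15)

if __name__ == "__main__":
    level, blocked_at, bad = grade_patching(SAMPLE, AS_OF)
    print(f"patching evidence supports {level}; blocked at {blocked_at}: {bad}")
```

The unpatched PDF reader is invisible at ML1 (only internet-facing assets are constrained) but blocks ML2, which is the pattern the page describes for firms that sit at ML1 with some controls leaning toward ML2.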
Per-control BISTEC delivery
- 01 Application control: We deploy and operate Microsoft Defender Application Control or third-party allow-listing across workstations and servers, with a documented exception process and quarterly review.
- 02 Patch applications: Co-managed patching across the application stack, with monthly patch evidence to your CISO and quarterly attestation to your Head of Risk.
- 03 MS Office macros: Group Policy + Defender for Office 365 configuration; macro telemetry into the SIEM.
- 04 User application hardening: Standard Operating Environment (SOE) hardened to ACSC configuration baselines; documented variance log.
- 05 Restrict admin privileges: PAM deployment (CyberArk, Delinea or BeyondTrust depending on stack); privileged-account inventory; quarterly access review.
- 06 Patch operating systems: Server and workstation patching at ML2 cadence; documented patching SLA; reporting into the CPS 234 §13 capability evidence pack.
- 07 Multi-factor authentication: MFA across all internet-facing services and privileged users; phishing-resistant MFA where the platform supports it; break-glass account control documented.
- 08 Regular backups: Daily backups with immutability; quarterly restoration test with named participants; documented RTO/RPO per critical workload, mapped to your CPS 230 critical-operations register.
What's on the contract
- Senior security operations running ML2-aligned monitoring across the eight controls
- Named lead + named senior security analysts (CREST-certified)
- Documented uplift roadmap delivered monthly to your CISO and Head of Risk
- ISO 27001 certified · Microsoft Solutions Partner · AWS Partner
- ML2 evidence pack designed to drop into a CPS 234 board pack
- We do not claim AI in our monitoring. Humans do the analyst work.
24-question self-assessment
Essential Eight ML2 Self-Assessment
A 24-question self-assessment, one to two questions per control, with a maturity scoring rubric. Tells you which of the eight is furthest from ML2 — and which uplift to do first. Free. Email-gated. Built from real ML1-to-ML2 uplift engagements with mid-market firms.
Frequently asked
Essential Eight Maturity Level 2 is the Australian Cyber Security Centre's intermediate maturity level for the eight mitigation strategies in the Essential Eight. ML2 is calibrated for organisations facing adversaries with moderate capability who target the organisation specifically. It is the level APRA-regulated mid-market firms, government suppliers, and most cyber-insurance underwriters expect across the eight controls.
ML1 is a baseline against opportunistic adversaries; ML2 raises the bar for adversaries who specifically target the organisation; ML3 hardens against well-resourced, persistent adversaries. The jump from ML1 to ML2 typically requires programme work across endpoint allow-listing, privileged access, and MFA coverage. The jump from ML2 to ML3 requires session recording, just-in-time privilege, and phishing-resistant MFA across the board.
For a mid-market firm with a baseline IT estate (200 to 2,000 staff): 9 to 18 months for full ML2 alignment across the eight. Application control and PAM are the long poles; MFA gaps are usually closed within 90 days. The work is sequenced — we typically prioritise admin privileges, MFA gaps, and patch cadence in the first quarter, then application control and macro hardening, then user-application hardening and backup uplift.
ML3 is calibrated for organisations facing well-resourced, persistent adversaries — typically nation-state-grade. Mid-market firms are not the priority target for that adversary class, and ML3 controls (just-in-time privilege, session recording on every privileged session, phishing-resistant MFA universally) carry operational cost that does not pay back at mid-market scale. ML2 is the right ratchet point. We document the path to ML3 in the roadmap so it is achievable when the threat profile shifts.
ACSC publishes the Essential Eight Maturity Model, which describes the implementation specifics for each control at each level. Evidence at ML2 is artefact-based: configuration baselines, exception registers, quarterly restoration tests, MFA enrolment reports, PAM session logs, patching cadence reports, application-control rule sets. APRA reviewers, internal auditors and cyber-insurance underwriters all increasingly ask for the same artefacts.
No. Essential Eight is not law for the private sector. It is mandated for non-corporate Commonwealth entities under the Protective Security Policy Framework. For private mid-market firms, it is an expected baseline — APRA references it in CPS 234 reviews, cyber-insurance underwriters use it as an underwriting checklist, and the ACSC recommends it broadly. Most boards now treat ML2 as a de facto expectation.
CPS 234 §13 requires information-security capability commensurate with the threat profile. Essential Eight ML2 is one of the most defensible ways to evidence that capability for an APRA-regulated mid-market firm. APRA does not mandate ML2 — but in practice, an ML2-aligned environment with documented evidence makes a CPS 234 review materially easier. Our ML2 evidence pack is designed to drop into the CPS 234 §13 capability section.
The three controls that fail most often in mid-market FS reviews: (1) restrict administrative privileges — daily-use domain admin accounts and untooled PAM; (2) application control — pilot-stage allow-listing that has not gone production; (3) MFA — incomplete coverage on legacy systems, VPN-without-MFA pockets, and undocumented break-glass accounts. Patching, macros, hardening and backups follow as secondary findings.
The ML2 to ML3 ratchet is the documented, planned uplift path from ML2 to ML3, sequenced over 18 to 36 months. Most mid-market firms do not need ML3 today, but having a documented ratchet makes the roadmap defensible to a board and avoids surprise budget conversations later. We deliver the ratchet as part of the ML2 alignment programme.