Essential Eight Compliance Questionnaire (Free Template)

The Essential Eight is a cybersecurity posture maturity model created by the Australian Signals Directorate to help Australian businesses achieve the minimum baseline of cybersecurity recommended by the Australian government to defend against cyber threats.

To become Essential Eight compliant, organizations must meet various requirements across eight different cybersecurity strategies. In this blog, we will cover the Essential Eight cybersecurity framework and provide a questionnaire template for organizations seeking to become compliant with this framework.

What is the Essential Eight?

The Essential Eight (also known as the ACSC Essential Eight or ASD Essential Eight) is a set of cybersecurity strategies recommended by the Australian Cyber Security Centre (ACSC) to mitigate cybersecurity incidents. It was first published in 2017 to secure internet-connected Microsoft Windows-based networks against cyber attacks. The protocols can also protect cloud service providers and other operating systems. However, it's worth noting that certain operating systems with unique cyber risk threats may require other, more effective mitigation strategies.

Mitigation strategies are cybersecurity practices, security policies, and tools designed to start the remediation process and protect an organization's information security from data breaches or unauthorized privileged access. These strategies are intended to limit and manage the damages caused by cyber incidents while safeguarding digital assets, networks, and data security.

Essential Eight Security Controls

The core of the Essential Eight is eight mitigation strategies designed to enhance an organization’s overall cybersecurity posture using various security measures. The eight security controls are:

• Application Control: Organizations should only allow specified applications to run on their networks, including network endpoints like workstations and servers, preventing malware and unapproved applications from executing.
• Patch Applications: Organizations must promptly install security patches to prevent exploitation and should automate this process to stay ahead.
• Configuring Microsoft Office Macro Settings: Organizations should limit macro execution to trusted sources, preventing internet-based attacks. Microsoft Defender can scan Office macros for viruses.
• User Application Hardening: Organizations should configure web browsers and Microsoft Office to block unnecessary and potentially malicious content, which minimizes vulnerable points in applications.
• Patching Operating Systems: Organizations must update their operating systems regularly for better security requirements and protection against potential threats.
• Restricting Administrative Privileges: Organizations should limit administrative and privileged access, ensuring users have minimum access to get their work done.
• Multi-Factor Authentication (MFA): Organizations must implement dual authentication methods to prevent unauthorized access.
• Regular Backups: Organizations must create backups of important data to speed up recovery after a cybersecurity breach.

The Essential Eight Maturity Model

To help organizations implement the Essential Eight framework, the ASD also produced The Essential Eight Maturity Model. The model includes four different maturity levels based on risk assessment and mitigating increasing levels of targeting from malicious actors. This model helps organizations consider what level of targeting, rather than which malicious actors they aim to mitigate.

• Maturity Level Zero: This baseline level signifies weaknesses in an organization’s vulnerability management. If exploited, confidential data and system integrity could be compromised.
• Maturity Level One: In this level, malicious actors are content to utilize average tools to gain access to and control systems. These include publicly available exploits, stolen credentials, brute force, etc.
• Maturity Level Two: Malicious actors in this level are a step up in capability and are willing to invest more time and tools in a target. These include targeting specific credentials through phishing, circumventing weak MFA, etc.
• Maturity Level Three: In this level, malicious actors are more adaptive and less reliant on public tools and techniques. They can exploit weaknesses in cybersecurity posture, like older software or insufficient logging/monitoring—not only initially accessing systems but evading detection and solidifying their presence.

Who Should Implement the Essential Eight?

The Australian Government has made it mandatory for all 98 non-corporate Commonwealth entities (NCCEs) to comply with the Essential Eight framework. Previously, the Government only required entities to comply with the first four security controls of the Essential Eight. Now, entities must follow all eight security controls to achieve compliance requirements. To ensure organizations maintain every security control, Australia requires all entities to undergo a comprehensive security assessment every five years starting in June 2022.

Outside of NCCEs, the Essential Eight operates as a cybersecurity benchmark and not a regulation—meaning there are no self-assessment requirements to implement the risk management strategies and no penalties for non-compliance. However, the ACSC strongly recommended the Essential Eight, and the cybersecurity framework can be applied globally, as it provides practical and foundational cybersecurity approaches.

Free Template: Essential Eight Compliance Questionnaire

The questionnaire template below is a starting point for organizations aiming to become Essential Eight compliant. Questions are organized by the different security controls outlined in the Essential Eight framework.

Although this template can serve as a helpful guide, it is important to remember that it simply provides a starting point. To be compliant, reference the full Essential Eight framework, tracking specific metrics, as you evaluate your organization’s cybersecurity controls.

Essential Eight Compliance Questionnaire

1. Application Control

1.1. Have you implemented application control to prevent the execution of unapproved/malicious programs?

• Yes
• No
• [Free Text Field]

1.2. Are controls in place to ensure only approved software can be installed and run?

• Yes
• No
• [Free Text Field]

1.3. Do you update and maintain the list of approved applications?

• Yes
• No
• [Free Text Field]

1.4. Is there a process for evaluating and approving exceptions to the application control policy?

• Yes
• No
• [Free Text Field]

1.5. Do you have a process to handle violations of application control policies?

• Yes
• No
• [Free Text Field]

[Open text field for vendor comments]

2. Patch Applications

2.1. Are all applications, including third-party applications, regularly patched?

• Yes
• No
• [Free Text Field]

2.2. Do you have a process to ensure critical and security patches are applied within 48 hours?

• Yes
• No
• [Free Text Field]

2.3. Is there an inventory or registry of all applications used in the organization for tracking purposes?

• Yes
• No
• [Free Text Field]

2.4. Do you have a process to ensure patches are tested before deployment?

• Yes
• No
• [Free Text Field]

2.5. Can you identify mechanisms that are in place for monitoring and reporting patch compliance across the organization?

• Yes
• No
• [Free Text Field]

[Open text field for vendor comments]

3. Configure Microsoft Office Macro Settings

3.1. Are macros in Microsoft Office applications disabled by default and only allowed for essential trusted documents?

• Yes
• No
• [Free Text Field]

3.2. Do you have a process to manage and monitor exceptions for macro usage?

• Yes
• No
• [Free Text Field]

3.3. Is there employee training on the risks associated with macros?

• Yes
• No
• [Free Text Field]

3.4. Do you have an auditing process for macro use and exceptions?

• Yes
• No
• [Free Text Field]

3.5. Are macro security settings regularly reviewed and updated?

• Yes
• No
• [Free Text Field]

[Open text field for vendor comments]

4. User Application Hardening

4.1. Have you implemented measures to block web browser access to malicious content (e.g., Flash, ads, Java from the internet)?

• Yes
• No
• [Free Text Field]

4.2. Are users' ability to download and install unapproved applications restricted?

• Yes
• No
• [Free Text Field]

4.3. Is browser and other critical software hardening part of regular security reviews?

• Yes
• No
• [Free Text Field]

4.4. Can you identify how application hardening policies is monitored and enforced?

• Yes
• No
• [Free Text Field]

4.5. Are employees trained on the importance of application hardening?

• Yes
• No
• [Free Text Field]

[Open text field for vendor comments]

5. Restrict Administrative Privileges

5.1. Are administrative privileges restricted to an essential number of users and reviewed regularly?

• Yes
• No
• [Free Text Field]

5.2. Do you have mechanisms in place to monitor the use of administrative privileges?

• Yes
• No
• [Free Text Field]

5.3. Is there an approval process for granting administrative privileges?

• Yes
• No
• [Free Text Field]

5.4. Are there specific dates when user accounts are audited for unnecessary administrative privileges?

• Yes
• No
• [Free Text Field]

5.5. Are administrative activities logged and regularly reviewed?

• Yes
• No
• [Free Text Field]

[Open text field for vendor comments]

6. Patch Operating Systems

6.1. Are operating systems patched regularly?

• Yes
• No
• [Free Text Field]

6.2. Can you identify how frequently security vulnerabilities are assessed and patches applied?

• Yes
• No
• [Free Text Field]

6.3. Do you have a system for prioritizing patching based on threat exposure and business impact?

• Yes
• No
• [Free Text Field]

6.4. Are patching efforts documented and reported to management?

• Yes
• No
• [Free Text Field]

6.5. Do you have a system to evaluate the effectiveness of the patch management process?

• Yes
• No
• [Free Text Field]

[Open text field for vendor comments]

7. Multi-Factor Authentication (MFA)

7.1. Is MFA enabled for all remote access, privileged accounts, and sensitive information access?

• Yes
• No
• [Free Text Field]

7.2. Can you ensure the security and robustness of your MFA implementation?

• Yes
• No
• [Free Text Field]

7.3. Are all staff members required to use MFA without exceptions?

• Yes
• No
• [Free Text Field]

7.4. Can you identify how frequently MFA settings are reviewed and updated?

• Yes
• No
• [Free Text Field]

7.5. Is there a process for responding to MFA lockouts or failures?

• Yes
• No
• [Free Text Field]

[Open text field for vendor comments]

8. Daily Backup of Important Data

8.1. Are daily backups of essential data, software, and configuration settings conducted?

• Yes
• No
• [Free Text Field]

8.2. Are these backups tested regularly to ensure they can be rapidly restored following an incident?

• Yes
• No
• [Free Text Field]

8.3. Is backup data stored securely, both on-site and off-site?

• Yes
• No
• [Free Text Field]

8.4. Do you have controls to protect backup integrity against malware or ransomware attacks?

• Yes
• No
• [Free Text Field]

8.5. Are backup and restoration processes documented and regularly reviewed for improvements?

• Yes
• No
• [Free Text Field]

[Open text field for vendor comments]

Get Essential Eight Ready with UpGuard

The Essential Eight outlines fundamental cybersecurity measures. For advanced protection and vulnerability management from cyber threats, consider UpGuard’s external attack surface management, Breach Risk.

UpGuard Breach Risk helps you understand the risks impacting your external security posture and ensures your assets are constantly monitored and protected. Our all-in-one dashboard makes it easy to view your organization’s cybersecurity at a glance and communicate internally about risks, vulnerabilities, or current security incidents.

Other features include:

• Data Leak Detection: Protects your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
• Continuous Monitoring: Get real-time information and manage exposures, including domains, IPs, and employee credentials
• Attack Surface Reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
• Shared Security Profile: Eliminate having to answer security questionnaires by creating a Trust Page
• Workflows and Waivers: Simplify and accelerate how you remediate issues, waive risks, and respond to security queries
• Reporting and Insights: Access tailor-made reports for different stakeholders and view information about your external attack surface