The Essential Eight is Changing. What is happening?

Almost everything built using the Essential Eight carries forward or can be used as a stepping stone to the new ASD's Essentials series.
The Essential Eight is Changing. What is happening?
Source: cyber.gov.au

The Australian Signals Directorate (ASD) is retiring the Essential Eight and transitioning to the broader "Essentials" series. Here's a quick look at what's happening.


Quick Summary

If you attest against the Essential Eight the news that the ASD plans to retire it may have caused some anxiety. The quick take-away is that it is a multi-year transition and an evolution of the Essential Eight framework. Almost everything built using the Essential Eight carries forward or can be used as a stepping stone to the new ASD's Essentials series.

What is happening?

The Essential Eight is being replaced by the ASD's Essentials series which is a broader more principle-based guidance grounded in the Information Security Manual. The new ASD Essentials series is set to cover the domains of enterprise IT, operational technology, cloud, and eventually agentic AI.

The Essential Eight stays live for now alongside the new Essentials series. The indicated timeline is that the Essential Eight will start being deprecated in about 12 months and then over 24 months it will be fully retired. This leaves plenty of runway for organisations to transition and adapt to the new ASD's Essentials series.

Why is the change happening?

The Essential Eight was built in 2017 around on-premise IT so its controls don't map cleanly to today's cloud infrastructure, shared-responsibility models and SaaS environments. The new Essentials series shifts emphasis from prescriptive controls tied to specific technologies towards outcomes and intent, giving organisations more flexibility to meet guidance using whatever tools fit their environment.

Reassuringly, ASD frames this as an evolution, not a teardown which results in an expanded framework focusing on flexibility while keeping a clear path to strong cyber resilience for organisations already using the Essential Eight. With the new Essentials series there is a change in focus from the static approach of "did we implement the control?" to a dynamic approach of "can we show the security outcome, against a real threat, continuously?"

Reasonable guidelines to follow

  1. Keep meeting your current obligations. Your Maturity Level targets and attestation deadlines stand until the Essential Eight is formally retired - there's no need to pause anything.
  2. Read the enterprise IT chapter. It gives you an early, comfortable sense of where the program is heading.
  3. Map your controls to outcomes. For each control, note the outcome it delivers and the threat it counters - that's the language of the new model.
  4. Strengthen detection and response. The old framework was light here; the new one won't be. A natural first place to focus.
  5. Plan for cloud and supply chain when you're ready. The areas ASD says the old model handled least well - measured, not rushed.
  6. Don't rip anything out. The question is simply: what does this tool prove, and what still needs proving? Map your environment.

Further Resources to Read

A key influence for the Essential series is the ASD's Modern Defensible Architecture publication. This covers defence in depth and places an emphasis and focus on protecting core IT assets rather than just a superficial thin perimeter layer around an IT environment.

Keep Up with Regulatory Demands

The Essential Eight is being upgraded to the Essentials series framework on a timeline that gives you time to transition. OneDot61's vendor portfolio supports the new dynamic approach of the ASD Essentials series where the focus is on protecting the core IT assets, with continuous assessments and mapping of security outcomes, against real threats not simulated ones. Contact OneDot61


OneDot61 | LinkedIn
OneDot61 | 90 followers on LinkedIn. Consult | Secure | Succeed | We believe in the power of simplicity, without compromising on security. As a leading provider in the industry, our mission is to empower you with cyber safe solutions. Drawing inspiration from the golden ratio balance, we skillfully navigate the complexities of IT solutions, ensuring a harmonious blend between foreground and background, security and experience.
About the author

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to OneDot61.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.