Essential 8 Specialists
ISO 27001 Certified
Brisbane-Based Team
Right-Sized Approach
Your cyber insurer keeps asking about Essential 8 and you're not sure what to tell them.
Your biggest client just sent a security questionnaire asking about your maturity level.
You started Essential 8 work eighteen months ago and it's been quietly drifting ever since.
You've read the ACSC documentation, but turning it into actual configuration on actual systems is a different exercise.
You're not sure if Maturity Level 1, 2, or 3 is the right target for a business your size.
The Challenge
The Essential Eight framework itself is well-documented. The Australian Cyber Security Centre provides detailed guidance on each mitigation strategy and maturity level. You can read it all online for free. The challenge isn't understanding what Essential 8 is. The challenge is:
Knowing where you actually stand today.
Determining the right target for your business.
Implementing controls without disrupting operations.
Proving your compliance to stakeholders.
This is where having the right partner makes the difference between a successful Essential 8 implementation and an expensive, frustrating exercise that never quite gets finished.
Why Grassroots IT
We've Done It Ourselves
Grassroots IT is ISO 27001 certified. We don’t just advise on security frameworks—we’ve implemented them in our own business. We understand the practical challenges because we’ve navigated them ourselves. When we recommend an approach, it’s grounded in real experience, not just theory.
We Find the Right Level, Not the Highest Level
We Maximise Your Existing Microsoft Investment
Implementation That Actually Sticks
What is Essential 8
The Eight Strategies
1. Application Control
2. Patch Applications
3. Configure Microsoft Office Macros
4. User Application Hardening
5. Restrict Administrative Privileges
6. Patch Operating Systems
7. Multi-Factor Authentication
8. Regular Backups
The Maturity Levels
The ACSC defines four maturity levels (0-3), with each level representing increasing protection against more sophisticated threats:
Level 0: Weak or absent controls—you’re exposed to basic attacks.
Level 1: Basic protection against opportunistic attackers. A solid starting point for most SMEs.
Level 2: Protection against more capable, targeted attacks. Appropriate for businesses with compliance requirements or valuable data.
Level 3: Comprehensive protection against sophisticated threats. Required for high-risk industries and critical infrastructure.
Which level is right for you? That’s exactly what we help you determine. We assess your risk profile, stakeholder requirements, and resources to find the appropriate target—then build a realistic roadmap to achieve it.
How We Work
Assess Where You Are
Determine Your Target
We work with you to understand your stakeholder requirements (insurers, clients, regulators), risk profile, and budget. Together, we determine the appropriate maturity level for each strategy—not one-size-fits-all, but right-sized for your business.
Build a Realistic Roadmap
We create a prioritised implementation plan that sequences changes sensibly. Quick wins come first. Complex changes are planned and tested. We balance security improvement with operational reality so you can make progress without disrupting your business.
Implement Together
We work alongside your team to implement controls at a pace that works for you. This isn’t a handover of documentation—it’s collaborative implementation with proper testing, user communication, and change management. You understand what’s being done and why.
Document and Demonstrate
We help you document your maturity level with the evidence your stakeholders need. When your insurer asks questions or a client requests your security posture, you have clear, accurate documentation to share—not scrambling to prove what you’ve done.
Maintain Your Posture
Essential 8 isn’t a one-off project. We help you maintain compliance through ongoing patching, periodic reassessments, and adjustments as your business evolves. Your security posture stays current, not a snapshot that quickly becomes outdated.
What You Get
Current State Assessment
A clear, honest picture of your existing Essential 8 maturity level across all eight strategies, with specific gaps identified and prioritised.
Target Level Recommendation
Our considered view on the right Essential 8 maturity level for your business, grounded in your stakeholder requirements, risk profile, and resources.
Implementation Roadmap
A practical, sequenced plan to reach your target maturity level, with quick wins identified and timing aligned to your operational reality.
Evidence Package
Documentation of the controls you’ve achieved, suitable for sharing with insurers, clients, and your board.
Ongoing Maintenance Plan
A clear approach to maintaining your Essential 8 posture as your business evolves, including patching, periodic reassessments, and adjustments over time.
Ready to Get Essential 8 Right?
Whether you’re starting from scratch, responding to an insurer’s requirements, or looking to improve your existing maturity level, we can help. Book a conversation with our security team to discuss your situation and understand what working together would look like.
ISO 27001 certified | Brisbane-based | Essential 8 specialists | Microsoft solutions partner
Frequently Asked Questions
How long does Essential 8 implementation take?
How much does it cost?
Will this disrupt our business operations?
We already have Microsoft 365. Do we need to buy more tools?
What's the difference between Essential 8 and SMB1001?
Is Essential 8 mandatory?
Can we do this ourselves?
What if we're already working with another IT provider?