ASD Essential Eight Maturity Levels: Melbourne MSP Compliance Guide March 2026

The Australian Signals Directorate's Essential Eight has evolved from a government recommendation into a commercial baseline expected by cyber insurers, enterprise clients, and government procurement panels. For Melbourne businesses, achieving and evidencing Maturity Level 2 is increasingly a licence to operate — and your MSP is the vehicle through which most organisations will get there.

The Eight Controls at a Glance

1. Application Control
2. Patch Applications
3. Configure Microsoft Office Macros
4. User Application Hardening
5. Restrict Administrative Privileges
6. Patch Operating Systems
7. Multi-factor Authentication
8. Regular Backups

What Maturity Level 2 Actually Requires

Maturity Level 1 means controls exist. Level 2 means they are systematic, consistently applied, and produce evidence. Level 3 means they are optimised and resistant to sophisticated adversaries. Most Melbourne commercial organisations should be targeting Level 2 as their immediate objective.

Application Control — ML2 Requirements

Allowlisting applied to all workstations and internet-facing servers. Application control events logged and reviewed. Unauthorised execution blocked and alerted.

Patch Management — ML2 Requirements

Critical patches applied within 48 hours. All other patches within 2 weeks. Automated scanning confirms compliance. Exceptions require documented risk acceptance.
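
An added example, not part of the original guide or any MSP's tooling: a minimal check of patch records against the 48-hour and two-week windows stated above, separating breaches covered by a documented risk acceptance from undocumented ones. The record fields, patch IDs, risk acceptance reference and sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

# Patch windows as stated in this guide.
SLA = {"critical": timedelta(hours=48), "other": timedelta(weeks=2)}

# Constructed sample records; the field names are assumptions for illustration.
SAMPLE = [
    {"host": "ws-01", "patch": "P-100", "severity": "critical",
     "released": "2026-03-01T09:00", "installed": "2026-03-02T17:00", "risk_acceptance": None},
    {"host": "ws-02", "patch": "P-100", "severity": "critical",
     "released": "2026-03-01T09:00", "installed": "2026-03-04T10:00", "risk_acceptance": None},
    {"host": "srv-01", "patch": "P-101", "severity": "other",
     "released": "2026-01-05T09:00", "installed": None, "risk_acceptance": None},
    {"host": "srv-02", "patch": "P-101", "severity": "other",
     "released": "2026-01-05T09:00", "installed": None, "risk_acceptance": "RA-EXAMPLE-1"},
    {"host": "ws-03", "patch": "P-102", "severity": "other",
     "released": "2026-03-10T09:00", "installed": None, "risk_acceptance": None},
]


def evaluate(records, now):
    """Classify each record and report whole days past its deadline."""
    findings = {}
    for r in records:
        window = SLA["critical" if r["severity"] == "critical" else "other"]
        deadline = datetime.fromisoformat(r["released"]) + window
        # An uninstalled patch is measured against the assessment time.
        done = datetime.fromisoformat(r["installed"]) if r["installed"] else now
        if done <= deadline:
            status = "compliant" if r["installed"] else "pending"
        elif r["risk_acceptance"]:
            status = "excepted"      # breach covered by a documented risk acceptance
        else:
            status = "breach"        # late or missing with no documentation
        days_over = max((done - deadline).days, 0)
        findings[(r["host"], r["patch"])] = (status, days_over)
    return findings


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE, datetime(2026, 3, 15, 9, 0)).items():
        print(key, value)
```

Sorting the `excepted` and `breach` findings by days overdue surfaces the long-running exceptions that an assessor will ask about first.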

MFA — ML2 Requirements

MFA on all internet-facing services, remote access, and privileged accounts. Phishing-resistant MFA (hardware key or passkey) required for admin accounts.

Backups — ML2 Requirements

Daily backups of critical data. Backups disconnected from production network. Restoration tested quarterly and documented. Retention of at least 3 months.

How MSPs Deliver Against the Essential Eight

A quality MSP should be able to map every Essential Eight control to a specific managed service they deliver, with evidence available in a client-facing portal. If your MSP cannot show you real-time Essential Eight compliance status, ask why not.

Affinity MSP: Essential Eight as Standard

Affinity MSP delivers Essential Eight Maturity Level 2 as a standard inclusion across all managed service tiers, with live compliance dashboards, automated evidence collection, and quarterly assessment reports suitable for insurer and client submission.

  • 100% of managed clients at Essential Eight ML2 or above
  • Automated patch deployment achieving 48-hour critical patch SLA
  • Quarterly backup restoration testing with documented outcomes
  • Live compliance dashboard accessible to client stakeholders

Common Gaps Found in Melbourne Assessments

  • MFA deployed on Microsoft 365 but not on legacy VPN or RDP endpoints
  • Backups taken daily but never tested — restores fail when needed
  • Admin privileges not restricted — developers and helpdesk staff run with Domain Admin
  • Patching tracked but with undocumented exceptions that persist for months
  • Application control deployed on servers but not workstations

These gaps are fixable — but only if your MSP is actively identifying and remediating them rather than simply running managed services on autopilot. Essential Eight compliance requires a partner who treats security as an ongoing program, not a one-time project.
