What is an Essential Eight self-assessment?

A self-assessment is a quick way to check your business against the eight mitigation strategies recommended by the Australian Cyber Security Centre. It highlights gaps in areas like patching, MFA, admin privileges, and backups before an attacker or insurer finds them.

Is this checklist the same as a formal Essential Eight assessment?

No. This checklist is a starting point based on Maturity Level One expectations. A formal assessment verifies each control with evidence and gives you a defensible maturity rating, which insurers and larger customers increasingly ask for.

A free interactive Essential Eight self-assessment checklist from StartCloud. 24 plain-English questions across the eight ACSC mitigation strategies, aligned to Maturity Level One expectations: application control, patching applications, Microsoft Office macro settings, user application hardening, restricting admin privileges, patching operating systems, multi-factor authentication, and regular backups. Results include practical next steps. No email address is required to use the checklist.

Free Self-Assessment

Essential Eight Self-Assessment Checklist

Twenty-four plain-English questions to see how your business measures up against Australia's baseline cyber security framework.

No email address required. Tick what's true for your business today and get an honest picture in about five minutes.

0 of 24 in place

1. Application Control

Stop unapproved programs from running on your computers and servers.

We keep a list of the applications our business actually needs.
Staff computers block programs that are not on the approved list.
Someone reviews and approves new software before it is installed.

2. Patch Applications

Keep everyday software like browsers and Office up to date.

Security updates for key applications are applied within two weeks, or 48 hours for serious flaws.
We use a tool or service that tells us when application updates are missing.
We no longer use applications the vendor has stopped supporting.

3. Configure Microsoft Office Macros

Macros are a common way for malware to sneak in via email attachments.

Macros are blocked for staff who do not need them.
Macros in files downloaded from the internet are blocked.
Macro security settings cannot be changed by staff themselves.

4. User Application Hardening

Switch off risky features in browsers and document readers.

Our web browsers do not run Java or web advertisements by default.
Internet Explorer 11 is not used to browse the web.
Browser security settings are managed centrally, not by each user.

5. Restrict Administrative Privileges

Limit the accounts that can change systems, since attackers target them first.

Day-to-day work is done with standard accounts, not admin accounts.
Requests for admin access are checked and approved before being granted.
Admin accounts cannot browse the web or read email.

6. Patch Operating Systems

Keep Windows, macOS, and server systems up to date.

Operating system updates are applied within two weeks, or 48 hours for serious flaws.
We can see which computers are missing updates at any time.
We no longer run operating systems the vendor has stopped supporting, such as Windows 10 after October 2025.

7. Multi-Factor Authentication

A second login step stops most password-based attacks cold.

MFA is required for email and Microsoft 365 or Google Workspace accounts.
MFA is required for remote access such as VPNs and remote desktops.
MFA is required for any online services that hold sensitive business data.

8. Regular Backups

Reliable backups are what stand between ransomware and a ransom payment.

Important data, settings, and systems are backed up automatically.
We have actually tested restoring from a backup in the last 12 months.
Backups cannot be modified or deleted by everyday user accounts.

Plenty of opportunity, and that's okay.

Most businesses start here. The Essential Eight is designed to be implemented progressively, so you don't need to fix everything at once. Start with MFA and backups, then work through the rest.

Book a Formal E8 Assessment Learn About the Framework

Keep reading: our plain-English compliance guide for Perth SMEs, a deeper look at each of the eight strategies, and why cyber insurance is not a substitute for controls.