How does your business score against the Essential Eight?
The Australian Cyber Security Centre’s Essential Eight is the baseline for protecting your business from the most common cyber attacks. This free self-assessment checks your alignment across all eight controls and shows you exactly where the gaps are. Five minutes, 27 questions, no technical knowledge required.
Your insurer is asking. Your accountant is asking. Now you need an answer.
Two years ago, most small businesses hadn’t heard of the Essential Eight. Now it’s showing up in cyber insurance renewals, client due diligence questionnaires, and conversations with your accountant.
The questions are straightforward enough: “Do you have multi-factor authentication? Are your systems patched? Do you have immutable backups?” But if nobody is managing your IT properly, you probably don’t know the answers. And guessing isn’t good enough when your insurance coverage depends on it.
Cyber insurance requirements have tightened
Insurers are asking specific questions about MFA, patching, backups, and admin access. If you can’t demonstrate these controls, your premium goes up or your cover gets reduced.
The ACSC has made Essential Eight the national benchmark
It’s no longer advice aimed at government agencies. The Australian Cyber Security Centre recommends Essential Eight for all Australian organisations, including small businesses.
Attacks on small businesses are increasing
Ransomware operators target SMBs because they know the security is weaker. The ACSC’s latest annual report shows small businesses are among the most frequently targeted. Essential Eight Level 1 blocks the most common attack methods.
None of this means you need to panic. It means you need to know where you stand. This assessment gives you that in 5 minutes.
The Essential Eight, explained in plain English
The Essential Eight is a set of eight security controls published by the Australian Cyber Security Centre (ACSC). Together, they protect businesses against the most common types of cyber attacks: ransomware, phishing, credential theft, and unauthorised access. Here’s what each one covers.
Application control
Only approved software runs on your devices. If a staff member downloads something dodgy, or ransomware tries to install itself, it gets blocked before it runs.
Patch applications
Your business apps are updated to close known security holes. When a vulnerability is discovered in software you use, the patch is applied before attackers can exploit it.
Configure Microsoft Office macros
Macros from the internet are blocked by default. Macros are small programs embedded in Office documents. Attackers use them to deliver malware. Blocking untrusted macros stops this.
User application hardening
Web browsers and email clients are locked down against common exploits. Features that attackers rely on, like Flash, Java, and certain ad scripts, are disabled or restricted.
Restrict administrative privileges
Only the right people have admin access, and they use separate accounts for it. If a regular user account gets compromised, the attacker can’t use it to control your systems.
Patch operating systems
Windows and macOS are kept current with security updates. An operating system that’s out of date is an operating system with known vulnerabilities that anyone can look up.
Multi-factor authentication
A second step, like a phone prompt or authenticator app, is required to log in. Even if someone steals a password, they can’t get in without the second factor.
Regular backups
Your data is backed up, stored offsite, and tested regularly. If ransomware locks your files or a server dies, you can restore everything from a clean copy.
Most small businesses have some of these partially in place. Very few have all eight implemented properly. This assessment tells you exactly where you stand.
Five minutes. No technical knowledge required.
Answer 27 questions
All multiple choice. Covers passwords, patching, backups, email security, device management, and more. If you manage a team, you can answer these. No IT background needed.
Get your alignment report
We score your answers against the Essential Eight framework and generate a report specific to your business. You’ll see your alignment level, your gaps, and what’s at risk.
Talk to an engineer (optional)
If your results raise concerns, book a 30-minute call with our Sydney-based team. We’ll walk through your report and explain what fixing the gaps actually involves. No cost, no obligation.
Your personalised Essential Eight alignment report
Answer 27 multiple-choice questions and get a detailed report covering:
Your overall alignment score
A clear number showing how close your business is to Essential Eight Level 1. Not a pass/fail. A score from 0 to 10 that tells you where you sit relative to the ACSC baseline.
Section-by-section breakdown
Each of the eight controls scored individually. You’ll see where you’re strong, where you’re exposed, and what’s missing entirely.
Specific risks in your environment
Not generic warnings. Findings based on your actual answers. If your backups aren’t tested, or MFA isn’t enforced, or admin access is too broad, the report flags it and explains what it means.
Priority recommendations
What to fix first to close the biggest gaps. Not everything needs to happen at once. The report gives you an order of operations based on risk, so you know where your time and budget make the most difference.
The report is written for business owners, not engineers. Every finding comes with a plain-English explanation of what it means and why it matters.
You don’t need to be technical. You just need 5 minutes.
This self-assessment is built for:
Renewing cyber insurance
Your insurer or broker has started asking about MFA, patching, and backup controls. You need to know what’s actually in place before your next renewal.
Asked about Essential Eight by your accountant or client
Due diligence questionnaires now include questions about Essential Eight alignment. This assessment gives you the answers before someone else asks.
Running a business with 5 to 100 staff
You don’t have a dedicated IT team or security person. IT grew organically and nobody has checked whether it still holds together.
Been putting off dealing with IT security
You know it needs attention. You keep pushing it down the list. This is the 5-minute starting point that gets the picture on paper.
If you’ve been meaning to look into Essential Eight but haven’t known where to start, this is the starting point.
Built by a Sydney IT team that implements Essential Eight every day
We’re CIO Tech, based in Bella Vista. We implement Essential Eight controls for small businesses across Sydney as part of our managed IT service. Every CIO Tech Assured client gets Essential Eight Level 1 controls as standard, including MFA enforcement, critical patching within 48 hours, application control, macro restrictions, and admin access lockdown.
We built this assessment because the businesses we work with kept asking the same question: “Where do we actually stand?”
This assessment gives you the answer. Free, no strings attached. Your data stays private. Your report comes to your inbox. If you want to talk about what the results mean, we’re here. If not, the report is yours to keep.
What if you want a hands-on assessment?
Our $990 IT Audit sends an engineer to your premises for a half-day, on-site assessment of your entire IT environment. You get a written Risk Report with findings, risk ratings, and a prioritised remediation roadmap. Book an IT Audit.
Looking for a broader IT health check beyond Essential Eight? Take the IT Maturity Assessment. It covers 8 areas including backup, device management, and staff practices.
Essential Eight Self Assessment
Free. 5 minutes. 27 questions. Your Essential Eight alignment report lands in your inbox.
Your information is stored securely in our CRM. We won’t share it. You’ll receive your report by email within 1 business day.