How ACE Builds on Australia’s Leading Cyber Security Framework
The Australian Cyber Security Centre’s (ACSC) Essential Eight (E8) is widely recognised as the most practical starting point for cyber security in Australia. It is recommended by the ACSC for all Australian organisations, increasingly referenced by cyber insurers, and cited by boards as a benchmark for due diligence. For good reason: it works.
But the E8 is, by design, a technical controls framework. Understanding what it covers, and where it ends, helps organisations decide what comes next.
What the Essential Eight actually covers
The E8 is built around eight mitigation strategies, each targeting a specific technical attack surface:
- Application control: Preventing unapproved or malicious programs from executing
- Patch applications: Addressing software vulnerabilities within defined timeframes
- Configure Microsoft Office macro settings: Blocking macros from the internet and restricting execution to vetted sources
- User application hardening: Configuring browsers and applications to reduce exposure to risky content
- Restrict administrative privileges: Limiting admin access to only those who need it, only for tasks that require it
- Patch operating systems: Keeping operating system vulnerabilities addressed on a regular cycle
- Multi-factor authentication (MFA): Requiring MFA for remote access and privileged actions
- Regular backups: Maintaining and testing backups of important data, software, and configuration settings
These eight strategies address the most common attack vectors used against Australian organisations. They are measurable, implementable, and mature. Achieving Maturity Level 1 (ML1) across all eight controls represents a meaningful reduction in an organisation’s risk exposure. Progressing to ML2 and ML3 builds on that foundation incrementally.
None of that is in question.
Where the technical controls stop
The E8 is designed to answer a specific question: are the right technical defences in place? It does not set out to answer broader questions about how an organisation identifies, manages, and governs its cyber risk over time.
That distinction matters more than it might first appear.
Technical controls, no matter how well implemented, sit inside a context. That context includes the people responsible for maintaining them, the processes that govern how decisions are made when something goes wrong, and the risk appetite of the organisation and its board. Without that surrounding structure, even a well-implemented E8 programme can leave gaps that are not visible in a maturity assessment.
Consider a few common scenarios:
- An organisation has achieved ML1 across all eight controls. But when a staff member clicks a phishing link, there is no documented incident response procedure. The technical controls helped contain the immediate impact; the absence of process governance determined what happened next.
- Or an organisation maintains strong patching compliance but has no formal third-party risk assessment process. A supplier with access to their systems is breached. The E8 did not cover that surface because it was not designed to.
- Or a board is told the organisation is “E8 compliant” without understanding what that means, what the residual risks are, or how cyber risk connects to the organisation’s broader risk register. The technical work is sound; the governance layer is missing.
What Australian Cyber Essentials adds
Australian Cyber Essentials (ACE) is not a replacement for the Essential Eight. It is designed to work alongside it.
ACE incorporates a substantial portion of E8’s technical controls, including patching disciplines, access management, MFA, backup integrity, and application hardening. These are not duplicated for the sake of it: they are part of a broader evidence-based assurance framework that places technical implementation inside a governance and risk management context.
Where ACE extends beyond the E8, it addresses the questions that technical controls alone cannot answer:
Governance and accountability: Does the organisation have board-level oversight of cyber risk? Are roles and responsibilities for security clearly defined? Is there a documented risk appetite?
Incident response and business continuity: What happens when a control fails? Is there a tested incident response plan? Can the organisation recover, and does it know how long that will take?
Third-party and supply chain risk: How are vendors and partners assessed? Are access controls and contractual obligations in place for third parties with system access?
Risk management and treatment: Is cyber risk formally identified, assessed, and treated? How does it connect to the organisation’s broader risk register and strategic planning?
Regulatory alignment: Does the organisation understand its obligations under the Privacy Act 1988, the Cyber Security Act 2024, and relevant sector-specific requirements? Are those obligations tracked and evidenced?
The result is a more complete picture of organisational security maturity: one that a board can understand, that regulators and insurers can rely on, and that reflects how the organisation actually operates, not just how its technical environment is configured.
If you have already invested in the Essential Eight
Existing E8 work is not wasted when an organisation pursues ACE. In fact, it becomes direct evidence.
Documented E8 assessments, gap analyses, and remediation records all contribute to ACE evidence requirements across the technical control domains. If an organisation has already engaged a provider to assess or uplift its E8 posture, that work can be mapped against the relevant ACE controls and submitted as part of the assurance process.
This means the pathway to ACE certification is shorter for organisations that have done the groundwork. The E8 effort has already addressed a meaningful portion of the technical implementation; what ACE adds is the governance, risk management, and process disciplines that sit around it.
For organisations at the beginning of their security journey, the E8 and ACE can be pursued in parallel. The technical controls required by the E8 align directly with ACE’s technical domains, so a structured programme that targets both simultaneously is both practical and efficient.
The right framework for your organisation
The question is not which framework is better. It is what your organisation needs to demonstrate and to whom.
If the primary goal is technical uplift, the E8 provides a clear, measurable path. If the goal is to demonstrate assurance to a board, a regulator, a major client, or a partner in the supply chain, then the governance and risk dimensions that ACE addresses become essential.
For many Australian organisations, both are true. The E8 builds the technical foundation. ACE provides the structure that makes that foundation credible, auditable, and complete.
Contact our ACE team to discuss how ACE can assist your business.