The Essential Eight.
What Your Internal Team Cannot See.

What the Essential Eight Actually Requires

The ASD Essential Eight is not a suggestion. For Australian government suppliers, regulated entities, and any organisation that has signed a contract requiring demonstrated cyber maturity, it is a baseline obligation. Maturity Level Two is the current de facto standard expected by procurement teams, insurers, and the Australian Signals Directorate.

Most organisations believe they comply. Most are wrong — not because they are negligent, but because the gap between what they have documented and what is actually implemented and tested is almost never visible from the inside.

The Maturity Level Two Standard

At Maturity Level Two, controls must not only exist — they must be implemented consistently across all systems, monitored for effectiveness, and tested to confirm they function as intended. A policy document does not satisfy Maturity Level Two. Evidence does.

The Eight Controls — and Where Organisations Actually Fail

The Essential Eight covers eight mitigation strategies. Every one of them has a common failure mode in Australian mid-market organisations.

Patch Applications

Patches for internet-facing services with critical vulnerabilities must be applied within 48 hours at Maturity Level Two. Most organisations patch on a monthly cycle at best. The gap is publicly visible — exposed versions are identifiable from outside your network without any access to your systems.

Multi-Factor Authentication

MFA must be enforced across all users accessing internet-facing services and all privileged accounts. The most common failure: MFA is enabled but not enforced — users can bypass it, or it is not applied to service accounts and administrative access.

Restrict Administrative Privileges

Administrative privileges must be validated and revalidated. Former staff, contractors, and service providers frequently retain access that was never revoked. This is not detectable from inside the organisation without an audit — but the exposure is real.

Application Control

Only approved and tested applications can execute. This is one of the most commonly misrepresented controls. Having a policy is not the same as having technical controls in place that prevent unapproved execution.

What an External Assessment Finds That Internal Teams Miss

An internal team assessing their own Essential Eight compliance will always find a higher maturity level than an independent external assessor. This is not dishonesty — it is the natural result of familiarity. You cannot objectively assess what you built and maintain.

A BlackFlag Advisory passive OSINT assessment identifies Essential Eight gaps that are visible externally — from the same vantage point as a threat actor, a regulator conducting due diligence, or a procurement team verifying your maturity claim. We look at what is actually exposed, not what your documentation says should be in place.

What We Identify

  • Unpatched internet-facing services — version identification from public sources
  • Email security gaps — SPF, DKIM, DMARC configuration and enforcement
  • Exposed administrative interfaces — login portals, management consoles visible externally
  • Credential exposure — staff credentials in public breach datasets
  • Subdomain sprawl — forgotten or unmanaged subdomains running outdated software
  • Certificate and TLS configuration — expired, weak, or misconfigured certificates
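The email security item in the list above (SPF, DKIM, DMARC configuration and enforcement) is one of the gaps that can be graded entirely from public DNS, which is why it shows up in a passive assessment. The script below is an added example, not BlackFlag Advisory's tooling: it grades SPF and DMARC records the way an external assessor would, distinguishing "a record exists" from "the record is enforced". The domains and TXT records are constructed samples so it runs offline, and `lookup_txt` is a hypothetical stand-in for a real resolver. It goes a little beyond the list item by also counting SPF lookup-incurring terms and honouring the DMARC `pct` tag.

```python
"""Grade SPF and DMARC posture from DNS TXT records (added example)."""
import re

# Constructed sample TXT records keyed by DNS name. Not real domains; they
# stand in for the answers a resolver would return during an external check.
SAMPLE_RECORDS = {
    "monitor.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "open.example": ["v=spf1 a mx +all"],
    # open.example publishes no _dmarc record at all
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:agg@strict.example"],
}


def lookup_txt(name, records=SAMPLE_RECORDS):
    """Hypothetical stand-in for a DNS TXT query; swap in a real resolver for live use."""
    return records.get(name, [])


def costs_dns_lookup(term):
    """True for SPF terms that trigger a DNS query (RFC 7208 caps these at 10)."""
    t = term.lstrip("+-~?").lower()
    if t.startswith(("include:", "exists:", "redirect=", "ptr")):
        return True
    return re.match(r"^(a|mx)(?:[:/]|$)", t) is not None


def assess_spf(domain, records=SAMPLE_RECORDS):
    """Return (enforced, findings) for the domain's SPF record."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return False, ["no SPF record: any host may send as this domain"]
    if len(spf) > 1:
        return False, ["multiple SPF records: receivers treat this as a permanent error"]
    terms = spf[0].split()[1:]
    findings = []
    lookups = sum(1 for t in terms if costs_dns_lookup(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the 10-lookup limit, SPF evaluates to permerror")
    if any(t.lower().startswith("redirect=") for t in terms):
        return False, findings + ["redirect=: result depends on another domain's record (not followed here)"]
    terminal = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t.lower())), None)
    if terminal is None:
        return False, findings + ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = terminal[0] if terminal[0] in "+-~?" else "+"
    if qualifier == "+":
        return False, findings + ["+all: SPF authorises every sender, no enforcement"]
    if qualifier == "?":
        return False, findings + ["?all: neutral result, receivers will not reject on SPF"]
    if qualifier == "~":
        findings.append("~all: softfail, only effective when DMARC acts on it")
    return True, findings


def assess_dmarc(domain, records=SAMPLE_RECORDS):
    """Return (enforced, findings) for the domain's DMARC record."""
    recs = [r for r in lookup_txt("_dmarc." + domain, records) if r.lower().startswith("v=dmarc1")]
    if not recs:
        return False, ["no DMARC record: SPF and DKIM failures are never acted on"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct tag is not a number: treat the policy as unapplied")
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected")
    elif policy != "reject":
        findings.append(f"p={policy}: unknown policy value, receivers fall back to none")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so failures stay invisible to you")
    enforced = policy in ("quarantine", "reject") and pct == 100
    return enforced, findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC results into one posture verdict for a domain."""
    spf_ok, spf_findings = assess_spf(domain, records)
    dmarc_ok, dmarc_findings = assess_dmarc(domain, records)
    return {"domain": domain, "enforced": spf_ok and dmarc_ok, "findings": spf_findings + dmarc_findings}


if __name__ == "__main__":
    for name in ("strict.example", "monitor.example", "open.example"):
        result = assess_domain(name)
        print(name, "ENFORCED" if result["enforced"] else "GAP")
        for finding in result["findings"]:
            print("  -", finding)
```

Run directly, it prints a verdict and findings for each sample domain: `strict.example` comes out enforced with no findings, `monitor.example` has records but is monitoring only, and `open.example` authorises every sender and has no DMARC at all. DKIM is deliberately absent: verifying it needs a selector name that is not discoverable from DNS alone, so a passive check can only confirm it from observed mail headers.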

Why It Matters to Insurers and Government Procurement

Cyber insurers in Australia are increasingly requiring demonstrated Essential Eight maturity as a condition of cover. Policies issued without verified maturity evidence are being voided at claim time. The question is no longer whether you have a policy — it is whether you can prove implementation.

Government procurement panels, ASX-listed clients, and enterprise supply chains are applying the same standard. A self-declaration of compliance carries diminishing weight. An independently validated assessment carries evidence.

BlackFlag Advisory delivers that evidence. A single Board-ready report mapping your observable posture against the Essential Eight — delivered within five to seven business days, no systems accessed.

Where Does Your Organisation Actually Stand?

A BlackFlag Advisory passive assessment maps your observable security posture against the ASD Essential Eight — giving your Board an externally validated view of where the gaps are before a procurement team, regulator, or insurer finds them first.

Request an Assessment →