ASD to retire Essential Eight cyber security framework within next two years

The Australian Signals Directorate intends to retire its Essential Eight guidance framework within two years, to keep up with shifting cyber security sands.

Replacing Essential Eight will be a broader "Essentials" series designed to cover enterprise IT, cloud, operational technology, and potentially agentic artificial intelligence (AI) as distinct security domains.

Chris Horlyck, head of cyber security resilience at the Australian Cyber Security Centre (ACSC) within ASD, told iTnews Essential Eight would remain active alongside the new guidance while its replacement was gestating.

"We anticipate that there will be a transition period where we will keep the Essential Eight a live document and the Essentials a live document," Horlyck said.

"Then we will look to, probably in 12 months, start to deprecate the Essential Eight, and then in 24 months we'll retire the Essential Eight as a whole."

Horlyck said Essential Eight's core limitation was structural: it was designed for on-premises enterprise IT at a time when cloud adoption was still nascent, and its controls do not translate cleanly to shared-responsibility models or SaaS environments.

"Essential Eight started before cloud was really a big thing in the sector," he said.

"Now, if you don't have cloud, that would be a really surprising architecture to have."

The new Essentials series shifts emphasis from prescriptive controls tied to specific technologies towards outcomes and intent, giving organisations more flexibility to meet guidance using whatever tools fit their environment.

Three initial chapters will kick off the Essentials framework: enterprise IT to start with, followed by operational technology and cloud.

Horlyck flagged that cloud in particular now offered controls not available in on-premises environments.

Separating it out would let ASD give organisations clearer guidance on what their shared responsibility with a cloud provider actually looked like in practice.

Meanwhile, agentic AI could possibly become a dedicated chapter as well, Horlyck said.

He spoke of the distinct identity and access requirements for non-person entities operating on networks, and the threat posed by prompt injection as sufficiently different from conventional controls to warrant its own treatment.

ASD's Modern Defensible Architecture publication is a key influence on the Essentials series, which aims for a stronger emphasis on defence in depth and protecting crown jewels rather than a thin perimeter layer around IT environments, Horlyck said.

Moved goalposts

One reason for the change that ASD acknowledged is a complaint that has persisted for years that maturity level requirements for Essential Eight have shifted under organisations' feet.

This has created the impression of organisations and agencies going backwards on cyber security, without any actual deterioration in their actual security posture.

Horlyck confirmed the phenomenon was real, attributing it to ASD absorbing new threat tradecraft into existing maturity levels rather than having a structure flexible enough to accommodate evolving controls separately.

He added that the Essentials series was designed to address it by decoupling threat-informed controls from a fixed maturity ladder.

The Essential Eight was first published in 2017, evolving from ASD's Top Four mandatory controls from 2012.

At a high level, Essential Eight advises to restrict administrator privileges, patching applications and controlling which software can run on systems along with hardening them, restricting Microsoft Office macros, updating operating systems, and backing up regularly.

Furthermore, ASD also strongly advises organisations to implement multi-factor authentication (MFA) under Essential Eight.

Organisations that have invested in Essential Eight compliance would not see their work become redundant under the new framework, ASD said.

"The investment you've made under the Essential Eight will still be relevant under the Essentials," Horlyck said.

ASD has opened consultation on the first chapter of the new series, Essentials for enterprise IT, with feedback due via the ACSC Partner Portal by July 12 2026.