Last updated: 2026-05-12. Authoritative source: the current version of the ACSC Essential Eight Maturity Model at cyber.gov.au prevails over anything stated here.
1. Purpose & scope of the Application
ComplyWith (the “Application”) is a self-service educational and self-assessment tool designed to assist organisations in understanding, self-assessing against, and planning implementation of the Essential Eight Maturity Model published by the Australian Cyber Security Centre (ACSC), a function of the Australian Signals Directorate (ASD).
The Application addresses the following eight mitigation strategies, using the official terminology defined by the ACSC:
- Application Control — preventing the execution of unapproved or malicious programs including executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets.
- Patch Applications — applying security patches and updates to applications, including internet-facing services, web browsers, Microsoft Office, email clients, PDF software, and security products, within the timeframes set out in the Maturity Model.
- Configure Microsoft Office Macro Settings — disabling Microsoft Office macros for users without a documented business requirement, blocking macros originating from the internet, and limiting permitted macro execution to digitally signed macros or macros within Trusted Locations.
- User Application Hardening — configuring web browsers, Microsoft Office, PDF software and other user-facing applications to reduce attack surface, including the disabling of Internet Explorer 11, Java, advertisements and unnecessary features.
- Restrict Administrative Privileges — limiting privileged access to operating systems and applications based on duties, validating and revalidating access, separating privileged from unprivileged operating environments, and enforcing the use of dedicated Privileged Access Workstations at higher maturity.
- Patch Operating Systems — applying security patches and updates to operating systems on workstations, servers, network devices and firmware within the timeframes set out in the Maturity Model, and removing operating systems no longer supported by their vendor.
- Multi-factor Authentication — requiring two or more authentication factors for users, privileged users, customers and access to important data repositories, with progression to phishing-resistant authentication factors at higher maturity.
- Regular Backups — performing, retaining, securing and testing backups of important data, applications and configuration; restricting access to backups; and protecting backups from modification or deletion during their retention period.
2. Application features and their intended use
The Application provides, in respect of each mitigation strategy listed above, three distinct features. Each feature is for educational and internal planning purposes only and is described below in the terms used within the Application:
- Initial Check — a structured self-assessment questionnaire intended to indicate, on a non-authoritative and self-attested basis, the user’s current alignment with Maturity Level Zero (ML0) through Maturity Level Three (ML3) as those levels are described in the ACSC Essential Eight Maturity Model. The Initial Check applies the ACSC scoring convention under which the overall Essential Eight maturity of an organisation is bounded by the maturity level of its weakest in-scope mitigation strategy.
- Implementation Guide — technology-agnostic, illustrative guidance describing common actions, evidence artefacts and known pitfalls that organisations may consider when uplifting maturity. The Implementation Guide is informational only and is not a prescriptive, complete, or controlled implementation specification. The Implementation Guide does not address every requirement, exception, refinement, or interpretation set out in the Maturity Model or in the Information Security Manual (ISM).
- Validation Audit — a more evidence-driven self-assessment intended to assist organisations in sanity-checking their own self-attestations before any external review. The Validation Audit remains a self-assessment and is not equivalent to, nor a substitute for, an audit performed by an independent qualified third party.
3. No professional, legal or assurance advice
The Application does not constitute legal advice, cybersecurity consulting advice, audit advice, accreditation advice, regulatory advice, insurance advice, or any other form of professional advice. Information generated by the Application is general in nature and does not take into account the specific circumstances, risk profile, legal obligations, contractual obligations, or sectoral regulatory environment of any organisation.
Before relying on any output of the Application for compliance, regulatory, certification, accreditation, contractual, procurement, audit, insurance, or assurance purposes, you should obtain advice from suitably qualified professionals, which may include but is not limited to: assessors registered under the Infosec Registered Assessors Program (IRAP), qualified cybersecurity consultants, internal audit, external audit, and legal counsel.
4. Not an authoritative, official or endorsed assessment
The Application is an independent educational tool. The Application is not:
- Operated by, endorsed by, certified by, sponsored by, or affiliated with the Australian Cyber Security Centre, the Australian Signals Directorate, the Department of Home Affairs, the Commonwealth of Australia, or any other government or statutory body.
- An assessment performed by an IRAP assessor, a Common Assurance Maturity Model assessor, or any other accredited assessment body.
- A substitute for a formal Essential Eight assessment, ISM assessment, Protective Security Policy Framework (PSPF) assessment, Hosting Certification Framework assessment, or any other government, sectoral or commercial security assessment, audit or certification.
- A method by which any organisation may represent, certify, attest or warrant attainment of any specific Essential Eight Maturity Level for the purposes of any contract, tender, grant, regulation, certification, accreditation, or insurance.
Self-assessment outputs produced by the Application reflect the user’s own answers and do not, of themselves, constitute objective evidence that any mitigation strategy is implemented, operating, or effective.
5. Accuracy, currency and revision risk
The ACSC periodically revises the Essential Eight Maturity Model. The Application reflects the authors’ good-faith interpretation of the Maturity Model as understood at the time of publication and may not reflect the most recent revision, errata, supplementary guidance, or interpretive material issued by the ACSC, ASD, or any other authority. Users are solely responsible for consulting and applying the current authoritative versions of the Essential Eight Maturity Model and the Information Security Manual published at cyber.gov.au.
6. “As is” — no warranties
The Application is provided “as is” and “as available” without warranties of any kind, whether express, implied, statutory, or otherwise. To the maximum extent permitted by law, the authors, contributors, operators, distributors and hosts of the Application disclaim all warranties including, without limitation, warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, completeness, currency, timeliness, security, reliability, and availability.
7. Limitation of liability
To the maximum extent permitted by law, in no event shall the authors, contributors, operators, distributors or hosts of the Application be liable for any direct, indirect, incidental, special, consequential, punitive or exemplary damages — including without limitation damages for loss of profits, revenue, goodwill, data, business interruption, reputation, regulatory fines, or remediation costs arising from a cybersecurity incident — arising out of or in connection with the use of, inability to use, or reliance upon the Application or any of its outputs, even if advised of the possibility of such damages.
Nothing in these terms is intended to exclude, restrict or modify any consumer guarantee or statutory right which cannot lawfully be excluded, including those arising under the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)) or analogous legislation in your jurisdiction.
8. Privacy and data handling
The Application stores Initial Check, Implementation Guide selection, and Validation Audit answers exclusively in the user’s browser local storage. No assessment data is transmitted to the operators of the Application or to any third-party processor. The Application loads its web fonts from Google Fonts, which may collect technical access logs in accordance with Google’s privacy policy. Clearing browser site data will delete all locally stored assessment progress.
9. Intellectual property & trademarks
“Essential Eight”, “Essential Eight Maturity Model”, “ACSC”, “Australian Cyber Security Centre”, “Australian Signals Directorate”, “ASD”, “Information Security Manual”, “ISM”, “Infosec Registered Assessors Program” and “IRAP”, and related marks, are trademarks, service marks or registered marks of the Commonwealth of Australia or its agencies. “Microsoft”, “Microsoft Office”, “Internet Explorer”, “Windows”, “PowerShell” and “AppLocker” are trademarks of Microsoft Corporation. All other marks are the property of their respective owners. Use of these marks in the Application is solely descriptive and does not imply endorsement, sponsorship or affiliation.
10. Acceptance
By using the Application you acknowledge that you have read, understood and accepted this disclaimer and these terms in full. If you do not accept any part of these terms, you must not use the Application.