This is a position piece, not a checklist. It sets out how Interconnekt reads the current direction of Australian cyber security guidance, and the framework we have chosen to implement against for the small and mid-sized businesses we look after. You can disagree with the reasoning, but you will at least know exactly where we stand and why, which is more than most managed service providers will tell you.
The short version: the Australian Signals Directorate has signalled that the Essential Eight is changing shape. In 2026 the ASD opened consultation on evolving the Essential Eight into a broader Essentials series, with the current framework becoming the first chapter, described as "Essentials for enterprise IT". [VERIFY: the ASD announcement was reported in June 2026 and the public consultation was reported to close on 12 July 2026; confirm both the month and the exact close date against cyber.gov.au before publication.] The stated intent is a more flexible, threat-informed set of guidance that reflects how organisations actually run today: cloud, software-as-a-service, and generative AI, rather than a fixed list of eight prescriptive controls.
We think that direction is correct, and it validates a call we made some time ago. For a modern Microsoft environment run through Intune and Entra, a pure Essential Eight checklist has always been a slightly awkward fit. It was written for a fleet you image and manage on-premises, and it maps unevenly onto a cloud-managed, identity-first world. So the framework we implement against day to day is the Center for Internet Security's CIS Controls v8.1, and we treat Essential Eight as the outcome we attest against, not the blueprint we build from. This paper explains that choice.
What the ASD has signalled, and why it matters for SMBs
The Essential Eight was first published in 2017 and, apart from a substantial revision in November 2023, had stayed largely stable. That November 2023 update raised the bar in ways worth remembering: it pushed phishing-resistant multi-factor authentication up the maturity levels, tightened the patching clock to 48 hours for critical vulnerabilities that vendors flag, and added requirements around centralised, tamper-resistant event logging. Those were sensible, threat-informed changes. They also made Maturity Level 2 meaningfully harder to reach.
The 2026 consultation goes further. Rather than another point revision, the ASD is reframing the Essential Eight as one chapter in an evolving Essentials series, grounded in the Information Security Manual but moving away from relying only on prescriptive technical controls. In the words attributed to the ACSC's head, Stephanie Crowe, "to defend against modern threats with modern tools, our guidance must evolve as well". [VERIFY: confirm this quote and attribution against the primary ASD or ACSC source.] The explicit motivation is to keep pace with cloud computing, software-as-a-service, microservices, and generative AI.
For a small or mid-sized Australian business, the practical takeaway is not "panic, the rules changed". It is the opposite. Guidance that used to feel like a fixed target is now openly described by its author as evolving. That is a good reason to stop treating any single checklist as the whole of your security programme, and to anchor instead to a stable, well-maintained control framework that already assumes a cloud-first world. You want a backbone that does not need re-writing every time the guidance moves.
It is worth being plain about scope. Essential Eight Maturity Level 2 remains a mandatory baseline for Australian non-corporate Commonwealth entities under the Protective Security Policy Framework. If you are a government entity, or you contract to one, the Essential Eight is not optional and this paper does not change that. Our argument is about how you get there and what you build on, not about whether the Essential Eight matters. For most private SMBs it is a strong benchmark and an increasingly common expectation from cyber insurers and enterprise customers, rather than a legal requirement.
Where a pure Essential Eight checklist strains in a cloud-first fleet
The Essential Eight is eight mitigation strategies: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Every one of them is worth doing. The strain is not in the controls themselves; it is in what the framework leaves out and how narrowly it frames what it includes.
Read the eight strategies against a business that has no on-premises servers, runs everything through Microsoft 365, manages laptops with Intune, and controls access with Entra ID Conditional Access. Whole categories of real risk in that environment sit outside the eight. There is no first-class treatment of identity and Conditional Access as a control surface, no explicit account-lifecycle or joiner-mover-leaver discipline, no data-classification or data-loss-prevention expectation, no coverage of SaaS-to-SaaS OAuth grants, and only a thin treatment of security awareness and email protections. These are precisely the areas where cloud-first SMBs get hurt.
The maturity-level framing adds a second kind of strain. Essential Eight maturity is defined as alignment with the intent of each strategy: Level 0 minimally aligned, Level 1 partly aligned, Level 2 mostly aligned, Level 3 fully aligned. That is a clean way to describe posture, but it pushes teams toward a single headline number for the whole organisation. In practice an SMB is rarely at one uniform level across all eight. Application control might be genuinely hard while multi-factor authentication is already solid. A single maturity score flattens that texture, and the texture is where the actual risk decisions live.
None of this makes the Essential Eight wrong. It makes it a floor rather than a full programme, especially for a cloud-managed fleet. The ASD's own move toward a broader, more flexible Essentials series is a tacit acknowledgement of the same gap. Our response has been to implement against a framework that already fills it.
The case for CIS Controls v8.1 as the implementation backbone
The CIS Controls, maintained by the Center for Internet Security, are a globally used set of prioritised safeguards. Version 8.1, released in 2024, is an iterative update to v8: it realigns the controls with evolving standards, refreshes the asset classes and safeguard descriptions, and adds a Govern function drawn from the NIST Cybersecurity Framework 2.0. For anyone already running a v8 programme, the change is deliberately light. That stability is a feature, not a shortcoming.
Version 8.1 is organised as 18 controls broken into 153 individual safeguards. Crucially for an SMB, those safeguards are tiered into three Implementation Groups. Implementation Group 1, the essential cyber-hygiene baseline aimed at smaller organisations, is 56 safeguards. Implementation Group 2 adds the safeguards a business with moderate complexity or regulatory obligations should carry. Implementation Group 3 covers all 153 for organisations facing sophisticated threats. The groups are cumulative, so IG2 includes all of IG1, and IG3 includes everything. That tiering is the single most useful thing about the framework for a business our customers' size: it tells you what to do first, and gives you an honest, defensible line for what you have chosen to defer.
The 18 controls read like a description of a modern environment rather than a legacy one. They cover inventory of enterprise assets and software, data protection, secure configuration, account and access management, continuous vulnerability management, audit log management, email and web browser protections, malware defences, data recovery, network infrastructure and monitoring, security awareness training, service provider management, application software security, incident response, and penetration testing. The identity, data-protection, SaaS-vendor, and awareness gaps we listed against the Essential Eight are all first-class controls here.
The point of choosing CIS as the backbone is not that it is longer. Length on its own is a liability; a framework you cannot finish is a framework you did not implement. The point is that CIS is prioritised, cloud-aware, and cumulative, so it gives an SMB a sequence rather than a wall. You implement IG1, you evidence it, you move deliberately into the IG2 safeguards that your risk profile and your insurer justify, and at every step you can say precisely where you are and why. That is a programme you can run, not a poster you hang.
How we map CIS safeguards to Essential Eight outcomes in Intune and Entra
Choosing CIS as the backbone does not mean walking away from Essential Eight attestation. The two frameworks overlap heavily, and every Essential Eight strategy has a natural home among the CIS safeguards. We implement the safeguard in the Microsoft toolset, then present the resulting evidence against the relevant Essential Eight strategy when an auditor, insurer, or enterprise customer asks. One implementation, two reporting views.
Application control (Essential Eight) maps to CIS Control 2, Inventory and Control of Software Assets, and its allowlisting safeguards. In a Microsoft fleet we deliver this with Windows Defender Application Control or AppLocker deployed through Intune, run in audit mode first to discover legitimate software, then moved to enforce. The CIS safeguard tells us to build and maintain the software inventory; the Essential Eight strategy is the outcome that inventory-driven allowlisting produces.
Patch applications and patch operating systems map to CIS Control 7, Continuous Vulnerability Management. We run this through Intune update rings and a vulnerability feed so that critical, actively-exploited issues are surfaced against the ASD's 48-hour expectation rather than a monthly cycle. Restrict administrative privileges maps to CIS Controls 5 and 6, Account Management and Access Control Management, delivered as separated admin accounts in Entra ID, privileged-role review, and Conditional Access that keeps privileged sessions off general browsing. Multi-factor authentication maps to the authentication safeguards in Control 6, delivered as Entra Conditional Access enforcing phishing-resistant methods, which is exactly where the November 2023 Essential Eight update pushed the bar.
Configure Office macro settings and user application hardening map to CIS Control 4, Secure Configuration, and Control 9, Email and Web Browser Protections, delivered as Intune configuration profiles and tenant policy. Regular backups map to CIS Control 11, Data Recovery, delivered with immutable or air-gapped backups and, the part most providers skip, quarterly restore tests with documented evidence. The safeguards the Essential Eight does not name, identity lifecycle, data-loss prevention, SaaS OAuth governance, and security awareness, are implemented from the same CIS backbone and simply have no Essential Eight box to tick. That is the gap closing, visible in the evidence.
The result is a single control programme in Intune and Entra that produces Essential Eight attestation as a byproduct. When the Essentials series lands and the guidance shifts again, the backbone does not move. We update the reporting view, not the environment. [VERIFY: the specific Microsoft feature-to-safeguard mappings above reflect current Intune and Entra capability as of mid-2026; re-check against Microsoft Learn before publication in case product naming or capability has changed.]
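The "one implementation, two reporting views" idea in code, as an added example rather than Interconnekt's own tooling. The strategy-to-control mapping is the one given in this section and Controls 3 and 14 are the CIS v8.1 Data Protection and Security Awareness controls; the evidence records, the 92-day freshness limit and the function names are constructed assumptions.

```python
from datetime import date

# Essential Eight strategy -> CIS Controls, as mapped in the section above.
E8_TO_CIS = {
    "Application control": [2],
    "Patch applications": [7],
    "Patch operating systems": [7],
    "Configure Microsoft Office macro settings": [4, 9],
    "User application hardening": [4, 9],
    "Restrict administrative privileges": [5, 6],
    "Multi-factor authentication": [6],
    "Regular backups": [11],
}
MAX_AGE_DAYS = 92  # assumption: evidence older than about a quarter is stale

EVIDENCE = [  # constructed records: (CIS control, item, passed, date collected)
    (2, "allowlisting policy in enforce mode", False, date(2026, 5, 20)),
    (4, "Office macro configuration profile", True, date(2026, 6, 1)),
    (5, "separated admin accounts", True, date(2026, 6, 3)),
    (6, "phishing-resistant MFA policy", True, date(2026, 6, 3)),
    (7, "update ring compliance report", True, date(2026, 6, 10)),
    (9, "browser hardening profile", True, date(2026, 6, 1)),
    (11, "restore test", True, date(2026, 1, 15)),
    (3, "data-loss prevention policy", True, date(2026, 6, 5)),
    (14, "security awareness training", True, date(2026, 6, 8)),
]

def control_state(control, evidence, today):
    """Return 'missing', 'failing', 'stale' or 'ok' for one CIS control."""
    rows = [r for r in evidence if r[0] == control]
    if not rows:
        return "missing"
    if not all(passed for _, _, passed, _ in rows):
        return "failing"
    if any((today - seen).days > MAX_AGE_DAYS for *_, seen in rows):
        return "stale"
    return "ok"

def essential_eight_view(evidence, today):
    """Problems per strategy (empty dict = evidenced), not one headline number."""
    view = {}
    for strategy, controls in E8_TO_CIS.items():
        view[strategy] = {c: s for c in controls
                          if (s := control_state(c, evidence, today)) != "ok"}
    return view

def outside_essential_eight(evidence):
    """CIS controls that hold evidence but have no Essential Eight strategy."""
    mapped = {c for controls in E8_TO_CIS.values() for c in controls}
    return sorted({r[0] for r in evidence} - mapped)
```

With the constructed records, the Essential Eight view flags application control as failing and backups as stale because the last restore test is more than a quarter old, while Controls 3 and 14 appear only in the CIS view.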
Who this is for
This position suits a cloud-first Australian SMB that runs on Microsoft 365, manages endpoints with Intune, and controls access with Entra. If that is you, and you want a security programme that survives the ASD's reshaping of the Essential Eight rather than needing a rebuild each time the guidance turns, building on CIS Controls v8.1 is the pragmatic call. You get a prioritised sequence, cloud-native controls, and Essential Eight attestation without treating a single checklist as the whole of your defence.
It is a poorer fit in two cases. If you are a non-corporate Commonwealth entity or a direct supplier to one, Essential Eight Maturity Level 2 is a mandated baseline and must be your explicit target; CIS is still a sound way to get there, but the attestation is not optional. And if you still run a substantial on-premises server estate, some of the cloud-first reasoning above softens, though the CIS backbone applies just as well to a hybrid environment. Either way, the framework is a means to a defensible posture, not an end in itself.
If your posture is somewhere between "we think we are mostly covered" and "we could not prove it to an auditor next week", that is the normal starting point and a good reason to have the conversation. We run a fixed-fee posture assessment that produces an evidence-grade gap analysis mapped to CIS Controls v8.1 and cross-referenced to Essential Eight outcomes. The deliverable is a prioritised remediation plan you own, not a slide deck.
We have held this position through more than twenty years of running IT for Australian businesses, and we will keep holding it as the guidance evolves, because a stable, cloud-aware backbone is what lets us answer honestly when a customer asks where they stand. If you want that answer for your environment, start a posture conversation with us.

