All articles

14 July 2026

The Essential Eight Is Getting a Reboot

Eight years is a long time in cybersecurity. ASD has confirmed the Essential Eight is being replaced — gradually — by a new principles-based Essentials series. Here's what's changing, what it means for IRAP and transformation roadmaps, and what to pre-empt now.

Eight years is a long time in cybersecurity. Long enough that the framework built for 2017-era threats now looks tired next to AI-powered attacks, cloud-native everything, and adversaries who move faster than any audit cycle. ASD agrees. It just confirmed the Essential Eight is being replaced.

Not tweaked. Replaced, gradually, by something called Essentials.

What to Expect

On 24 June, ASD confirmed a staged transition to a new Essentials series over roughly 24 months. The first chapter, Essentials for Enterprise IT, evolves the current Essential Eight into a broader, principles based model instead of eight fixed technical controls lifted straight from the ISM.

Consultation on this first chapter runs until 12 July, so we're right at the pointy end of feedback season. For about 12 months, the Essential Eight and Essentials will run side by side as live documents. After that, ASD starts deprecating the old framework, with full retirement expected around the two year mark.

The ISM itself keeps moving too. The June update added a control recommending AI models be used to help detect security events and identify incidents, tightened language around ASD approved cryptography, and clarified that software development guidance now covers AI-assisted and AI-driven development, not just human-written code.

Impact of the Changes

The biggest shift is philosophical. Essential Eight was a checklist: patch this, enable that, hit maturity level two. Essentials moves away from prescriptive controls toward threat informed principles, and that's a deliberate response to how badly the checklist model has aged. ANAO audits have repeatedly found low compliance across Commonwealth entities, and even the Department of Parliamentary Services recently fell short on seven of eight key controls despite years of mandated uptake.

Translation: the old model wasn't just outdated, it wasn't working. Organisations were chasing a static target while the threat landscape sprinted ahead, especially with AI-enabled attacks now completing expert-level tasks that were impossible a year ago.

Essentials is built to flex with that. It's designed for cloud, SaaS, and hybrid architectures, with operational technology guidance to follow, rather than just the on-prem Windows networks the original eight controls assumed.

Impact on IRAP Assessments

IRAP doesn't assess against the Essential Eight. It assesses against the ISM, so that's where the ground actually shifts under assessors' feet.

Two things are landing at once. ASD published a new IRAP Quality Assurance Framework in January 2026, putting assessors' methodology under scrutiny, not just their findings. Clean, timestamped, ISM-mapped evidence is no longer a nice to have. It's what keeps an assessment defensible.

At the same time, the 2023–2030 Cyber Security Strategy entered Horizon 2 in January, formalising Maturity Level Two as the expected baseline across every sector, with Level Three now the bar for critical infrastructure, defence supply chain, and regulated industries.

Net effect: if your System Security Plan still leans on Essential Eight maturity levels as proxy evidence of ISM compliance, expect assessors to ask harder questions about how those levels map to the actual controls being tested, especially as the ISM keeps absorbing new AI-specific requirements.

Impact on Existing Transformation Strategies

If your roadmap says "reach Maturity Level Two by Q3," that line needs a second look. Not because the goal was wrong, but because the target it's aimed at is being retired within 24 months.

Here's the good part: ASD has explicitly designed Essentials to stay compatible with existing Essential Eight programs. Work you've already done on patching, MFA, and application control isn't wasted. It becomes your foundation instead of your endpoint. But transformation plans built purely around hitting a fixed maturity number will need reframing around outcomes and threat coverage instead.

Boards and steering committees that report progress through Essential Eight maturity scores should expect that metric to have a shelf life. Start thinking now about how you'll report cyber posture once the scorecard changes shape.

Things to Pre-empt

Get ahead of this instead of reacting to it later.

  • Read the consultation material before the 12 July window closes, and feed back if it affects your sector, especially if you're waiting on sector specific or OT guidance.
  • Don't pause current Essential Eight uplift work. It stays relevant and compatible through the transition, and a strong Essential Eight baseline makes the move to Essentials easier, not harder.
  • Start budgeting for AI-related controls now. The ISM's new AI detection guidance and the software development changes show where ASD is heading, and it's a safe bet those threads carry straight into Essentials.
  • Revisit how cyber maturity gets reported internally. If your KPIs are tied to Essential Eight levels, start designing the successor metric before the framework underneath it disappears.

Two years sounds like a lot of runway. In transformation terms, it isn't.