What Does Essential Eight Maturity Level 2 Actually Mean?

Anonymous | March 25, 2026

Quick Answer

Essential Eight Maturity Level 2 means your cybersecurity controls are consistently implemented, enforced, and evidenced across your organisation.

This includes stronger multi-factor authentication, faster patching timeframes, tighter control of administrative privileges, and secure backup practices.

For most 20–100 user organisations, reaching Level 2 is typically a structured uplift project that takes several months, not a quick technical fix.

If you have been told your business needs to reach Essential Eight Maturity Level 2, you are not alone.

The confusion is understandable.

Most guidance is written for security professionals, not business leaders.

This article explains what Level 2 actually means, what assessors look for, and how organisations typically achieve it in practice.

What Is the Essential Eight?

The Essential Eight is a baseline set of cybersecurity strategies developed by the Australian Signals Directorate to help organisations reduce the likelihood and impact of cyber attacks.

It focuses on eight key areas:

  • application control
  • patch applications
  • patch operating systems
  • multi-factor authentication
  • restricting administrative privileges
  • restricting Microsoft Office macros
  • user application hardening
  • regular backups

Each of these controls is assessed using a maturity model, which defines four levels of implementation from Level 0 to Level 3.

The model is designed to help organisations progressively strengthen their security posture.

If you want a broader overview, it may help to explore Essential Eight explained for SMBs.

What Does Maturity Level 2 Actually Mean?

Maturity Level 2 means your security controls are:

  • consistently implemented
  • actively managed and monitored
  • designed to stop common cyber attacks, not just accidental issues

In practical terms, it means your security works by default, not because someone remembers to apply it.

Controls are applied across the environment, exceptions are limited and documented, and there is evidence available to demonstrate that controls are working.

This is the point where security becomes structured and enforceable, not just assumed.

The Biggest Misconception About Level 2

One of the most common misunderstandings is: “We have the tools, so we must be compliant.”

This is not how assessments work.

For example:

  • MFA must be enforced consistently, not just enabled
  • administrative privileges must be tightly controlled
  • patching must follow defined timeframes and be verified
  • backups must be protected, not just exist

Assessors evaluate consistency and enforcement, not tool ownership.

What Changes Between Level 1 and Level 2?

The simplest way to understand the difference is:

Level 1 = basic cyber hygiene.
Level 2 = controlled, enforced, and harder to bypass.

Multi-Factor Authentication

At Level 2, MFA is applied more broadly and securely.

Partial coverage or weaker implementations are no longer acceptable.

Patch Management

Critical vulnerabilities must be addressed quickly and consistently.

This includes applications, operating systems, and supporting components.

Administrative Privileges

Access to privileged accounts must be:

  • tightly controlled
  • documented
  • regularly reviewed

Backup Security

Backups must be protected from unauthorised access or deletion, not just stored.

If you want to better understand this area, it may help to review backup and disaster recovery: what most businesses get wrong.

What Auditors and Assessors Look For

When organisations are assessed, the focus is typically on four key areas:

1. Clear Policies

Controls must be documented, approved, and current.

2. Technical Evidence

Reports, logs, and configurations must demonstrate that controls are active.

3. Consistency

Controls must apply across all users, devices, and systems.

4. Governance of Exceptions

Any gaps must be documented, approved, and regularly reviewed.

Without evidence, controls are treated as not implemented.
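As an added example (not from the article or Step Fwd IT), here is the assessor logic above applied to one control, patch management: each host is compliant, covered by a governed exception, or a gap, and any gap without evidence makes the control "not implemented". The patching timeframe, review interval and host inventory are constructed placeholders, not figures from this page or from the ASD model.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Host:
    name: str
    fix_available: date               # date the vendor fix was released
    patched_on: Optional[date]        # None = no patch evidence (treated as unpatched)
    exception: Optional[dict] = None  # documented exception record, if any

def patch_overdue(host: Host, as_of: date, timeframe_days: int) -> bool:
    """True when the patch was applied after the deadline or is still missing."""
    deadline = host.fix_available + timedelta(days=timeframe_days)
    if host.patched_on is None:
        return as_of > deadline
    return host.patched_on > deadline

def exception_governed(exc: Optional[dict], as_of: date, review_days: int) -> bool:
    """An exception only counts if it is documented, approved and recently reviewed."""
    if exc is None:
        return False
    return bool(exc.get("reason") and exc.get("approved_by")
                and (as_of - exc["last_reviewed"]).days <= review_days)

def assess_patching(hosts, as_of, timeframe_days=14, review_days=90):
    """Return (control verdict, per-host findings). Threshold values are assumptions."""
    findings = []
    for h in hosts:
        if not patch_overdue(h, as_of, timeframe_days):
            findings.append((h.name, "compliant"))
        elif exception_governed(h.exception, as_of, review_days):
            findings.append((h.name, "exception"))
        else:
            findings.append((h.name, "gap"))   # no evidence = not implemented
    verdict = "not implemented" if any(s == "gap" for _, s in findings) else "implemented"
    return verdict, findings

# Constructed sample inventory (hypothetical hosts, not real systems)
AS_OF = date(2026, 3, 25)
SAMPLE_HOSTS = [
    Host("fs-01", date(2026, 3, 1), date(2026, 3, 10)),           # patched in time
    Host("web-02", date(2026, 3, 1), None),                       # unpatched, no record
    Host("legacy-03", date(2026, 2, 1), None, {"reason": "vendor fix pending",
         "approved_by": "CIO", "last_reviewed": date(2026, 3, 1)}),   # governed exception
    Host("lt-04", date(2026, 3, 1), date(2026, 3, 20), {"reason": "travel",
         "approved_by": "IT lead", "last_reviewed": date(2025, 10, 1)}),  # stale review
]

if __name__ == "__main__":
    print(assess_patching(SAMPLE_HOSTS, AS_OF))
```

The fourth host shows why "documented" alone is not enough: an exception whose last review is older than the review interval is treated as a gap, just as an undocumented one is.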

A Plain-English Checklist for Level 2 Readiness

For business leaders, these are the key questions to consider:

Identity and Access

  • Is MFA enforced consistently across users and systems?
  • Are privileged accounts tightly controlled?

Patch Management

  • Can you demonstrate that vulnerabilities are patched within the required timeframes?
  • Are unsupported systems still in use?

Endpoint Security

  • Are risky behaviours (such as macros) controlled?
  • Are users prevented from weakening security settings?

Backup and Recovery

  • Are backups protected from deletion or unauthorised access?
  • Can you prove recovery processes work?

Governance and Evidence

  • Are policies documented and current?
  • Can you produce evidence quickly if required?

How Long Does It Take to Reach Level 2?

For most 20–100 user organisations:

  • typically 3–6 months with a structured approach
  • longer if starting from unmanaged or inconsistent environments

The biggest delays are usually caused by legacy systems, insufficient documentation, and unclear ownership, not by the technology itself.

Why Regulated Businesses Target Level 2

For many organisations, Level 2 represents a practical and achievable standard.

It demonstrates that:

  • controls are actively managed
  • risks are understood
  • security is consistent
  • governance processes are in place

For a broader view of how this aligns with compliance, it may help to explore cybersecurity for regulated businesses.

What "Good" Looks Like

A business operating at Maturity Level 2 typically has:

  • consistent security settings across systems
  • controlled and monitored privileged access
  • structured patching processes
  • protected and tested backups
  • clear documentation and governance
  • the ability to produce evidence on demand

This is the difference between assuming security is in place and being able to demonstrate it.

Level 2 as a Structured Uplift

Reaching Level 2 is not a one-time project.

It is a structured uplift that requires:

  • aligning controls to a framework
  • implementing consistent processes
  • improving visibility and documentation
  • maintaining ongoing governance

Without structure, organisations often remain stuck between partial compliance and audit readiness.

This is where approaches such as The Fwd Steps process help ensure improvements are applied consistently.

Final Thoughts

Essential Eight Maturity Level 2 is not about perfection.

It is about demonstrating control, consistency, and intent.

For most organisations, the challenge is not understanding the framework.

It is implementing it consistently and proving that it is working.

Unsure Where You Currently Sit?

If your organisation has been asked about Essential Eight compliance but you are not confident where you stand, it may be worth reviewing your environment.

If you cannot clearly demonstrate your current maturity level, that is often the first indicator of risk.

Step Fwd IT provides Essential Eight readiness assessments to identify gaps, assess maturity, and define a practical path forward.

If you want a clearer view of your current position, you can request an Essential Eight Readiness Assessment or explore Managed IT Services.
