ASD Flags Next Generation of Essential Eight

The Australian Signals Directorate (ASD) has opened national consultation on the evolution of the Essential Eight, its flagship cyber security framework.

ASD proposes a new Essentials series that expands the current framework. It aims to give organisations more flexibility while preserving a clear path to resilience.

Consultation runs through the ASD Cyber Security Partnership Program portal at https://partners.cyber.gov.au/ and closes on 12 July 2026.

The new guidance will be grounded in the Information Security Manual. ASD says it will offer prioritised, threat-informed mitigations for current technology environments.

Existing users can expect strong alignment with their current controls and investments. New adopters will gain established best-practice guidance, the agency says.

The evolved Essential Eight guidance will form the first chapter, Essentials for enterprise IT. Further chapters will follow. The current framework sits at https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight.

The review follows growing debate over whether the Essential Eight remains fit for purpose. Its eight controls and maturity model have not changed structurally since ASD's November 2023 update.

Adoption across government remains uneven. ASD found 22 per cent of federal entities reached overall Maturity Level Two in 2025. That was up from 15 per cent, but below the 25 per cent recorded in 2023. 

ASD attributes the shortfall against 2023 to hardening the Maturity Level Two controls that November. 

The 2025 report was tabled in February 2026 and covers the 2024-25 financial year. The Commonwealth Cyber Security Posture in 2026 report to Parliament will be delivered by the end of 2026.

Cyber strategist Ghaith Kayed argues the framework was built for conventional malware, phishing and privilege escalation, not AI-driven threats.

Kayed proposes an “Essential Ten” adding AI system integrity and data provenance controls. He also urges a shift from static compliance to continuous, automated assurance. 

Other security commentators say the framework hardens endpoints but does not deliver full resilience. They urge alignment with global standards such as NIST and ISO 27001.

ASD says feedback from government, industry, regulators and current users will shape future development of the Essentials series.

Business Solution
Cybersecurity

The Australian Signals Directorate (ASD) has opened national consultation on the evolution of the Essential Eight, its flagship cyber security framework.

ASD proposes a new Essentials series that expands the current framework. It aims to give organisations more flexibility while preserving a clear path to resilience.

Consultation runs through the ASD Cyber Security Partnership Program portal at https://partners.cyber.gov.au/ and closes on 12 July 2026.

The new guidance will be grounded in the Information Security Manual. ASD says it will offer prioritised, threat-informed mitigations for current technology environments.

Existing users can expect strong alignment with their current controls and investments. New adopters will gain established best-practice guidance, the agency says.

The evolved Essential Eight guidance will form the first chapter, Essentials for enterprise IT. Further chapters will follow. The current framework sits at https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight.

The review follows growing debate over whether the Essential Eight remains fit for purpose. Its eight controls and maturity model have not changed structurally since ASD's November 2023 update.

Adoption across government remains uneven. ASD found 22 per cent of federal entities reached overall Maturity Level Two in 2025. That was up from 15 per cent, but below the 25 per cent recorded in 2023. 

ASD attributes the shortfall against 2023 to hardening the Maturity Level Two controls that November. 

The 2025 report was tabled in February 2026 and covers the 2024-25 financial year. The Commonwealth Cyber Security Posture in 2026 report to Parliament will be delivered by the end of 2026.

Cyber strategist Ghaith Kayed argues the framework was built for conventional malware, phishing and privilege escalation, not AI-driven threats.

Kayed proposes an “Essential Ten” adding AI system integrity and data provenance controls. He also urges a shift from static compliance to continuous, automated assurance. 

Other security commentators say the framework hardens endpoints but does not deliver full resilience. They urge alignment with global standards such as NIST and ISO 27001.

ASD says feedback from government, industry, regulators and current users will shape future development of the Essentials series.

Business Solution
Cybersecurity