The Essential Eight is a set of cyber security mitigation strategies to assist organisations in protecting their networks from cyber threats.
However, within the next two years, it will be replaced with a broader “Essentials” series, which will cover a number of distinct security domains, such as enterprise IT, operational technology, cloud technology, and maybe even AI.
Speaking with iTnews, Australian Cyber Security Centre (ACSC) head of cyber security resilience Chris Horlyck said the Essential Eight will remain active during the transition, before it is slowly phased out.
“We anticipate that there will be a transition period where we will keep the Essential Eight a live document and the Essentials a live document,” Horlyck said.
“Then we will look to, probably in 12 months, start to deprecate the Essential Eight, and then in 24 months, we’ll retire the Essential Eight as a whole.”
He also added that the Essential Eight was no longer suitable as technologies like agentic AI and cloud have become core in the operations of many businesses.
“Essential Eight started before cloud was really a big thing in the sector,” he said.
“Now, if you don’t have cloud, that would be a really surprising architecture to have.”
The new Essentials framework will launch with three initial chapters: enterprise IT, operational technology, and cloud.
Speaking with Cyber Daily, Fortinet Australia chief information security officer Cornelius Mare celebrated the new framework.
“The Essentials series is a welcome update with the previous Essential Eight showing its age and no longer being the optimal fit for a 2026 environment characterised by Software-as-a-Service (SaaS), cloud, bring-your-own-device (BYOD), microservices, and AI agents. This mismatch is in terms of efficacy against a 2026 threat environment as well as poor return on investment,” he said.
“Additionally, with so much of the economy characterised as small- and medium-sized businesses, some of the enterprise-level controls in the previous Essential Eight are extremely difficult to implement from a costing perspective and extremely difficult to use to build operational efficiency from a technical operations standpoint.
“Any controls must remain simple, have business context and be cost-effective while still providing a realistic view of an organisation’s maturity journey.”
Mare added that the new framework is a welcome fit as more and more boards request Essential Eight audits to ensure cyber security standards are being maintained.
“We have always understood there is no one-size-fits-all approach; however, having clear guidance as a starting point is valuable, particularly when it comes from ASD and can be used by business as an authoritative reference,” he said.
“We are seeing more boards now requesting Essential Eight audits, driven in part by the Australian Institute of Company Directors’ (AICD) work in promoting cyber maturity, which is strengthening CISO conversations at board level because directors are also hearing this from their peers.
“However, the reality is many organisations are likely still using the Essential Eight as a compliance exercise rather than to provide a proactive risk and context-based program of increasing maturity and resilience.
“The Five Eyes cyber security agencies’ joint statement warning that AI will reshape risk in months reinforces this. If AI-enabled threats are accelerating and response windows are shrinking, baseline controls can’t sit in a static compliance frame.
“As the threat landscape evolves, so too must the baseline required to protect critical infrastructure. It will be important to define a baseline that supports safe adoption of emerging technologies and AI, with more context-aware frameworks that help secure critical infrastructure and Australian businesses.”
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
