The framework

Maturity model — ML0 through ML3.

The ASD Essential Eight Maturity Model defines four implementation tiers. Each tier addresses a progressively more capable adversary.

ML0 — no maturity

The control is not implemented, or implementation is partial and inconsistent. Most Australian SMBs without dedicated security investment sit at ML0 on multiple controls.

ML1 — opportunistic adversaries

Mitigates adversaries content to use widely available exploits against unpatched systems and credentials. Phishing and password spraying are the typical attack patterns. This is the baseline for any organisation handling sensitive data.

ML2 — capable adversaries

Mitigates adversaries willing to invest in social engineering, phishing-kit infrastructure, and adapting commodity malware. ML2 is the Horizon 2 government-recommended baseline for all Australian industries through 2028.

ML3 — advanced adversaries

Mitigates adversaries with bespoke tooling, novel exploits, and the patience to defeat security controls through targeted methods. Required for critical infrastructure operators and Australian Government entities handling classified material.

How to measure your maturity

Run the same evidence-gathering exercise an IRAP assessor would: for each of the eight controls, document the highest maturity level for which you can produce traceable, timestamped, ISM-mapped evidence. Your organisation's overall maturity is the lowest of the eight resulting levels.
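The scoring rule above can be run over an evidence register. The sketch below is an added example, not an ASD or IRAP tool: the register fields (`control`, `level`, `collected_at`, `source`, `ism_controls`) are hypothetical, and the sample entries, file path and `ISM-XXXX` identifiers are constructed placeholders.

```python
from datetime import datetime

# The eight Essential Eight mitigation strategies.
CONTROLS = [
    "Application control", "Patch applications",
    "Configure Microsoft Office macro settings", "User application hardening",
    "Restrict administrative privileges", "Patch operating systems",
    "Multi-factor authentication", "Regular backups",
]

def is_usable(item):
    """Evidence counts only if it is traceable, timestamped and ISM-mapped."""
    try:
        datetime.fromisoformat(item.get("collected_at") or "")
    except (ValueError, TypeError):
        return False  # missing or unparseable timestamp
    return bool(item.get("source")) and bool(item.get("ism_controls"))

def assess(register):
    """Return (level per control, overall level, controls holding the overall level down)."""
    levels = {c: 0 for c in CONTROLS}  # no usable evidence means ML0
    for item in register:
        control, level = item.get("control"), item.get("level")
        if control in levels and level in (1, 2, 3) and is_usable(item):
            levels[control] = max(levels[control], level)
    overall = min(levels.values())  # the weakest control sets the result
    limiting = [c for c in CONTROLS if levels[c] == overall]
    return levels, overall, limiting

def ev(control, level, collected_at="2025-03-01T09:00:00", ism=("ISM-XXXX",)):
    """Build one constructed evidence record (placeholder source and ISM ids)."""
    return {"control": control, "level": level, "collected_at": collected_at,
            "source": "evidence/placeholder.pdf", "ism_controls": list(ism)}

# Constructed sample register: seven controls evidenced at ML2, plus edge cases.
SAMPLE = [ev(c, 2) for c in CONTROLS if c != "Regular backups"] + [
    ev("Multi-factor authentication", 3),
    ev("Regular backups", 1),
    ev("Regular backups", 2, collected_at=None),  # undated: rejected
    ev("Patch operating systems", 3, ism=()),     # not ISM-mapped: rejected
]

if __name__ == "__main__":
    levels, overall, limiting = assess(SAMPLE)
    print(f"Overall: ML{overall}, limited by: {', '.join(limiting)}")
```

In this sample, one control evidenced only at ML1 caps the whole organisation at ML1, and the two records missing a timestamp or an ISM mapping contribute nothing.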

Then read each control's deep-dive page to find the common evidence gaps before you book a formal assessment: