AGD consulting on making Essential Eight mandatory

By Dylan Bushell-Embling
Friday, 11 June, 2021

AGD consulting on making Essential Eight mandatory

The Attorney-General’s Department has commenced consultation with all non-corporate Commonwealth entities regarding potentially making the Essential Eight mandatory.

The department has published its response to the Joint Committee of Public Accounts and Audit’s report into cyber resilience, which had making compliance with the security standards mandatory as one of its key recommendations.

The Australian Cyber Security Centre’s Essential Eight threat mitigation strategies are currently only partly mandatory. The top four mitigation strategies are required for non-corporate commonwealth entities (NCCEs) under the Protective Security Policy Framework, but the remaining four are only strongly recommended.

According to the response, the Attorney-General’s Department plans to recommend an amendment to the framework to mandate all eight strategies for all NCCEs. But because this would have a significant impact on NCCEs, the department is currently consulting with them about the implications of the proposal.

Meanwhile, the department has explored the possibility of requiring adherence with the top four strategies for government business enterprises and corporate Commonwealth entities.

But the response states that the department has determined that the use of a general protection order for this purpose would not be appropriate, in part because it would require that every such entity be consulted in advance of any changes to the PSPF.

Ivanti area VP Matthew Lowe said the decision to mandate the essential eight marks an important step in securing Australia’s cyber future. “[The department’s recommendation] demonstrates a commitment to protecting our cyber assets in the same way we defend our physical borders.”

A recent survey conducted by the company found that all CISOs polled intend to align their cybersecurity efforts with the Essential Eight within the next 12 months.

But Versent technical director Simon Morse said while the decision is welcome, “it is only one step towards good cybersecurity defence for the nation as a whole. With reliance on privatised critical infrastructure, state/local government bodies and federal corporate entities, it is also crucial to get the required breadth of coverage.”

Meanwhile, KnowBe4 security awareness advocate Jacqueline Jayne said the Essential Eight only focuses on technological aspects of mitigation. “What’s missing is the human aspect,” she said.

“In a recent Stanford & Tessian study it was reported that 88% of data breaches are caused by human error. There is strong evidence to support an update from the Essential Eight to the Essential Nine with the ninth element being the human element.”

Image credit: ©

Related Articles

If you want to fix cyber, stop trying to fix people

We need to stop trying to fix people and start understanding and supporting them with the right...

Managing through uncertainty requires facing security unknowns head on

Understanding the attack surface in its entirety is not just a tactical advantage; it is a...

Why the success of modern cyber defence hinges on identity security

 A single compromised identity could easily provide the keys to the kingdom if it isn't...

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd