North Ark

16 June 2026 · 8 min read

Essential Eight for Brisbane SMBs: assessment depth vs checkbox compliance

Essential Eight maturity is showing up in cyber insurance and tender questions across SEQ. Learn what ML1–ML3 actually require, how Brisbane providers differ, and how to close gaps without a 12-month “program.”

Essential Eight in Brisbane is no longer only for federal suppliers. Insurers, franchisors, and larger customers ask SMBs in Queensland for maturity levels against ACSC’s eight strategies — often before renewal.

The gap we see most: an MSP ticked “MFA enabled” on a slide while admin accounts, patching cadence, and backup restore tests still fail ML1 in practice. Assessment depth matters more than a logo on a proposal.

What ML1 actually checks

Application control and patching on workstations and servers — not just “we use Intune.”

Office macro settings, application hardening, and restricted admin privileges.

MFA on internet-facing services and for privileged roles — with exceptions documented.

Daily backups, offline/immutable copies where required, and tested restores.

Brisbane provider landscape

Managed security MSPs often bundle M365 hardening with ongoing monitoring — strong for sustained ML2+ when you have budget for continuous improvement.

Assessment-only workshops give you a report but leave remediation in your ticket queue.

Fixed-scope baselines (North Ark FC-05) target ML1 closure in weeks: Conditional Access, privileged access, backup verification, and an evidence pack for insurers — executed alongside your existing MSP.

Sequence that works for a 20–80 person business

Self-score honestly (use our Essential Eight self-score tool) — identify the two strategies dragging you below ML1.

Fix identity first: MFA, legacy auth off, admin separation.

Prove backups: restore test with timestamp evidence.

Patch and harden: Intune rings, LAPS, macro policy.

Document: one-page evidence for insurance — not a 200-slide framework.

Frequently asked questions

What Essential Eight maturity do insurers expect in 2026?

Many Australian insurers ask for ML1 minimum with a path to ML2 for businesses holding customer data or processing payments. Wording varies — a documented self-assessment plus remediation dates is increasingly expected.

How long to reach Essential Eight ML1?

For a typical M365 SMB with an engaged MSP, 4–8 weeks of focused work closes common ML1 gaps. Longer if identity is messy, backups were never tested, or patching is ad hoc.

Essential Eight vs ISO 27001 for Brisbane SMBs?

Essential Eight is prescriptive and shorter — ideal for insurance and pragmatic risk reduction. ISO 27001 is heavier certification. Most SEQ SMBs start with Essential Eight unless a customer contract mandates ISO.
