Microsolve SecureStart — a calm, strategic response to the Essential Eight retirement, underpinned by SMB1001 certification.

Keep Calm and Carry On - Retirement Plans for the Essential Eight

Dale Jenkins

When I read that the Australian Signals Directorate intends to retire the Essential Eight within the next two years, my first reaction was not alarm (well, maybe a little bit!). It was more the recognition that the Essential Eight was "growing up" to evolve with the environments we all run today: cloud-first platforms, SaaS-heavy operating models, hybrid work, identity-centric security, operational technology, and fast-moving threats that do not respect a neat eight-control checklist focussed on on-prem "traditional" environments.

ASD and the ACSC are framing this decision as a transition to a broader “Essentials” series, beginning with “Essentials for enterprise IT”. The goal is not to discard good cyber practice but to provide more flexible, threat-informed guidance for contemporary environments. There will be a transition period, with Essential Eight remaining live alongside the new guidance before deprecation and eventual retirement somewhere in the next 2 or 3 years.

For our clients and partners, this matters because it tells us two things. First, this is a strategic evolution, not a repudiation of the controls organisations have already invested in. Second, the right response is calm, measured, and practical: keep building sound security capability now, but do it in a way that is broader than a single framework label and easier to evidence to boards, regulators, insurers, and customers.

That is why I believe this announcement strengthens the case for the Microsolve SecureStart program underpinned by SMB1001.

Why ASD is making this move

Essential Eight has been enormously influential because it gave Australian organisations a plain-language set of technical priorities:

  1. patch applications
  2. patch operating systems
  3. restrict administrative privileges
  4. harden user applications
  5. restrict Microsoft Office macros
  6. enforce multi-factor authentication
  7. apply application control, and
  8. maintain regular backups.

These controls still matter! In fact, ASD has made clear that investments organisations have already made in Essential Eight will continue to be useful as the framework evolves.

What has changed is the operating environment. ASD has said the replacement guidance is being designed to better cover enterprise IT, cloud, operational technology, and potentially AI-enabled environments as distinct domains, with a stronger focus on prioritised mitigations grounded in the Information Security Manual rather than a static compliance ladder. That reflects the lived reality for most organisations today, especially those relying on Microsoft 365, SaaS line-of-business applications, managed cloud platforms, distributed devices, and outsourced service providers.

In other words, the old baseline is not suddenly wrong. It is simply no longer enough on its own as the organising model for every security conversation. That is an important distinction, because panic would be the worst possible reaction. If you have been investing in stronger identity controls, better backup practices, patch discipline, and tighter administration, you have not wasted your effort. You have built foundations that still belong in any sensible cyber program.

A measured response is best

In moments like this, the market often swings between two extremes. One camp says, “Nothing changes, ignore it.” The other says, “Throw out your roadmap and start again.” In my view, neither position serves clients particularly well!

A measured response starts by acknowledging that the current framework still stands today. Until ASD finalises the new guidance, Essential Eight and its maturity model remain an active benchmark. At the same time, a measured response also recognises that organisations should stop treating Essential Eight as the sole destination and start treating it as one important input into a broader, more resilient operating model.

That broader model needs to do more than enumerate controls. It needs to help leadership understand risk, document accountabilities, support incident response, structure training, guide vendor oversight, and give the organisation evidence it can use in audits, tenders, insurance renewals, and board reporting. This is exactly where many organisations struggle if they rely on Essential Eight alone, because it is highly effective as a technical baseline but does not, by itself, give an SMB-friendly certification and governance structure.

SecureStart with SMB1001 = the practical answer

This is where our SecureStart program comes in. SecureStart is the mechanism that turns cyber strategy into an achievable journey rather than a compliance scramble. It starts with the current state, identifies what is already working, maps gaps in plain language, and sequences uplift over 12, 24, and 36 months so leaders can make steady progress without destabilising operations.

Underpinning SecureStart with SMB1001 makes that journey stronger. SMB1001 was developed by Dynamic Standards International as a cyber security standard specifically for small and medium businesses, with tiered certification from Bronze through to Diamond and a design philosophy that recognises the budget, staffing, and operational realities of real organisations. Independent comparisons consistently describe SMB1001 as a practical framework for SMBs because it combines technology controls with governance, policy, training, incident response, continuity, and a certifiable pathway rather than stopping at a technical checklist.

This matters now more than ever! If the market is moving from a single, prescriptive Essential Eight lens toward a broader Essentials series, organisations will need a framework that helps them demonstrate maturity in a way that boards and non-technical stakeholders can understand. SMB1001 provides that structure.

Essential Eight still tells us a lot about what good technical hygiene looks like; SMB1001 gives us the wrapper that makes those controls visible, governable, and auditable.

I do not see this as an either-or choice. I see SecureStart with SMB1001 as the calm middle path: respect Essential Eight, implement its controls where relevant, but avoid building your entire strategy on a framework name that now has a sunset date.

What this means for Aged Care

For aged care providers, this announcement is especially important because the sector already operates in an environment of heightened regulatory and community scrutiny. Microsolve’s aged care SMB1001 guidance explains that providers manage highly sensitive health, personal, and financial information and must be able to show practical cyber discipline to regulators, families, insurers, and partners.

That pressure has only increased under the new Aged Care Act 2024 and related rules that commenced on 1 November 2025, which introduced stronger obligations and changes to the Serious Incident Response Scheme. Microsolve has also highlighted that compliance with Essential Eight Maturity Level 1 became a regulatory floor for aged care providers from 1 November 2025, meaning the sector must be able to demonstrate a minimum technical baseline around issues such as patching, access control, and backups.

This is exactly why I think aged care providers should resist the temptation to read the ASD announcement as a reason to pause. The opposite is true. Essential Eight remains relevant today, and in aged care it still represents a baseline expectation, but providers also need a way to show continuous evidence, governance, staff awareness, and operational resilience beyond minimum compliance. SMB1001 is well suited to that challenge because it aligns with Essential Eight while expanding the conversation into governance, training, documentation, and certification in a form that is practical for providers without large in-house cyber teams.

In our view, SecureStart offers aged care organisations a disciplined way to achieve that. We can begin with a realistic assessment of Microsoft 365 security, backups, access controls, policies, and evidence, then build from Bronze or Silver foundations toward stronger maturity over time, without burdening clinical teams or forcing a disruptive “big bang” project. That is a far better story to tell a board or executive team than “we are waiting to see what ASD does next.”

What we are saying to the market now

The message we want the market to hear is simple: do not confuse framework evolution with strategic uncertainty. The controls that reduce cyber risk are still the controls that reduce cyber risk. What is changing is the way ASD wants organisations to think about applying them across different environments and risk contexts.

For that reason, I believe the best market opportunity is to help organisations move from narrow compliance language to durable cyber capability. We should be saying that SecureStart with SMB1001 helps clients do four things at once.

  • Maintain alignment with Essential Eight while it remains current and relevant.

  • Build a certifiable cyber program that is understandable to boards, insurers, customers, and regulators.

  • Create the governance, policy, training, and incident response maturity that a pure technical checklist cannot deliver on its own.

  • Position the organisation to adapt smoothly as ASD’s broader Essentials series becomes clearer over the next two years.
That is the heart of the SecureStart proposition. We are not asking clients to bet against ASD. We are helping them prepare for where ASD is going.

Why this is good news for clients who act sensibly

I think there is a hidden upside in this announcement. For years, many organisations have treated cyber as a race to satisfy one framework label. That can produce short-term uplift, but it can also encourage checkbox thinking and fragmented investment. ASD’s decision creates permission for a better conversation, one focused on resilience, evidence, and fitness for purpose across real-world environments.

For Microsolve, that aligns neatly with what we have already been writing and delivering. Our SMB1001 blog explains why certification is emerging as a practical and trusted standard for Australian SMEs, especially where boards, insurers, enterprise customers, and tender processes are asking tougher questions about cyber posture. Our related guidance for aged care shows how SMB1001 and Essential Eight can work together as a practical playbook rather than as competing demands, with Essential Eight providing a technical baseline and SMB1001 supplying the broader governance and assurance model.

That is the position I am comfortable taking to market today.

Stay calm. Keep improving the foundations. Do not abandon what already works.

But do lift your ambition beyond a framework that is heading toward retirement. If you want a practical path through that transition, SecureStart underpinned by SMB1001 remains, in my view, one of the clearest and most sensible ways to get there.
