Newsletter Article
THE ESSENTIAL EIGHT IS BEING RETIRED, MEET THE “ESSENTIALS” SERIES
Snare Insider Newsletter Series Article
Make sure you Subscribe
This has moved fast. Issue 11 reported that ASD had opened consultation on an evolution of the Essential Eight.
On 24 June 2026, Chris Horlyck, ASD’s Head of Cyber Security Resilience, confirmed the direction in comments reported by iTnews: the Essential Eight will be formally retired over the next two years, replaced by a broader, principles-based “Essentials” series covering enterprise IT, operational technology, cloud and, eventually, agentic AI as a dedicated domain.
AS of July, 2026, Nothing changes today.
The Essential Eight remains the live, audited, and contractually referenced framework, including for DISP membership, where Maturity Level 2 remains the mandated baseline assessed via the Cyber Security Questionnaire. ASD has been explicit that organisations already investing in Essential Eight controls will see that work carry across cleanly into the Essentials series.
☐ June/July 2026: consultation on the first chapter, “Essentials for Enterprise IT,” is open via the ASD Cyber Security Partnership Program portal until 12 July 2026.
☐ Transition period: the Essential Eight and the Essentials series run as live documents side by side.
☐ Approx. 12 months: ASD begins deprecating the Essential Eight.
☐ Approx. 24 months: the Essential Eight is retired in full, with Essentials as the standing framework.
ASD’s own reasoning is structural, not cosmetic. The Essential Eight was built in 2017 for an on-premises, Windows-centric world. It does not map cleanly onto cloud shared-responsibility models, SaaS platforms, or the identity-driven environments most organisations now run. The Essentials series shifts from a fixed, prescriptive checklist to threat-informed, outcomes-based guidance grounded in the Information Security Manual (ISM), designed to flex as technology and adversary tradecraft evolve, rather than requiring a rewrite every time it does.
The Commonwealth Cyber Security Posture report found that only 22% of surveyed government entities had achieved Maturity Level Two or higher across all eight mitigation strategies in 2025. This reflects one of the model’s core principles, carried forward into the Essentials series: an organisation’s overall maturity is determined by its least mature strategy. Strong performance in seven areas cannot compensate for a significant gap in the eighth.
Both the current Essential Eight and the emerging Essentials guidance place growing emphasis on:
These requirements turn logging from a technical configuration activity into a core resilience capability, and that principle survives the transition from Essential Eight to Essentials intact.
☐ Confirm required security events are centrally collected
☐ Validate that logs cannot be altered or deleted by unauthorised users
☐ Monitor internet-facing systems and cloud/SaaS control planes for suspicious activity
☐ Capture PowerShell and command-line activity at the required maturity level
☐ Verify consistent time synchronisation across log sources
☐ Test incident escalation and response processes
☐ Maintain evidence that controls are operating effectively, not merely configured
The Snare perspective
Don’t wait for the Essentials series to be finalised before improving logging maturity. Whatever the framework is called, the underlying evidence requirements are not going away, they’re broadening into cloud, SaaS and AI. The organisations best placed for the transition will be those that can already prove what activity occurred, when, involving which identity or system, whether the evidence is complete and trustworthy, and how quickly they detected and responded.

THREAT SPOTLIGHT: THEY DIDN’T BREAK IN. THEY LOGGED IN.