SQEP-led, independent cyber resilience for Singapore CII and enterprise across APAC
ACSC-aligned cyber resilience baseline. Independent maturity assessment by CREST-certified operators. Built for ML2/ML3 expectations from regulators, insurers, and Defence primes.
The Essential Eight is the Australian Cyber Security Centre (ACSC) baseline for protecting internet-connected IT networks against common cyber threats.
It defines eight prioritised mitigation strategies — application control, patch applications, patch operating systems, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, multi-factor authentication, and regular backups — measured against four maturity levels (ML0 through ML3). Independent assessment by CREST-certified operators gives boards, regulators, insurers, and Defence primes the evidence they need that controls are not just documented, but effective. Infracom delivers ACSC-aligned Essential Eight assessment and uplift for Australian organisations from our Singapore operations base, partnering with CREST Accredited Australian firms for tender sign-off where required.
Eight controls developed by the Australian Signals Directorate from real-world cyber incident response, penetration testing, and threat intelligence. Together they form the most effective baseline against the cyber threats Australian organisations actually face.
Only approved applications are allowed to execute. Prevents unapproved binaries, scripts, installers, and dynamic-link libraries from running — the highest-impact control against malware and ransomware.
Infracom delivery: Allowlist scoping, ruleset assessment, exception governance, monitoring uplift.
Internet-facing applications and productivity software are patched within risk-based windows after vulnerability disclosure. Critical patches at ML2/ML3 require deployment within 48 hours where exploits exist.
Infracom delivery: Patch SLA review, vulnerability scan reconciliation, exception register audit.
Macros from the internet blocked. Macros only allowed where there is a demonstrated business requirement, with antivirus scanning and admin approval workflows. A primary phishing-payload vector.
Infracom delivery: GPO/Intune policy review, macro source-of-truth inventory, exception lifecycle.
Web browsers and PDF readers are configured to block Flash, ads, Java, and unnecessary features that adversaries exploit. ML2/ML3 extends to PowerShell logging and .NET hardening.
Infracom delivery: Browser baseline review, ASR rule mapping, PowerShell Constrained Language Mode validation.
Privileged accounts are validated, time-bounded, separated from standard accounts, and used only on hardened administrative workstations. ML3 requires no internet, email, or web services access from privileged accounts.
Infracom delivery: Privileged-access lifecycle audit, jump-host review, PAM tooling alignment.
Operating systems on internet-facing servers, workstations, and network devices are patched within ACSC-defined windows. Unsupported OS versions retired. Vulnerability scanners run on automated cadence.
Infracom delivery: OS patch posture assessment, EOL inventory, scanner output reconciliation.
MFA is enforced for users of internet-facing services, third-party services holding sensitive data, and privileged accounts. ML2/ML3 increasingly favour phishing-resistant methods — passkeys, FIDO2/WebAuthn, hardware tokens.
Infracom delivery: MFA coverage gap analysis, phishing-resistance posture review, conditional-access policy validation.
Backups of important data, software, and configuration settings are performed, retained, and tested for restoration. Retention aligned to business continuity needs. Restoration drills executed and evidenced.
Infracom delivery: Backup coverage assessment, restoration drill execution, immutability and air-gap validation.
Source: Australian Cyber Security Centre — Essential Eight (cyber.gov.au), November 2023 publication, the current standing version.
Four maturity levels measure how effectively each of the eight controls is implemented. The levels reflect increasing adversary sophistication — from opportunistic attacks at ML1 to highly targeted, well-resourced threat actors at ML3.
Controls are missing, partially implemented, or ineffective. An organisation at ML0 has known exploitable weaknesses. This is not a defensible posture for any organisation handling regulated data or supplying Defence and critical infrastructure ecosystems.
Defends against: Nothing reliably.
Defends against adversaries content with publicly available tradecraft. Basic application control, patching within defined windows, MFA on internet-facing services, and tested backups. The minimum credible baseline for any organisation with internet exposure.
Defends against: Commodity malware, mass phishing, opportunistic credential stuffing.
Defends against adversaries willing to invest time and tooling to compromise a specific target. Tighter patch SLAs, broader MFA coverage, centralised event logging, and incident response planning. The expected standard for most Australian businesses handling sensitive data, Commonwealth contracts, or third-party trust obligations.
Defends against: Targeted phishing, credential harvesting campaigns, commodity ransomware operators.
Defends against well-resourced, capable adversaries — including state-sponsored actors. Phishing-resistant MFA, application allowlisting validated under audit, isolation of privileged accounts from internet and email, and comprehensive event log correlation. Expected for Defence primes, critical infrastructure, and high-value targets.
Defends against: Advanced persistent threats, supply-chain compromise attempts, hands-on-keyboard targeted intrusions.
By 2026, regulators, cyber insurers, and supply chain partners increasingly expect ML2 or ML3 from organisations operating in Defence, government procurement, healthcare, financial services, and critical infrastructure ecosystems. ML0 and ML1 are no longer treated as acceptable for these sectors.
Australian organisations meet Essential Eight expectations through one of three paths. Each has different evidential weight with regulators, insurers, and procurement teams. ACSC explicitly states there is no requirement for certification, but independent or partner-delivered assessment is increasingly demanded under contractual and regulatory conditions.
← Swipe to compare →
| Dimension | Self-Attestation | Independent Assessment | Partner-Delivered AssessmentINFRACOM MODEL |
|---|---|---|---|
| Who performs the assessment | Internal team | External assessor engaged by the organisation | CREST-certified operators (CRT/CCT) delivering with an Australian CREST Accredited partner where sign-off is required |
| Independence from delivery teams | None — same team that runs the controls | Full external independence | Full external independence; partnership posture for AU sovereignty-sensitive work |
| Evidential weight for procurement | Lowest — accepted only where contracts do not specify otherwise | High — accepted across most Commonwealth and enterprise procurement | High — appropriate for SG-AU partner ecosystems and channel-delivered engagements |
| Suited to | Small organisations with low contractual obligations | Mid-market and enterprise with regulatory or insurance triggers | Organisations with SG-AU operational footprint; MSP/MSSP partners reselling assessment |
| Re-assessment cadence | Self-determined | Typically annual, or on material control change | Typically annual, with quarterly check-ins on uplift trajectory |
| Defence supply chain readiness | Not accepted | Accepted where assessor scope satisfies tender requirements | Accepted with Australian CREST Accredited partner sign-off where the tender requires it |
Table compares assessment paths on alignment, independence, and procurement evidential weight only. Commercial terms, scope, and contractual sign-off authority are determined per engagement. This is not legal or compliance advice — organisations should consult their procurement and legal teams to determine which assessment path satisfies their specific contractual obligations.
A Singapore-based cybersecurity consultancy operating in the Australian market through a deliberate partnership posture. Three things shape what we bring to AU Essential Eight engagements.
Infracom is a CREST Pathway+ Organisation. Our testing operators hold CREST-certified credentials (CRT, CCT) and complementary certifications including OSCP, CISSP, and CISA. For Australian engagements where the tender requires sign-off by a CREST Accredited firm, we partner with an established Australian CREST Accredited entity — our certified operators deliver the work, the partner provides the procurement-recognised attestation. This is the same model used by international consultancies entering the AU market.
Singapore and Australia renewed their Memorandum of Understanding on Cyber Security Cooperation on 24 February 2026, signed by the Chief Executive of the Cyber Security Agency of Singapore and the Australian Ambassador for Cyber Affairs and Critical Technology. The MOU sits under Pillar 4 of the Singapore-Australia Comprehensive Strategic Partnership (CSP) 2.0, announced 8 October 2025. The bilateral framework explicitly covers information exchange, best practice sharing, and capacity building between SG and AU cyber ecosystems — the same framework that governs how Infracom operates across both markets.
Infracom operates under ISO/IEC 27001-aligned information security management, the Cybersecurity Services Regulation Office (CSRO) licensing framework administered by the Cyber Security Agency of Singapore, and Cyber Trust Mark (CTM) Tier 3 certification. The same operating discipline that satisfies Singapore regulatory expectations applies to every Australian engagement — control documentation, evidence trails, segregation of duties, and assessor independence are not optional extras.
A repeatable four-phase model. Each phase has defined inputs, activities, and outputs. Scope and timing flex with your environment size; the phases do not.
Scope confirmation, environment baseline, stakeholder identification. We agree what is in scope (workstations, servers, internet-facing services, third-party systems), what evidence sources are available, and which business stakeholders need to be involved. Outputs: scope statement, evidence checklist, assessment plan.
Control-by-control evaluation against the maturity model. Each of the eight strategies is examined for evidence of implementation, operating effectiveness, and coverage. Interviews, technical validation, configuration review, and sampling. Outputs: working papers, control maturity scoring, exception register.
Findings, maturity rating, and prioritised uplift roadmap. A board-ready report with the uniform maturity rating, a per-strategy breakdown showing where the organisation sits on each control, gap analysis, and a prioritised remediation roadmap. Findings are evidenced — no opinion-only ratings. Outputs: assessment report, executive summary, remediation roadmap.
Targeted remediation, control validation, ongoing maturity tracking. Working alongside your team to close the gaps identified in Phase 3 — policy updates, configuration changes, evidence collection cadences, control re-validation. Optional quarterly check-ins to track maturity trajectory between annual reassessments. Outputs: remediation evidence, re-tested control validation, uplift report.
This engagement model is a regional adaptation of the broader Infracom Methodology applied to Australian Essential Eight contexts.
What Australian organisations ask before engaging an Essential Eight assessment — covering mandate, maturity levels, framework relationships, cross-jurisdictional delivery, and our CREST posture.
Australian organisations needing ACSC-aligned assessment, ML0–ML3 uplift, or IRAP-adjacent advisory — delivered from our Singapore operations base with CREST-certified operators and (where required) partnered with CREST Accredited Australian firms for tender sign-off.