VGCMB - How to scope your assessment

You’ll need to use different methods to gather the information needed to assess your maturity.

We suggest you:

• Scope your Essential Eight assessment
• Identify required resources – e.g. specialists, audit resources, tools
• Review relevant documents – e.g. security policies
• Assess selected system-based controls

Interview key stakeholders – e.g. ICT managers, cyber security professionals, suppliers including any Managed Service Provider (MSP) for ICT services.

The Essential Eight maturity model’s valuable for:

• servers
• jump hosts
• workstations.

To help identify the parts of your IT systems, you should include in your assessment, refer to Australian Cyber Security Centre (ACSC)’s Essential Eight Assessment Process Guide(opens in a new window).

Can I include cloud environments in scope?

The Essential Eight was designed for organisational corporate environments and may not suitably protect cloud environments. However, organisations should make risk- based decisions when identifying if cloud-based environments and services should be included in the assessment.

For guidance on working with managed service providers to complete your assessment, refer to the Improving Cyber Maturity with the Essential Eight guide. Organisations should seek appropriate assurance based on the risk from their MSP on the application of the Essential Eight control strategies.

Yes, apply Essential Eight control strategies that are applicable to Linux and Unix systems. The ACSC provides guidance for applying the Essential Eight in Linux Environments.

Four of the Essential Eight mitigation strategies are considered applicable to OT/IACS:

• application control
  • patch applications
  • restrict administrative privileges
  • patch operating systems.

For guidance on protecting control systems, the ACSC refers to the Seven Strategies to Defend ICS from the U.S. Department of Homeland Security.

Yes. Public facing systems and services can be included due to the associated risk of cyber-attack.

Yes. Organisations should list mitigating controls where appropriate to demonstrate the measures they’re taking to protect their ICT environments.

Organisations decide for themselves what constitutes important information and must record these in an information asset register.

Use of the Office of the Victorian Information Commissioner’s (OVIC) Victorian Protective Data Security Framework Business Impact Levels (BILs) may be an appropriate guide.

Organisations can use their information asset register to help identify assets suitable for the inclusion.

In some organisations additional screening may be required. Positions of trust can include, but aren’t limited to, an organisation’s Chief Information Security Officer and their delegates, administrators, or privileged users.

Organisations define their own risk levels for applications and operating systems. See ACSC’s guide Assessing Security Vulnerabilities and Applying Patches.