If you’re exploring cybersecurity frameworks for your Australian business, you’ve likely encountered both the Essential Eight and the ACSC Security Principles. Many businesses assume they need to pick one or the other. The reality is that these two frameworks are designed to work together — and implementing both gives you significantly better protection than either one alone.
This guide explains how the two frameworks complement each other and why combining them is the smartest approach for Australian small businesses.
A Quick Recap
The Essential Eight is a set of eight technical mitigation strategies from the ACSC. It focuses on preventing attacks (application control, patching, MFA), limiting damage (restricting admin privileges, hardening applications), and recovering from incidents (regular backups). It uses three maturity levels (ML1, ML2, ML3) and currently has 152 controls across 8 domains.
The ACSC Security Principles provide strategic guidance on how to protect your organisation’s systems and data. Published as part of the Information Security Manual (ISM), they cover six functional areas — Govern, Identify, Protect, Detect, Respond, and Recover — with 34 controls. They focus on governance, culture, risk management, and organisational processes rather than specific technical implementations.
|                           | Essential Eight                  | Security Principles                       |
|---------------------------|----------------------------------|-------------------------------------------|
| Focus                     | Technical controls               | Strategic governance                      |
| Approach                  | Prescriptive: specific actions   | Principle-based: strategic guidance       |
| Scope                     | 8 domains, 152 controls          | 6 domains, 34 controls                    |
| Maturity model            | ML1, ML2, ML3                    | Incomplete → Optimising (5 levels)        |
| Covers governance?        | No                               | Yes: dedicated Govern domain              |
| Covers incident response? | Limited (backups only)           | Yes: Respond & Recover domains            |
| Covers detection?         | No                               | Yes: dedicated Detect domain              |
| Technology specific?      | Yes (Windows-focused)            | No: technology agnostic                   |
Why They’re Better Together
The Essential Eight Stops Attacks. The Security Principles Prepare You for Everything Else.
The Essential Eight is exceptional at preventing the most common cyber attacks from succeeding. Patching, MFA, application control, and backups address the vast majority of threats that hit Australian small businesses. But what happens when an attack does get through? Who makes the decisions? What’s the communication plan? How do you detect that something’s wrong before it becomes catastrophic?
That’s where the Security Principles come in. The Govern domain ensures someone is responsible for cybersecurity decisions. The Identify domain ensures you know what assets you have and what risks they face. The Detect domain gives you the ability to spot incidents early. The Respond and Recover domains ensure you can handle and bounce back from incidents effectively.
Together, They Cover the Full Lifecycle
Think of it this way: the Essential Eight builds the walls and locks the doors. The Security Principles ensure someone is watching the cameras, there’s a plan for when something goes wrong, and the business knows what’s worth protecting in the first place.
A business with only the Essential Eight has strong technical defences but may not detect a breach for weeks, may not know how to respond when one occurs, and may not have documented what data they’re protecting or why.
A business with only the Security Principles has great governance and planning but may be missing the specific technical controls that stop 85% of attacks.
A business with both has defence in depth — the technical controls to prevent attacks and the organisational capability to detect, respond to, and recover from the ones that get through.
Essential Eight Provides
✓ Application control and patching
✓ Multi-factor authentication
✓ Admin privilege restrictions
✓ Regular backups
✓ Specific, measurable technical controls
Security Principles Add
✓ Cybersecurity governance and leadership
✓ Asset identification and risk assessment
✓ Security monitoring and detection
✓ Incident response planning
✓ Recovery and business continuity
How to Implement Both
The practical approach for most small businesses is straightforward:
Step 1: Start with the Essential Eight ML1. Get your technical foundations right. Implement the eight controls at Maturity Level 1. This stops the majority of common attacks and gives you immediate, measurable protection.
Step 2: Assess against the Security Principles. Once your technical controls are in place, assess your governance, detection, and response capabilities. Identify the gaps — most small businesses will find they’re weakest in the Detect and Respond domains.
Step 3: Build a combined remediation plan. Address your Essential Eight gaps and Security Principles gaps together in one prioritised 12-month plan. Many actions overlap — for example, improving your backup processes supports both frameworks.
Assess Both Frameworks with CyberSmart360
CyberSmart360 is one of the few platforms that supports both the Essential Eight (152 controls) and the ACSC Security Principles (34 controls) in a single dashboard. Assess against one or both frameworks, get AI-powered gap analysis for each, and build a combined remediation plan — all in plain language, all from $49/month.
CyberSmart360 — the only platform built for Australian small businesses that supports both Essential Eight and ACSC Security Principles assessments.