Transitioning from the ACSC Top 4 Controls to Essential 8 Maturity Level 2 (E8 ML2): What Current and Aspiring DISP Members Need to Know
INTRODUCTION
The Defence Industry Security Program (DISP) has announced an important update to its cybersecurity requirements. Previously, members were required to implement the ACSC Top 4 security controls to protect sensitive data and systems. However, DISP now mandates the adoption of the Essential 8 (E8) at Maturity Level 2 (ML2).
This change reflects the evolving cybersecurity landscape and aims to provide more comprehensive protections against sophisticated threats. If you're a DISP member, this shift requires action — you must meet the new requirements before your next Annual Security Review (ASR), or if you’re a new applicant you will have to demonstrate ML2 as part of the application process. If you can’t demonstrate ML2 you will be put into what DISP calls their Uplift Program and your DISP application will be suspended until full compliance is demonstrated.
This article outlines the key differences between the ACSC Top 4 and the Essential 8 ML2, what the transition entails, the potential timeframes, and indicative costs.
WHAT’S INVOLVED IN MOVING FROM THE TOP 4 TO ESSENTIAL 8 ML2?
The ACSC Top 4 cybersecurity controls include:
- Application control – Ensuring only approved applications run on systems.
- Patch applications – Keeping software up to date to mitigate vulnerabilities.
- Patch operating systems – Ensuring systems are protected against the latest threats.
- Restrict administrative privileges – Limiting access to prevent misuse or compromise.
While the Top 4 was an effective baseline when it was first released more than 10 years ago, it has well and truly been overtaken by the threat posed by our adversaries. To be brutally honest if you don’t have these minimum controls in place you’re not serious about cybersecurity and I wouldn’t want you in my supply chain: you’re too great a risk of compromise.
The Essential 8 at Maturity Level 2 (ML2) focuses on preventing more sophisticated cyber threats, which requires:
- Application control – Extended to critical systems, with robust policy enforcement.
- Patch applications – Addressing security patches within two weeks of release.
- Configure Microsoft Office macros – Blocking macros from the internet, except for trusted sources.
- User application hardening – Blocking Flash, Java, and ads in web browsers.
- Restrict administrative privileges – Regular reviews of admin accounts, minimising privileged access.
- Patch operating systems – Updates must be applied within two weeks for security vulnerabilities.
- Multi-factor authentication (MFA) – Enforced for all remote access and privileged accounts.
- Daily backups – Implementing automated, daily backups that are tested regularly.
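Two of the ML2 items above are measurable rather than just policy: the two-week patch window for applications and operating systems, and MFA on privileged and remote-access accounts. The following is an added example, not code from this article or from DISP/ACSC, of the kind of evidence check an IT team could run over its own inventory before an ASR. The inventory and account list are constructed sample data, and the field names (`released`, `applied`, `privileged`, `remote`, `mfa`) are assumptions about how such data might be exported.

```python
"""Added example: evidence check for two Essential 8 ML2 expectations,
the 14-day patch window and MFA on privileged/remote accounts.
All data below is constructed sample data, not from any real environment."""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # the two-week window stated for ML2
AS_OF = date(2024, 4, 1)           # fixed review date so results are reproducible

# Constructed inventory: when each security patch was released and when it was
# applied on the host (None means it has not been applied yet).
PATCH_INVENTORY = [
    {"host": "ws-01",  "item": "Office",  "released": date(2024, 3, 1),  "applied": date(2024, 3, 10)},
    {"host": "ws-01",  "item": "Windows", "released": date(2024, 3, 12), "applied": None},
    {"host": "srv-02", "item": "Java",    "released": date(2024, 2, 1),  "applied": date(2024, 2, 20)},
    {"host": "srv-02", "item": "Windows", "released": date(2024, 3, 5),  "applied": date(2024, 3, 18)},
]

# Constructed account export with the attributes a privilege review would collect.
ACCOUNTS = [
    {"user": "alice", "privileged": True,  "remote": True,  "mfa": True},
    {"user": "bob",   "privileged": True,  "remote": False, "mfa": False},
    {"user": "carol", "privileged": False, "remote": True,  "mfa": False},
    {"user": "dave",  "privileged": False, "remote": False, "mfa": False},
]


def patch_findings(inventory, as_of):
    """Return records that breach the two-week window as of `as_of`.

    A breach is either a patch applied later than 14 days after release, or a
    patch still unapplied once its 14-day deadline has passed. A patch that is
    unapplied but still inside the window is not yet a finding."""
    findings = []
    for rec in inventory:
        deadline = rec["released"] + PATCH_WINDOW
        applied = rec["applied"]
        if applied is None:
            if as_of > deadline:
                findings.append({**rec, "reason": f"unpatched, was due {deadline}"})
        elif applied > deadline:
            late = (applied - deadline).days
            findings.append({**rec, "reason": f"applied {late} day(s) late"})
    return findings


def mfa_findings(accounts):
    """Return users who need MFA under ML2 (privileged or remote) but lack it."""
    return [a["user"] for a in accounts
            if (a["privileged"] or a["remote"]) and not a["mfa"]]


def summarise(as_of):
    """Headline counts of the kind that go into an ASR evidence pack."""
    return {
        "patch_breaches": len(patch_findings(PATCH_INVENTORY, as_of)),
        "mfa_gaps": len(mfa_findings(ACCOUNTS)),
    }


if __name__ == "__main__":
    for f in patch_findings(PATCH_INVENTORY, AS_OF):
        print(f"{f['host']}: {f['item']} {f['reason']}")
    for u in mfa_findings(ACCOUNTS):
        print(f"{u}: MFA required but not enforced")
    print(summarise(AS_OF))
```

Run as-is it reports the unpatched Windows build on ws-01 and the late Java patch on srv-02, plus bob (privileged) and carol (remote) as MFA gaps. The point of fixing `AS_OF` rather than using today's date is that the same input produces the same findings, which is what an assessor wants when re-running your evidence.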
CHALLENGES IN THE TRANSITION TO ESSENTIAL 8 ML2
Moving from the Top 4 to Essential 8 ML2 is not just an incremental upgrade—it requires significant changes in processes, systems, and policies. The jump to ML2 emphasises consistency and enforcement rather than just ad-hoc compliance. For most organisations this represents a shift from a compliance-focussed approach to a security-focussed approach.
Below are some key areas to address:
- Technical Adjustments:
  - Implementing MFA across the organisation.
  - Hardening browsers and disabling unnecessary features (e.g., Flash).
  - Ensuring backup processes are automated and regularly tested.
- Process and Policy Changes:
  - Establishing new patching schedules to meet ML2 timelines.
  - Enforcing application control on all key systems.
  - Introducing additional layers of access control and regular privilege reviews.
- Monitoring and Reporting:
  - Ongoing monitoring to ensure compliance.
  - Creating and maintaining comprehensive security documentation to demonstrate compliance during security reviews/audits.
- Training:
  - Your staff will need to be across the changes and the possible implications they may have for them.
  - It’s imperative that all staff know why changes are being implemented rather than just being told when changes are being implemented. When people understand the why they tend to support organisational change much better.
HOW LONG WILL THE TRANSITION TAKE?
The timeline to transition from Top 4 to Essential 8 ML2 will vary depending on the size and maturity of your organisation’s cybersecurity capabilities. For smaller organisations with basic controls already in place, the transition could take 3-6 months. However, for larger or more complex environments, the process may extend to 9-12 months or more.
Key Time Factors:
- Staff training: Teams will need to understand and adopt new practices.
- System upgrades: Ensuring that legacy systems can meet the requirements of E8.
- Policy and procedural development: Refining backup processes, MFA enforcement, and patching schedules amongst other things.
INDICATIVE COSTS
Transitioning to Essential 8 ML2 will involve both direct and indirect costs. Below is a breakdown of typical expenses DISP members might encounter:
- Technical Costs:
  - Software Licenses: Implementing MFA and advanced backup solutions can cost $5,000–$20,000, depending on the tools selected.
  - Application Control Tools: Solutions to enforce application control range from $10,000–$50,000.
- Consulting Services:
  - Hiring a consultant to perform a security gap analysis and help with policy development may cost $10,000–$40,000.
- Internal Resources:
  - Training: Staff training on new processes and tools might cost $5,000–$10,000.
  - Time and Labour: Internal IT teams may need to dedicate hundreds of hours to implement new controls, review accounts, and reconfigure systems.
- Ongoing Compliance:
  - Monitoring and Audits: Regular security audits and monitoring tools could cost an additional $5,000–$15,000 annually.
NEXT STEPS: ACT BEFORE YOUR NEXT ASR
If you're a DISP member, proactive planning is essential. The Essential 8 ML2 requirements represent a more comprehensive security posture, and all members must comply before their next Annual Security Review (ASR).
What You Should Do Now:
- Assess your current security posture: Identify gaps between your existing controls and Essential 8 ML2.
- Develop a transition plan: Create a roadmap that includes technical changes, policy updates, and staff training.
- Engage with experts: Consider hiring cybersecurity consultants if your internal team lacks capacity or expertise.
- Monitor timelines: Ensure you complete the transition well before your ASR to avoid compliance risks.
CONCLUSION
The shift from the ACSC Top 4 to the Essential 8 was always going to occur and frankly is long overdue. The move to ML2 came as a surprise to many, but it is a reasonable next step in cyber maturity because it moves toward more formalised standards such as ISO 27001. By this I mean that at ML2 the early stages of a management system are required, to ensure controls are regularly reviewed for ongoing effectiveness.
Honestly, this is the minimum standard you should be looking to implement in any business, but it is even more important in the defence industrial base.
If you're a current DISP member, act now to avoid delays and ensure your organisation is compliant before your next ASR. Waiting too long could jeopardise your DISP membership, so it's critical to start the process immediately.
If you’re an aspiring DISP member you will also be subject to the higher cyber standard so there’s no time like the present to get your cybersecurity house in order.
Need help with the transition or don't know where to start? Get in touch with us today.