Visit the crayon.com enterprise site | Crayon is becoming SoftwareOne - Read more
Crayon Channel APAC
  • CommunityConnecting partners to even greater value.
    • Partner Value
    • Tech For Good Program
    • ISV Innovation Hub
    • Partner Connections Program
    • Partner Advisory Committee
    • Community Events
  • ServicesLeverage Crayon’s expertise to expand your service catalogue and create new revenue streams.
    • Security Services
    • Cloud Migration
    • ERP Implementation
    • Managed Services
    • Support as a Service
    • Cloud Cost Optimisation
    • Application Control Solutions & Services (Allowlisting)
  • Enablement
  • VendorsWith a vendor-agnostic approach, we are committed to ensuring our partners have access to the latest industry-leading solutions that solve real business challenges.
    • Access4
    • Acronis
    • Airlock Digital
    • Alibaba
    • Automox
    • AvePoint
    • Backup365
    • ConnectWise
    • ContraForce
    • CoreView
    • Cytrack
    • Delinea
    • DNSFilter
    • Docusign
    • ESET
    • Google
    • Hornetsecurity
    • invicti
    • Lark
    • Layer 8 Security
    • Microsoft
    • Nerdio
    • Netwrix
    • NinjaOne
    • Octopus Cloud
    • Probax
    • Runecast
    • Senserva
    • SigniFlow
    • SmartEncrypt
    • SMX
    • Swoosh.Cloud
    • Trend Micro
    • usecure
    • Veeam
    • VIPRE
    • Virtuozzo
    • VMware by Broadcom
    • Wasabi
    • Zimbra
    • ZIRILIO
    • Zoom
  • Platforms
  • About CrayonCrayon helps its partners, and their customers, build the commercial and technical foundation for a successful and secure cloud-first, digital transformation journey.
    • SoftwareOne and Crayon
    • Careers
    • Contact us
    • APAC Leadership
    • Visit Crayon Japan
  • Become a Partner
  • Partner Login

Search

Become a Partner Partner Login
  • CommunityConnecting partners to even greater value.
    • Partner Value
    • Tech For Good Program
    • ISV Innovation Hub
    • Partner Connections Program
    • Partner Advisory Committee
    • Community Events
  • ServicesLeverage Crayon’s expertise to expand your service catalogue and create new revenue streams.
    • Security Services
    • Cloud Migration
    • ERP Implementation
    • Managed Services
    • Support as a Service
    • Cloud Cost Optimisation
    • Application Control Solutions & Services (Allowlisting)
  • Enablement
  • VendorsWith a vendor-agnostic approach, we are committed to ensuring our partners have access to the latest industry-leading solutions that solve real business challenges.
    • Access4
    • Acronis
    • Airlock Digital
    • Alibaba
    • Automox
    • AvePoint
    • Backup365
    • ConnectWise
    • ContraForce
    • CoreView
    • Cytrack
    • Delinea
    • DNSFilter
    • Docusign
    • ESET
    • Google
    • Hornetsecurity
    • invicti
    • Lark
    • Layer 8 Security
    • Microsoft
    • Nerdio
    • Netwrix
    • NinjaOne
    • Octopus Cloud
    • Probax
    • Runecast
    • Senserva
    • SigniFlow
    • SmartEncrypt
    • SMX
    • Swoosh.Cloud
    • Trend Micro
    • usecure
    • Veeam
    • VIPRE
    • Virtuozzo
    • VMware by Broadcom
    • Wasabi
    • Zimbra
    • ZIRILIO
    • Zoom
  • Platforms
  • About CrayonCrayon helps its partners, and their customers, build the commercial and technical foundation for a successful and secure cloud-first, digital transformation journey.
    • SoftwareOne and Crayon
    • Careers
    • Contact us
    • APAC Leadership
    • Visit Crayon Japan
  • Become a Partner
  • Partner Login
Crayon Channel APAC

Search

Home / Enablement Hub / Insights / Blogs / Essential Eight is Evolving

Essential Eight is evolving: what Australian partners need to know

2nd July 2026 | Michael Brooke, Cybersecurity Pre-Sales Lead

For close to a decade, the Essential Eight (E8) has given Australian organisations a clear and practical starting point for improving cyber resilience. The Australian Signals Directorate (ASD) is now preparing the framework for its next phase.

In this blog – the first of a 3-part series – we’ll break down what this means for current Essential Eight work, how to position announced changes with your customers, and where this evolution opens doors to a wider security conversation.

Essential Eight is alive and well

Essential Eight is alive and well

Assure your customers that E8 remains the current ASD framework.

Customers may see the word ‘retirement’ in recent media coverage and query if this means a pause to current projects and immediate changes to security roadmaps.    

It’s important to keep the ASD announcement in context. Current projections have the transition to a broader Essentials series rolling out over at least two years.  

 

 

 

 

Keep current Essential Eight work moving.

The risks addressed by its controls remain active, and ASD has said that existing controls and investments will align strongly with the new guidance.

The capabilities developed through it will provide a strong foundation for the new Essentials guidance.

What has the ASD announced about the Essential Eight?

What has the ASD announced about the Essential Eight?

ASD has opened consultation on a new Essentials series. The first chapter will cover enterprise IT, with additional chapters to follow.

Consultation on Essentials for enterprise IT is open to ASD Cyber Security Network partners until July 12th, 2026.

The official announcement confirms that the guidance will be grounded in the Information Security Manual and provide prioritised, threat-informed mitigations for contemporary technology environments.

The reported direction includes:

  • an initial enterprise IT chapter, followed by operational technology and cloud;
  • greater emphasis on security outcomes and control intent;
  • a period in which the E8 and new Essentials guidance remain active together;
  • possible deprecation of E8 after approximately 12 months;
  • retirement of the E8 framework in approximately 24 months;
  • potential future guidance for agentic AI.

While this provides a useful indication of ASD’s direction, it should be treated as provisional until ASD publishes further formal guidance.

Why is the Essential Eight framework changing?

Why is the Essential Eight framework changing?

Originally published in 2017, the Essential Eight evolved from ASD’s Top Four mitigation strategies, identified through real-world incident response as having the greatest impact on security posture.

It provided a clear, prescriptive baseline for protecting internet-connected, largely on-premises and Microsoft-centric enterprise environments.

The operating landscape is now far more complex. Most organisations span cloud, SaaS, remote endpoints, third-party platforms and interconnected data environments. Many also manage operational technology, industrial systems and emerging AI workloads.

 

Cloud changes both the control set and the ownership model.

Responsibility is shared across customers, providers and service partners, and controls designed for traditional networks do not always translate cleanly across multiple platforms.

ASD’s proposed Essentials series is intended to address this through domain-specific guidance focused more closely on security outcomes and control intent.

This should give organisations greater flexibility to select controls that suit their architecture while still demonstrating how those controls address the relevant threat and achieve the required outcome.

Does current Essential Eight work still have value?

Does current Essential Eight work still have value?

Essential Eight work is still valuable and important. The controls covered by E8 are the baseline from which the new Essentials framework will grow.

The Essential Eight controls mitigate the most common security risks to business:

  • Unpatched applications and operating systems
  • Weak or missing multi-factor authentication
  • Excessive administrative access
  • Uncontrolled application execution
  • Insecure user application settings
  • Risky Microsoft Office macro use
  • Poor backup and recovery practices

Customers will continue to need capabilities that address exposures to common attack techniques, regardless of how the future guidance is structured.  

 

 

Organisations already using E8 can expect strong alignment between the new guidance and their existing controls and investments.

For partners, this means active assessments, remediation plans and maturity uplift programmes retain their value.

The evidence created through that work will also remain useful. Assessment results, exception registers, control tests, remediation records and risk decisions all help establish the customer’s current position.

The transition to the broader Essentials series gives partners a reason to look beyond customer maturity scores.

The two-year timeframe provides reasonable runway to work with customers on wider security programmes.

What should partners tell customers now?

What should partners tell customers now?

Here’s our top 4 tips for positioning this transition with your customers:

1. Keep current uplift work moving

Known gaps in patching, identity, administrative access, application control and recovery remain genuine security risks. Delaying remediation while waiting for the final Essentials series would leave those risks unresolved.

2. Preserve assessment evidence

Current maturity assessments, remediation records, exception registers and control-testing evidence will help customers demonstrate their starting position as the new guidance emerges. They can also reveal where existing controls are working well and where further investment may be required.

3. Closely follow updates to ASD guidance

It’s important your customers know the ASD consultation period is active and much yet to be confirmed from this process. Control requirements, assessment methods and the detailed structure of later chapters may change.

Prepare your customers for the direction of travel, but avoid commitments based on an unfinished framework.

4. Review what sits outside the Eight

The E8 has always been a minimum set of preventative measures rather than a complete cyber-security programme. ASD advises organisations to implement additional controls where their environment or risk profile warrants them. Partners can use this transition to stimulate broader discussion and questions:

  • Are cloud and SaaS responsibilities clearly divided between the customer, providers and partners?
  • Are identity controls consistent across every environment?
  • Can the organisation detect, investigate and contain suspicious activity?
  • Are its most critical systems and data clearly identified?
  • Is recovery tested against realistic attack scenarios?
  • Are third-party and supply-chain risks understood?
  • Is the business ready for AI?
  • Do they have Data Governance controls in place to manage AI adoption?

For customers that may be more advanced in their AI journey, partners might also query how machine identities, AI agents and automated access are being governed.

What does this mean for partner security practices?

What does this mean for partner security practices?

In the short to mid-term, it’s going to be about keeping genuine security improvement moving forward. E8 assessments will remain a credible entry point during the transition.

The wider opportunity sits in connecting the customer’s current E8 position with the complete environment they need to protect. This expands the engagement from a defined maturity assessment into an ongoing security-improvement programme that can create demand for capabilities including:

  • cloud security architecture and posture assessment
  • identity and privileged-access management
  • data security and governance
  • threat detection and response
  • incident readiness
  • backup and recovery assurance
  • continuous control monitoring;
  • AI security and data-readiness assessment.

 

 

Partners that currently deliver Essential Eight work can begin mapping how their advisory, implementation and managed services extend into these adjacent areas.

The starting point is to review current services against the environments customers now operate.

  • Where can you assess confidently today?
  • Where can you deliver remediation?
  • Which capabilities could become managed services?
  • Where would external expertise help you complete the customer roadmap?

NB:  You don’t need to wait for the completed Essentials series.

Frameworks that can help cover the wider environment include the ASD Information Security Manual, NIST Cybersecurity Framework 2.0, CIS Critical Security Controls v8.1, ISO/IEC 27001 and ISO/IEC 27002 and the Cloud Security Alliance Cloud Controls Matrix.

Where we can help

Where we can help

Services.

Our Essential Eight Maturity Assessment service remains available to help partners establish a customer baseline, identify gaps and prioritise remediation.

Where your customer’s requirements extend beyond the eight strategies, partners can also leverage services for:

  • Microsoft Cloud Security Assessments
  • Azure Security Assessments

 

 

Resources.

Our Data Protection focus hub provides partners with access to a series of comprehensive playbooks that map data security, continuity and governance plays to customer maturity across four lifecycle stages.  

You’ll also find our latest whitepapers, articles and webinars on data security and protection topics.

On your side. Always.

On your side. Always.

The Essential Eight is evolving and our cybersecurity services can help you to respond to updated guidance that emerges from the new Essentials series.

Learn More

Related tags:
Essential Eight Security AssessmentsSecurityPartner BusinessRisk and Resilience
SHARE

Related

Attaining a Security SPD
Featured

Blogs

Attaining a Security SPD

In the second article in our Security SPD series, Michael Brooke offers tips to help partners gain the insight track from start to finish.

Read Now.
Essential Eight is Evolving
Featured

Blogs

Essential Eight is Evolving

The Australian Signals Directorate has announced changes to the Essential Eight framework will be phased in over the next two years. Our latest blog breaks down what partners need to know now.

Learn More
Crayon named finalist in two categories at the 2026 techpartner.news Impact Awards
Featured

Press Release

Crayon named finalist in two categories at the 2026 techpartner.news Impact Awards

Crayon has been named a finalist in two categories at the 2026 TechPartner News Impact Awards, recognising its strong performance and impact in the IT channel.

Read more
Copilot Cowork goes live
Featured

Blogs

Copilot Cowork goes live

Copilot Cowork reached general availability today. Here are five concrete actions Microsoft partners should take now

Learn More
Microsoft 365 Copilot Business: SMB offers and opportunities.
Featured

Blogs

Microsoft 365 Copilot Business: SMB offers and opportunities.

From July 1, Microsoft's new SMB Copilot pricing creates a bigger partner opportunity. Here's what's changed and how to turn it into more sales.

Learn More
Security SPD Business Case
Featured

Blogs

Security SPD Business Case

Does the investment in Security SPD attainment stack up against the potential for partners to make a strong commercial return? Michael Brooke explores the economics in the last in this three-part series.

Learm more
Microsoft Security SPD
Featured

Blogs

Microsoft Security SPD

In the first of a 3-part series, Michael Brooke explains why the buying signals from the market make Security SPD attainment worth a close look for partners.

Learn More.
CRN Channel Chiefs Australia 2026
Featured

Press Release

CRN Channel Chiefs Australia 2026

Crayon’s Mathew Howard named in 2026 CRN Australia Channel Chiefs list for driving partner success, innovation, and growth in ANZ IT channels.

Read more
Copilot for All
Featured

Blogs

Copilot for All

Learn how Microsoft’s strategic Copilot for All framework combines with Crayon’s inhouse AI expertise to drive practice development and revenue growth for partners.

Learn More
Data Protection Webinar 
Featured

On Demand Webinars

Data Protection Webinar 

Watch the on‑demand webinar on turning data risk into revenue. Learn how partners use data protection maturity models to drive recurring revenue and customer trust.

Watch Video
Accelerate Your Security Practice with Microsoft SPD
Featured

On Demand Webinars

Accelerate Your Security Practice with Microsoft SPD

Join our team for a business and technical deep dive into the Microsoft Security SPD and why attaining it is great for business.

Watch Video
AvePoint Partner onboarding content

Business

AvePoint Partner onboarding content

AvePoint Partner onboarding content packs are now available from Crayon to help fast track confidence and success for your team.

Learn more
Copilot Partners: Unlock your opportunities

On Demand Webinars

Copilot Partners: Unlock your opportunities

Our latest On-Demand webinar provides a practical, execution focused walk through the full Copilot partner journey, from early adoption to advanced scenarios.

Watch Video
Proving Data Protection Compliance

Blogs

Proving Data Protection Compliance

Fragmented data protection systems and processes create compliance proof-gaps for SMB customers. Scott Hagenus, Director, Cybersecurity here at Crayon explains.

Learn More
Data Protection Resource Round-Up
Featured

Insights

Data Protection Resource Round-Up

Data Protection priorities are shifting for SMBs. Ramp up your ability to respond with curated insights, articles and resources to help you guide every customer conversation with confidence.

Get Started
M365 Copilot Hub
Featured

Insights

M365 Copilot Hub

All the latest insights, articles and resources on M365 Copilot, curated into one place.

Read More
The Microsoft Fabric Partner Guide

Guides and eBooks

The Microsoft Fabric Partner Guide

The Microsoft Fabric Partner Guide curates our recent articles, videos and resources to accelerate Crayon partner learning.

Read more
Data Protection Partner Playbooks for SMB Customers

Blogs

Data Protection Partner Playbooks for SMB Customers

As cybersecurity and continuity converge in platforms and in practice, partners need new playbooks to address modern Data Protection standards. Our in-house cybersecurity pre-sales lead, Michael Brooke explains why.

Learn More
Cybersecurity to 2027: SMB Priorities

On Demand Webinars

Cybersecurity to 2027: SMB Priorities

Explore the business-critical priorities pushing SMBs to invest in cybersecurity and data privacy, with 76% rating it a top concern for 2025.

Watch Video
Cybersecurity to 2027

Insights

Cybersecurity to 2027

Explore how SMBs in APAC are leveraging cybersecurity solutions and AI technologies toward achieving critical business objectives.

Learn More.
Crayon Security Assessment service delivers growth for AfterDark

Case Studies

Crayon Security Assessment service delivers growth for AfterDark

Working with Crayon, AfterDark scaled its ability to build longer-term cybersecurity engagements with customers.

Find out how
Cyber Operatives Field Guide

Guides and eBooks

Cyber Operatives Field Guide

Partners, get your Bond on! Our Cyber Operatives Field Guide breaks down five cybersecurity missions to foil would-be cybercriminals.

Read more
The critical value of the Essential Eight security framework

Insights

The critical value of the Essential Eight security framework

The Essential Eight security framework is a pragmatic and clear-cut way for partners to get their customers on the right track when it comes to improved cybersecurity posture.

Read more
Essential Eight Compliance with Airlock

Case Studies

Essential Eight Compliance with Airlock

Essential Eight Compliance can be tough to maintain for partners and customers. Learn how Airlock simplified the challenge for one MSP, and delivered faster time to value.

Read more
Cloud Security Assessments are a Growth Opportunity

Blogs

Cloud Security Assessments are a Growth Opportunity

Crayon cloud security assessments help partners lock down M365 and Azure environments and build profitable cybersecurity practices. Learn how.

Read more
Visit the crayon.com enterprise site

Subscribe to Crayon Channel APAC news

Receive the latest updates, industry insights and technology developments from around the world, and across the Asia Pacific region.

Thank you for subscribing!

  • Become a Partner
    • Partner Value Guide
  • Solutions
    • Business Applications
    • Business Continuity
    • Cloud Infrastructure
    • Productivity
    • Security
  • Community
    • Partner Value
    • Tech For Good Program
    • ISV Innovation Hub
    • Partner Connections Program
    • PAC
    • Community Events
  • About
    • Careers
    • Contact Us
    • APAC Leadership
    • Visit Crayon Japan
  • Platforms
    • PRISM
    • Cloud-iQ
  • Services
    • Security Services
    • Cloud Migration
    • ERP Implementation
    • Managed Services
    • Support as a Service
    • Cloud Cost Optimisation
  • Access4
  • Acronis
  • Airlock Digital
  • Alibaba
  • Automox
  • AvePoint
  • Backup365
  • ConnectWise
  • ContraForce
  • CoreView
  • Cytrack
  • Delinea
  • DNSFilter
  • Docusign
  • ESET
  • Google
  • Hornetsecurity
  • invicti
  • Lark
  • Layer 8 Security
  • Microsoft
  • Nerdio
  • Netwrix
  • NinjaOne
  • Octopus Cloud
  • Probax
  • Runecast
  • Senserva
  • SigniFlow
  • SmartEncrypt
  • SMX
  • Swoosh.Cloud
  • Trend Micro
  • usecure
  • Veeam
  • VIPRE
  • Virtuozzo
  • VMware by Broadcom
  • Wasabi
  • Zimbra
  • ZIRILIO
  • Zoom
  • View All
Crayon Channel APAC Contact us today
  • Privacy
  • Terms & Conditions
  • Human Rights Transparency Statement

© 2026 Crayon LTD

back to top

Strengthening Data Protection for SMBs

Connect Data Protection to strategic objectives via this Whitepaper

Learn More

Front cover and interior page view of Forrester SMB market study reportch report

Future of Operations 2025

What are the most critical business objectives and solution adoption priorities for SMBs in our region? Download the latest Forrester study to find out!

Download the study

Download Our Partner Value Guide

Our APAC channel business is now part of a global organisation. That means there is a whole new world of value on offer for our partners. We can help you to tap into all of it.

Download Value Guide