Blogs
Attaining a Security SPD
In the second article in our Security SPD series, Michael Brooke offers tips to help partners gain the insight track from start to finish.
For close to a decade, the Essential Eight (E8) has given Australian organisations a clear and practical starting point for improving cyber resilience. The Australian Signals Directorate (ASD) is now preparing the framework for its next phase.
In this blog – the first of a 3-part series – we’ll break down what this means for current Essential Eight work, how to position announced changes with your customers, and where this evolution opens doors to a wider security conversation.
Assure your customers that E8 remains the current ASD framework.
Customers may see the word ‘retirement’ in recent media coverage and query if this means a pause to current projects and immediate changes to security roadmaps.
It’s important to keep the ASD announcement in context. Current projections have the transition to a broader Essentials series rolling out over at least two years.
Keep current Essential Eight work moving.
The risks addressed by its controls remain active, and ASD has said that existing controls and investments will align strongly with the new guidance.
The capabilities developed through it will provide a strong foundation for the new Essentials guidance.
ASD has opened consultation on a new Essentials series. The first chapter will cover enterprise IT, with additional chapters to follow.
Consultation on Essentials for enterprise IT is open to ASD Cyber Security Network partners until July 12th, 2026.
The official announcement confirms that the guidance will be grounded in the Information Security Manual and provide prioritised, threat-informed mitigations for contemporary technology environments.
The reported direction includes:
While this provides a useful indication of ASD’s direction, it should be treated as provisional until ASD publishes further formal guidance.
Originally published in 2017, the Essential Eight evolved from ASD’s Top Four mitigation strategies, identified through real-world incident response as having the greatest impact on security posture.
It provided a clear, prescriptive baseline for protecting internet-connected, largely on-premises and Microsoft-centric enterprise environments.
The operating landscape is now far more complex. Most organisations span cloud, SaaS, remote endpoints, third-party platforms and interconnected data environments. Many also manage operational technology, industrial systems and emerging AI workloads.
Cloud changes both the control set and the ownership model.
Responsibility is shared across customers, providers and service partners, and controls designed for traditional networks do not always translate cleanly across multiple platforms.
ASD’s proposed Essentials series is intended to address this through domain-specific guidance focused more closely on security outcomes and control intent.
This should give organisations greater flexibility to select controls that suit their architecture while still demonstrating how those controls address the relevant threat and achieve the required outcome.
Essential Eight work is still valuable and important. The controls covered by E8 are the baseline from which the new Essentials framework will grow.
The Essential Eight controls mitigate the most common security risks to business:
Customers will continue to need capabilities that address exposures to common attack techniques, regardless of how the future guidance is structured.
Organisations already using E8 can expect strong alignment between the new guidance and their existing controls and investments.
For partners, this means active assessments, remediation plans and maturity uplift programmes retain their value.
The evidence created through that work will also remain useful. Assessment results, exception registers, control tests, remediation records and risk decisions all help establish the customer’s current position.
The transition to the broader Essentials series gives partners a reason to look beyond customer maturity scores.
The two-year timeframe provides reasonable runway to work with customers on wider security programmes.
Here’s our top 4 tips for positioning this transition with your customers:
Known gaps in patching, identity, administrative access, application control and recovery remain genuine security risks. Delaying remediation while waiting for the final Essentials series would leave those risks unresolved.
Current maturity assessments, remediation records, exception registers and control-testing evidence will help customers demonstrate their starting position as the new guidance emerges. They can also reveal where existing controls are working well and where further investment may be required.
It’s important your customers know the ASD consultation period is active and much yet to be confirmed from this process. Control requirements, assessment methods and the detailed structure of later chapters may change.
Prepare your customers for the direction of travel, but avoid commitments based on an unfinished framework.
The E8 has always been a minimum set of preventative measures rather than a complete cyber-security programme. ASD advises organisations to implement additional controls where their environment or risk profile warrants them. Partners can use this transition to stimulate broader discussion and questions:
For customers that may be more advanced in their AI journey, partners might also query how machine identities, AI agents and automated access are being governed.
In the short to mid-term, it’s going to be about keeping genuine security improvement moving forward. E8 assessments will remain a credible entry point during the transition.
The wider opportunity sits in connecting the customer’s current E8 position with the complete environment they need to protect. This expands the engagement from a defined maturity assessment into an ongoing security-improvement programme that can create demand for capabilities including:
Partners that currently deliver Essential Eight work can begin mapping how their advisory, implementation and managed services extend into these adjacent areas.
The starting point is to review current services against the environments customers now operate.
NB: You don’t need to wait for the completed Essentials series.
Frameworks that can help cover the wider environment include the ASD Information Security Manual, NIST Cybersecurity Framework 2.0, CIS Critical Security Controls v8.1, ISO/IEC 27001 and ISO/IEC 27002 and the Cloud Security Alliance Cloud Controls Matrix.
Our Essential Eight Maturity Assessment service remains available to help partners establish a customer baseline, identify gaps and prioritise remediation.
Where your customer’s requirements extend beyond the eight strategies, partners can also leverage services for:
Our Data Protection focus hub provides partners with access to a series of comprehensive playbooks that map data security, continuity and governance plays to customer maturity across four lifecycle stages.
You’ll also find our latest whitepapers, articles and webinars on data security and protection topics.
The Essential Eight is evolving and our cybersecurity services can help you to respond to updated guidance that emerges from the new Essentials series.
Blogs
In the second article in our Security SPD series, Michael Brooke offers tips to help partners gain the insight track from start to finish.
Blogs
The Australian Signals Directorate has announced changes to the Essential Eight framework will be phased in over the next two years. Our latest blog breaks down what partners need to know now.
Press Release
Crayon has been named a finalist in two categories at the 2026 TechPartner News Impact Awards, recognising its strong performance and impact in the IT channel.
Blogs
Copilot Cowork reached general availability today. Here are five concrete actions Microsoft partners should take now
Blogs
From July 1, Microsoft's new SMB Copilot pricing creates a bigger partner opportunity. Here's what's changed and how to turn it into more sales.
Blogs
Does the investment in Security SPD attainment stack up against the potential for partners to make a strong commercial return? Michael Brooke explores the economics in the last in this three-part series.
Blogs
In the first of a 3-part series, Michael Brooke explains why the buying signals from the market make Security SPD attainment worth a close look for partners.
Press Release
Crayon’s Mathew Howard named in 2026 CRN Australia Channel Chiefs list for driving partner success, innovation, and growth in ANZ IT channels.
Blogs
Learn how Microsoft’s strategic Copilot for All framework combines with Crayon’s inhouse AI expertise to drive practice development and revenue growth for partners.
On Demand Webinars
Watch the on‑demand webinar on turning data risk into revenue. Learn how partners use data protection maturity models to drive recurring revenue and customer trust.
On Demand Webinars
Join our team for a business and technical deep dive into the Microsoft Security SPD and why attaining it is great for business.
Business
AvePoint Partner onboarding content packs are now available from Crayon to help fast track confidence and success for your team.
On Demand Webinars
Our latest On-Demand webinar provides a practical, execution focused walk through the full Copilot partner journey, from early adoption to advanced scenarios.
Blogs
Fragmented data protection systems and processes create compliance proof-gaps for SMB customers. Scott Hagenus, Director, Cybersecurity here at Crayon explains.
Insights
Data Protection priorities are shifting for SMBs. Ramp up your ability to respond with curated insights, articles and resources to help you guide every customer conversation with confidence.
Insights
All the latest insights, articles and resources on M365 Copilot, curated into one place.
Guides and eBooks
The Microsoft Fabric Partner Guide curates our recent articles, videos and resources to accelerate Crayon partner learning.
Blogs
As cybersecurity and continuity converge in platforms and in practice, partners need new playbooks to address modern Data Protection standards. Our in-house cybersecurity pre-sales lead, Michael Brooke explains why.
On Demand Webinars
Explore the business-critical priorities pushing SMBs to invest in cybersecurity and data privacy, with 76% rating it a top concern for 2025.
Insights
Explore how SMBs in APAC are leveraging cybersecurity solutions and AI technologies toward achieving critical business objectives.
Case Studies
Working with Crayon, AfterDark scaled its ability to build longer-term cybersecurity engagements with customers.
Guides and eBooks
Partners, get your Bond on! Our Cyber Operatives Field Guide breaks down five cybersecurity missions to foil would-be cybercriminals.
Insights
The Essential Eight security framework is a pragmatic and clear-cut way for partners to get their customers on the right track when it comes to improved cybersecurity posture.
Case Studies
Essential Eight Compliance can be tough to maintain for partners and customers. Learn how Airlock simplified the challenge for one MSP, and delivered faster time to value.
Blogs
Crayon cloud security assessments help partners lock down M365 and Azure environments and build profitable cybersecurity practices. Learn how.

Connect Data Protection to strategic objectives via this Whitepaper

What are the most critical business objectives and solution adoption priorities for SMBs in our region? Download the latest Forrester study to find out!

Our APAC channel business is now part of a global organisation. That means there is a whole new world of value on offer for our partners. We can help you to tap into all of it.