In today’s digital landscape, where cyber threats are ever-evolving, organisations are under constant pressure to ensure the security of their systems and data. The Australian Signals Directorate (ASD) has developed a set of strategies to help organisations mitigate cyber threats, bolstering their security and improving their resilience. This set of strategies is known as the Essential Eight. When reviewing the implementation of these security controls, there’s a crucial choice to make: should an organisation rely on verbal intent and policy statements, or should the controls be put to the test with simulated activities? In this post, we will explore why conducting a quality ASD Essential 8 review is best achieved through testing controls with simulated activities.
Understanding the ASD Essential 8
Before diving into the importance of testing controls with simulated activities, let’s briefly review what the ASD Essential 8 is. It is a set of security strategies developed by the ASD to help organisations protect against a wide range of cyber threats. These strategies encompass various aspects of cybersecurity, from application control to multi-factor authentication, all aimed at safeguarding an organisation’s digital assets.
It is worth highlighting what ASD consider the stardards are for evidence quality as per the Essential Eight Assessment Process Guide:

The Problem with Verbal Intent and Policy Statements
Lack of Assurance: Relying solely on policy statements and verbal intent does not provide the necessary assurance that security controls are in place and effective. Verbal commitments and written policies may not always align with the actual state of an organisation’s cybersecurity measures.
False Sense of Security: A policy document can give the illusion of compliance when, in reality, controls might be improperly implemented or even non-existent. Organisations can mistakenly believe they are secure, only to discover vulnerabilities during an actual cyberattack.
Dynamic Threat Landscape: The cybersecurity landscape is dynamic, with attackers continuously developing new tactics and methods. Relying on static policy documents without testing controls leaves organisations vulnerable to emerging threats.
The Case for Simulated Activities
Real-World Validation: Simulated activities, such as attempting to run an application to check application control rulesets, provide real-world validation of security controls. This hands-on approach ensures that controls are not just theoretical but functional.
Identifying Weaknesses: Simulated activities can uncover weaknesses and gaps in control implementation that may be missed by policy reviews. This proactive approach enables organisations to address vulnerabilities before they can be exploited by attackers.
Adaptation to Evolving Threats: Simulated activities allow organisations to adapt to the evolving threat landscape. By regularly testing controls, organisations can stay ahead of new and emerging cyber threats, ensuring their cybersecurity posture remains robust.
Evidence-Based Compliance: Simulated activities produce concrete evidence of control effectiveness, making compliance assessments more straightforward and reliable. This evidence-based approach is crucial for audits and regulatory compliance.
To validate controls are in place, organisations should conduct quality ASD Essential 8 reviews that involve testing controls with simulated activities using industry based assessment tooling where possible. This hands-on approach provides real-world validation, identifies weaknesses, and allows for adaptation to evolving threats. In an environment where cyberattacks are a constant threat, the choice between simulated activities and policy/interview based intent should be clear.
If you would like to discuss your Essential 8 requirements and testing practices, please reach out to us at [email protected] or call us or call us on 1300 430 933.

Comments are closed.