Auditing the Essential Eight using COBIT 5
February 24, 2017

 David Berkelmans, Executive Director


Recently the Australian Signals Directorate released the ‘Essential Eight’.

The Essential Eight comprises eight mitigation strategies that, if implemented, will make it harder for adversaries to compromise your IT systems.

The eight strategies include the ‘ASD top 4’. The top four are compulsory for Australian Government entities to implement. The eight are:

  • Application whitelisting (Top 4)
  • Patch applications (Top 4)
  • Disable untrusted Microsoft Office macros
  • User application hardening
  • Restrict administrative privileges (Top 4)
  • Patch operating systems (Top 4)
  • Multi-factor authentication
  • Daily backup of important data

Although not yet compulsory for any organisation, there will be a push among public and private sector organisations to implement the Essential Eight.

Whenever new frameworks are implemented, auditors are generally asked to come in and review compliance. This occurred a year or two after the Top 4 was introduced. I suspect in 12-24 months’ time, there will be a number of Essential Eight audits cropping up in audit programs. Organisations may even want to understand where they’re at right now, so some audits may occur almost immediately.

It’s important for auditors to start thinking about how they will audit the Essential Eight now.  I have previously written an article on how to audit the ASD top 4 using COBIT 5.

The same principles in this article apply when you consider auditing the Essential Eight.  Instead of applying a yes/no approach to each of the eight mitigation strategies, auditors will need to consider the underpinning enablers that support each of these strategies. This ensures that consideration is given to whether there are structures in place to support ongoing compliance.

The COBIT 5 enablers are below:











What an auditor needs to do, is consider each of the seven enablers for each of the eight mitigation strategies. An example of how you would do this for the daily back up strategy is below:

Enabler What the auditor needs to consider
Principles, policies and Framework Do principles, policies and a framework exist? Outline how daily back ups will be done and what data will be backed?
Processes Are the daily backs up occurring (this is where you ask the yes/no questions)?
Organisational structures Is the responsibility for daily back ups assigned to someone?
Culture, ethics and behaviours Has the importance of daily back ups been communicated and is it supported by senior management?
Information Is reporting being done to determine the completion and success of back ups?
Services, infrastructure and applications Does the organisation have the system and infrastructure to perform and store daily back ups?
People, skills and competencies Does the organisation have the resources with the right capabilities to undertake daily back ups?

It’s now just a simple case of turning these high level questions into a detailed audit test program and then repeating this across the other seven mitigation strategies.

Once the test program is complete, you will know if your organisation is compliant with the Essential Eight. You will also know if your organisation has the enablers in place to support ongoing compliance.