Essential 8 Readiness · Deep dive 03

When the E8 dashboard is green and you are still exposed

Automated assurance is harder than the tooling admits. Where the green tick lies, and what real evidence actually takes.

Draft outline · Assurance / honesty lens
The anchor

ASD's own assessment guidance stresses that maturity is about implementation effectiveness, not tool output. Several E8 controls (macro configuration, application control, user hardening) are routinely reported as compliant by tools while not actually being enforced. The gap between a green dashboard and real assurance is the subject.

Sources we build on
Primary

Government guidance on how E8 is actually assessed, and why tool output is not evidence.

Journalism
iTnews / independent AU tech journalism

Local reporting on real assessment findings and where organisations over-report maturity.

Article outline
  1. The comfort of green. Why dashboards over-report maturity.
  2. Three controls that lie. Macros, application control, user hardening as worked examples.
  3. Implementation vs configuration. The distinction assessors actually test.
  4. What real evidence looks like. Sampling, testing, and proving effectiveness.
  5. Designing for assessability. Building so the evidence exists by default.

How it aligns to what we do

The anti-marketing piece, and one of the most trust-building pieces we can publish. It says out loud what vendors hide, which lands hard with a sceptical, burned reader. No re-title needed beyond sharpening; the honesty is the differentiator.

Points to hit
Control it ratifies
ISM / E8 Meta-control: supports credible assessment against all E8 strategies and the ISM's emphasis on control effectiveness over existence.