100% independent. Vendor-neutral. Board-defensible audits.1300 791 277
Beyond Technology
ACSC Essential Eight Specialists

Essential Eight ML0 Baseline Audit

Evidence-based, board-defensible baseline for Australian Enterprise

Get an evidence-based baseline audit that shows exactly why Maturity Level 1 is not yet met, what evidence is missing, and what to do next. Independent, vendor-neutral findings only, with no software sales agenda.

Request a 15-minute Scoping CallDownload the ML0 Board Pack
ML0 evidence matrix mapped to Essential Eight
Control-by-control gap map with verification notes
Board-ready executive summary for governance committees
Prioritised uplift plan to ML1, including sequencing
“The baseline gave our Board clarity on what was verified, what was assumed, and what needed funding first. We stopped debating opinions and started governing evidence.”
CFO, Critical Infrastructure

Trusted by Leading Australian Organisations

Trusted by leading Australian organisations

Who This Is For

Designed for Australian enterprise environments where governance, operational complexity, and audit defensibility require evidence-led assessment.

Board
Defensibility, governance evidence
CFO
Risk, cost-to-remediate clarity
CIO
Sequencing, operational impact
CISO / Risk
Assurance, evidence trail
Internal Audit
Verification, auditability
Multi-domain identity and access
Regulated governance and audit obligations
Complex endpoint fleets
Mixed on-prem and cloud
Third-party supplier dependencies

What ML0 Really Means in Practice

Maturity Level 0 usually means controls are partial, inconsistent, or not evidenced in a way that stands up to governance scrutiny. Our ML0 baseline audit focuses on demonstrated evidence, control consistency, and practical uplift sequencing.

Request a 15-minute Scoping Call

Get clarity on the scope before you spend on controls.

Book now

Why Most ML0 Assessments Fall Short

Not all audits are created equal. See the difference between a checkbox exercise and a defensible, board-ready baseline.

Checkbox Audit

Evidence standard

Policy and attestations accepted as sufficient

Independence and conflicts

May be linked to product or service upsell

Control validation method

Limited sampling, low-depth review

Board translation

Technical outputs with limited governance framing

Practical uplift sequencing

Generic recommendations

Assessor seniority

Variable, often junior-heavy delivery

Output usability

Often delayed, fragmented, or generic
RECOMMENDED

Beyond Technology

Evidence standard

Technical and governance evidence validated against practical operation

Independence and conflicts

Independent, vendor-neutral, no software or managed service sales

Control validation method

Structured verification across representative enterprise scope

Board translation

Board-ready risk translation with defensibility context

Practical uplift sequencing

Prioritised, operationally realistic sequencing to ML1 and ML1 plus

Assessor seniority

Engineering-led assessment by senior consultants

Output usability

Consolidated pack designed for executive and technical action in 10 business days

What It Means for Your Board

Undetected gaps expose you to regulatory penalties and cyber liability.
Commercial conflicts in audit advice create unnecessary capex.
Non-defensible findings rejected by regulators and insurers.
Generic reports prevent informed board decision-making.
Junior assessments miss sophisticated attack vectors.
Biased advice always leads to vendor lock-in and double spending.
Delayed outputs mean governance gaps persist longer than necessary.

We do not sell software, licensing, or managed services. Our only output is defensible findings and a prioritised uplift plan that your leadership team can govern with confidence.

See Exactly What You Receive

What You Receive in 10 Business Days

Complete, board-ready deliverables that establish your evidence baseline and chart a defensible path to ML1.

ML0 evidence matrix

A defensible baseline showing where evidence exists, where it is partial, and where it is missing.

  • Mapped evidence status per assessed control area.
  • Confidence rating on evidence quality and consistency.

Control-by-control gap map

A practical view of specific blockers preventing ML1 readiness.

  • Gap statements tied to observed control behaviour.
  • Clear distinction between design gap, implementation gap, and governance gap.

Board-ready executive summary

Decision-grade reporting that translates technical gaps into governance and risk context.

  • Priority findings with business impact framing.
  • Governance actions for executive oversight and accountability.

Prioritised uplift plan to ML1

A staged path that stabilises foundational controls and builds towards stronger assurance.

  • Priority sequence by risk reduction and feasibility.
  • Milestones for ML1 outcomes and ML1 plus progression.

Implementation sequencing plan

A realistic delivery model that minimises disruption and clarifies ownership.

  • Workstream sequencing by dependency and change window suitability.
  • Ownership guidance across security, infrastructure, operations, and governance teams.

Retest readiness plan

A clear route to verifying uplift progress with minimal ambiguity.

  • Evidence checkpoints for each uplift milestone.
  • Retest scope guidance and timing options.

What We Assess

Identity and access control operation across enterprise domains
Patch governance and coverage across server, endpoint, and critical workloads
Application control readiness and exception governance
Macro control implementation and enforcement consistency
User application hardening configuration and verification
Administrative privilege governance and recertification discipline
Backup integrity, restoration assurance, and recovery test evidence
Logging quality, monitoring coverage, and evidence capture maturity
Exceptions governance, compensating controls, and risk acceptance traceability
Cross-team ownership model for sustained control operation

Our Five-Step Process

Board-ready outputs in 10 business days from evidence access.

We work within approved maintenance windows and low-traffic hours

1

Scoping Call

Confirm business scope, system boundaries, and evidence pathways. 15–30 minutes.

2

Evidence Collection

Gather artefacts, validate operation, and map exceptions across your environment.

3

Control Scoring

Produce structured control findings with traceable evidence links.

4

Board-Ready Report

Executive summary plus detailed technical findings for assurance teams.

5

Uplift Roadmap

Define practical sequence, ownership, and verification points for ML1.

Board-ready outputs delivered

What we need from you

Named enterprise contact
Read-only access where possible
Workshop attendance, 1 to 2 sessions
Change window guidance
List of critical systems and business services
Free Download

ML0 Board Pack

Defensible Governance Starter Kit

Give your Board and CFO a practical governance starter kit to oversee ML0 uplift with confidence. Use it to frame decisions, track evidence readiness, and align remediation priorities.

What's Inside

  • Board oversight checklist aligned to Essential Eight governance
  • Evidence readiness checklist
  • Exception handling template for governance committees
  • Risk acceptance framework for executive decision records
  • 90-day uplift prioritisation worksheet
  • Executive reporting template
  • Budget framing guide for uplift work
  • Questions to ask internal teams and vendors
  • Common enterprise pitfalls list
  • ML0 vs ML1 definitions for non-technical stakeholders
Prefer to talk it through?

✓ No spam. Unsubscribe anytime.

✓ Vendor-neutral. No product sales.

ML0 Gap Snapshot

Use this quick self-assessment to estimate your current evidence readiness. It helps leadership teams decide whether to move straight to a scoped ML0 baseline.

1Do you have current, central evidence for control operation across critical systems?
2Are privileged access reviews documented and repeatable across business units?
3Can you show consistent patch governance across endpoint and server estates?
4Are application control exceptions governed and time-bound?
5Can you demonstrate macro and user application hardening enforcement?
6Is backup restoration tested with evidence linked to critical services?
7Do governance forums receive evidence-based status, not only policy updates?
8Is there an agreed uplift sequence with named owners and milestones?

Scoring guidance

Add 1 point for each Yes. Total score range: 0 to 8.

0 to 2

High likelihood ML0

3 to 5

Mixed evidence, verify

6 to 8

Likely ML1-ready, confirm

Email me the scoring guide

Frequently Asked Questions

Everything you need to know about the ML0 baseline audit.

Still have questions?

Book a 15-minute call with our team to discuss your specific audit needs.

Request a Scoping Call
15-Minute Call

Request a Scoping Call

Confirm your environment scope, governance context, and evidence access pathways. You will speak with a senior consultant, not a sales queue.

✓ No spam. We respond within 24 hours.

✓ We do not sell or share your details.

Not ready for a call? Get the Board Pack instead