Since the Australian Signals Directorate (ASD) first introduced the Essential Eight in 2017, there’s been ongoing discussion in industry forums, blogs, and boardrooms: Will there ever be an Essential Ten? Could two new controls be added to strengthen baseline cyber hygiene? And if so, what should they be?
Some ideas circulating in the market include:
- Governance and policy management for small and mid-sized organisations
- Supply chain security controls to manage third-party risk
- Advanced monitoring for Operational Technology (OT) systems
- Expanded identity and access management practices
But before IT teams start planning for new controls, it’s important to cut through the speculation.
The Reality: No Essential Ten Yet
Despite rumours and speculation, there is currently no verified news or official guidance indicating that the Essential Eight will be expanded to an Essential Ten. Analysis of official publications on and recent reporting confirms that the framework remains eight mitigation strategies, with no additional categories announced for 2026.
What is happening, however, is a clear trend towards strengthening and refining the existing controls:
- Stricter implementation expectations: Faster patching, tighter admin privileges, and more consistent application control.
- Enhanced maturity assessment: Greater scrutiny on evidence, documentation, and adoption of Zero Trust principles.
- Sector-specific focus: OT systems, cloud apps, and SaaS environments are increasingly under the Essential Eight lens.
In other words, the baseline isn’t growing, it’s maturing.
Why the Essential Eight Should Stay Eight
From our perspective, the Essential Eight should remain as-is: refined, not expanded. Here’s why:
Simplicity drives adoption
Many Australian organisations are smaller than their North American or European counterparts, with lean IT teams and limited InfoSec budgets. Expanding the controls risks creating confusion or low adoption. The Essential Eight’s simplicity is intentional, designed to achieve basic resilience efficiently.
Measured effectiveness
When ASD evaluated potential additional controls, the gap between the eighth and ninth candidate was significant. Each control was assessed on ease of implementation and real-world impact, and the current eight remain the most effective set for achieving meaningful baseline protection.
Pathways for maturity
Organisations seeking more advanced coverage can layer in frameworks like:
These provide governance, supply chain, and operational controls that create a more mature security posture without bloating the baseline.
Looking Ahead: 2026 and Beyond
The direction for 2026 is clear: organisations will be judged on how effectively they implement and maintain the Essential Eight, not on whether they add more controls. For IT leaders, this means:
- Prioritising speed and consistency of patching, identity management, and backup resilience.
- Applying the controls across OT and cloud environments in line with evolving operational realities.
- Leveraging maturity frameworks like NIST and CIS to extend beyond the baseline, if organisational complexity or risk appetite demands it.
Strengthening the Essential Eight provides better return on effort than expanding the list, especially in a market where IT resources are finite and risk tolerance is low.
Bottom Line for IT Leaders
- No Essential Ten is coming in 2026
- Expect stricter enforcement and maturity checks for the existing eight controls
- Focus on effective implementation, not additional categories
- OT, cloud, and SaaS environments will increasingly define how your baseline is assessed
The real opportunity for IT leaders isn’t chasing a hypothetical “Essential Ten”: it’s maximising the impact of the Essential Eight and aligning with broader frameworks to drive operational resilience and governance confidence.