Northwick

Inside the Northwick Engine Room: From Essential Eight to Zero Trust. A 90-Day Roadmap for Australian IT Leaders


In Australia, IT leaders are juggling hybrid work, legacy systems, and rising regulatory pressure, whilst attackers keep exploiting weak identities and flat networks.

The ACSC Essential Eight is your baseline: it’s the practical, defensible way to cut ransomware and targeted intrusions, and for non-corporate Commonwealth entities it’s mandated at Maturity Level 2 under the Protective Security Policy Framework (PSPF). But the threat model has moved. Cloud, SaaS, partners, and BYOD demand Zero Trust (never trust, always verify), so every user, device, and session is checked before access is granted.

This roadmap turns strategy into execution. In 90 days, we’ll lock down identity and email, make device posture the gate to access, break lateral movement with segmentation, and wire in continuous monitoring with automated first-hour response. It’s pragmatic, measurable uplift, built for Australian environments and board-ready, so by Day 90 you have controls that stand up to auditors, insurers, and real incidents.

So let’s get started.

Kickoff (Week 0) – Scope, Governance, and Baseline

  • Accountability and cadence – name a Product Owner (CISO or delegate) and workstream leads for Identity, Endpoint, Network, Apps/Data, and SIEM/XDR.
    • Stand up a weekly steering and a 30/60/90 checkpoint.
  • Baseline assessments –
    • Essential Eight maturity (current vs target ML2 or ML3) and risk-based prioritisation of high-value assets.
    • Zero Trust gap analysis across the seven pillars (identities, endpoints, apps, data, infrastructure, networks, visibility/automation).
  • Deliverables – a project plan, RACI, change/comms plan, success metrics (see KPIs below).
  • PSPF context – confirm whether PSPF applies; if so, Maturity Level 2 for Essential Eight is required for non-corporate Commonwealth entities.

Days 0–30 – Fix Identity and Email (quick wins)

Objectives for this stage – stop credential-based compromise, make identity the control plane, and cut BEC/phishing.

  • MFA everywhere and Conditional Access
    • Enforce MFA for all users, with stricter policies for admins and remote access (email, VPN, privileged actions, cloud apps); prefer phishing-resistant methods (FIDO2 security keys, passkeys, or Windows Hello for Business) for admins.
    • Block legacy/basic authentication; require compliant or Hybrid-joined devices for admin roles; block sign-ins that carry high sign-in risk.
    • Evidence – Entra ID sign-in logs, Conditional Access policy export, identity risk dashboards.
  • Least privilege and admin separation
    • Separate admin identities from everyday accounts, enforce Just-In-Time/Just-Enough-Access, and never use admin accounts for mail or web browsing.
    • Weekly review of privileged roles; remove standing permissions.
  • Email authentication and antispoofing
    • Implement SPF, DKIM, and DMARC on every sending domain (including parked ones). Start DMARC at p=none with aggregate (rua) reporting, fix any legitimate third-party senders that fail alignment, then move to p=quarantine and finally p=reject.
    • Evidence – DNS records, DMARC aggregate reports, email headers showing SPF/DKIM alignment.
KPIs (30-day):
  • ≥98% MFA coverage; 0 legacy auth sign-ins.
  • ≥90% DMARC-aligned sends; drop in successful phishing logins.
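As an added example (not part of the original article), the following Python script parses a DMARC aggregate (RUA) report and measures the 30-day KPI above: the share of mail using your domain that was DMARC-aligned, and which sending IPs are failing alignment. The report XML, domain names, IPs and counts are constructed for illustration; the schema is the standard DMARC aggregate format.

```python
"""Measure DMARC alignment from an aggregate (RUA) report."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample RUA report. Record 1 is the corporate mail platform,
# record 2 a third-party sender with SPF aligned but no DKIM, record 3 a
# bulk sender whose SPF passes for its own domain but is not aligned with
# the From: domain, so it fails DMARC and gets quarantined.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>1234</report_id></report_metadata>
  <policy_published><domain>example.com.au</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
    <auth_results><dkim><domain>example.com.au</domain><result>pass</result></dkim>
      <spf><domain>example.com.au</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>60</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
    <auth_results><spf><domain>example.com.au</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>40</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (domain, published policy, per-source rows) from an RUA report.

    Reports arrive from the internet: for real ingestion use defusedxml
    (same API) instead of the stdlib parser to defuse XML bombs.
    """
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # In policy_evaluated, "pass" means authenticated AND aligned with
            # the visible From: domain, which is what DMARC actually enforces.
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "spf_domain": rec.findtext("auth_results/spf/domain") or "-",
        })
    return domain, policy, rows


def summarise(rows):
    """Aggregate rows into the KPI figure plus a map of unaligned senders."""
    total = sum(r["count"] for r in rows)
    aligned = sum(r["count"] for r in rows if r["dkim_aligned"] or r["spf_aligned"])
    unaligned = defaultdict(int)
    for r in rows:
        if not (r["dkim_aligned"] or r["spf_aligned"]):
            unaligned[(r["source_ip"], r["spf_domain"])] += r["count"]
    pct = round(100.0 * aligned / total, 1) if total else 0.0
    return {"total": total, "aligned": aligned, "aligned_pct": pct,
            "unaligned_sources": dict(unaligned)}


def meets_kpi(summary, threshold=90.0):
    """True when the aligned share reaches the roadmap's 30-day target."""
    return summary["aligned_pct"] >= threshold


if __name__ == "__main__":
    domain, policy, rows = parse_report(SAMPLE_REPORT)
    s = summarise(rows)
    print(f"{domain}: p={policy}, {s['aligned']}/{s['total']} aligned ({s['aligned_pct']}%)")
    for (ip, spf_dom), n in s["unaligned_sources"].items():
        print(f"  unaligned: {n} messages from {ip} (SPF domain {spf_dom})")
    print("KPI met" if meets_kpi(s) else "KPI NOT met")
```

The unaligned-sources list is the actionable output: each entry is either a legitimate SaaS sender that needs SPF/DKIM set up for your domain before you tighten the policy, or a spoofer that the move to p=reject will stop.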

Days 31–60 – Device Trust and Network Segmentation

Objectives for this stage – make device health a gate to access; reduce lateral movement.

  • Endpoint compliance before access
    • Deploy/validate EDR (e.g., Defender for Endpoint), enforce OS/app patch SLAs (critical ≤14 days), and block non-compliant endpoints via Conditional Access.
    • Evidence – EDR coverage report, Intune compliance dashboard, patch compliance.
  • Network segmentation and micro-segmentation
    • Build deny-by-default segments for user, server, and sensitive workloads; block workstation-to-workstation SMB/RDP/SSH and restrict admin protocols into servers to jump hosts; start host-based micro-segmentation on critical systems.
    • Evidence – firewall policy diffs, ACLs, segmentation map, east-west traffic baselines.
  • Credential protection
    • Eliminate shared local admin passwords (unique per host, e.g., via LAPS), enable Credential Guard, rotate service-account secrets, and disable legacy name-resolution and discovery protocols (LLMNR, NBT-NS, WPAD).
    • Evidence – GPO/Intune baselines, proof of local admin password uniqueness, hardening checklist.
KPIs (60-day):
  • ≥95% compliant endpoints; patch SLA met; measurable reduction in east-west RDP/SMB; credential hardening completed on crown-jewel hosts.
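To make the "measurable reduction in east-west RDP/SMB" KPI concrete, here is an added Python example (not from the original article) that audits flow records against a deny-by-default segmentation policy. The segment addressing, the allow-list and the flow records are all constructed for this example; in practice the flows come from firewall, NSG or VPC flow logs and the allow-list is the policy you approved in the segmentation map.

```python
"""Audit east-west flows against a deny-by-default segmentation policy."""
import ipaddress
from collections import Counter

# Constructed segment map (assumed addressing). Longest prefix wins, so the
# crown-jewel /24 is matched before the wider server /16 it sits inside.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "crown_jewels": ipaddress.ip_network("10.20.5.0/24"),
    "admin_jump": ipaddress.ip_network("10.30.0.0/24"),
}

# Allowed (source segment, destination segment) -> TCP destination ports.
# Anything not listed, including user-to-user traffic, is denied by default.
ALLOWED = {
    ("users", "servers"): {443, 445},
    ("users", "crown_jewels"): {443},
    ("servers", "crown_jewels"): {443},
    ("admin_jump", "servers"): {22, 443, 445, 3389},
    ("admin_jump", "crown_jewels"): {22, 443, 3389},
}

LATERAL_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}

# Constructed flow records (src, dst, dst_port), as exported from flow logs.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.1.9", 445),     # workstation -> workstation SMB
    ("10.10.1.5", "10.20.1.10", 445),    # workstation -> file server SMB
    ("10.10.2.7", "10.20.5.3", 3389),    # workstation -> crown jewel RDP
    ("10.30.0.4", "10.20.5.3", 3389),    # jump host -> crown jewel RDP
    ("10.10.2.7", "10.20.1.10", 443),    # workstation -> web app HTTPS
    ("10.20.1.10", "10.20.5.3", 22),     # server -> crown jewel SSH
    ("10.10.1.5", "10.10.1.9", 3389),    # workstation -> workstation RDP
]


def segment_of(ip):
    """Longest-prefix match of an address to a segment name ('unknown' if none)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in SEGMENTS.items():
        if addr in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best or "unknown"


def audit_flows(flows):
    """Classify each flow as allowed or a violation; tally violations by path/port."""
    allowed = 0
    violations = []
    violation_counts = Counter()
    for src, dst, port in flows:
        pair = (segment_of(src), segment_of(dst))
        if port in ALLOWED.get(pair, set()):
            allowed += 1
            continue
        violations.append({
            "src": src, "dst": dst, "port": port,
            "path": f"{pair[0]}->{pair[1]}",
            "service": LATERAL_PORTS.get(port, str(port)),
        })
        violation_counts[(pair[0], pair[1], port)] += 1
    return {"allowed": allowed, "violations": violations,
            "violation_counts": dict(violation_counts)}


if __name__ == "__main__":
    result = audit_flows(SAMPLE_FLOWS)
    print(f"allowed={result['allowed']} violations={len(result['violations'])}")
    for v in result["violations"]:
        print(f"  DENY {v['service']:<4} {v['src']} -> {v['dst']} ({v['path']})")
```

Run this over a week of flows before and after the firewall change and the drop in the violation counts for (users, users, 445) and (users, users, 3389) is the KPI evidence; anything still appearing after enforcement is either a missed rule or a host that is not where the segmentation map says it is.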

Days 61–90 – Continuous Monitoring and Policy Enforcement

Objectives for this stage – instrument for signal-driven decisions, automate first-hour response, validate recoverability.

  • Centralised, time-synchronised logging plus SIEM/XDR
    • Stream identity, endpoint, app, and network telemetry into a SIEM (e.g., Microsoft Sentinel) and integrate XDR; implement analytics and playbooks for high-risk sign-ins, malware, privilege escalation, and data exfiltration.
    • Evidence – log source register, SIEM data connectors, alert-fidelity metrics, playbook runbooks.
  • Policy decision and enforcement in front of high-value resources
    • Implement per-request checks (identity, device posture, session risk) and least-privilege authorisation via app gateways or policy enforcement points (PEPs): deny by default, allow per policy.
    • Evidence – reference architecture, PEP/PA/PE (policy enforcement point, policy administrator, policy engine) policies, approved exceptions list.
  • Backups and recovery validation plus tabletop
    • Maintain offline/immutable backups; perform restore tests for critical apps; run a tabletop (ransomware + BEC) to prove controls and workflows.
    • Evidence – restore success reports, RPO/RTO by system, tabletop outcomes and action log.
KPIs (90-day):
  • MTTD < 15 min and MTTR (containment) < 60 min on priority incidents
  • ≥95% log sources onboarded
  • Quarterly restore success ≥90%
  • Policy-based access enforced on crown-jewel apps
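The SIEM analytics for high-risk sign-ins above, and the Day-30 evidence that MFA and legacy-auth blocking actually hold, can both be checked with the same detection logic. The following is an added Python example (not the article's or Microsoft's code) that runs three detections and the MFA-coverage KPI over sign-in records shaped like Entra ID SigninLogs (userPrincipalName, clientAppUsed, authenticationRequirement, riskLevelDuringSignIn, status.errorCode, deviceDetail.isCompliant). The events, users and IPs are constructed, and the "adm-" prefix for separate admin identities is an assumed naming convention.

```python
"""Identity detections over Entra ID-style sign-in records (JSON lines)."""
import json
from collections import defaultdict

# Constructed sign-in events, one JSON object per line. Field names follow
# the SigninLogs schema; values are made up for this example.
SAMPLE_SIGNINS_JSONL = """
{"createdDateTime":"2025-03-03T08:01:00Z","userPrincipalName":"alice@example.com.au","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","riskLevelDuringSignIn":"none","ipAddress":"203.0.113.5","status":{"errorCode":0},"deviceDetail":{"isCompliant":true}}
{"createdDateTime":"2025-03-03T08:04:00Z","userPrincipalName":"bob@example.com.au","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","riskLevelDuringSignIn":"none","ipAddress":"198.51.100.20","status":{"errorCode":0},"deviceDetail":{"isCompliant":false}}
{"createdDateTime":"2025-03-03T08:09:00Z","userPrincipalName":"carol@example.com.au","appDisplayName":"SharePoint Online","clientAppUsed":"Browser","authenticationRequirement":"singleFactorAuthentication","riskLevelDuringSignIn":"high","ipAddress":"192.0.2.99","status":{"errorCode":0},"deviceDetail":{"isCompliant":false}}
{"createdDateTime":"2025-03-03T08:12:00Z","userPrincipalName":"adm-dave@example.com.au","appDisplayName":"Azure Portal","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","riskLevelDuringSignIn":"none","ipAddress":"203.0.113.7","status":{"errorCode":0},"deviceDetail":{"isCompliant":false}}
{"createdDateTime":"2025-03-03T08:15:00Z","userPrincipalName":"alice@example.com.au","appDisplayName":"Microsoft Teams","clientAppUsed":"Mobile Apps and Desktop clients","authenticationRequirement":"multiFactorAuthentication","riskLevelDuringSignIn":"low","ipAddress":"203.0.113.5","status":{"errorCode":0},"deviceDetail":{"isCompliant":true}}
{"createdDateTime":"2025-03-03T08:20:00Z","userPrincipalName":"eve@example.com.au","appDisplayName":"Azure Portal","clientAppUsed":"Browser","authenticationRequirement":"singleFactorAuthentication","riskLevelDuringSignIn":"high","ipAddress":"192.0.2.44","status":{"errorCode":53003},"deviceDetail":{"isCompliant":false}}
"""

SAMPLE_SIGNINS = [json.loads(line) for line in SAMPLE_SIGNINS_JSONL.strip().splitlines()]

ADMIN_PREFIX = "adm-"  # assumed naming convention for separate admin identities
# Modern-auth client types; everything else (IMAP4, POP3, SMTP, ActiveSync,
# "Other clients") is legacy authentication that Conditional Access cannot
# protect with MFA.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def is_success(event):
    """errorCode 0 is a successful sign-in; 53003 means blocked by Conditional Access."""
    return event["status"]["errorCode"] == 0


def detect(events):
    """Return findings as (rule, user, detail) tuples, in event order."""
    findings = []
    for ev in events:
        user = ev["userPrincipalName"]
        if not is_success(ev):
            continue  # a blocked attempt is the control working; alert only on successes
        if ev["clientAppUsed"] not in MODERN_CLIENTS:
            findings.append(("legacy_auth_success", user, ev["clientAppUsed"]))
        if ev["riskLevelDuringSignIn"] == "high":
            # CA policy says high sign-in risk = block; a success here is a gap.
            findings.append(("high_risk_signin_succeeded", user, ev["ipAddress"]))
        if user.startswith(ADMIN_PREFIX) and not ev["deviceDetail"]["isCompliant"]:
            findings.append(("admin_from_noncompliant_device", user, ev["appDisplayName"]))
    return findings


def mfa_coverage(events):
    """Percentage of users whose successful sign-ins all required MFA (0-100)."""
    per_user = defaultdict(list)
    for ev in events:
        if is_success(ev):
            per_user[ev["userPrincipalName"]].append(
                ev["authenticationRequirement"] == "multiFactorAuthentication")
    if not per_user:
        return 0.0
    covered = sum(1 for checks in per_user.values() if all(checks))
    return round(100.0 * covered / len(per_user), 1)


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_SIGNINS):
        print(f"ALERT {rule:<32} {user:<28} {detail}")
    print(f"MFA coverage (users with MFA on every sign-in): {mfa_coverage(SAMPLE_SIGNINS)}%")
```

Each finding maps to a first-hour playbook action: revoke sessions and force a password reset for the high-risk success, disable the protocol (and the user's app password) for the legacy-auth success, and quarantine the device or strip the role assignment for the admin on a non-compliant device. The eve@ event produces no alert because Conditional Access blocked it, which is exactly the outcome the Day-30 policy was meant to deliver.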

Seven pillars – what we expect to be in place by Day 90

Identities

  • MFA plus Conditional Access everywhere
  • Privileged identities under JIT/JEA
  • Identity risk analytics feeding the SIEM

Known constraints and how to handle them

  • Legacy apps that don’t support modern auth – plan for brokers, app modernisation, or compensating controls.
  • BYOD/partner devices – require app protection policies or Conditional Access with strict restrictions.
  • Log ingestion costs and noise – use tiered storage and content tuning; start with priority detections.

Pillars covered: Identities, Endpoints, Applications, Data, Infrastructure, Networks, Visibility/automation.

About Us

Northwick Cybersecurity is a dedicated brand from Bushey Pty Ltd. that is focused on supporting your Cybersecurity needs and partnering to keep your business data and systems safe from data theft and breaches.

Contact Info

Level 1/9-11 Grosvenor St. Neutral Bay 2089 NSW Australia
