Skip to content
BlueStone Tech
Productised offer · $7,500 fixed · money-back

Essential 8 for Melbourne small business — done in 90 days.

We don't sell another audit. We get you to Maturity Level 1, fixed fee, money-back if we miss. Then we hand your broker an evidence pack they recognise.

$7,500

fixed fee · GST inc.

90 days

kickoff to ML1 sign-off

100%

refund if we miss

Patch appsPatch OSMFAAdmin privilegesMacro settingsApp controlBackupsUser hardening CURRENT ML 0.7 target ML1 by 14 Jun
Current maturity ASD ML1 target

Why now

Who's asking Melbourne businesses for Essential Eight — and why.

The Essential Eight is the Australian Cyber Security Centre's short answer to a long problem: eight controls that, implemented together, cut off the attack paths behind most Australian ransomware and business-email-compromise incidents. It isn't legislated for private business — but three groups now treat it as the de facto baseline, and all three have started writing to Melbourne SMBs about it.

Cyber insurers lead. Renewal questionnaires for Victorian businesses routinely walk through the eight controls one by one, and a vague answer either loads the premium or quietly voids the cover you thought you had. Audit and advisory firms come second: when your accountant or a client's auditor runs a security review, the findings are almost always framed against the Essential Eight maturity model. And larger customers — government buyers especially — increasingly put it in supplier questionnaires before a contract is signed.

Maturity Level 1 is the tier that satisfies most of those requests for a business under about 100 staff, and it's the level this program delivers — scored honestly against the ASD's published criteria, not "aligned to" or "working towards". Want to know where you stand before spending anything? Start with our free 30-minute ML1 self-assessment.

The eight controls · what we implement

Eight controls. Our job, not yours.

You don't need to learn the framework — that's what you're paying us for. Here's what we actually do inside your environment for each of the eight, in plain English first and engineer's terms underneath.

01

Application control

We build and enforce an allow-list, so only software you've approved runs on company machines.

Defender / UEMS AppLocker policy, piloted on a small ring first, then org-wide — tuned against your real workload.

02

Patch applications

We automate third-party patching, so browsers, Office and Adobe never sit exposed for weeks.

Auto-deployment with rollback. CVE-to-deployed-patch latency is tracked and lands in your evidence pack.

03

Configure MS Office macros

We lock down macros from the internet — still the cheapest ransomware entry into an SMB.

Office trust-centre policy pushed by UEMS: signed macros only, internet-sourced files blocked.

04

User application hardening

We strip out the legacy plugins and risky browser features attackers lean on.

Browser hardening baseline plus ASR rules; unused legacy components removed tenant-wide.

05

Restrict admin privileges

We remove standing admin rights and give engineers a just-in-time path for when they genuinely need one.

Entra PIM elevation, named admin accounts, quarterly access review — documented every cycle.

06

Patch operating systems

We put Windows and macOS on managed patch rings with a hard 14-day ceiling.

Pilot → production rings, unattended out-of-band patches, monthly compliance report.

07

Multi-factor authentication

We enforce MFA on every account — including the directors nobody wants to nag.

Conditional Access tenant-wide; phishing-resistant MFA and FIDO2 for privileged roles.

08

Regular backups

We back up M365 and endpoints immutably — and prove restores work, in writing.

3-2-1 with an immutable copy, quarterly restore test with sign-off. RPO ≤24h, RTO ≤4h.

The 90-day plan

Week-by-week. No surprises.

Every engagement starts read-only: we score your Microsoft 365 tenant, endpoints and network against the ASD's Information Security Manual before changing anything, so the plan is built on evidence rather than assumptions. From there the uplift lands in weekly increments sized for a working business — no big-bang cutovers, no all-staff downtime. If you have an internal IT person or an incumbent MSP, we run the program co-managed alongside them; the controls land the same way. The final fortnight is spent re-scoring and assembling the evidence pack.

  1. Discovery & evidence base

    Read-only audit of M365 tenant, endpoint estate, network. Maturity scored against ASD's ISM. Baseline report delivered.

  2. Patching, MFA & backup

    Automated 3rd-party patching deployed. MFA hard-rolled for all users. M365 + endpoint backup configured and tested.

  3. Hardening & macros

    Application hardening baseline, ASR rules, Office macro policy. User comms + 30-min training session.

  4. Privileges & application control

    Just-in-time admin elevation, AppLocker pilot, refinement based on real workload. Most users now run without admin.

  5. Evidence pack & sign-off

    Maturity re-scored. Insurance-ready evidence pack delivered (matrices, screenshots, attestations). Leadership readout.

After sign-off, keeping ML1 true is a maintenance job: patch rings need watching, admin access needs its quarterly review, restores need their test. Most clients hand that to the Secure+ plan ($169/user/month), which keeps every control current and refreshes the insurance evidence pack each year — but the retainer is optional, and the evidence pack is yours either way.

Who this is for · where we work

Built for Melbourne firms of 10–75 staff.

The program is sized for owner-led Melbourne businesses — professional-services firms that hold sensitive client data but don't have an internal security team. Most of our Essential Eight work comes from accounting and tax practices, law firms, allied-health clinics, and the businesses that supply larger, compliance-bound customers.

We're based in Mount Waverley and work across metro Melbourne — onsite where the work needs hands on hardware, remote where it doesn't. Throughout the 90 days you deal with the engineer doing the work, by email, not an account manager.

The usual trigger is a letter: a broker's renewal questionnaire, an audit finding, or a tender that wants Essential Eight evidence with three weeks' notice. If that letter has arrived, email us what it says — we'll reply the same business day with whether the 90-day program fits and exactly what it would cover.

Already at ML1 and being pushed to Maturity Level 2 by an auditor or a financial-services obligation? That's a different, larger project — the 12-week ML2 Uplift Sprint we run for audit-firm referrals, $22,000 fixed.

Insurer FAQ

What your broker wants to know.

My broker just sent me an Essential 8 attestation form. What do I do?
Forward it to us. We'll fill it accurately and provide the underlying evidence. Most brokers accept the BlueStone Cyber Insurance Renewal Pack as-is.
Do you guarantee we'll pass an insurer audit?
We guarantee ML1 maturity per ASD's published criteria. Insurer audits ask broader questions — we equip you to answer every question with documented evidence.
Can the $7,500 be invoiced post-renewal?
Yes. Most clients run the 90-day uplift in the 4–6 month window before renewal. We can structure invoicing in three milestones to match cash flow.
What if you don't reach ML1?
Full refund of the $7,500 — and we publish the gap report so you can take it to another provider. We've never had to refund (yet) but the guarantee is real, in writing.
What about ML2 or ML3?
Almost no SMB needs ML2 or ML3. ML1 is what insurers ask for and what regulators reference.
Does this work for businesses on Google Workspace?
Yes — though the ASD's controls map most cleanly onto a Microsoft tenant. We support Google Workspace and will be honest if a Microsoft migration would shorten the path.
Same-business-day email reply · no sales calls

Want a quote for Essential 8 in 90 days? It takes 2 minutes.

We'll email back with a tailored proposal — no calls, no follow-ups you didn't ask for.