Where does your business stand on the Essential Eight?
A free, plain-English self-assessment for Australian small businesses. Answer questions for about 20 minutes and get an indicative maturity snapshot across all eight ASD controls — the same framework insurers and big customers ask about.
No account needed · Progress saves automatically · ~20 minutes
How it works
1. Answer plain-English questions
About 50 questions across the eight controls — MFA, backups, patching, macros, admin rights and more. "Unsure" is a valid answer.
2. See your maturity snapshot
An indicative Level 0–3 for each control and overall, assessed against the ASD Essential Eight Maturity Model (November 2023).
3. Know what to fix first
Your snapshot highlights the gaps holding your overall level down, so you can focus effort where it counts most.
Built for Australian small businesses
If you run a 5–50 person business — a trade, clinic, professional practice or online store — and your insurer, broker or a big customer has asked about your cyber security, this is for you. No consultants, no jargon, no sales calls.
- Facing a cyber insurance application or renewal questionnaire
- Asked by a customer or partner about your security posture
- Getting ahead of Privacy Act obligations for small businesses
- Just want to know your gaps before someone else finds them
Frequently asked questions
- Is this a certification or audit?
- No. Veritas Cyber is a self-assessment tool: you answer questions about your own business, and we turn your answers into an indicative maturity snapshot. It is not a certification, audit, or guarantee — and it is not legal or insurance advice.
- What is the Essential Eight?
- The Essential Eight is a set of eight baseline mitigation strategies published by the Australian Signals Directorate (ASD). Each is assessed at a maturity level from 0 to 3. Many Australian insurers and larger customers ask small businesses to demonstrate their maturity against it.
- Why does cyber insurance keep coming up?
- Australian insurers increasingly ask applicants about controls like multi-factor authentication, backups and patching before offering or renewing cyber cover. A documented self-assessment can help you understand and discuss your posture with your broker — though insurers make their own decisions.
- Do I need technical knowledge?
- No. Questions are written in plain English for business owners and office managers. Every question has a "why we ask" note showing the underlying ASD criterion, and you can answer "unsure" — we treat it conservatively and flag it for follow-up.
- What do you do with my answers?
- Your answers stay in your browser while you complete the assessment. If you choose to email yourself the results, we store your email and the level summary only — never your detailed answers, and never any credentials or system data.