How long does it take to implement Essential Eight?

It depends on your starting point, target maturity level, and the complexity of your environment, but here's a realistic guide:

1. Gap Assessment: 2-4 weeks from scoping session to final report, for most mid-sized to enterprise organisations.
2. Reaching Maturity Level 1: Typically 1-3 months, assuming Microsoft 365 is already in place and the primary work is configuration and policy deployment.
3. Reaching Maturity Level 2: Typically 3-6 months, with the most time-intensive workstreams being phishing-resistant MFA rollout, privileged access governance, and centralised logging.
4. Reaching Maturity Level 3: 6-12+ months, depending on the complexity of your environment and the degree of architectural change required (such as Secure Admin Workstation deployment).

The good news for Microsoft 365 and Azure customers is that much of the required capability already exists in your stack. In many cases, implementation is faster and less costly than organisations expect.