Essential Eight ML2 in six weeks - with the audit deadline holding
A 45-partner Melbourne firm needed Essential Eight Maturity Level 2 before a client insurance audit. We rebuilt their security posture in six weeks - no missed deadlines, no disruption to billable work.
Hartley & Reid had been scored at Essential Eight Maturity Level 0 in a baseline assessment commissioned by their professional indemnity insurer. A follow-up audit was scheduled six weeks out, with a threatened premium hike and - worse - a coverage reduction if they didn't move the needle.
The firm had the usual patchwork: a long-tenured in-house IT lead, three different endpoint products across three offices, macros running in legacy Word templates nobody wanted to touch, and local admin rights distributed loosely across the partner cohort. Nothing was broken. Everything was out of compliance.
We started with a posture review against each of the eight controls, turning the ML0 findings into a week-by-week delivery plan. Patch management was consolidated onto a single platform with an SLA the auditor could verify. Application control rolled out in audit mode first, then enforce - catching three shadow-IT tools we were able to either sanction or retire cleanly.
Local admin rights were stripped and replaced with a just-in-time elevation workflow that partners actually adopted (because it was faster than the old request flow). MFA went from inconsistently deployed to enforced across every external-facing service, including the document management system that had been the quiet exception.
Macro policies, Office hardening, and daily backups - each with an evidence artefact we built to match the audit framework exactly. We ran a dress-rehearsal audit in week five. The real audit in week six passed first pass on all eight controls.
Essential Eight ML2 certified in six weeks. Insurance premium held flat. Zero unplanned downtime during the rollout. The in-house IT lead - who'd been worried about being displaced - came out of it with a co-managed relationship that handed him the strategic work he'd been wanting, with us handling the 3am pages.
Eighteen months on, the firm runs an annual ML2 reattestation as standard and is planning its ML3 uplift for the next renewal cycle.
“We'd been told Essential Eight ML2 was a six-month project. Interconnekt finished it in six weeks, on time, and without pulling our team out of client work to do it. The evidence pack they handed us is now a template we reuse every year.”
What we deployed
Compliance
Roadmap, remediation, and ongoing attestation against the CIS Critical Security Controls and the Australian Essential Eight. Frameworks that actually get implemented, not just referenced.
Learn moreCyber Security
Managed MDR, email and endpoint security, security awareness training, and incident response - delivered through vetted partner platforms. Built for SMBs who can't afford an incident.
Learn moreSecurity Assessments
Vulnerability scans, Microsoft 365 audits, security posture reviews, and dark web exposure checks. Know where you stand before an attacker does - with a remediation plan you can actually act on.
Learn moreLeave the MSP that doesn’t pick up.
Tell us what your current setup looks like. We’ll send back a quote, a transition plan, and a firm date you’d be onboarded - within 48 hours.
- Response
- Within 48 hours
- Format
- Written quote
- Discovery call
- Not required
- Contracts
- No lock-in terms