Organisations will need to widen cyber planning beyond a checklist as Australia moves to replace the Essential Eight with risk-based Essentials guidance.