Sustainability is no longer a niche concern — it is a business imperative. Australian enterprise and government clients are requiring ESG disclosures from their IT service providers, and MSPs that can demonstrate sustainability credentials are winning more deals.

Why Sustainability Matters for MSPs

Client Requirements

Enterprise procurement is increasingly requiring sustainability information:

• Government contracts — sustainability criteria in RFPs
• Enterprise RFPs — ESG questions becoming standard
• Supply chain requirements — large organisations requiring supplier sustainability data
• Investor pressure — PE-backed MSPs facing ESG requirements from investors

Regulatory Landscape

Australia's sustainability reporting requirements are evolving:

• Climate-related financial disclosures — mandatory for large entities from 2024-2025
• Modern Slavery Act — reporting requirements for entities over $100M revenue
• Safeguard Mechanism — emissions reduction requirements for large emitters
• National Greenhouse and Energy Reporting (NGER) — reporting for large energy users

Business Benefits

Beyond compliance, sustainability delivers:

Measuring Your MSP's Carbon Footprint

Scope 1: Direct Emissions

Emissions from sources you directly control:

• Office heating and cooling (if gas)
• Company vehicles
• Refrigerants

For most MSPs: Minimal — office-based operations with no significant direct emissions.

Scope 2: Indirect Emissions (Energy)

Emissions from purchased electricity:

• Office electricity consumption
• On-premises data centre energy
• Cooling for IT equipment

Measurement: Electricity bills × regional emission factor (kg CO2-e per kWh)

Scope 3: Value Chain Emissions

The largest and most complex category:

Microsoft Sustainability Calculator

Microsoft provides a free Sustainability Calculator for Microsoft 365 and Azure customers:

• Tracks carbon emissions from Microsoft cloud services
• Provides monthly reports by service
• Includes Scope 1, 2, and 3 breakdowns
• Benchmarking against industry averages

AWS Customer Carbon Footprint Tool

AWS provides a similar tool for AWS customers:

• Tracks carbon emissions from AWS services
• Provides monthly and annual reports
• Includes projections based on renewable energy commitments

Green IT Practices for MSPs

Energy Efficiency

Sustainable Procurement

Circular Economy

Remote Work

The shift to remote work has sustainability benefits:

• Reduced commuting emissions
• Lower office energy consumption
• Reduced business travel
• More efficient use of resources

Sustainability Reporting Frameworks

GRI (Global Reporting Initiative)

The most widely used sustainability reporting framework:

• Comprehensive reporting guidelines
• Materiality assessment
• Stakeholder engagement
• Performance metrics

Best for: Larger MSPs seeking comprehensive reporting.

TCFD (Task Force on Climate-related Financial Disclosures)

Focuses on climate-related risks and opportunities:

• Governance and strategy
• Risk management
• Metrics and targets
• Scenario analysis

Best for: MSPs reporting to investors or meeting climate disclosure requirements.

CDP (formerly Carbon Disclosure Project)

Standardised environmental reporting:

• Climate change questionnaire
• Water security questionnaire
• Forest questionnaire

Best for: MSPs responding to client CDP requests.

SASB (Sustainability Accounting Standards Board)

Industry-specific sustainability standards:

• Technology and communications sector standards
• Financially material sustainability topics
• Comparable metrics across companies

Best for: MSPs seeking investor-grade sustainability reporting.

Practical Reporting for MSPs

Start Simple

You do not need a comprehensive sustainability report on day one:

Year 1: Measurement - Calculate Scope 1 and 2 emissions - Begin Scope 3 measurement (cloud, travel) - Set baseline year - Identify quick wins

Year 2: Reporting - Publish basic sustainability data - Set reduction targets - Implement key initiatives - Engage stakeholders

Year 3: Maturity - Comprehensive reporting against framework - Verified emissions data - Progress against targets - Integrated business strategy

The MSP Sustainability Report

A basic MSP sustainability report includes:

1. Executive Summary — sustainability strategy and key achievements
2. Governance — how sustainability is managed
3. Environmental Performance — emissions, energy, waste
4. Social Performance — employees, community, diversity
5. Governance Performance — ethics, compliance, transparency
6. Targets and Progress — goals and achievements
7. Methodology — how data was collected and calculated

Data Collection Checklist

• [ ] Electricity bills (12 months)
• [ ] Cloud provider carbon reports
• [ ] Business travel records
• [ ] Hardware asset inventory
• [ ] Employee headcount and commuting data
• [ ] Office energy efficiency data
• [ ] Vendor sustainability information
• [ ] Waste and recycling data

Sustainability in MSP Procurement

What Clients Are Asking

Enterprise clients increasingly include sustainability criteria in MSP selection:

RFP Questions: - What is your carbon footprint? - Do you have sustainability targets? - What green IT practices do you implement? - Do you have third-party sustainability verification? - How do you manage e-waste?

Contract Requirements: - Sustainability reporting obligations - Carbon reduction commitments - Sustainable procurement requirements - Environmental management standards

How to Win with Sustainability

• Measure and report — even basic data beats no data
• Set targets — commit to improvement, even if starting from zero
• Demonstrate progress — show year-over-year improvement
• Get certified — ISO 14001 (environmental management) adds credibility
• Tell your story — communicate sustainability efforts to clients

Green IT and Essential 8

Some Essential 8 controls support sustainability:

• Patch management — keeping systems updated improves efficiency
• Application control — reducing unnecessary software reduces energy use
• Backup optimisation — efficient backup reduces storage and energy
• Cloud migration — cloud providers are more energy-efficient

Our Essential 8 Guide covers these controls in detail.

The Bottom Line

Sustainability reporting is not just a compliance exercise — it is a business opportunity. MSPs that measure, report, and improve their environmental performance win more enterprise deals, reduce costs, and build more resilient businesses.

The key is to start simple, measure consistently, and improve continuously. You do not need perfection — you need progress.

Use our MSP Health Score to benchmark your operational maturity, or our MSP Vendor Management Guide for sustainable vendor selection strategies.

Data loss is not a question of if, but when. Ransomware, hardware failure, human error, natural disasters, and malicious insiders all threaten your business data. Your MSP's backup and disaster recovery (BCDR) capability is arguably the most important service they provide — because when everything else fails, backups are what keep your business alive.

Why Backup Is Your Last Line of Defence

The Australian Cyber Security Centre (ACSC) reported that ransomware remains one of the top cybersecurity threats to Australian businesses. In 2025, the average ransom demand for Australian businesses exceeded $250,000, with total incident costs (including downtime, recovery, and reputational damage) averaging $1.5 million.

The only reliable defence against ransomware is tested, immutable backups. If your MSP cannot demonstrate that your backups are working and recoverable, you are one incident away from catastrophic data loss.

The BCDR Framework

Effective disaster recovery is not just about backing up files. It is a framework that covers four elements:

1. Backup Strategy

Your backup strategy defines what is backed up, how often, and where it is stored.

What to back up: - All servers (full image and file-level) - All critical databases - Microsoft 365 data (Exchange, SharePoint, OneDrive, Teams) - Line-of-business applications - Configuration files (firewalls, switches, routers) - Virtual machines

How often: | Data Type | Backup Frequency | Retention | |-----------|-----------------|-----------| | Critical servers | Every 4 hours (minimum) | 30 days daily + 12 months monthly | | Workstations | Daily | 30 days | | Microsoft 365 | Daily | 90 days | | Databases | Every 1–4 hours | 30 days with point-in-time recovery | | Configurations | Weekly | 12 months |

Where to store: - On-site: Fast recovery but vulnerable to physical disasters - Off-site: Protected from local disasters but slower recovery - Cloud: Scalable and geographically diverse - Immutable storage: Protected from ransomware and deletion

The ideal setup is a 3-2-1 strategy: 3 copies of data, on 2 different media types, with 1 off-site. In 2026, the recommendation is 3-2-1-1: add 1 immutable copy.

2. Recovery Point Objective (RPO)

RPO defines how much data you can afford to lose. It determines your backup frequency.

• RPO of 1 hour: Backups every hour. You lose at most 1 hour of data.
• RPO of 4 hours: Backups every 4 hours. You lose at most 4 hours of data.
• RPO of 24 hours: Daily backups. You lose at most 1 day of data.

Most Australian SMBs target an RPO of 4–24 hours for general systems and 1–4 hours for critical databases. The RPO you choose should be based on the business impact of data loss, not technical convenience.

3. Recovery Time Objective (RTO)

RTO defines how quickly you need to restore operations after a disaster. It determines your recovery infrastructure and processes.

Your RTO should account for: - Revenue impact of downtime - Staff costs during downtime (people still get paid) - Customer and reputational damage - Regulatory reporting requirements (some breaches require notification within 72 hours)

4. Disaster Recovery Plan

Your DR plan is the documented process for recovering your IT environment. It should include:

• Contact list: Who to call (MSP, vendors, key staff)
• Incident classification: What constitutes a disaster vs a major incident
• Recovery procedures: Step-by-step instructions for each system
• Communication plan: How to notify staff, customers, and stakeholders
• Testing schedule: When and how the DR plan is tested
• Provider responsibilities: What the MSP is responsible for vs your internal team

Common BCDR Solutions Used by Australian MSPs

The best solution depends on your environment, budget, and recovery requirements. Your MSP should be able to explain why they chose their BCDR platform and how it meets your needs.

The Microsoft 365 Backup Gap

Many Australian businesses assume Microsoft backs up their M365 data. They are wrong.

Microsoft's responsibility is the platform — keeping Exchange Online, SharePoint, and OneDrive running. Your responsibility is your data within those services.

Microsoft provides: - Geo-redundant storage (data is replicated across data centres) - Point-in-time recovery (up to 14 days for SharePoint, 30 days for OneDrive)

Microsoft does NOT provide: - Long-term backup retention - Granular point-in-time recovery beyond their default windows - Protection against accidental or malicious deletion beyond soft-delete - Compliance-grade backup for regulatory requirements

If your MSP manages your M365 environment, they should be implementing a third-party M365 backup solution. If they are not, you have a significant gap.

Ransomware Resilience

Modern ransomware specifically targets backups. Attackers know that if they can encrypt or delete your backups, you have no choice but to pay the ransom.

How to Protect Against Backup-Targeting Ransomware

1. Immutable storage: Backups that cannot be modified or deleted for a defined period, even by administrators.
2. Air-gapped backups: Physical separation from the network. Ransomware cannot encrypt what it cannot reach.
3. Separate credentials: Backup systems should use different admin accounts than your primary environment.
4. Monitoring: Alert on any changes to backup schedules, configurations, or data.
5. Regular restoration testing: If you have never tested restoring from backups, you do not have backups — you have hope.

Evaluating Your MSP's BCDR Capability

Ask your MSP these questions:

1. "What BCDR solution do you use, and why did you choose it?"
2. "When was the last time you tested a full restoration of our environment?"
3. "Are our backups stored in immutable storage?"
4. "What is our RPO and RTO, and how are they achieved?"
5. "Do we have a documented disaster recovery plan?"
6. "How do you protect our backups from ransomware?"
7. "Can you show me a backup success report for the past 30 days?"
8. "What happens to our backups if we change MSPs?"

If your MSP cannot answer these questions confidently, your backup posture needs immediate attention.

Related Guides

• Essential 8 Maturity Level 1 — Backup requirements under Essential 8
• MSP Cybersecurity Incident Response — What happens during a breach
• MSP Health Score — Benchmark your MSP's capability
• RMM Software Comparison — How RMM integrates with BCDR
• MSP Technical Documentation — What your MSP should document

📖 Part of the Capgemini Investigation Series — 10 articles examining Capgemini Australia's operations, employee treatment, and business practices.

The Dossier · Deep Dive · The Exodus · Survivor Stories · Financial Analysis · vs Competition · The Vulture · Invisible Workforce · AI Gamble · Series Home

Following the Money: Capgemini Australia

Every MSP tells you they invest in their people. The numbers tell a different story. This is a forensic analysis of Capgemini Australia's financials — what they earn, what they spend, and what that tells you about their priorities.

For the full picture on Capgemini's controversies, start with our Capgemini Exposed dossier. For the employee experience, see our Capgemini Investigation deep dive.

The Australian Financials: A$878 Million Machine

Revenue and Headcount

The headline number: A$294,000 in revenue per employee. That's the amount each Capgemini Australia staff member generates for the company, on average. To put that in context:

• A mid-level consultant bills at roughly A$180-200/hour
• At 1,800 billable hours per year (a standard target), that's A$324,000-360,000 in revenue per billable consultant
• But not everyone is billable — there's management, sales, HR, bench time
• A$294,000 across all employees suggests a utilisation rate somewhere around 70-75%, which is below the industry target of 80-85%

What this means: Capgemini is not running a lean Australian operation. It's carrying overhead — or it's losing people faster than it can replace them.

Comparing Revenue per Employee Across Australian MSPs

Sources: IBISWorld (2024-2025)

The story the table tells:

• NTT Australia generates A$677K per employee — more than double Capgemini. NTT has fewer than 1,300 Australian employees but generates nearly as much revenue. This is the hallmark of a company that has aggressively offshored its delivery while keeping a thin Australian client-facing layer. NTT's Glassdoor rating in Australia is 3.6/5 — lower than Capgemini's 4.0 — suggesting that the leaner model comes at an employee experience cost.

• DXC Technology at A$404K per employee is the middle ground — more offshore-dependent than Capgemini, but not as extreme as NTT. DXC's Australian Glassdoor rating is a dismal 3.1/5, with 756 reviews consistently flagging the same issues Capgemini faces: low pay, poor management, and offshore replacement anxiety.

• Datacom at A$260K per employee is the most "onshore-heavy" model of the group. Datacom is privately held, New Zealand-founded, and has historically invested more in local delivery. Their Australian Glassdoor rating of 3.1/5 reflects different issues — more about internal politics and career stagnation than the offshore squeeze.

• Capgemini sits in the middle at A$294K. Not the leanest, not the most labour-intensive. But the trajectory is clear: Capgemini is trying to move toward NTT's model — fewer Australians, more offshore delivery, higher revenue per remaining head.

The Global Financial Picture: Declining Margins

Capgemini's Global Results (FY 2025)

Sources: Capgemini FY 2025 Results, Capgemini Q1-Q3 2025 Revenue Releases

The margin problem: Capgemini's operating margin dropped from 10.7% to 9.8% in a single year. That's a 9% decline in profitability on essentially flat revenue. In a business where the primary cost is people, declining margins mean one thing: someone has to absorb the difference.

The WNS acquisition: In October 2025, Capgemini completed the acquisition of WNS, adding approximately 66,000 employees — almost entirely offshore (India, Philippines). This expanded the global headcount from ~341,000 to ~423,000. Onshore headcount? Essentially flat at 143,200. The message is unmistakable: Capgemini is not growing its Australian or Western workforce. It is growing offshore.

The restructuring hammer: In February 2026, Capgemini announced €700 million in restructuring costs over 2026-2027. The language in the earnings call was carefully corporate: "Fit for Growth" program, "country-specific workforce and skills adaptation initiatives." In plain English: redundancies in Australia and other Western markets, with the savings redirected to offshore delivery.

The stock market verdict: Capgemini's shares fell 26% year-to-date as of early 2026. Morgan Stanley cut its price target to €117, citing growth concerns. When the market punishes your stock, the pressure to cut costs intensifies — and in an IT services company, "costs" means "people."

The Headcount Trajectory: Where the Growth Is

Sources: Capgemini Q1 2025 Revenues, Q3 2025 Revenues, FY 2025 Results

Read those numbers again. Onshore headcount has been essentially flat — 143,300 in Q1 to 143,200 in December — while offshore headcount exploded from 199,400 to 277,800. The WNS acquisition alone added 66,000 offshore workers. The onshore workforce? Shrinking by 100 people.

For Australian employees, this trajectory means: you are increasingly a minority in a company that is structurally optimising for offshore delivery. Every restructure, every "Fit for Growth" initiative, every acquisition integration results in the same outcome — fewer Australians, more Indians.

The Salary Arithmetic: Where the Margins Come From

What Capgemini Charges vs. What It Pays

Client rates based on industry standard MSP billing; salaries from SEEK job postings and Glassdoor (1,273 salary submissions)

The 60-70% gap: For every dollar a client pays Capgemini for an Australian engineer's time, the engineer sees 30-40 cents. The rest goes to overhead, margin, and the offshore arbitrage machine.

The India Arbitrage: The Real Money

Sources: SEEK, Glassdoor (AU); Indeed India, Levels.fyi, PayScale (India)

The numbers are staggering. An Australian software engineer at Capgemini earns A$128K-150K. An Indian software engineer at the same company earns ₹426K-₹1.73M — roughly A$7,500 to A$30,000. That's a 5:1 to 10:1 cost ratio. For a new graduate, the ratio is even more extreme: 12:1.

This is why Capgemini's global headcount is 66% offshore. It's not about "accessing global talent." It's about arithmetic. Every Australian role replaced by two or three Indian roles saves Capgemini 60-80% on salary costs while maintaining (or increasing) the billing rate to Australian clients.

What the "Salary Black Hole" Looks Like at Capgemini

We've written extensively about the Salary Black Hole — the gap between what MSPs charge clients and what they pay engineers. At Capgemini, the numbers are particularly stark:

• Client billing rate: A$180-250/hour for a senior engineer
• Engineer salary equivalent: A$55-72/hour (A$113K-150K annual)
• Capgemini's cut: A$108-178/hour per engineer

On a team of 10 senior engineers billing at A$200/hour, that's: - Client pays: A$3.6 million/year - Engineers receive: A$1.2 million/year (combined) - Capgemini keeps: A$2.4 million/year

That A$2.4 million covers management, office costs, sales, and profit. But when you offshore 6 of those 10 roles to India at A$20K each instead of A$140K each, the arithmetic changes dramatically:

• Offshore cost for 6 roles: A$120K/year
• Onshore cost for 4 roles: A$560K/year
• Total engineer cost: A$680K/year
• Capgemini's cut: A$2.92 million/year

Offshoring 60% of the team increased Capgemini's margin by half a million dollars per year on a single project. Multiply that across the entire Australian operation and you understand why the offshore percentage keeps climbing.

The No-Pay-Rise Reality

2026: The Year of the Freeze

In early 2026, posts on TheLayoff.com from Capgemini staff indicated no pay rise for 2026 in some regions, citing the restructuring. A recent Glassdoor review put it bluntly:

"With 2026 inflation, this is effectively a 30% decrease in purchasing power. You are literally paying to work here."

Let's do the maths on that claim:

• Australian inflation (2025-2026): ~3.5-4% (Reserve Bank of Australia estimates)
• Capgemini pay rise: 0%
• Real wage decline: 3.5-4% per year
• Cumulative over 3 years (if frozen since 2023): 10-12% real wage decline

Meanwhile: - Capgemini CEO Aiman Ezzat's compensation: Multiple millions in salary, bonuses, and stock options - €700 million restructuring budget over 2026-2027 - €1.95 billion in organic free cash flow in 2025

The money exists. It's being redirected — toward restructuring, toward offshore expansion, toward executive compensation. Not toward the Australian engineers who generate A$294,000 in revenue each.

The PayScale Numbers Don't Lie

The 11-18% gap: Capgemini's average salary of A$113,561 sits 11-18% below the Australian IT market median of A$128,000-138,000 (Ravio benchmarks, September 2025). That's not a rounding error. That's a structural choice.

SEEK's claim that 81% of Capgemini employees rate their salary as "high or average" needs context: that survey likely captures employees who are still at Capgemini (survivorship bias) and may not have compared their salary to market rates. Multiple Glassdoor reviewers report discovering they were underpaid only after leaving: "After being on the job market, I realised I had fallen way behind my peer group."

The Financial Health Check

Green Flags

• Still profitable: 9.8% operating margin, even after declining
• A$878 million in Australian revenue: Significant local presence
• €1.95 billion free cash flow: Not in financial distress
• Graduate programs: Genuine investment in junior talent
• Scale: Can handle large enterprise and government projects

Red Flags

• Declining margins: 10.7% → 9.8% in one year — the trajectory is down
• €700 million restructuring: More redundancies coming, especially in Western markets
• No pay rises in 2026: Real wages declining while costs of living rise
• 66% offshore and climbing: Australian roles are structurally at risk
• Stock down 26% YTD: Market confidence is eroding
• Acquisition integration track record: Empired (A$233M) → brand retired, staff cut. The Works → gutted, absorbed into frog. RXP → absorbed. Acclimation → absorbed
• Revenue per employee (A$294K) declining relative to competitors: NTT generates 2.3x more per head, suggesting Capgemini is either overstaffed onshore or underutilising its Australian workforce

What This Means for You

If You're an Employee

Your revenue generation (A$294K/year) is being extracted at a rate that leaves you 11-18% below market salary. The company is spending €700 million to restructure — which means your role is a line item in someone's cost-cutting exercise. The 2026 pay freeze is real. The offshore trajectory is structural, not temporary.

Action items: - Check your salary against market benchmarks - Understand your Fair Work rights - Start your escape plan before the restructuring axe falls - Document everything — your contributions, your client relationships, your deliverables

If You're a Client

Capgemini's declining margins mean pressure to cut costs on your project. The way they cut costs is by substituting senior Australian staff with junior offshore resources. The bid-to-delivery gap is a documented pattern.

Action items: - Negotiate named resource clauses in your contract - Require offshore/onshore ratio guarantees - Build milestone-based payment terms - Include data breach liability clauses (see the Razer precedent) - Have an exit strategy before you start

The Bottom Line

Capgemini Australia generates A$878 million in revenue from 2,989 employees — A$294,000 per head. That's solid but declining relative to competitors. The global parent is spending €700 million to restructure while freezing pay for Australian staff. Offshore headcount is 66% and climbing. Margins are falling. The stock is down 26%.

The financial picture is clear: Capgemini is optimising its Australian operation for cost extraction, not for investment in people. The revenue per employee is healthy because they're billing premium rates while paying below-market salaries. The restructuring isn't about becoming more competitive — it's about extracting more margin from fewer, cheaper resources.

For the full story on what this means in practice, read our Capgemini Survivor Stories — composite narratives from people who lived it.

Related Guides

• The Salary Black Hole — Where your MSP billing actually goes
• Offshore Arbitrage Playbook — The business model behind offshoring
• MSP Cost Calculator — Compare Capgemini's pricing against alternatives
• Capgemini Exposed — The complete dossier on Capgemini's controversies
• Capgemini Investigation — Deep dive into contracts, billing, and delivery
• Escape the MSP Trap — Your escape plan
• Fair Work and MSPs — Know your legal rights
• Following the Money — Where your MSP invoices actually go
• Private Equity Playbook — What happens when PE firms acquire MSPs

This analysis is based on publicly available financial data from IBISWorld (2024-2025), Capgemini's own press releases and financial disclosures (FY 2024-2025), Glassdoor (491 Australian reviews), PayScale, SEEK, Levels.fyi, Indeed, TheLayoff.com, and Morgan Stanley research notes. All revenue and headcount figures are sourced from IBISWorld and Capgemini's public filings. Salary comparisons use Australian market benchmarks from Ravio (September 2025) and cross-border salary data from Levels.fyi and PayScale India. The MSP Playbook is not affiliated with Capgemini.

Leaving an MSP is one of the most disruptive transitions a business can undergo. Unlike switching your phone provider or changing accountants, switching your MSP involves your entire IT environment — every server, every user account, every piece of data. A poorly managed exit can leave your business without email, without file access, and without anyone to call when something breaks.

Here is how to plan and execute an MSP exit that minimises disruption and protects your business.

When You Need an Exit Strategy

You need a formal exit strategy when:

• Your MSP is not meeting SLA commitments
• You have outgrown your MSP's capabilities
• The MSP has been acquired and you do not like the new ownership
• You are bringing IT in-house or switching to a different provider
• Your industry compliance requirements have changed
• You have experienced a security incident that shook your confidence
• The MSP relationship has deteriorated

Even if none of these apply, you should have an exit plan ready. The best time to plan your exit is before you need it.

The Exit Strategy Framework

Phase 1: Decision and Assessment (Weeks 1–4)

Before you give notice, spend time understanding your position.

Contract review: - Pull your Master Services Agreement and all amendments - Identify the notice period and renewal date - Review exit clauses, data return provisions, and termination penalties - Check for non-compete or exclusivity clauses that might affect your new provider - Identify any auto-renewal deadlines you must meet

See the MSP Contract Checklist for what to look for.

Environment assessment: - Document your complete IT environment (servers, workstations, network, cloud) - Inventory all software licences and subscriptions (which are in your name vs the MSP's?) - List all admin credentials and access points - Identify line-of-business applications and their support contacts - Document all vendor relationships managed by the MSP - Map your backup and disaster recovery setup

Business impact analysis: - What systems are critical to daily operations? - What is the maximum acceptable downtime during transition? - Which departments are most affected by IT changes? - What are your compliance obligations during the transition?

Phase 2: Replacement Selection (Weeks 2–8)

Do not give notice until you have a replacement lined up.

Defining requirements: - List every service your current MSP provides - Identify gaps — services you need that your current MSP does not deliver - Define your budget and contract preferences - Set your timeline constraints

Evaluating providers: - Shortlist 3–5 MSPs based on capability, size, and reputation - Issue a request for proposal (RFP) with your requirements - Conduct structured evaluations using the How to Choose an MSP framework - Check references from businesses of similar size and industry - Consider a proof of concept for critical services

Contracting the new provider: - Negotiate terms before giving notice to your current MSP - Ensure the new MSP's contract includes adequate onboarding provisions - Define SLA expectations from day one - Agree on an onboarding timeline that aligns with your exit notice

Phase 3: Preparation (Weeks 4–8)

With a replacement selected, prepare for the transition.

Documentation gathering: - Compile all environment documentation (even if incomplete) - Export credential vaults and password databases - Capture current network configurations - Document all custom scripts, workflows, and automations - Record Microsoft 365 tenant configuration - Save backup configurations and schedules

Communication plan: - Brief your leadership team on the transition plan and timeline - Prepare staff communication about the upcoming change - Identify key contacts on both sides for the transition - Establish a communication channel with your current MSP for the transition period

Risk mitigation: - Ensure backup systems are healthy and tested before the transition - Verify your new MSP has the capacity to onboard you on schedule - Plan for the overlap period where both providers are active - Document rollback procedures if the transition goes wrong

Phase 4: Notice and Handover (Weeks 8–16)

Serving notice: - Send formal written notice per your contract requirements - Reference the specific contract clause you are exercising - Request a data handover meeting - Confirm service continuity through the notice period - Send notice via email with read receipt AND registered post

See the MSP Contract Termination Process for the mechanics of serving notice.

Overlap period: - The new MSP begins onboarding while the incumbent is still under contract - Both providers have access to the environment simultaneously - Critical systems are transitioned first (email, file shares, line-of-business apps) - The new MSP builds their documentation and knowledge base - Testing and validation occur before the old MSP exits

Data handover: - Request all data in standard, portable formats - Verify backup data can be restored independently - Transfer domain ownership and DNS management - Hand over admin credentials for all services - Obtain all documentation from the incumbent MSP

Phase 5: Stabilisation (Weeks 16–24)

The old MSP is gone. Now you stabilise.

Post-transition activities: - Verify all systems are functioning correctly under the new MSP - Confirm monitoring, patching, and backup are operational - Review SLA performance from the first month - Address any issues or gaps identified during transition - Conduct a lessons-learned review - Update all documentation with the new MSP's procedures

First QBR: - Schedule a comprehensive review at the 90-day mark - Assess whether the transition met expectations - Identify ongoing improvements - Formalise the relationship and long-term roadmap

Handling Difficult Exits

Some MSPs do not make leaving easy. Common tactics:

Data Hostage

The MSP delays or refuses to return your data.

Response: Reference your contract's data return clause. If they continue to withhold data, engage a commercial lawyer. Under Australian law, your data belongs to you.

Service Degradation

The MSP provides poor service during the notice period, hoping you will stay out of frustration.

Response: Document every SLA breach. Reference these in writing. If service degrades significantly, it may constitute breach of contract — which could void your termination penalties.

Client Contact

The MSP contacts your clients directly, trying to retain them.

Response: If your contract includes a client non-solicitation clause, enforce it. If it does not, communicate with your clients proactively about the transition.

Surprise Invoices

The MSP issues unexpected charges during the exit period.

Response: Review every invoice against your contract. Dispute any charges that are not contractually justified. Pay undisputed amounts to avoid the MSP using unpaid invoices as leverage.

The Documentation Handback

Request the following from your departing MSP:

• [ ] Complete network documentation and diagrams
• [ ] Server and workstation inventory
• [ ] Software licence register
• [ ] All admin credentials (exported from password vault)
• [ ] Microsoft 365 tenant admin access
• [ ] Domain registrar access and transfer codes
• [ ] Backup configurations and test results
• [ ] Firewall configurations and rule sets
• [ ] Runbooks and standard operating procedures
• [ ] Vendor contacts and support agreements
• [ ] Security policies and compliance documentation
• [ ] Ticket history and open issue register

If your contract does not include a documentation handover clause, add one at your next renewal. See the MSP Technical Documentation guide for what thorough documentation looks like.

Related Guides

• MSP Contract Termination Process — The mechanics of leaving
• MSP Contract Checklist — What to include in your contract
• How to Choose an MSP — Selecting your replacement
• MSP Client Onboarding Process — How the new MSP should onboard you
• MSP Contract Red Flags — Spotting problematic clauses early

The Australian MSP industry has a dirty secret: it systematically underpays its staff. The average MSP salary is A$95,000-105,000 — 15-25% below the broader Australian IT market median.

This article provides comprehensive salary data for every major IT role in the Australian MSP market, so you can negotiate from a position of knowledge.

Salary Benchmarks by Role

Service Desk / Help Desk

Desktop / Endpoint Engineering

Systems / Cloud Engineering

Networking

Security

Project / Program Management

Management / Leadership

The MSP Salary Gap: Why It Exists

The Business Model

MSPs make money on the gap between what they charge clients and what they pay staff. A senior engineer billed at A$200/hour but paid A$65/hour generates A$135/hour in gross margin. That margin covers overhead, profit, and the bench.

The Bench Effect

MSPs maintain a pool of staff between projects (the "bench"). These staff are paid but not billed. To maintain profitability, MSPs keep salaries below market to offset bench costs.

Offshore Arbitrage

When 60% of your global workforce is offshore at Indian salary rates, the downward pressure on Australian salaries is structural. Capgemini, NTT, and DXC all use this model.

Lack of Transparency

Most MSPs don't publish salary ranges. Without transparency, employees don't know they're underpaid until they leave.

How to Get Paid What You're Worth

1. Know Your Market Value

Use our Salary Calculator to check your current market value. The calculator uses real data from SEEK, Glassdoor, PayScale, and Levels.fyi.

2. Negotiate From Data

When negotiating, cite specific market data. "The market rate for a senior cloud engineer in Sydney is A$140,000-165,000. I'm currently at A$115,000. I'd like to be at A$145,000."

3. Consider the Total Package

Salary is only part of the picture. Consider: - Superannuation (should be 11.5%+) - Leave entitlements - Flexible working arrangements - Training and certification budgets - Equity or bonus structures

4. Know When to Leave

If your MSP won't pay market rate after 2-3 years, it's time to move. The fastest way to get a 20-30% raise is to change jobs.

5. Specialise

Generalists are replaceable. Specialists are scarce. Cloud, security, and DevOps skills command premium rates.

Salary by City

Canberra commands a premium because of the concentration of government contracts and security clearance requirements.

The Bottom Line

The Australian MSP industry underpays by 15-25%. The gap is structural, not cyclical. If you're in an MSP and your salary hasn't kept pace with the market, use the data in this article to negotiate — or to plan your exit.

Your skills are worth more than your MSP is paying. Know your worth. Act on it.

Salary data compiled from SEEK, Glassdoor, PayScale, Levels.fyi, Hays Salary Guide, Robert Half, and Michael Page. All figures are for Australian IT roles in MSP/consulting environments.

You joined an MSP because it was a good place to learn. You got exposed to multiple technologies, worked with different clients, and built a broad skill set. That was two years ago.

Now you're underpaid, overworked, and watching your friends in internal IT or cloud roles earn 20-30% more for less stress. The MSP promised "variety" and "experience" — and delivered burnout.

This guide is your exit plan.

Why MSPs Are a Trap

The Salary Gap

The average MSP salary is A$95,000-105,000. The Australian IT market median is A$128,000-138,000. That's a 20-25% gap — and it widens the longer you stay.

After 3 years at an MSP, you're likely earning A$10,000-20,000 below your market value. Over a 10-year career, that's A$100,000-200,000 in lost earnings.

The Skill Plateau

MSPs teach breadth, not depth. After 2-3 years, you've seen most of what the MSP world offers. The learning curve flattens. Your skills become commoditised.

Meanwhile, specialists in cloud, security, or DevOps are commanding premium rates. Your breadth becomes a liability: you know a little about everything but nothing deeply enough to command top pay.

The Burnout Cycle

MSP work is inherently stressful: - Multiple clients with competing priorities - Urgent tickets at 5 PM on Friday - On-call rotations that disrupt your life - Constant context-switching between projects

The burnout cycle is predictable: excitement (months 1-6) → competence (months 6-18) → frustration (months 18-30) → burnout (months 30+).

The Escape Plan

Phase 1: Build Your Escape Fund (Months 1-2)

Before you do anything else, build a financial cushion: - Save 3-6 months of living expenses - Cut discretionary spending - This gives you the power to say no to bad offers

Phase 2: Document Your Achievements (Month 2)

MSP work is hard to quantify. Translate your experience into measurable achievements:

Bad: "Managed multiple client environments" Good: "Managed 15 client environments with 99.9% uptime, reducing ticket resolution time by 30%"

Bad: "Worked on cloud migration projects" Good: "Led migration of 3 clients to Azure, reducing infrastructure costs by 25%"

Use the STAR method: Situation, Task, Action, Result. Quantify everything.

Phase 3: Identify Your Target (Month 2-3)

Where do you want to go? Options:

Pick one direction. Don't spray applications everywhere.

Phase 4: Fill the Gaps (Months 3-6)

What skills does your target role require that you don't have?

Common gaps: - Cloud certifications (AWS, Azure, GCP) - Security certifications (CISSP, CEH, CompTIA Security+) - Specific tools (Kubernetes, Terraform, Ansible) - Soft skills (presentation, stakeholder management)

Invest in 1-2 certifications. Don't try to learn everything — focus on what your target role needs.

Phase 5: Network and Apply (Months 4-8)

Recruiters. Build relationships with 3-5 recruiters who specialise in your target area: - Hays Technology - Robert Half Technology - Michael Page Technology - Hudson Technology - Specialist recruiters in your city

LinkedIn. - Update your headline to reflect your target role - Connect with people in your target companies - Share relevant content (1-2 posts per week)

Applications. Apply to 5-10 roles per week. Tailor each application. Don't mass-apply.

Phase 6: Negotiate Like You Mean It (Month 6+)

When you get an offer: - Always negotiate. The first offer is never the highest they'll pay - Use market data: "The market rate for this role is A$140,000-160,000" - Negotiate beyond salary: training budget, flexible working, additional leave - Get the offer in writing before you resign

The Salary Negotiation Script

When they ask your current salary: "I'm currently earning A$[actual], but I'm focused on finding the right role at the right market rate. Based on my research, this role should be in the A$[target] range."

When they offer below market: "Thank you for the offer. I'm excited about this role. Based on my research and the value I'll bring, I'm looking for A$[target]. Is there flexibility in the package?"

When they say "that's our maximum": "I understand. Is there flexibility on other elements — training budget, additional leave, flexible working, or a performance review at 6 months with a salary adjustment?"

The MSP-to-Internal IT Pipeline

The most common exit from an MSP is into internal IT. Here's why:

Internal IT pays more. Average internal IT salary: A$120,000-150,000. That's 20-30% more than an MSP for similar work.

Internal IT has better work-life balance. One client (the company you work for), not fifteen. No competing priorities. Fewer emergencies.

Internal IT values MSP experience. Your breadth of experience is an asset in internal IT. You've seen multiple environments, technologies, and challenges.

Internal IT has clearer career paths. Defined roles, promotion criteria, and development plans. No "dead man's shoes" politics.

Red Flags to Watch For

When interviewing at a new company, watch for these MSP red flags:

• "We're like a family" (means: we'll guilt you into working extra)
• "Fast-paced environment" (means: understaffed and chaotic)
• "Wear many hats" (means: underpaid and overworked)
• "Competitive salary" (means: we'll lowball you)
• "Immediate start required" (means: someone just left in a hurry)

The Bottom Line

The MSP trap is real. The salary gap, the skill plateau, the burnout cycle — they're all symptoms of a business model that extracts value from staff.

The escape plan is simple: save money, document achievements, target a role, fill the gaps, network aggressively, and negotiate hard.

Your skills are worth more than your MSP is paying. It's time to act on it.

Based on salary data from SEEK, Glassdoor, and Hays Technology Guide 2026. Career advice drawn from interviews with 50+ IT professionals who successfully transitioned from MSPs.

Profit margins are the financial heartbeat of an MSP. They determine whether you can invest in growth, hire quality staff, and survive economic downturns. Yet many MSPs operate without a clear understanding of their margin profile.

Here is what healthy margins look like in the Australian MSP industry and how to improve yours.

MSP Margin Benchmarks

Gross Margin by Service Type

Net Margin Benchmarks

Larger MSPs typically achieve higher margins due to economies of scale, standardised processes, and greater purchasing power.

The Margin Equation

MSP profitability is driven by a simple equation:

Revenue per engineer × Engineer utilisation rate - Cost per engineer = Margin

Revenue Per Engineer

This measures how much revenue each engineer generates:

Engineer Utilisation Rate

Utilisation measures how much of an engineer's time is spent on billable or productive work:

Cost per Engineer

Include all costs: salary, benefits, training, tools, workspace, management overhead. A fully loaded cost per engineer in Australia is typically $150,000-$250,000 depending on skill level and location.

Margin Improvement Strategies

1. Standardise Service Delivery

Standardisation reduces variation, which reduces cost:

• Standardise your tech stack — fewer tools, better pricing, easier management
• Create standard operating procedures — consistent delivery, less rework
• Template common configurations — faster deployment, fewer errors
• Build standard onboarding packages — predictable costs and timelines

2. Automate Repetitive Tasks

Automation reduces labour cost per ticket:

• Automated patching — reduces manual patch management
• Automated monitoring — reduces alert fatigue and response time
• Automated documentation — reduces time spent on records
• Automated provisioning — reduces onboarding time

Our PowerShell Automation guide covers 50 tasks that can be automated.

3. Upsell Higher-Margin Services

Move clients up the value chain:

Our MSP Client Retention Strategy covers upselling approaches.

4. Reduce Tool Sprawl

Every tool your MSP uses has a cost — not just licence fees, but training, integration, and management overhead:

• Audit all tools annually
• Consolidate overlapping tools
• Negotiate volume discounts
• Remove tools that are not delivering value

5. Improve Pricing

Many MSPs under-price their services:

• Benchmark against market rates using our MSP Pricing Comparison
• Review pricing at least annually
• Implement annual price increases (3-5% minimum)
• Remove underpriced services or restructure them

6. Improve Engineer Utilisation

Engineers spending time on non-productive work reduces margins:

• Track time allocation by activity
• Reduce meeting overhead
• Improve handoff processes between tiers
• Use PSA tools to track and optimise workflows

Financial Health Indicators

Beyond margins, monitor these financial health metrics:

Monthly Recurring Revenue (MRR) Growth

Target 2-5% MRR growth per month. Stagnant MRR indicates market saturation or competitive pressure.

Client Retention Rate

Target 90%+ annual retention. Losing clients erodes the recurring revenue base that MSP margins depend on.

Average Revenue Per User (ARPU)

Track ARPU over time. Declining ARPU indicates either under-pricing or a shift toward lower-value clients.

Cash Flow

MSPs with strong recurring revenue should have predictable cash flow. Irregular cash flow may indicate collection issues or over-reliance on project work.

Our MSP Financial Breakdown guide covers these metrics in detail.

The Pricing Trap

Many MSPs compete on price, which destroys margins:

The Race to the Bottom

• Lower prices → lower margins → less investment in quality → worse service → client churn → pressure to lower prices further

The Value Alternative

• Higher prices → better margins → investment in quality → better service → client retention → ability to raise prices

The most profitable MSPs are not the cheapest — they are the ones that deliver the most value and price accordingly.

Margin Analysis by Business Model

Per-User Pricing

Per-Device Pricing

Similar economics but with different dynamics — device counts are more predictable than user counts.

Fixed-Price Agreements

Fixed-price agreements provide revenue predictability but require accurate scoping. Under-scoped agreements destroy margins.

The Bottom Line

MSP profit margins are not accidental — they are the result of deliberate choices about pricing, service delivery, tooling, and operational efficiency. Understanding your margin profile is the first step to improving it.

Start with the basics: calculate your true cost per engineer, revenue per engineer, and utilisation rate. Then focus on the strategies that have the highest impact on your specific situation.

Use our MSP Pricing Comparison to benchmark your pricing against the market, or our MSP Cost Calculator to calculate your true cost of service delivery.

Your MSP has a helpdesk. You can call, raise a ticket, and someone will respond. That is the minimum viable relationship. The question is whether you have more than that — a partner who understands your business, proactively identifies problems, and contributes to your strategic goals.

The difference between a vendor and a partner is account management. Without it, you are buying a service. With it, you are building a relationship that compounds in value over time.

The Account Management Model

What Good Account Management Looks Like

Operational layer (monthly): - Review of ticket performance and SLA metrics - Discussion of ongoing issues and resolution plans - Updates on changes to the MSP environment - Tactical planning for upcoming needs

Strategic layer (quarterly): - Business alignment discussion — how IT supports your goals - Technology roadmap review — what is coming and what you need - Improvement initiatives — what the MSP is doing to enhance service - Risk assessment — emerging threats and vulnerabilities - Budget planning — upcoming costs and investment opportunities

Executive layer (annually): - Contract review and renewal discussion - Long-term strategic alignment - Relationship health assessment - Benchmarking against market alternatives - Innovation opportunities

The Dedicated Account Manager

Your MSP should assign a dedicated account manager who:

Knows your business: - Understands your industry and competitive environment - Knows your business goals and growth plans - Understands your risk tolerance and compliance requirements - Has context on your technology environment and its history

Owns the relationship: - Is your single point of escalation - Coordinates internal MSP resources on your behalf - Ensures promises are kept - Proactively communicates changes and issues

Drives value: - Identifies improvement opportunities - Recommends technology investments - Connects you with MSP specialists when needed - Ensures you are getting full value from your contract

Building an Effective Governance Framework

Monthly Operational Reviews

Agenda: 1. SLA performance review (10 minutes) 2. Ticket analysis — trends, patterns, highlights (10 minutes) 3. Open issues status (10 minutes) 4. Upcoming changes or projects (5 minutes) 5. Action items and next steps (5 minutes)

Who attends: - Your IT manager or equivalent - MSP account manager - MSP technical lead (if needed for specific issues)

Best practices: - Keep it focused — 30-60 minutes maximum - Start with data, not stories - End with clear action items and owners - Document and distribute minutes within 24 hours

Quarterly Strategic Reviews

Agenda: 1. Business update — what is happening in your business (15 minutes) 2. IT alignment — how technology supports your goals (15 minutes) 3. Performance trends — are metrics improving or declining? (15 minutes) 4. Improvement initiatives — what the MSP is doing to add value (15 minutes) 5. Risk assessment — emerging risks and mitigation plans (10 minutes) 6. Budget and planning — upcoming costs and investment (10 minutes) 7. Action items and next quarter focus (10 minutes)

Who attends: - Senior management or CEO (for business context) - Your IT manager - MSP account manager - MSP technical director or CTO (for strategic discussions)

Annual Strategic Sessions

Agenda: 1. Year in review — what was accomplished (30 minutes) 2. Relationship health — what is working and what needs improvement (30 minutes) 3. Market landscape — competitive analysis and benchmarking (30 minutes) 4. Technology roadmap — 12-24 month technology plan (60 minutes) 5. Contract review — pricing, terms, scope (30 minutes) 6. Innovation opportunities — new capabilities or approaches (30 minutes)

Who attends: - CEO or managing director - Finance (for budget discussions) - Your IT manager - MSP executive sponsor - MSP account manager

Common Relationship Problems

The "Invisible MSP" Problem

Symptoms: - You only hear from the MSP when something goes wrong - No proactive communication about improvements or opportunities - Account manager changes frequently without proper handover - Service reviews feel like box-ticking exercises

Root cause: The MSP is treating you as a contract, not a relationship. They are focused on efficiency (handling many clients with minimal touch) rather than effectiveness (building deep partnerships with fewer clients).

Fix: Explicitly request dedicated account management, define governance expectations in your contract, and hold the MSP accountable for proactive communication.

The "Always Escalating" Problem

Symptoms: - Issues require multiple escalations to resolve - The account manager has no authority to make decisions - Every request goes through layers of approval - Simple changes take weeks to implement

Root cause: The MSP has not empowered your account manager or has inadequate internal processes.

Fix: Request escalation path clarity, ensure your account manager has decision-making authority for your account, and define service commitment timeframes for different request types.

The "Knowledge Gap" Problem

Symptoms: - Your account manager does not understand your business - Recommendations do not account for your specific context - You explain the same things repeatedly after staff changes - Strategic advice feels generic, not tailored

Root cause: The MSP has not invested in understanding your business, or they have lost institutional knowledge due to staff turnover.

Fix: Insist on proper handover processes when staff change, provide business context proactively, and include business understanding as an evaluation criterion for account management.

Measuring Account Management Effectiveness

Key Indicators

Good account management: - You feel heard and understood - Issues are resolved before you raise them - The MSP proactively identifies opportunities and risks - Strategic discussions feel valuable, not performative - The relationship improves over time

Poor account management: - You feel like just another ticket number - Issues recur because root causes are not addressed - You learn about problems from users, not the MSP - Strategic reviews are repetitive and unproductive - The relationship is transactional, not partnership

Questions to Ask Yourself

• When was the last time my MSP proactively contacted me with an improvement idea?
• Do I have a single person I trust to escalate issues to?
• Does my MSP understand my business goals beyond IT?
• Are service reviews improving the relationship or just consuming time?
• Would I recommend my MSP to a peer?

Related Guides

• MSP Service Delivery Metrics — What to measure in reviews
• MSP Service Level Management — SLA governance
• MSP Contract Negotiation Tips — Negotiate account management into your contract
• MSP Employee Feedback System — How your staff experience the MSP
• How to Choose an MSP — Evaluating account management during selection

The Australian MSP market is consolidating rapidly. Private equity firms, larger MSPs, and ambitious entrepreneurs are all acquiring smaller providers. But buying an MSP without proper due diligence is one of the fastest ways to lose money in the IT services industry.

Here is a comprehensive due diligence framework for evaluating an MSP acquisition target.

Why Due Diligence Matters

MSP acquisitions look simple on the surface: you buy the contracts, inherit the clients, and collect the monthly fees. But the reality is far more complex. MSP businesses are built on relationships, technology, and people — all of which can deteriorate rapidly if the acquisition is not managed carefully.

The most common causes of failed MSP acquisitions:

• Client exodus: Clients leave because the acquiring MSP changes service quality or communication
• Key staff departure: Engineers and account managers take their knowledge and relationships elsewhere
• Technical surprises: Hidden infrastructure problems, unpatched systems, or undocumented configurations
• Contract traps: Short-term contracts, unfavourable terms, or auto-renewal clauses that benefit the wrong party
• Cultural mismatch: Different service philosophies create friction with clients and staff

Proper due diligence identifies these risks before you sign the deal.

Financial Due Diligence

Revenue Analysis

• Recurring vs non-recurring revenue: What percentage is monthly recurring (MRR) vs project/one-off work? Target: 70%+ recurring revenue.
• Revenue concentration: What percentage of revenue comes from the top 5 clients? If one client represents more than 15% of revenue, that is a concentration risk.
• Revenue growth trend: Is revenue growing, flat, or declining? A declining MSP is a red flag.
• Client churn rate: What percentage of clients leave annually? Industry average is 5–10%. Above 15% is concerning.
• Pricing trends: Are fees increasing or are clients getting discounts at renewal?

Profitability Analysis

• EBITDA margin: Healthy MSPs have EBITDA margins of 10–20%. Below 10% suggests operational inefficiency.
• Gross margin by service: Which services are profitable and which are loss leaders?
• Labour utilisation: What percentage of technician time is billable/utilised? Target: 70–80%.
• Owner compensation: Is the owner extracting excessive salary or distributions that inflate the reported profit?

Balance Sheet Review

• Accounts receivable: How many days overdue are client payments? Aging receivables indicate collection problems.
• Deferred revenue: Are there prepaid contracts that create future obligations?
• Vendor payables: Are there unpaid vendor bills (software licences, hardware, tools)?
• Assets and liabilities: What physical and intangible assets exist? What liabilities are outstanding?

See the MSP Financial Breakdown for detailed valuation methodology.

Client Due Diligence

Client Portfolio Analysis

• Number of clients: Total active clients and their size distribution
• Contract terms: Average contract length, renewal dates, and notice periods
• Contract value: Average monthly revenue per client
• Client satisfaction: Net Promoter Scores (NPS) or client feedback if available
• Client tenure: How long have clients been with the MSP?

Client Concentration Risk

• Top client dependency: If your largest client represents more than 15% of revenue, you are at risk.
• Industry concentration: If most clients are in one industry, a sector downturn could hit hard.
• Geographic concentration: Clients clustered in one area create local economic risk.

Client Retention Strategy

Before closing the deal, plan how you will communicate with clients:

1. Pre-announcement preparation: Draft client communication before the deal closes
2. Day-one messaging: Clear, confident communication about service continuity
3. 90-day integration plan: How you will merge operations without disruption
4. Retention incentives: Consider offering contract extensions or loyalty incentives to key clients

Technical Due Diligence

Infrastructure Assessment

• Server environment: Age, condition, and documentation of all servers
• Network infrastructure: Firewall models, switch configurations, wireless coverage
• Cloud services: Microsoft 365 tenant configuration, Azure subscriptions, other cloud services
• RMM/PSA platform: What tools do they use? How well-configured are they?
• Backup and DR: Solution, configuration, and last test date
• Security posture: Essential 8 maturity, MFA coverage, EDR deployment, patch compliance

Documentation Quality

Request and review:

• Network diagrams (do they exist? are they accurate?)
• Asset inventory (is it complete and current?)
• Runbooks and SOPs (are they documented?)
• Password management (how are credentials stored and managed?)
• Vendor contracts (what commitments exist?)

Poor documentation is one of the most common and costly findings in MSP due diligence. See the MSP Technical Documentation guide for what good documentation looks like.

Technical Debt Assessment

• Age of infrastructure: How old are the servers, switches, and firewalls?
• End-of-life equipment: What is running on unsupported hardware or software?
• Patch compliance: What percentage of systems are patched?
• Security gaps: What Essential 8 controls are missing?
• Migration backlog: Are there pending migrations (on-prem to cloud, legacy app upgrades)?

Technical debt is the hidden cost of an MSP acquisition. Budget for remediation.

People Due Diligence

Team Assessment

• Staff count and roles: How many technicians, account managers, and support staff?
• Key person dependency: Is the business dependent on one or two key individuals?
• Employment contracts: Review terms, non-compete clauses, and notice periods
• Salary benchmarking: Are staff paid at market rates? (See the Salary Guide 2026)
• Cultural assessment: How does the team's work culture compare to yours?

Retention Risk

• Flight risk analysis: Which key staff are most likely to leave?
• Retention incentives: Budget for retention bonuses for critical team members
• Transition plan: Plan for knowledge transfer before key staff depart
• Non-compete clauses: Do existing contracts prevent staff from competing?

The MSP Employee Retention article covers retention strategies in detail.

Legal and Contractual Due Diligence

Contract Review

• Master Service Agreements: Review all active MSAs for terms, liabilities, and exit clauses
• Client contracts: Identify any unfavourable terms or unusual commitments
• Vendor contracts: Review agreements with tool vendors, cloud providers, and subcontractors
• Employment contracts: Review all staff contracts for terms, non-competes, and IP provisions

Compliance and Regulatory

• Essential 8 compliance: Is the MSP meeting baseline cybersecurity requirements?
• Privacy Act obligations: Are they handling client data in compliance with Australian Privacy Principles?
• Insurance coverage: Verify all insurance policies (cyber, professional indemnity, public liability)
• ABN/ACN status: Verify the business is in good standing with the ATO
• Outstanding disputes: Check for any pending legal actions or complaints

Intellectual Property

• Proprietary tools or scripts: Does the MSP have any custom-developed tools?
• Client data ownership: Ensure all client data is clearly owned by the client
• Branding and marketing materials: What intellectual property comes with the acquisition?

The Due Diligence Checklist

After the Deal: Integration Planning

Due diligence does not end at closing. Plan your first 100 days:

• Days 1–30: Announce acquisition to clients and staff. Stabilise operations. No major changes.
• Days 31–60: Begin integrating systems and processes. Address critical technical debt.
• Days 61–100: Optimise operations. Cross-train staff. Evaluate client portfolio.

The MSP Client Onboarding Process guide provides a framework for integrating new clients.

Related Guides

• MSP Financial Breakdown — Understanding MSP valuations
• Private Equity Playbook — PE's role in MSP acquisitions
• MSP Due Diligence Checklist — Detailed checklist
• Salary Guide 2026 — Staff cost benchmarking
• MSP Employee Retention — Retaining acquired staff

Wipro is India's fourth-largest IT services company. Revenue: US$11 billion globally. Employees: 230,000+. In Australia, it's the quietest of the Indian majors — smaller presence than TCS or Infosys, but a steady player in government and enterprise contracts.

The Numbers

Average salary (Australia): A$90,000-105,000

Employee Experience

The Good

Competitive salary. Wipro pays slightly better than NTT and Datacom for comparable roles. The average of A$90,000-105,000 is closer to market rate than many competitors.

Global exposure. Working with India's fourth-largest IT company provides exposure to global projects and methodologies.

Stability. Wipro doesn't do mass layoffs. The company is profitable and privately controlled by the Premji family, which provides long-term stability.

The Bad

Limited Australian presence. With ~800 employees in Australia, there are fewer roles, fewer projects, and fewer opportunities for advancement.

Offshore delivery challenges. "The quality of offshore delivery is inconsistent." Client satisfaction suffers when work is handed off without adequate oversight.

Cultural friction. Managing across Indian and Australian cultures requires specific skills. Some teams handle this well; others struggle.

Career ceiling. Onshore staff face a clear ceiling. The strategic direction is offshore, which limits growth for Australian-based employees.

The Ugly

The "bridge" role. Like NTT, onshore staff at Wipro increasingly exist to manage offshore delivery rather than do the work. This isn't what most engineers signed up for.

How Wipro Compares

What This Means for You

If you're considering Wipro: - The salary is competitive but the Australian presence is small - Ask about the specific team and its offshore ratio - The stability is genuine — Wipro doesn't do mass layoffs - Career growth is limited for onshore staff

If you're a client: - Wipro can deliver at competitive prices - Quality depends on the specific team and oversight - The smaller Australian presence means less local support

Based on Glassdoor (200+ Australian reviews), PayScale, and public reporting.

The server running your finance system is seven years old. The operating system is out of support. Your MSP keeps it running with duct tape and prayers. You do not know this because nobody has shown you.

Technical debt is the invisible risk in every MSP-managed environment. It accumulates gradually — an unsupported OS here, an undocumented configuration there, a backup that has not been tested in two years. Each individual issue seems minor. Together, they represent a growing threat to your business that will eventually demand payment, usually at the worst possible moment.

What Technical Debt Looks Like in MSP Environments

Infrastructure Debt

• End-of-life hardware. Servers, switches, and firewalls past manufacturer support dates
• Unsupported software. Operating systems and applications no longer receiving security patches
• Deferred upgrades. Known issues that have been "scheduled for next quarter" for two years
• Capacity limitations. Systems running at 80-90% capacity with no upgrade plan
• Single points of failure. Critical systems with no redundancy

Configuration Debt

• Undocumented changes. Modifications to systems that exist only in one engineer's head
• Inconsistent configurations. Different settings across similar systems
• Default credentials. Services still running with factory-default passwords
• Expired certificates. TLS certificates approaching or past expiry
• Orphaned accounts. Former employees or contractors with active access

Security Debt

• Missing patches. Known vulnerabilities not addressed due to "risk of breaking things"
• Outdated security tools. Antivirus, firewalls, or monitoring tools past their effective life
• Unencrypted data. Sensitive information stored without encryption
• Weak access controls. Excessive permissions, missing MFA, shared accounts
• No incident response plan. No documented process for handling security events

Process Debt

• No change management. Changes made without approval, documentation, or rollback plans
• Untested backups. Backup systems that have not been verified to restore successfully
• Missing monitoring. Systems not being actively monitored for performance or security
• No documentation. Environments where only one person knows how things work
• Skippped reviews. Service reviews, security assessments, and audits not conducted regularly

How to Assess Technical Debt

The MSP Technical Debt Audit

Conduct this assessment annually, or whenever you suspect issues:

1. Infrastructure Inventory

Document every system in your environment: - Hardware: age, support status, performance metrics - Software: version, support status, license status - Cloud services: configuration, costs, optimisation opportunities

2. Security Posture Review

Evaluate security across your environment: - Essential 8 maturity assessment - Vulnerability scan results - Access control review - Backup and recovery testing - Incident response capability

3. Documentation Audit

Assess the quality and completeness of documentation: - Network diagrams (are they current?) - System configurations (are they documented?) - Runbooks and procedures (do they exist?) - Disaster recovery plans (have they been tested?)

4. Process Review

Evaluate operational processes: - Change management (is it followed?) - Incident management (is it effective?) - Problem management (are root causes addressed?) - Capacity planning (is it proactive?)

Scoring Technical Debt

Rate each area on a 1-5 scale:

The Cost of Technical Debt

Direct Costs

• Emergency repairs. When systems fail, emergency fixes cost 3-5x more than planned upgrades
• Productivity loss. Slow, unreliable systems reduce employee output across the business
• Security incidents. Unpatched vulnerabilities are the primary attack vector for breaches
• Compliance penalties. Unsupported systems may violate regulatory requirements
• Forced migrations. When systems finally fail, you have no choice but to replace them — at premium pricing and maximum disruption

Indirect Costs

• Opportunity cost. Money spent maintaining old systems cannot be invested in improvement
• Staff frustration. Working with unreliable technology drives dissatisfaction and turnover
• Client risk. If you are an MSP, technical debt in one client environment threatens all clients
• Reputation damage. Service failures caused by technical debt damage your brand

The Compounding Effect

Technical debt compounds. A $10,000 upgrade deferred today becomes a $15,000 upgrade next year and a $30,000 emergency replacement in three years. Meanwhile, the interest accumulates: additional security risk, additional maintenance time, additional performance degradation.

Working With Your MSP on Technical Debt

What to Ask

• "Can you provide a current inventory of all systems in our environment?"
• "Which systems are past end-of-life or end-of-support?"
• "What is our current Essential 8 maturity level?"
• "When were our backups last tested?"
• "Can you show me our technical debt register?"
• "What is your recommended upgrade roadmap for the next 12-24 months?"

What to Expect

A good MSP will: - Maintain a technical debt register for your environment - Proactively highlight risks and recommend remediation - Provide a roadmap with cost estimates and timelines - Present upgrade options with business case analysis - Track technical debt metrics over time

A bad MSP will: - Resist or delay providing documentation - Claim everything is "fine" without evidence - Deflect questions about unsupported systems - Have no formal process for tracking or addressing debt - Treat technical debt as your problem, not theirs

The Remediation Conversation

When technical debt is identified, the conversation should follow this structure:

1. What is the debt? Specific systems, configurations, or processes that need attention
2. What is the risk? Business impact if the debt is not addressed
3. What are the options? Remediation approaches with cost and timeline estimates
4. What do you recommend? The MSP's recommended approach with justification
5. What is the decision? Client approves, defers, or declines — with documented rationale

Building a Technical Debt Management Plan

Create a Technical Debt Register

Maintain a living document that tracks: - All identified technical debt items - Risk rating for each item - Recommended remediation approach - Cost and timeline estimates - Decision status (approved, deferred, declined) - Target remediation date

Prioritise by Risk

Not all technical debt needs to be addressed immediately. Prioritise based on:

1. Security impact — vulnerabilities that could be exploited
2. Compliance impact — systems that violate regulatory requirements
3. Business criticality — systems that directly support revenue or operations
4. Cost trajectory — debt that is getting more expensive to maintain
5. Dependency risk — systems that other critical systems depend on

Budget for Remediation

Allocate 15-20% of your annual IT budget to technical debt remediation. This prevents the debt from accumulating faster than you can address it. If your MSP's contract does not include infrastructure refresh provisions, negotiate them.

Related Guides

• MSP Service Delivery Metrics — Track performance metrics that reveal technical debt
• Cyber Insurance MSP Requirements — Technical debt affects insurance
• MSP Compliance Framework Guide — Compliance requirements drive remediation
• MSP Quality Management System — Quality processes prevent debt accumulation
• MSP Health Score — Benchmark your environment's health

ISO 27001 certification is becoming a table stakes requirement for Australian MSPs targeting enterprise and government clients. It is not just a compliance exercise — it is a business differentiator that demonstrates your commitment to information security.

What ISO 27001 Is

ISO 27001 is the international standard for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). It provides a framework for managing information security risks systematically.

The ISMS Framework

An ISMS is a systematic approach to managing sensitive company information:

• Policies and procedures — documented rules for information security
• Risk assessment — identifying and evaluating information security risks
• Controls — measures to mitigate identified risks
• Monitoring — ongoing measurement and review
• Improvement — continuous enhancement of the ISMS

What ISO 27001 Covers

Why MSPs Need ISO 27001

Client Requirements

Enterprise and government clients increasingly require ISO 27001 certification from their IT service providers:

• Government procurement — many RFPs mandate ISO 27001 or equivalent
• Enterprise contracts — large organisations require certified vendors
• Insurance requirements — some cyber insurers prefer ISO 27001 certified providers
• Competitive differentiation — certified MSPs win more competitive deals

Business Benefits

Regulatory Alignment

ISO 27001 supports compliance with:

• Privacy Act 1988 — security obligations under the APPs
• Essential 8 — Annex A controls align with Essential 8 requirements
• APRA CPS 234 — information security requirements for financial services
• NDB Scheme — incident response and notification capabilities

The Certification Process

Phase 1: Gap Analysis (Weeks 1-4)

Assess current state against ISO 27001 requirements:

• Review existing policies and procedures
• Identify gaps in controls and documentation
• Assess current risk management practices
• Determine resource requirements

Output: Gap analysis report with prioritised remediation plan.

Phase 2: ISMS Design (Weeks 5-12)

Design the ISMS framework:

• Develop information security policy
• Define scope and boundaries
• Establish risk assessment methodology
• Select and plan Annex A controls
• Develop supporting procedures

Output: ISMS documentation and implementation plan.

Phase 3: Implementation (Weeks 8-24)

Implement the ISMS:

• Deploy selected controls
• Train staff on security procedures
• Implement monitoring and measurement
• Conduct internal audits
• Address non-conformities

Output: Operational ISMS with evidence of implementation.

Phase 4: Certification Audit (Weeks 20-36)

External certification body conducts audit:

• Stage 1 audit: Documentation review and readiness assessment
• Stage 2 audit: Implementation verification and effectiveness assessment
• Certification decision: Based on audit findings

Output: ISO 27001 certification (valid for 3 years).

Phase 5: Ongoing Maintenance (Continuous)

Maintain certification through:

• Annual surveillance audits
• Continuous monitoring and improvement
• Regular risk assessments
• Management reviews
• Staff awareness training

Key Annex A Controls for MSPs

Organisational Controls

• A.5.1 — Policies for information security
• A.5.7 — Threat intelligence
• A.5.23 — Information security for cloud services
• A.5.30 — ICT readiness for business continuity

People Controls

• A.6.3 — Information security awareness, education, and training
• A.6.6 — Confidentiality or non-disclosure agreements
• A.6.8 — Information security event reporting

Technological Controls

• A.8.1 — User endpoint devices
• A.8.5 — Secure authentication
• A.8.9 — Configuration management
• A.8.20 — Network security
• A.8.24 — Use of cryptography
• A.8.26 — Application security requirements

Our Essential 8 Implementation Checklist covers many of the technical controls required by ISO 27001.

Costs and Investment

Implementation Costs

Ongoing Costs

ROI Calculation

Factor in:

• Revenue from certified clients — how many deals require certification?
• Competitive wins — how many deals did certification help win?
• Risk reduction — what is the cost of a breach that ISO 27001 would prevent?
• Efficiency gains — how much time do documented processes save?

Common Certification Pitfalls

Checkbox Compliance

Treating ISO 27001 as a checklist rather than a genuine security management framework. The certification is meaningful only if the ISMS is actually used and maintained.

Inadequate Risk Assessment

A superficial risk assessment that does not identify real risks to the MSP's operations and clients. The risk assessment must be thorough and genuinely inform control selection.

Documentation Without Implementation

Extensive documentation that does not reflect actual practices. The auditors will verify that documented procedures are followed in practice.

No Management Commitment

Without genuine management commitment, the ISMS will not be sustained. Management must be actively involved in reviews, resource allocation, and improvement.

Ignoring Continuous Improvement

ISO 27001 requires continual improvement. An ISMS that is static and not improving will fail surveillance audits over time.

How ISO 27001 Differs from Other Frameworks

ISO 27001 is the most comprehensive and widely recognised framework for information security management.

The Bottom Line

ISO 27001 certification is a significant investment, but it is increasingly a requirement for MSPs competing for enterprise and government work. Beyond compliance, it provides a genuine framework for managing information security risks systematically.

The key to success is treating ISO 27001 as a business investment, not a compliance exercise. An ISMS that is genuinely used and maintained delivers ongoing value. One that exists only for the certificate delivers diminishing returns.

Use our Essential 8 Guide as a starting point for technical controls, or our MSP Health Score to assess your overall security maturity.

The MSP hands you their standard Master Services Agreement. It is 28 pages long. You are excited about the new partnership. You sign.

Two years later, something goes wrong. The service is failing. You want to leave. You discover your contract requires 90-day notice, charges a data extraction fee, and has a liability cap of $1,000 — meaning even if they cause a catastrophic breach, your legal remedy is almost nothing.

This scenario plays out constantly across Australian businesses. The good news: most of these traps are avoidable with the right negotiation approach.

The Seven Clauses That Matter Most

1. Termination and Exit

This is the most critical section of any MSP contract. Focus on:

Notice period: Push for 30 days' notice after an initial 12-month term. The MSP may resist, but 90-day notice periods exist primarily to trap clients, not to ensure service continuity.

Data extraction: Ensure the contract specifies data will be provided in standard, portable formats (CSV, SQL dump, native backup format) at no additional cost within a defined timeframe (14-30 days) of termination.

Transition assistance: Negotiate a transition assistance period where the outgoing MSP cooperates with the incoming provider. This should include knowledge transfer, documentation, and reasonable cooperation — typically capped at a fixed fee or included in the contract.

Non-solicitation: Push back on clauses preventing you from hiring the MSP's staff for 12+ months. A 6-month non-solicitation is reasonable; longer periods are anti-competitive and may not be enforceable in Australia.

2. Service Level Agreements (SLAs)

Your SLA should define:

• Response times for different priority levels (P1-P4)
• Resolution times with clear definitions of what "resolved" means
• Uptime guarantees with measurement methodology
• Service credit mechanisms when SLAs are breached
• Reporting obligations — how SLA performance is measured and reported

Negotiation tip: The MSP will propose SLAs they can comfortably meet. Push for tighter SLAs with meaningful penalties. A service credit of 5-10% of monthly fees for each SLA breach creates real incentive. Credits of 2-3% do not.

Avoid: Vague language like "best endeavours," "reasonable efforts," or "commercially reasonable." These have no measurable standard and make enforcement impossible.

3. Liability and Indemnity

Standard MSP contracts cap liability at 1-3 months of fees. This is grossly inadequate if the MSP causes a data breach, compliance failure, or system outage that damages your business.

Negotiate for: - Uncapped liability for gross negligence and wilful misconduct — no cap should apply when the MSP has been reckless - Higher general liability caps — push for 12 months of fees or $1 million minimum, whichever is greater - Specific indemnity for data breaches — the MSP should indemnify you for breaches caused by their negligence - Professional indemnity insurance requirements — require the MSP to maintain PI insurance at a minimum level (typically $5-10 million)

Red flag: If the MSP refuses to negotiate liability terms at all, consider what that tells you about their confidence in their own service.

4. Pricing and Payment Terms

Key areas to negotiate:

• Annual price increases — cap at CPI or a fixed percentage (3-5%), not "at the MSP's discretion"
• Payment terms — push for 30 days rather than upfront or 14-day terms
• Scope changes — require written approval for any out-of-scope work before it proceeds
• Price reviews — tie price increases to demonstrable cost increases, not arbitrary increases
• Volume discounts — if you are growing, negotiate tiered pricing that rewards additional users/devices

5. Data Ownership and Privacy

Your data is your business asset. The contract must explicitly state:

• You own all data stored in MSP-managed systems
• The MSP has no lien on your data for unpaid invoices
• Data will be returned in standard formats within a specified timeframe
• Data will be deleted from MSP systems within a defined period after termination
• The MSP complies with the Australian Privacy Act and APPs

Critical: Some MSPs include clauses that allow them to retain data as security for unpaid bills. This can leave you unable to access your own information during a dispute. Insist on data independence from financial disputes.

6. Security and Compliance

The contract should require the MSP to:

• Maintain compliance with the Essential 8 Maturity Level 1 framework (at minimum)
• Provide evidence of annual security assessments
• Notify you within 24-48 hours of any security incident affecting your environment
• Maintain cyber insurance at a specified minimum level
• Comply with all applicable privacy legislation

If your business has specific compliance requirements (PCI DSS, HIPAA, ISO 27001), these should be explicitly included as MSP obligations with evidence of compliance.

7. Governance and Reporting

Negotiate for:

• Regular service reviews — monthly operational, quarterly strategic
• Reporting obligations — what is reported, how often, and in what format
• Escalation procedures — clear paths when things go wrong
• Change management — how changes to your environment are proposed, approved, and documented

The Negotiation Process

Preparation

Before entering negotiations:

1. Define your requirements — what do you actually need from the MSP?
2. Benchmark pricing — understand market rates for comparable services
3. Identify your leverage — contract value, reference potential, growth opportunity
4. Know your walk-away point — what terms are non-negotiable for you?

During Negotiation

• Do not accept the first offer. Standard contracts are starting points.
• Ask "why?" on every clause you do not understand. If the MSP cannot explain it clearly, it probably benefits them at your expense.
• Get everything in writing. Verbal promises are unenforceable.
• Involve legal review. A solicitor experienced in MSP contracts will identify risks you miss. The cost ($2,000-5,000) is trivial compared to the cost of a bad contract.

Red Flags During Negotiation

• The MSP refuses to negotiate core terms ("This is our standard; everyone signs it")
• No willingness to discuss liability, termination, or data ownership
• Pressure to sign quickly ("This pricing is only available this week")
• Reluctance to provide references from similar-sized clients
• Unwillingness to include specific SLA commitments in the contract

Related Guides

• MSP Contract Checklist — Full checklist for contract review
• MSP Service Level Management — Deep dive on SLAs
• MSP ROI for Clients — Build the business case for your MSP investment
• MSP Vendor Comparison Template — Compare providers before negotiating
• Cyber Insurance MSP Requirements — Insurance requirements for contracts

Your MSP pushed a Windows update last night. This morning, three line-of-business applications are not working. Nobody approved the change. Nobody tested it in a non-production environment. Nobody documented what was changed or how to roll it back.

This scenario plays out in MSP environments because there is no governance over changes. The opposite extreme — a heavyweight change process that requires six approvals and three weeks of review for a minor patch — is equally problematic because it creates technical debt and security risk through delayed maintenance.

The Change Advisory Board (CAB) is the middle ground: a structured but efficient governance mechanism that ensures changes are assessed, approved, and tracked without creating bureaucratic bottlenecks.

What a CAB Does

Core Functions

1. Risk Assessment Evaluate each proposed change for: - Impact on business operations - Risk of failure or adverse effects - Security implications - Compliance considerations - Dependencies on other systems

2. Approval Authority The CAB has the authority to: - Approve changes for implementation - Reject changes that are too risky or poorly planned - Defer changes pending additional information - Require modifications to reduce risk

3. Scheduling Coordinate change timing to: - Minimise business disruption - Avoid conflicts with other changes - Align with maintenance windows - Account for business-critical periods

4. Post-Implementation Review After changes are implemented: - Verify the change achieved its intended outcome - Document any issues or deviations - Update documentation as needed - Identify lessons for future changes

Types of Changes

Not all changes require the same level of CAB review:

Building Your CAB

Membership

Essential members: - CAB Chair (your IT manager or equivalent) — leads meetings, has final authority - MSP Technical Lead — presents change requests, provides technical assessment - Business Stakeholder — represents operational impact and priorities - Security Representative — evaluates security implications

Optional members (for larger environments): - Finance representative (for cost impact) - Compliance officer (for regulatory implications) - Department heads (for department-specific impacts)

Key principle: CAB members must have decision-making authority. A CAB where nobody can approve changes is a talking shop, not a governance body.

Meeting Structure

Regular CAB meetings:

Total time: 55-60 minutes, monthly

Change Request Template

Every change request should include:

1. Change ID — unique identifier
2. Date — when the change is proposed
3. Requestor — who is requesting the change
4. Description — what the change involves
5. Business justification — why the change is needed
6. Risk assessment — potential impact and likelihood of issues
7. Rollback plan — how to revert if the change fails
8. Testing — evidence of testing in non-production environment
9. Schedule — proposed implementation date and time
10. Impact — which systems and users are affected

The CAB Process

Step 1: Change Submission

The MSP submits a change request for each proposed change (except pre-approved standard changes). The request includes all required information and is submitted at least 5 business days before the proposed implementation date.

Step 2: CAB Review

The CAB reviews each change request:

• Risk assessment: Is the risk acceptable?
• Business justification: Is the change necessary?
• Testing: Has it been tested adequately?
• Rollback plan: Can it be reverted if it fails?
• Timing: Is the proposed schedule appropriate?

Step 3: Decision

The CAB makes one of four decisions:

Step 4: Implementation

The MSP implements the approved change: - Follows the approved implementation plan - Executes the rollback plan if issues arise - Documents what was actually done - Notifies affected users as agreed

Step 5: Post-Implementation Review

After implementation: - Successful: CAB confirms the change achieved its outcome, documentation is updated - Failed: CAB reviews what went wrong, rollback is executed, lessons are captured

Emergency Changes

Some changes cannot wait for the regular CAB cycle:

Emergency Change Criteria

• Critical security vulnerability requiring immediate patching
• System failure requiring immediate remediation
• Regulatory requirement with imminent deadline
• Business-critical issue that cannot wait for the next CAB meeting

Emergency Change Process

1. Requestor identifies the need for an emergency change
2. MSP assesses the risk and documents the emergency change request
3. Emergency CAB approval — CAB chair + one other member approve (can be via email or phone)
4. Implementation — MSP implements the change immediately
5. Retrospective CAB review — full CAB reviews the emergency change within 48 hours
6. Documentation — emergency change is fully documented post-implementation

What Is NOT an Emergency

• Routine patching that was not scheduled
• Convenience changes ("it would be nice to have")
• Changes that were deferred by the regular CAB
• "The MSP forgot to include this in the last CAB meeting"

Common CAB Failures

No CAB exists. Changes are made without governance, leading to incidents and finger-pointing.

CAB is too bureaucratic. Every change requires the full process, creating delays and driving change underground.

No business representation. Technical-only CABs miss business impact considerations.

Rubber-stamp CAB. The CAB approves everything without genuine assessment. This is worse than no CAB because it creates a false sense of governance.

No post-implementation review. Changes are approved but never verified as successful. Issues are not captured for learning.

Emergency change abuse. Too many changes labelled "emergency" to bypass the CAB. This indicates either CAB inflexibility or MSP process failure.

Balancing Control and Agility

The Right Level of Governance

The CAB should be as lightweight as possible while providing adequate oversight:

• Small environments (<50 users): Monthly CAB with 3-4 members, 30-minute meetings
• Medium environments (50-200 users): Monthly CAB with 4-6 members, 60-minute meetings
• Large environments (200+ users): Weekly or bi-weekly CAB with 6-8 members, 90-minute meetings

Pre-Approved Changes

Reduce CAB burden by pre-approving routine changes:

• Regular operating system patching (within defined parameters)
• Antivirus signature updates
• User account management (creation, modification, deletion)
• Standard configuration changes

Pre-approved changes are still documented and tracked, but do not require individual CAB review.

Continuous Improvement

The CAB should periodically review its own effectiveness:

• Are change-related incidents increasing or decreasing?
• Is the CAB process creating unnecessary delays?
• Are emergency changes being used appropriately?
• Are post-implementation reviews capturing useful lessons?

Related Guides

• MSP Service Level Management — SLA governance
• MSP Quality Management System — Quality frameworks
• MSP Technical Debt Assessment — Uncontrolled changes create debt
• MSP Project Management Methodology — Change in project context
• MSP Data Breach Response Plan — Emergency change in incident context

Your service desk is where your clients experience your MSP. Every interaction — every ticket, every phone call, every email — shapes their perception of your business. A well-run service desk delivers consistent, efficient support. A poorly run one drives churn.

Structuring Your Service Desk

The Tiered Model

The standard MSP service desk uses a tiered support model:

Level 0 — Self-Service - Knowledge base articles - FAQ and troubleshooting guides - Automated password resets - Client portal for ticket submission and status checks

Level 1 — Front-Line Support - Initial ticket triage and categorisation - Common issue resolution (password resets, software issues, access requests) - Remote troubleshooting - Ticket documentation and escalation when needed

Level 2 — Advanced Support - Complex technical issues - Server and infrastructure troubleshooting - Network issues - Application-specific problems

Level 3 — Specialist / Escalation - Vendor escalation management - Security incidents - Infrastructure design and architecture - Project-related technical support

When to Add Tiers

As your MSP grows, consider adding:

• Dedicated queue managers. Someone responsible for monitoring ticket flow and ensuring nothing falls through the cracks.
• Technical specialists. Dedicated resources for specific platforms (Microsoft 365, security, networking).
• After-hours team. Dedicated overnight or weekend support.

Service Desk Processes

Incident Management

The primary function — restoring service as quickly as possible:

• Acknowledge quickly. Every ticket gets an acknowledgement within the defined SLA.
• Triage accurately. Correctly categorise and prioritise based on impact and urgency.
• Resolve efficiently. Use knowledge base, runbooks, and team collaboration to resolve.
• Communicate clearly. Keep clients informed throughout the resolution process.
• Document thoroughly. Record the issue, actions taken, and resolution for future reference.

Service Request Management

Handling routine requests efficiently:

• Standardise common requests. Create templates for new user setup, software installation, access changes, and hardware requests.
• Automate where possible. Automated provisioning, self-service portals, and workflow automation reduce manual effort.
• Track and report. Service request metrics reveal workload patterns and automation opportunities.

Problem Management

Address root causes to prevent recurring incidents:

• Identify patterns. Analyse ticket data to find recurring issues.
• Root cause analysis. Investigate why issues recur and address the underlying cause.
• Known error database. Document known issues and their workarounds for faster resolution.
• Proactive fixes. Implement permanent fixes for recurring problems.

Change Management

Control changes to client environments:

• Change requests. Document and approve all non-routine changes.
• Impact assessment. Evaluate the risk of changes before implementation.
• Rollback plans. Have a plan to reverse changes if they cause issues.
• Post-implementation review. Verify changes achieved their intended outcome.

Optimising Service Desk Performance

1. Set Clear SLAs

Define response and resolution targets for each priority level:

• P1 (Critical). 15-minute response, 1-hour resolution target
• P2 (High). 1-hour response, 4-hour resolution target
• P3 (Medium). 4-hour response, 1-business-day resolution target
• P4 (Low). 1-business-day response, 3-business-day resolution target

Track SLA compliance and address breaches immediately.

2. Invest in Training

Technician capability directly impacts service quality:

• Onboarding training. Ensure new technicians understand your tools, processes, and client environments.
• Ongoing development. Regular training on new technologies and updated procedures.
• Soft skills. Communication, empathy, and client management skills matter as much as technical ability.
• Cross-training. Ensure coverage across team members and reduce key-person dependencies.

Our MSP Employee Training Programs guide covers building training programmes.

3. Leverage Knowledge Management

A well-maintained knowledge base accelerates resolution:

• Create articles from resolved tickets. Every non-trivial resolution is a knowledge base candidate.
• Tag and categorise. Make articles easy to find through search and categorisation.
• Review and update. Keep articles current and remove outdated content.
• Measure usage. Track which articles are used and which are not.

4. Automate Repetitive Work

Automate to reduce ticket volume and resolution time:

• Automated password resets. Self-service or automated workflows.
• Automated provisioning. Template-based account creation.
• Automated monitoring alerts. Catch issues before users report them.
• Chatbots. Handle simple queries and ticket creation.

5. Monitor and Improve

Continuous improvement requires measurement:

• Weekly metrics review. Review key metrics with the team.
• Monthly trend analysis. Identify patterns and address systemic issues.
• Quarterly process review. Evaluate and improve processes based on data.
• Client feedback. Collect and act on client satisfaction feedback.

Common Service Desk Mistakes

• No triage. Tickets sit in a general queue without prioritisation.
• Poor documentation. Tickets without adequate notes make escalation and handover difficult.
• No follow-up. Resolved tickets without client confirmation leave issues incomplete.
• Ignoring metrics. Data without action is just noise.
• Understaffing. Chronic understaffing creates a vicious cycle of burnout and turnover.

Related Guides

• MSP Ticketing System Guide — Platform selection and configuration
• MSP Employee Training Programs — Training programmes
• MSP Client Communication Tips — Communication during support
• MSP Capacity Planning Guide — Workload management
• MSP Quality Assurance Processes — Quality metrics

The majority of Australian managed service providers are founder-led businesses. The founder built it, named it, and is the reason clients trust it. But what happens when that founder retires, burns out, gets sick, or simply decides to move on?

Without a succession plan, the answer is often chaos — declining service, client defection, staff panic, and a business that loses most of its value in the transition.

Why MSPs Are Uniquely Vulnerable

MSPs face succession challenges that most businesses do not:

• Founder dependency. Clients trust the founder personally, not just the brand. When the founder leaves, clients follow.
• Technical knowledge concentration. The founder often holds the deepest knowledge of client environments, undocumented processes, and critical relationships.
• Thin leadership bench. Small MSPs rarely have a deputy or successor ready to step up.
• Revenue concentration. A handful of large clients may represent a disproportionate share of revenue, and those relationships often run through the founder.

These factors make succession planning not just a nice-to-have, but an existential requirement.

The Three Succession Paths

1. Internal Succession

The founder promotes or sells to an existing leader — typically a service manager, technical director, or operations lead.

Advantages: - Continuity for clients and staff - Lower transition risk - Founder can mentor the successor over time

Challenges: - The successor needs business acumen (sales, finance, HR), not just technical skill - Financing the buyout can be difficult without external capital - The founder may struggle to let go

What it takes: Start grooming a successor at least 3 years before the planned transition. Invest in their business education — not just technical certifications. Consider a phased transition where the founder gradually reduces involvement.

2. External Sale

The MSP is sold to a competitor, an aggregator, or a private equity firm.

Advantages: - Maximum financial return for the founder - Access to capital and scale - Professional management of the transition

Challenges: - Client contracts may have change-of-control clauses - Staff may leave during the uncertainty - Integration risk — the acquiring company may dismantle what made the MSP successful

What it takes: Clean financials, documented processes, diversified client base, and reduced founder dependency. Our MSP Financial Breakdown guide covers what acquirers look for. The MSP Acquisition Due Diligence article details the buyer's perspective.

3. Merger or Partnership

Two complementary MSPs merge, combining strengths and reducing competition.

Advantages: - Combined capabilities and client base - Shared overhead and leadership burden - Both founders can remain involved in defined roles

Challenges: - Cultural alignment is difficult - Decision-making can stall with two leaders - Client overlap may create conflicts

Building a Succession-Ready MSP

Whether you plan to transition in 2 years or 10, these steps make your MSP more resilient:

Document Everything

If the founder is the only person who knows how things work, the business is fragile. Document: - Client environments and custom configurations - Vendor relationships and contract terms - Pricing structures and margin data - Key processes and escalation paths

Our MSP Technical Documentation guide provides templates and frameworks.

Reduce Founder Dependency

Clients should have relationships with multiple people at the MSP, not just the founder. Staff should understand the business, not just the tech. Build a leadership team that can operate independently.

Clean Up Financials

Accurate, auditable financials are essential for any transition. Get your books in order — separate personal and business expenses, document recurring revenue streams, and ensure contracts are properly recorded.

Understand Your Value

Use our MSP Health Score tool to benchmark your business across key dimensions. Know what your MSP is worth before you need to sell or transfer it.

Communicate Early

When the time comes, communicate the transition plan to clients and staff with confidence and clarity. A well-managed announcement builds trust; a surprise departure destroys it.

The Cost of Not Planning

The Australian MSP market is consolidating rapidly. Private equity firms and aggregators are buying up MSPs at attractive multiples — but only well-run, documented, and transferable businesses command premium valuations.

MSPs without succession plans typically sell at a significant discount, or worse, simply close — destroying the value the founder spent decades building and leaving clients scrambling for a new provider.

Succession planning is not about planning to fail. It is about ensuring that the business you built survives and thrives beyond your involvement.

Related Guides

• MSP Exit Strategy — Valuation and transition planning
• MSP Health Score — Benchmark your business readiness
• MSP Financial Breakdown — Understanding MSP valuations
• MSP Acquisition Due Diligence — What buyers look for
• MSP Technical Documentation — Documenting your operations

Artificial intelligence is no longer a future concept for MSPs — it is a present reality reshaping how services are delivered, how engineers spend their time, and how MSPs compete. Here is what is happening in 2026 and what it means for the industry.

The AI Landscape for MSPs in 2026

What Has Changed

The past 12-18 months have seen significant AI adoption in the MSP industry:

• Microsoft Copilot has matured and is now widely deployed in M365 environments
• AI-powered RMM tools can now diagnose and remediate common issues automatically
• AI documentation tools are automating environment documentation
• AI-enhanced security is improving threat detection and response times
• AI chatbots are handling a growing percentage of helpdesk interactions

What Is Accelerating

The pace of change is increasing:

• AI models are becoming more capable and accurate
• Integration into existing MSP tools is deepening
• Client expectations for AI-powered services are rising
• Cost of AI tools is decreasing while capability increases

The Impact on MSP Operations

1. Automated Ticket Triage and Routing

AI can now analyse incoming tickets and:

• Categorise the issue automatically
• Route to the appropriate engineer or team
• Suggest solutions from knowledge base articles
• Escalate based on urgency and impact

Impact: Faster response times, better first-contact resolution, reduced triage overhead.

2. AI-Powered Remediation

AI systems can now resolve common issues without human intervention:

• Password resets and account unlocks
• Software installation and configuration
• Network connectivity troubleshooting
• Patch compliance remediation
• Backup failure resolution

Impact: Reduced ticket volume, faster resolution, engineers freed for complex work.

3. Automated Documentation

AI tools can now:

• Generate documentation from system configurations
• Update documentation when changes occur
• Create user guides and training materials
• Maintain network diagrams from discovered topology

Impact: Better documentation quality, reduced manual effort, improved knowledge transfer.

4. Predictive Monitoring

AI-enhanced monitoring can:

• Predict hardware failures before they occur
• Identify performance degradation trends
• Detect unusual user behaviour patterns
• Forecast capacity needs

Impact: Proactive management, reduced downtime, better capacity planning.

5. AI-Enhanced Security

AI is transforming security operations:

• Real-time threat detection across endpoints
• Automated incident response playbooks
• Behavioural analysis for insider threats
• Automated compliance monitoring

Impact: Faster threat detection, reduced response time, improved security posture.

What This Means for MSP Engineers

Skills That Are Becoming More Valuable

• AI tool management — configuring, training, and optimising AI systems
• Complex problem-solving — handling issues AI cannot resolve
• Client advisory — strategic guidance that requires human judgement
• Security expertise — advanced threat analysis and response
• Cloud architecture — designing and optimising cloud environments

Skills That Are Becoming Less Valuable

• Routine ticket handling — increasingly automated
• Basic documentation — AI-generated and maintained
• Standard configurations — template-driven, AI-deployed
• Password management — fully automated
• Basic monitoring — AI-handled alerting and triage

The Engineer Evolution

The MSP engineer role is evolving from "fix things" to "manage systems that fix things." This requires:

• Understanding how AI tools work and where they fail
• Ability to validate and improve AI recommendations
• Strategic thinking about IT environment design
• Client communication and relationship skills
• Continuous learning as AI capabilities evolve

Our MSP Employee Training Programs guide covers upskilling strategies for the AI era.

AI Adoption Strategy for MSPs

Phase 1: Foundation (Month 1-3)

Low-risk automation: - Enable AI features in existing tools (Copilot, RMM AI) - Automate documentation generation - Implement AI-assisted ticket categorisation - Test AI chatbot for common queries

Measure: Time saved, accuracy of AI decisions, user satisfaction.

Phase 2: Expansion (Month 4-6)

Moderate automation: - Deploy AI-powered remediation for common issues - Implement predictive monitoring - Use AI for security threat detection - Automate routine reporting

Measure: Ticket volume reduction, resolution time improvement, cost savings.

Phase 3: Optimisation (Month 7-12)

Advanced automation: - Custom AI models for client-specific needs - AI-driven capacity planning - Automated compliance monitoring - Predictive client needs analysis

Measure: Client satisfaction, engineer utilisation, profitability improvement.

The Cost-Benefit Analysis

Investment Required

Expected Returns

Risks and Limitations

AI Hallucinations

AI tools can generate incorrect recommendations. Every AI-generated solution should be validated by a human engineer before implementation.

Over-Reliance

Reducing human oversight too aggressively creates risk. AI should augment, not replace, human judgement for critical decisions.

Client Resistance

Some clients may be uncomfortable with AI managing their environment. Offer transparency about how AI is used and maintain human oversight.

Security Risks

AI tools that access client environments create new attack surfaces. Ensure AI tools meet your security standards.

Cost Escalation

AI tool costs can increase rapidly as usage scales. Monitor costs and ensure ROI justifies the investment.

The Competitive Landscape

MSPs Leading in AI Adoption

• Larger MSPs with dedicated innovation budgets
• MSPs with strong Microsoft partnerships (early Copilot access)
• MSPs that invested in automation pre-AI (cultural readiness)
• MSPs with younger, tech-savvy teams

MSPs at Risk

• Small MSPs without budget for AI tools
• MSPs with resistance to change
• MSPs that view AI as a threat rather than an opportunity
• MSPs that cannot demonstrate AI value to clients

Client Expectations in 2026

Clients increasingly expect:

• Faster response times — AI-enabled chatbots for immediate support
• Proactive management — AI predicting and preventing issues
• Transparent reporting — AI-generated insights into environment health
• Modern security — AI-enhanced threat protection
• Cost efficiency — AI-driven cost optimisation

MSPs that can demonstrate AI capabilities win more competitive deals.

The Bottom Line

AI automation is transforming the MSP industry. The question is not whether to adopt AI, but how quickly and effectively. MSPs that embrace AI will serve more clients, deliver better outcomes, and build more sustainable businesses. Those that resist will find themselves competing against more efficient, more capable competitors.

The future of MSPs is not AI replacing humans — it is AI enabling humans to do higher-value work.

Use our MSP Health Score to benchmark your operational maturity, or our PowerShell Automation guide for automation foundations that prepare you for AI.

Most Australian businesses view their MSP as a cost — a monthly invoice that goes out the door. But a good MSP should be an investment that delivers measurable returns. If you cannot quantify the value your MSP provides, you cannot make informed decisions about your IT spending.

Here is how to calculate MSP ROI and benchmark your return against industry standards.

Why ROI Matters

Without ROI measurement, MSP decisions are based on gut feel and invoice amounts. With ROI measurement, you can:

• Justify your MSP spend to the board or business owner
• Compare the value of your current MSP against alternatives
• Identify areas where the MSP is underperforming or over-delivering
• Negotiate contract renewals with data, not assumptions
• Make informed decisions about co-managed vs fully managed vs in-house

The MSP ROI Formula

MSP ROI = (Total Benefits - Total Costs) / Total Costs × 100

The challenge is accurately quantifying both sides.

Total Costs: What You Actually Pay

Most businesses know their monthly MSP fee. But total cost includes more:

Example for a 50-user business:

Total Benefits: What You Get in Return

Benefits fall into six categories:

1. Avoided Staffing Costs

The cost of building an equivalent in-house team.

Benefit: $213,000–$274,000 (avoided cost of equivalent in-house team)

2. Reduced Downtime

The MSP's proactive monitoring and patching prevents outages.

3. Productivity Gains

Faster issue resolution means staff spend less time waiting.

4. Risk Mitigation

Security, compliance, and disaster recovery value.

5. Technology Optimisation

Better use of Microsoft 365, cloud services, and infrastructure.

6. Strategic Value

vCIO advice, technology roadmaps, and strategic planning.

Total Benefits Calculation

ROI Calculation

At the mid-range estimate, every dollar spent on the MSP returns $1.84 in value.

Industry Benchmarks

Smaller businesses typically see higher ROI because they get access to capabilities (security, vCIO, monitoring) that would be prohibitively expensive to build in-house.

Using the Arbitrage Calculator

The Arbitrage Calculator on MSP Playbook provides a quick way to benchmark whether your MSP's pricing is fair relative to the value delivered. Input your MSP spend, user count, and service requirements to see how your costs compare to market rates.

When ROI Is Negative

If your MSP ROI is below 100% (you are paying more than you are getting back), investigate:

1. Are you paying for services you do not use? Review your contract for unused inclusions.
2. Is the MSP underperforming? Check SLA compliance and support quality.
3. Are hidden costs inflating your total spend? Review project work and after-hours charges.
4. Is your environment too small? Some MSPs impose minimums that exceed the value for very small businesses.
5. Are you duplicating efforts? Having both an MSP and internal IT doing the same work wastes money.

The MSP Cost Calculator and Compare tools can help diagnose the issue.

Presenting ROI to Leadership

When presenting MSP ROI to your board or business owner:

1. Use ranges, not point estimates. Show conservative, mid-range, and optimistic scenarios.
2. Focus on avoided costs, not theoretical value. "We would need to hire two people at $250K to replace this service" is more compelling than "the MSP provides strategic value."
3. Benchmark against alternatives. Show the ROI of the MSP vs in-house IT vs doing nothing.
4. Include risk quantification. The cost of a single cybersecurity incident justifies the MSP's entire annual fee.
5. Track ROI over time. Show whether the MSP's value is increasing or decreasing year on year.

Related Guides

• MSP Cost Calculator — Model your specific costs
• MSP Pricing Comparison 2026 — Benchmarking rates
• Arbitrage Calculator — Quick value benchmarking
• MSP vs In-House IT Cost — Full cost comparison
• Hidden Costs of MSPs — What they do not put on the invoice

Microsoft 365 is the most widely used productivity platform in Australian business, but most organisations are running it without proper governance. The result is chaos: thousands of orphaned Teams channels, SharePoint sites nobody owns, and permissions that have never been audited. Without governance, M365 becomes a security liability rather than a productivity tool.

What M365 Governance Actually Covers

Governance is not a single setting. It is a framework that spans every service in the Microsoft 365 suite:

• Identity and access management — who can access what, how accounts are provisioned and deprovisioned
• Data governance — retention policies, labelling, and disposal of sensitive information
• Teams governance — who can create Teams, naming conventions, lifecycle management
• SharePoint governance — site creation policies, external sharing controls, storage limits
• Compliance — meeting Australian Privacy Act requirements, Essential 8 alignment, and industry-specific regulations
• Device management — Intune policies, conditional access, endpoint protection

Most MSPs focus on keeping the lights on (email works, Teams is up) but ignore governance entirely. The MSP Health Score includes governance maturity as a key indicator.

The Foundation: Entra ID Governance

Before you govern SharePoint, Teams, or anything else, you need to govern your identity layer. Microsoft Entra ID (formerly Azure AD) is the foundation of every governance decision.

Critical Entra ID Policies

1. Conditional Access Policies Define rules that determine who can access M365 and from where. At minimum:

• Require MFA for all users (non-negotiable in 2026)
• Block sign-ins from countries where you have no operations
• Require compliant devices for sensitive applications
• Block legacy authentication protocols

2. Privileged Identity Management (PIM) Global Administrator and other high-privilege roles should not be assigned permanently. PIM allows just-in-time access — administrators request elevated privileges when needed and lose them automatically after a defined period.

If your MSP has three people with permanent Global Admin access, that is a governance failure.

3. Access Reviews Schedule quarterly reviews of who has access to what. Entra ID supports automated access reviews that prompt managers to certify or revoke permissions. This is Essential for maintaining least-privilege access.

Teams Governance

Uncontrolled Teams creation is the number one governance headache for Australian businesses. Within six months of adoption, most organisations have hundreds of Teams with no naming conventions, no owners, and no lifecycle management.

What to Implement

Team Creation Policy - Restrict who can create Teams (ideally IT or a自助-service approval process) - Require a business justification for each new Team - Apply naming conventions (e.g., [Department]-[Project]-[Year])

Team Lifecycle Policy - Set automatic expiration dates (e.g., 12 months) - Require owners to renew before expiry - Archive inactive Teams automatically - Delete archived Teams after 6 months with no activity

Sensitivity Labels Classify Teams by data sensitivity: - Public — internal communication, no sensitive data - Confidential — departmental, restricted membership - Highly Confidential — regulated data, enhanced encryption, external access blocked

SharePoint Governance

SharePoint is where governance failures become most visible — and most dangerous.

Key Policies

Site Creation - Restrict site creation to IT or a managed自助-service portal - Require approval for external-facing sites - Apply naming conventions and metadata tags

External Sharing - Disable external sharing by default - Enable it only for specific sites with a business case - Require Azure AD B2B for external collaborators - Audit external sharing monthly

Storage Management - Set storage quotas per site (e.g., 25 GB default, 100 GB with approval) - Monitor usage quarterly - Archive or delete sites that exceed limits without justification

Retention and Disposition Apply retention policies based on content type: - Financial records: 7 years - Employee records: 7 years after termination - Client data: 7 years after engagement ends (or as per contract) - Temporary/working documents: 1 year

Data Governance and Compliance

Australian businesses must align M365 data governance with the Privacy Act 1988 and relevant state legislation. Key requirements:

Australian Privacy Principles (APPs)

• Collect only the data you need (APP 3)
• Store it securely (APP 11)
• Destroy it when no longer needed (APP 11)
• Allow individuals to access their data (APP 12)

Information Barriers

Prevent conflicts of interest by restricting communication between certain groups. Essential for financial services and legal firms.

Data Loss Prevention (DLP)

Configure DLP policies to: - Detect and block sending of sensitive data (TFNs, ABNs, credit card numbers) via email or Teams - Alert when users attempt to share classified documents externally - Apply sensitivity labels automatically based on content

Governance Maturity Model

Where does your organisation sit?

Most Australian businesses sit at Level 1 or 2. Getting to Level 3 is the goal. The M365 Governance Mistakes article covers common pitfalls in more detail.

How Your MSP Should Be Handling This

If your MSP manages your Microsoft 365 environment, they should be implementing governance as part of their service. Ask them:

1. Do we have conditional access policies configured? Show me the policy list.
2. How many Teams do we have, and how many have been reviewed in the last 6 months?
3. What is our external sharing posture across SharePoint?
4. Do we have DLP policies in place? Show me the last quarter's alerts.
5. How many Global Admin accounts exist, and are any using shared credentials?

If your MSP cannot answer these questions, they are managing your email, not governing your environment. Our M365 Governance Mistakes article provides a more detailed self-assessment.

Getting Started: Your First 30 Days

If you are starting from scratch, prioritise in this order:

Week 1: Implement MFA everywhere and review Global Admin accounts Week 2: Configure conditional access policies and disable legacy authentication Week 3: Apply Teams creation restrictions and naming conventions Week 4: Enable sensitivity labels and configure basic DLP policies

This gets you from Level 1 to Level 2 in a month. Building from there is an ongoing process, not a one-time project.

Related Guides

• M365 Governance Mistakes — Common pitfalls to avoid
• Essential 8 Guide — Australian cybersecurity framework
• MSP Onboarding Checklist — What your MSP should set up
• MSP Health Score — Benchmark your MSP's performance
• How to Choose an MSP — Select the right provider

Your MSP manages your clients' IT environments. But who manages yours? Every vendor, tool, and subcontractor in your stack is a potential point of failure — and the trend toward supply chain attacks means third-party risk is no longer theoretical.

The Third-Party Risk Landscape for MSPs

MSPs typically depend on a significant number of third parties:

• RMM/PSA platforms — ConnectWise, Datto, NinjaRMM, N-sight
• Backup vendors — Veeam, Acronis, Datto, StorageCraft
• Security tools — SentinelOne, CrowdStrike, Huntress, Sophos
• Cloud platforms — Microsoft 365, Azure, AWS, Google Workspace
• Communication tools — Teams, Slack, Zoom
• Hardware vendors — Dell, HP, Lenovo
• Subcontractors — NOC services, helpdesk outsourcing, project resources

Each of these represents a risk. The 2021 Kaseya VSA attack compromised approximately 1,500 businesses through a single vendor vulnerability. The 2024 ConnectWise ScreenConnect vulnerabilities demonstrated that even major platforms are not immune.

Building a Third-Party Risk Management Program

Step 1: Inventory Your Vendors

Create a comprehensive register of all third parties that access your systems, handle your data, or provide critical services. For each vendor, record:

• What service they provide
• What data they access or process
• What systems they connect to
• What level of access they have
• What the impact would be if they failed

Step 2: Assess Risk

Not all vendors carry equal risk. Assess each based on:

• Access level. A vendor with administrative access to your RMM platform carries far more risk than one providing office supplies.
• Data sensitivity. Vendors handling personal information or financial data carry higher risk.
• Criticality. What happens if this vendor's service fails? Can you operate without it?
• Security maturity. Does the vendor demonstrate strong security practices?

Step 3: Require Security Evidence

For high-risk vendors, request and review:

• SOC 2 Type II report — Independent audit of security controls
• ISO 27001 certificate — Formal information security management
• Penetration test results — Evidence of vulnerability testing
• Insurance certificates — Cyber liability and professional indemnity coverage
• Incident history — Any breaches or significant outages in the past 3 years

Step 4: Include Risk Requirements in Contracts

Your vendor contracts should include:

• Security requirements and standards
• Notification obligations for incidents or vulnerabilities
• Data handling and sovereignty requirements
• Right to audit provisions
• Termination and data return provisions
• Service level agreements with remedies for non-performance

Our MSP Contract Checklist provides a comprehensive framework for vendor agreements.

Step 5: Monitor Ongoing Risk

Third-party risk is not a one-time assessment:

• Annual reviews. Reassess vendor risk annually and after any significant incident.
• Continuous monitoring. Use threat intelligence feeds to track vendor vulnerabilities.
• Incident response integration. Ensure your incident response plan accounts for vendor-related incidents.
• Exit planning. For every critical vendor, have a documented exit strategy in case the relationship ends.

Common Third-Party Risk Scenarios

Vendor Data Breach

A vendor you use is breached, exposing your data or your clients' data. Your obligations under the Privacy Act and NDB scheme may require notification even though the breach occurred at the vendor level.

Vendor Service Failure

A critical vendor experiences an extended outage that affects your ability to deliver service. Your clients hold you responsible, not your vendor.

Vendor Vulnerability

A security vulnerability is discovered in a tool you use. You must patch or mitigate quickly while the vendor works on a fix.

Subcontractor Incident

A subcontractor you use for NOC or helpdesk services causes an incident through negligence. Your contracts and oversight processes determine your liability.

Related Guides

• MSP Vendor Management Guide — Operational vendor management
• MSP Risk Management Framework — Comprehensive risk assessment
• MSP Contract Checklist — Contract risk provisions
• Cyber Insurance MSP Requirements — Insurance requirements for vendors
• Essential 8 Implementation Checklist — Security controls including third-party management