What to Ask Your MSP About Cyber Security: The ASD's 5 Questions, Answered by Evolution Systems

The ASD’s MSP Cyber Security Questions, Answered

The Australian Signals Directorate (ASD) recently reiterated its guidance on the cyber security questions every organisation should ask their Managed Service Provider. The premise is sound and important: MSPs hold privileged access to client environments, and if an MSP’s own security posture is weak, that weakness becomes your organisation’s risk.

The ASD identifies five critical questions. Below you’ll find exactly how Evolution Systems answers each of them, with the specific practices and credentials to back it up.

Why the ASD’s MSP Cyber Security Guidance Matters

When organisations engage a managed service provider, they are not simply outsourcing IT tasks. They are extending trust, access, and in many cases administrative control over their most critical systems. The ASD’s guidance recognises that cyber security outcomes for Australian businesses depend directly on the security maturity of the MSPs they engage.

For organisations evaluating managed service providers in Australia, these five questions are not a formality. They are a substantive due diligence test. A credible MSP should be able to answer each one with specific practices and verifiable credentials, not generalised reassurances.

This is how Evolution Systems answers them.

#1 Does Your MSP Implement Better Practice Cyber Security?

The ASD standard: Implementation of the Essential Eight to protect both the MSP and its customers.

How Evolution Systems meets this standard: Essential Eight compliance is built into the architecture of our managed security services, structured across three tiers aligned to ASD maturity levels:

  • Our Cyber Foundations tier aligns with Essential Eight Maturity Level 1, covering application control and whitelisting, patch management for both applications and operating systems, Microsoft Office macro controls, user application hardening, multi-factor authentication (MFA), restricted administrative privileges, and regular backups. 
  • Our Cyber Advanced tier aligns with Level 2, adding AI-driven threat monitoring and automated security event management. 
  • Our Cyber Enterprise tier aligns with Level 3, implementing Privileged Access Management (PAM), CISO-as-a-Service, and continuous compliance audits.

Evolution Systems is also ISO 27001:2022 certified and has held this certification for over a decade. Holding ISO 27001 for more than ten years means our information security management practices are not theoretical – they have been independently audited and renewed across multiple cycles, covering how we protect client data, manage access, and respond to security events.

For a deeper look at Essential Eight obligations for Australian businesses, read our guide on Essential Eight compliance in 2026.

#2 Does Your MSP Securely Administer Its Systems and Services?

The ASD standard: Secure administration practices, with particular emphasis on the risk of privileged and remote access.

How Evolution Systems meets this standard: Secure administration is not an optional layer for Evolution Systems. It is the foundation on which every client engagement is built.

Our Cyber Enterprise tier includes Privileged Access Management (PAM), implementing zero-trust security controls to protect privileged accounts, administrative users, and critical business systems from compromise. MFA is enforced across all access points as a standard control from our Cyber Foundations tier upward, ensuring only authorised personnel can access client systems. Restricted administrative privileges are applied as a core Essential Eight control, limiting the attack surface available to any threat actor who gains a foothold.

For clients on our Managed Services and EVOPS platform, our service desk and engineering team operate under defined access control protocols governed by our ISO 27001:2022 certified information security management system. This means the administrative practices applied to client environments are subject to the same independent audit cycle as our own.

#3 Does Your MSP Monitor Activity on Its Systems and Services?

The ASD standard: Active monitoring of systems and services to detect intrusions and insider threats.

How Evolution Systems meets this standard: Continuous monitoring and threat detection are central to our managed security service model. According to the Cost of a Data Breach Report 2025, it takes an average of 241 days to identify and contain a breach without adequate monitoring in place.

Our Cyber Advanced tier delivers 24/7 monitoring, alerting, and managed protection across client environments, backed by Automated Security Event Analysis through SIEM technology. This capability correlates security events across systems in real time, surfacing anomalies and early threat indicators before they can escalate into incidents. Clients also receive a Security Health Dashboard: a centralised, real-time view of threat activity, vulnerabilities, and compliance status across their environment.

For endpoint visibility, our managed security stack includes SentinelOne for AI-driven endpoint detection and response, and ThreatLocker for application control, restricting unauthorised applications from executing and blocking malware at the application layer. Configuration hardening is applied across environments to reduce the attack surface that monitoring then has to cover.

This combination of proactive hardening and active monitoring addresses both the prevention and detection requirements the ASD identifies as critical for MSPs.

#4 Does Your MSP Regularly Assess Its Systems and Services?

The ASD standard: Regular vulnerability assessments to identify and risk-manage weaknesses in MSP systems and client environments.

How Evolution Systems meets this standard: Regular, structured assessment is embedded into our service model at every tier. A review from twelve months ago does not reflect today’s attack methods or today’s environment.

Our Cyber Foundations tier includes Threat and Compliance Risk Assessments to identify security gaps, address vulnerabilities, and verify alignment with Essential Eight, ISO 27001, and PCI DSS requirements. For new clients, our Cyber Baseline Assessment delivers a clear picture of current security posture and highest-priority risks within days, not months. Our Cyber Enterprise tier adds Continuous Compliance and Internal Audits, with ongoing security audits, risk assessments, and governance enforcement built into the service. CISO-as-a-Service is also available at this tier, providing strategic cyber security leadership that connects assessment findings to business risk rather than treating them as isolated technical outputs.

As an ISO 27001:2022 certified organisation, Evolution Systems undergoes external audits of our own information security management system on an ongoing basis. Our security posture is assessed by an independent third party, not self-declared.

For organisations thinking about what robust security assessment looks like in practice, our article on what to look for in a managed security service provider covers the key considerations in detail.

#5 Is Your MSP Prepared to Respond to Cyber Security Incidents?

The ASD standard: Preparedness and response capability for cyber security incidents, including specialist support and active incident reporting.

How Evolution Systems meets this standard: Incident response capability is part of our standard service model, built in before an incident occurs rather than assembled in reaction to one. 60% of SMBs that experience a significant breach close within six months. Cyber resilience is not a technical aspiration – it is a business survival requirement.

Our Cyber Enterprise tier delivers Rapid Incident Response with 24/7 coverage, providing immediate threat containment and security breach mitigation designed to minimise business disruption. For every client engagement, we also build Incident Response Readiness as a structured service: this includes the plans, processes, escalation pathways, and governance documentation your organisation needs to respond with structure rather than improvise under pressure. Basic Security Incident Response Policy and Procedure documentation are developed as part of our structured programs, giving organisations a defensible, tested response framework.

Recovery capability is built into the infrastructure layer as well. Our Disaster Recovery as a Service and Backup as a Service ensure that recovery from a cyber event is a structured, tested process. For clients on Evolution Data Resilience, this extends further to immutable backup and recovery assurance. Our 100% guaranteed data centre availability means the infrastructure required to recover is already in place and verified before an incident occurs.

Security Awareness Training is also included as a standard component, addressing the human vector that precedes the majority of successful cyber incidents against Australian businesses.

The Difference Between an MSP and a Cyber-Mature MSP

The ASD’s questions are designed to separate managed service providers who have genuinely built their own security posture from those who treat it as someone else’s problem. The risk to any client engaging an MSP with weak internal controls is direct and material.

Every question the ASD recommends you ask has a specific, verifiable answer at Evolution Systems: an ISO 27001:2022 certification held for over a decade, a three-tier managed security service model structured around Essential Eight maturity levels, dedicated incident response capability, and a 92% client retention rate across more than 25 years of operating as a trusted managed IT service provider for Australian businesses.

If you are evaluating managed service providers in Australia and want to understand how our managed security services address your organisation’s cyber resilience and cyber maturity requirements, we are ready to have that conversation.

FAQs

What cyber security questions should I ask a managed service provider?

The Australian Signals Directorate recommends asking whether your MSP implements Essential Eight cyber security controls, securely administers its systems with controls like MFA and privileged access management, monitors activity continuously through real-time alerting and threat detection, conducts regular vulnerability assessments, and has a tested incident response capability in place. Each of these questions maps to a specific area of cyber maturity that directly affects your own risk exposure as a client.

Does Evolution Systems comply with the ASD Essential Eight?

Yes. Evolution Systems’ managed security services are structured across three tiers aligned to Essential Eight Maturity Levels 1, 2, and 3. Our company also holds ISO 27001:2022 certification, independently verifying its information security management practices through external audit over more than ten years.

What is a cyber-mature managed service provider?

A cyber-mature MSP is one that applies the same security rigour to its own environment that it recommends for its clients. This includes Essential Eight implementation, continuous monitoring and alerting, regular vulnerability assessments, privileged access management, endpoint protection, and a tested incident response plan with documented policies and procedures.

How does an MSP’s security posture affect my organisation?

MSPs often hold privileged administrative access to client environments. If an MSP’s own systems are compromised, that access becomes a direct attack vector into client infrastructure. This is why the ASD specifically recommends that organisations assess the cyber security maturity of their MSPs before and throughout the engagement.

What managed security services does Evolution Systems offer?

Evolution Systems offers three tiers of managed security services:

  • Cyber Foundations (Essential Eight Level 1 - application control, patching, MFA, hardening, admin privilege restriction, backups)
  • Cyber Advanced (Essential Eight Level 2 - 24/7 monitoring, alerting, automated security event analysis, SIEM)
  • Cyber Enterprise (Essential Eight Level 3 - PAM, CISO-as-a-Service, continuous compliance auditing)

All tiers are supported by Australian-based delivery and are available to businesses of all sizes.
