The Right to Disconnect: What It Means for Your IT and After-Hours Access

The right to disconnect lets employees refuse to monitor, read or respond to work contact outside their working hours unless that refusal is unreasonable. It is Fair Work law, not an IT rule. But the email, Teams and mobile settings your MSP controls are what turn a policy on paper into something that actually holds.

What the right to disconnect actually says

The right to disconnect was added to the Fair Work Act and took effect on 26 August 2024 for medium and larger employers. For small business employers (fewer than 15 employees), it commenced a year later, on 26 August 2025. So as of now, it applies across the board.

The substance is narrow but important. An employee may refuse to monitor, read or respond to contact (or attempted contact) from their employer outside their working hours, unless the refusal is unreasonable. The same applies to contact from a third party — a client, a supplier — if it relates to their work. Whether a refusal is unreasonable depends on factors the legislation spells out: the reason for the contact, how it is made and how disruptive it is, whether the employee is compensated for being available, the employee’s role and level of responsibility, and their personal circumstances including family or caring responsibilities.

Note what it does not say. It is not a ban on after-hours contact. An employer can still send a message at 9pm. What changes is that the employee is generally entitled not to engage with it until they are back on the clock, and they cannot be punished for that. Disputes are meant to be worked out at the workplace first, and if that fails, the Fair Work Commission can deal with them.

This is workplace-relations law, and the genuinely hard questions — what counts as “working hours” for a salaried manager, how an on-call allowance is structured, what your enterprise agreement or award says — are HR and legal questions. Get advice on those. What we deal with as a Melbourne MSP is the layer underneath: the systems that decide whether a notification lands on someone’s phone at all, and whether your roster and monitoring arrangements line up with what you have told staff.

The IT controls that make a policy real

A right to disconnect policy that says “please don’t email after hours” and changes nothing in Microsoft 365 is theatre. Staff still hear the buzz, still feel the pull, and the more conscientious ones still answer. The controls below are the ones that actually shift behaviour, and most of them are already sitting in your tenant waiting to be turned on.

Quiet hours and scheduled send in Outlook and Teams

Microsoft Teams has a built-in quiet hours and quiet days feature in the mobile app, so notifications are silenced outside the hours a user sets. The catch is that it is per-user and opt-in by default — most people never find it. The fix is to make it part of standard onboarding and to actually show people where the setting lives, rather than burying it in a policy PDF.

On the sending side, Outlook’s scheduled send (Delay Delivery) lets a manager who genuinely does their thinking at 10pm queue the email to land at 8am. That one habit removes most of the after-hours pressure without anyone having to ignore anything. We usually pair it with a short signature line on out-of-hours senders — something like “I work flexible hours; I don’t expect a reply outside yours” — which the Fair Work Ombudsman’s own guidance points to as good practice.

If you want notifications properly switched off rather than left to each person, that is configurable through Microsoft 365 administration and device policy. This is part of the day-to-day work in any managed Microsoft 365 environment, and it is the kind of thing worth getting right once across the whole organisation rather than user by user.

Mobile device management and conditional access

The real after-hours leak is the phone. Work email and Teams on a personal mobile means contact follows people into the lounge room. Mobile device management (through Microsoft Intune) and conditional access policies give you proper levers here.

You can enforce app protection so work data stays inside managed apps, and you can use conditional access to shape when and how people connect. For specific roles — not everyone — you can even restrict access to corporate apps to particular hours or locations, so that someone who is genuinely off the roster is not technically able to be pulled back in. Used carefully, this turns a written rule into an enforced boundary. Used clumsily, it locks out the on-call engineer at 2am, so it has to be designed around your actual roster rather than applied with a blunt instrument.

A professional services firm in Hawthorn we work with had the opposite problem to most: their junior staff were answering partner emails at all hours because the Teams app pinged their personal phones and nobody had told them they didn’t have to. The remedy was not a stern memo. It was switching most of the team to managed app access with notifications off outside business hours, leaving a small after-hours group properly resourced, and writing the policy to match what the systems now did.

On-call rosters and the compensation question

The right to disconnect bites hardest where there is no clear on-call arrangement. If you expect certain people to be reachable after hours, that should be a defined roster with an allowance or overtime attached — not a vague cultural expectation that everyone is always on. The legislation explicitly weighs whether the employee is compensated for being available when judging if a refusal is unreasonable.

From the IT side, that means your access controls and notification rules should mirror the roster. The on-call person this week gets the alerts and the access; everyone else doesn’t. We run our own 24/7 NOC out of Tecoma on exactly this model, with a defined roster and the tooling configured so the engineers who are off are genuinely off. The technology and the employment arrangement have to agree with each other, or one of them is lying.

Monitoring, alerts and overtime creep

System monitoring is where this gets subtle. Automated alerts from a server, a backup job or a security tool are not “the employer contacting you” in the Fair Work sense — they are machines. But if a human is expected to act on those alerts after hours, that expectation is exactly what the right to disconnect is about, and it should be rostered and paid like any other on-call duty.

The practical move is to route after-hours monitoring to whoever is actually on call, not to a whole team’s inboxes. Alert fatigue and silent unpaid overtime usually come from the same root cause: everyone gets every alert, so everyone feels vaguely responsible at all hours. Tightening alert routing is both better security operations and a cleaner employment boundary. This is core to how a managed security operations capability should be run regardless of the legislation.

Writing a policy your systems can back up

The order of operations matters. Plenty of businesses write the policy first, then discover their systems don’t support it. Do it the other way around: decide what the systems will enforce, then write a policy that describes that reality.

A workable right to disconnect policy generally covers:

  • Working hours by role — what they are, and who, if anyone, is on a defined after-hours roster.
  • Contact expectations — that staff are not expected to respond outside their hours, and won’t be penalised for not doing so.
  • The genuine exceptions — emergencies, the on-call roster, and how those people are compensated.
  • The tools — quiet hours, scheduled send, managed notifications — and that the business has configured them, not just recommended them.
  • How to raise a concern — the internal process before anything goes near the Fair Work Commission.

The wording and the workplace-relations judgement calls belong with your HR adviser or employment lawyer. The Fair Work Ombudsman publishes plain-English guidance on the right to disconnect that is a sensible starting point for that conversation. Our job is the other half: making sure the tenant settings, device policies and alerting genuinely do what the document claims. When we take on a new client we treat this as part of the broader managed IT baseline, alongside the security and identity controls that touch the same systems.

Frequently asked questions

Does the right to disconnect ban after-hours emails?

No. Employers can still send messages outside working hours. What the law changes is that employees are generally entitled not to monitor or respond to them until they are back at work, and they can’t be disadvantaged for that — unless their refusal is unreasonable in the circumstances. Scheduled send is the easy way to avoid the issue entirely.

Does it apply to my small business?

Yes. The right to disconnect commenced on 26 August 2024 for employers with 15 or more employees and on 26 August 2025 for small business employers under 15 staff. Both dates have now passed, so it applies regardless of size.

Can IT settings actually enforce this?

To a large degree, yes. Quiet hours in Teams, managed-app notifications through Intune, and conditional access policies can stop most after-hours pings reaching staff who aren’t on call. They can’t make legal judgements about what’s reasonable, but they remove the temptation and the pressure that cause the problem in the first place.

What about our on-call engineers and after-hours support?

Genuine on-call work is fine — it just needs to be a defined roster with proper compensation, and your access and alert routing should match it so only the on-call person is pinged. The law specifically considers whether someone is paid for being available when deciding if declining contact is reasonable.

Is this a security or a compliance issue?

It is primarily a workplace-relations issue, so the policy and any disputes are HR and legal territory. But the controls that make it work — identity, device management, conditional access, alert routing — are the same ones that underpin your security posture, which is why it tends to land on the IT plate.

Where TechAssist fits

We’re a Melbourne MSP, founded in 2014, with 13 Australian-employed engineers — no offshore call centre — and we run this kind of configuration work across professional services, construction, manufacturing and healthcare clients every week. The right to disconnect is one of those rules where the legal text is short but the implementation lives entirely in settings most businesses have never opened.

If you want your Microsoft 365 tenant, mobile device policies and after-hours alerting set up so they actually back the policy you’re putting in writing, get in touch. We’ll handle the IT half; pair it with your HR adviser for the rest.

SOC 2 is an independent attestation report, produced under American Institute of Certified Public Accountants (AICPA) standards, that tells your customers an external auditor has examined your security controls. It is not a certification you pass. For Australian SaaS firms selling into the US or to enterprise buyers, it has become the price of entry.

If you build software in Melbourne and your sales pipeline runs through US accounts or large Australian enterprises, you have probably hit a security questionnaire that asks one blunt question: “Do you have a SOC 2 report?” The honest answer for most early-stage Australian SaaS companies is no, and that “no” stalls deals. This post explains what SOC 2 actually is, how it differs from ISO 27001, what the audit involves, and what it realistically costs in time and money.

What SOC 2 actually is

SOC 2 (System and Organization Controls 2) is a reporting framework owned by the AICPA. A licensed CPA firm examines how you manage customer data and issues a report describing your controls and whether they were designed, and in some cases operating, effectively. The deliverable is a report, not a logo or a certificate. You cannot self-certify, and there is no central registry to check against — your customers read the report under NDA.

The report is built around the Trust Services Criteria. There are five of them, and you choose which apply to your business:

  • Security — the only mandatory criterion (often called the “common criteria”). Covers access control, change management, risk assessment, monitoring and incident response.
  • Availability — uptime, performance monitoring, disaster recovery. Relevant if you make uptime commitments in SLAs.
  • Processing Integrity — data is processed completely, accurately and on time. Matters for payments, payroll or anything that transforms data.
  • Confidentiality — protection of information designated as confidential, including encryption and retention controls.
  • Privacy — collection, use, retention and disposal of personal information in line with your privacy notice.

Most SaaS companies scope their first report to Security alone, then add Availability and Confidentiality once customers ask. Privacy is the least commonly included because, for Australian companies, the Privacy Act 1988 and the Australian Privacy Principles already govern that ground — and bolting it onto SOC 2 adds work for limited buyer benefit.

Type I versus Type II

This distinction trips people up, so be clear on it before you commission anything.

AspectSOC 2 Type ISOC 2 Type II
What it testsWhether controls are designed appropriatelyWhether controls operated effectively over time
TimingA single point in timeA monitoring period, typically 3 to 12 months
EvidencePolicies and configurations as they stand on the dateEvidence sampled across the whole window
Buyer confidenceModest — proves intentHigh — proves you actually do it
Typical useA first step to show momentumThe report enterprise buyers actually want

A Type I says “on 30 June, these controls were in place and well designed.” A Type II says “across the six months to 30 June, these controls ran and here is the audit evidence.” Serious buyers want Type II. Many Australian SaaS firms do a Type I first to demonstrate progress to a waiting prospect, then run a Type II over the following six to twelve months. That is a sensible path, but do not expect a Type I alone to clear an enterprise security review.

Why Australian SaaS companies pursue it

The driver is almost always commercial, not regulatory. SOC 2 is not law anywhere — it is a market expectation that crystallised in US procurement and has spread to large Australian buyers running mature vendor risk programmes.

If your product touches a customer’s data and you want to sell to a US fintech, a healthcare platform, or any ASX-listed enterprise, their security team will ask for a SOC 2 Type II report early in the process. Without one you get stuck in a back-and-forth of bespoke questionnaires, and procurement treats you as a higher-risk vendor. The report short-circuits all of that: it answers most of the questionnaire in one document and signals that you take security seriously enough to pay an auditor to check.

A logistics-tech startup in Cremorne we work with hit exactly this wall — a US enterprise prospect wouldn’t progress past security review without a Type II, and the deal was large enough that the audit cost was a rounding error against the contract value. That is the usual shape of it: SOC 2 pays for itself the moment it unlocks one enterprise account.

SOC 2 versus ISO 27001

This is the question every founder asks, and the honest answer is that they overlap heavily but serve different audiences.

SOC 2ISO 27001
OriginAICPA (United States)ISO/IEC (international)
OutputAttestation report from a CPA firmCertificate from an accredited certification body
NatureAuditor’s opinion on your controlsCertification of a management system (ISMS)
Recognised byUS buyers, North American enterpriseEurope, UK, Australia, global enterprise
RenewalReport covers a period; reissued annuallyThree-year cycle with annual surveillance audits
Public proofPrivate report shared under NDAPublic certificate

The control sets behind them are largely the same — access management, change control, risk assessment, vendor management, incident response. The difference is the wrapper. SOC 2 is an auditor describing and testing your controls; ISO 27001 certifies that you run a documented Information Security Management System that continuously improves.

Do you need both?

If your buyers are overwhelmingly North American, SOC 2 alone is usually enough. If you sell into Europe, the UK and Australia, ISO 27001 carries more weight and is the more recognised brand. Plenty of Australian SaaS companies end up doing both because their customer base spans regions — and the marginal effort is smaller than it looks, since one set of controls and one evidence library can support both audits. Build the controls once, attest and certify twice. If you are weighing the options, our cybersecurity services team can map your buyer base to the right framework before you spend a cent on auditors.

The audit process and the role of a security partner

A SOC 2 engagement has two distinct phases, and conflating them is where budgets blow out.

Readiness

Readiness is everything you do before the auditor arrives. You define scope, write or tidy policies, implement the controls, and stand up the tooling that proves they work — multi-factor authentication everywhere, centralised logging, formal access reviews, change management tied to your code pipeline, vendor risk records and an incident response plan you have actually tested. For most Australian SaaS companies this is the real work, and it is where an MSP or security partner earns its fee. The auditor will not help you fix gaps; their job is to observe, not advise.

This is what a security partner does in readiness: run the gap assessment against the Trust Services Criteria, prioritise the controls that matter, deploy the technical guardrails, and set up evidence collection so you are not scrambling at audit time. Much of the Security criterion overlaps with hardening work we already do for clients — the Essential Eight mitigation strategies map cleanly onto SOC 2’s access control, patching and application hardening expectations, so if you are already Essential Eight aligned you are further down the road than you think.

Evidence collection and continuous controls

Type II is won or lost on evidence. The auditor samples across the monitoring period and asks for proof that each control operated every time it should have — access reviews completed each quarter, every code change approved, every alert triaged, every offboarding done within policy. If those records do not exist, the control fails for the period regardless of how good your intentions were.

This is why continuous controls monitoring matters. Compliance automation platforms such as Vanta, Drata or Secureframe connect to your cloud, identity provider and code repositories and collect evidence automatically, flagging drift the moment a control slips. They do not make you compliant — they make the evidence trail survivable. A partner who already runs your SIEM and managed detection stack is well placed to wire these tools into your environment and keep the controls green between audit windows. TechAssist runs a 24/7 NOC out of Tecoma and our engineers are Australian-employed, so the monitoring that underpins your evidence is staffed locally, not handed to an offshore queue.

Realistic timeline and cost

Be wary of anyone promising SOC 2 in a few weeks. Here is the honest shape of it for an Australian SaaS company starting from a reasonable baseline.

  • Readiness: two to four months for an early-stage company with decent foundations; longer if your access controls and logging are immature.
  • Type I report: issued shortly after readiness, reflecting a point in time.
  • Type II monitoring window: three months at minimum, but six to twelve months is what enterprise buyers expect to see.
  • Annual reissue: SOC 2 is not one-and-done. A Type II report covers a stated period, so you run a fresh audit each year to keep a current report on hand.

On cost, the auditor’s fee for a Type II from a reputable CPA firm typically runs into the tens of thousands of dollars (AUD), and that is before tooling and the internal or partner effort to get ready. Compliance automation platforms add an annual subscription. The readiness work — the controls, the policies, the engineering — is usually the larger line item, especially the first time through. Budget for the whole programme, not just the audit invoice, and treat year one as the expensive one.

Frequently asked questions

Is SOC 2 a certification?

No. It is an attestation report issued by a CPA firm under AICPA standards. There is no certificate and no public registry — you receive a report describing your controls and the auditor’s opinion, which you share with customers under NDA. Calling it a “certification” is common shorthand, but technically wrong.

Should an Australian company do SOC 2 or ISO 27001?

It depends on who buys from you. North American buyers expect SOC 2; European, UK and Australian buyers lean on ISO 27001. If your customer base spans both, doing both is common and the underlying controls are largely shared, so the second framework costs far less effort than the first.

Does SOC 2 satisfy Australian privacy law?

Not on its own. The Privacy Act 1988 and the Australian Privacy Principles still apply to your handling of personal information regardless of any SOC 2 report. SOC 2 can include a Privacy criterion, but it is a US framework — it is not a substitute for meeting your obligations under Australian law.

Can an MSP get us SOC 2 ready?

A security partner can run the gap assessment, implement and harden the controls, stand up evidence collection and keep controls monitored continuously between audits. The CPA auditor must remain independent, so the same firm cannot both prepare you and issue the report — but the readiness work is exactly where an MSP adds value.

Where TechAssist fits

We are a Melbourne MSP, founded in 2014, with thirteen Australian-employed engineers. We do not issue SOC 2 reports — that is the auditor’s job, and it has to stay independent — but we do the readiness and the continuous controls work that gets you there and keeps you there. That means hardening your Microsoft 365 and cloud environment, standing up logging and detection, wiring in compliance automation, and making sure the evidence trail your auditor samples actually exists every time. If a SOC 2 report is gating your next enterprise deal, get in touch and we will map the gap before you commit to an audit timeline.

If your business gets hit by a data breach that’s likely to seriously harm the people whose data you hold, the law gives you a tight window: assess it fast, then notify the regulator and the affected individuals as soon as practicable. Get the timing wrong and the penalties now run into the millions.

That’s the short version of the notifiable data breaches scheme, and it catches far more Melbourne SMEs than most directors realise. Here’s what it actually requires, who it covers, and the incident-handling steps you should have ready before anything goes wrong.

What the NDB scheme actually is

The notifiable data breaches scheme sits under Part IIIC of the Privacy Act 1988 (Cth) and has been in force since February 2018. It’s administered by the Office of the Australian Information Commissioner (OAIC). The core obligation is simple to state and harder to live by: if you experience an eligible data breach, you must notify both the OAIC and every affected individual.

It isn’t a “tell us if you feel like it” arrangement. Notification is mandatory once the threshold is met, and the clock starts the moment you have reason to suspect something has gone wrong. The scheme exists so people can take protective steps — change passwords, watch their bank accounts, put a credit ban in place — before stolen data is used against them.

Who the Privacy Act covers

The Act applies to “APP entities” — organisations bound by the Australian Privacy Principles. The headline test is annual turnover. If your business turns over more than $3 million a year, you’re almost certainly covered. Plenty of directors stop reading there and assume they’re exempt. That’s a mistake, because the exceptions sweep in a lot of smaller operators.

You’re covered regardless of turnover if you:

  • Are a health service provider that holds health information — this includes GPs, allied health, dentists, physios, psychologists and pharmacies, no matter how small the practice.
  • Trade in personal information (buying or selling it).
  • Are a credit reporting body or provide credit.
  • Are a contractor delivering services under a Commonwealth contract.
  • Are a tax file number recipient (most employers handle TFNs).

A three-chair dental practice in Camberwell with $1.2 million turnover is covered because it holds health information. A logistics broker handling TFNs and credit checks gets pulled in through those activities. The $3 million line is a floor for ordinary businesses, not a free pass for everyone under it. If you handle health data specifically, our write-up on healthcare IT support and OAIC obligations goes deeper on the sector rules.

What counts as an “eligible data breach”

Not every lost laptop or misdirected email triggers notification. An eligible data breach has three ingredients:

  1. There’s unauthorised access to, or unauthorised disclosure of, personal information you hold — or that information is lost in circumstances where unauthorised access or disclosure is likely.
  2. A reasonable person would conclude the breach is likely to result in serious harm to one or more affected individuals.
  3. You haven’t been able to prevent that likely serious harm through remedial action.

That third point matters. If you act quickly enough that serious harm is no longer likely — say, you remotely wipe a stolen, encrypted laptop before anyone could read it — the breach may not be notifiable at all. Remediation is a genuine off-ramp, but only if it’s fast and effective.

The “serious harm” test

“Likely to result in serious harm” is the pivot the whole scheme turns on, and there’s no fixed checklist. The OAIC asks you to weigh factors including the kind of information involved (health records and financial details rank high; a publicly listed business name does not), its sensitivity, whether it was encrypted or otherwise protected, who is now likely to have it, and what they could do with it.

Serious harm can be physical, psychological, emotional, financial or reputational. A breach exposing identity documents and bank details is far more likely to clear the bar than one exposing a marketing mailing list. The judgement is yours to make, but you have to be able to defend it — the OAIC can and does ask to see your reasoning.

The timeframes you have to hit

This is where SMEs get caught out, so be precise about the two clocks.

The assessment clock. If you only suspect an eligible data breach has occurred — you’re not yet sure it clears the serious-harm threshold — you must carry out a reasonable and expeditious assessment. The word “expeditious” means you start straight away, not when it’s convenient. The Act sets an outer limit of 30 calendar days from when you became aware of the grounds for suspicion. Thirty days is a ceiling, not a target. If you can resolve it in three, do it in three.

The notification clock. Once you’ve decided you have an eligible data breach, you must notify the OAIC and affected individuals as soon as practicable. There’s no fixed day count here — “as soon as practicable” is judged on your circumstances — but it is not weeks of internal deliberation. You prepare a statement, lodge it with the Commissioner through the OAIC’s online form, and notify individuals by whatever method you normally use to contact them.

People often talk about a “72-hour rule” for data breaches. That figure comes from the EU’s GDPR, not the Australian Privacy Act. Australia’s standard is the “as soon as practicable” test, with the 30-day assessment ceiling sitting behind it. Treating 72 hours as your internal working deadline is sensible discipline — just don’t mistake it for the letter of Australian law.

The 2024 reforms and the new penalty regime

The penalties for getting this wrong are no longer trivial. Reforms that began with the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 and continued through the Privacy and Other Legislation Amendment Act 2024 sharpened the OAIC’s teeth considerably.

For serious or repeated interferences with privacy, the maximum penalty for a body corporate is now the greater of $50 million, three times the value of any benefit obtained from the misuse of information, or 30 per cent of the entity’s adjusted turnover for the relevant period. That’s a dramatic jump from the old cap and it’s aimed squarely at organisations that treat privacy as optional.

The 2024 reforms also introduced a statutory tort for serious invasions of privacy, gave the Commissioner new mid-tier and low-tier civil penalty powers for less severe contraventions, and added powers to issue infringement notices. The practical effect for an SME: there is now a graduated enforcement ladder, so even a moderate compliance failure can attract a penalty rather than just a stern letter. Australia’s privacy framework is being progressively tightened, and the direction of travel is more obligations, not fewer.

What an SME should have ready before a breach

The businesses that handle a breach well aren’t the ones that read the Privacy Act after the fact — they’re the ones who decided in advance who does what. A data breach response plan doesn’t need to be a 40-page document. It needs to answer a handful of questions before the pressure is on.

ElementWhat good looks like
Response leadOne named person who owns the assessment and can convene the team within the hour.
DetectionLogging and alerting that actually tells you when data is accessed or exfiltrated — not a customer phoning to ask why their details are on a forum.
Assessment templateA repeatable way to record what was breached, who’s affected, and your serious-harm reasoning, dated and saved.
Containment runbookSteps to isolate systems, revoke credentials and preserve evidence without destroying it.
Notification draftsPre-drafted OAIC statement and individual notice you only have to fill in, not write from scratch at 11pm.
Contact listOAIC, your insurer, your lawyer, your MSP and the ACSC’s ReportCyber — current numbers, not guesswork.

A construction firm in Box Hill we work with discovered a compromised mailbox after a finance staffer’s credentials were phished. Because the logging was already in place, we could see exactly which messages and attachments the attacker had opened, scope the affected individuals within a day, and confirm that the exposed data did clear the serious-harm threshold. The notification went out fast and clean — not because they panicked well, but because the plan already existed. That kind of visibility is exactly what our cybersecurity services and managed detection and response are built to deliver.

Where most breaches actually start

In practice, the overwhelming majority of breaches we see trace back to compromised credentials and email — phishing, business email compromise, reused passwords. The single highest-value control for an SME is strong identity protection: multi-factor authentication everywhere, conditional access on Microsoft 365, and monitoring that flags anomalous sign-ins. Tightening identity is cheaper than any post-breach notification exercise, and it’s the foundation the Essential Eight is built on.

How TechAssist helps

TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk. Our 24/7 NOC operates out of Tecoma in the eastern suburbs, with a second office in the Melbourne CBD at 575 Bourke Street. When a breach is unfolding, response time is everything: we target sub-15-minute response on critical incidents, which is the difference between containing a compromise and explaining it to the OAIC.

The realistic goal isn’t never having an incident — it’s detecting fast, containing faster, and being able to make a defensible serious-harm decision inside your timeframes. If you’re not confident you could do that today, that’s the gap worth closing. Have a look at our broader managed IT services, or get in touch and we’ll pressure-test your breach readiness before something forces the issue.

Frequently asked questions

Does the NDB scheme apply to my business if I turn over under $3 million?

Possibly. The $3 million turnover threshold is the general rule, but exceptions bring in any size of business that provides health services, handles credit information, trades in personal information, or operates under a Commonwealth contract. Most healthcare providers are covered regardless of turnover.

Is there really a 72-hour deadline to report a data breach in Australia?

No — the 72-hour figure is a GDPR (European) rule. Under the Australian Privacy Act you must notify the OAIC and affected individuals “as soon as practicable” after deciding you have an eligible data breach, and you have up to 30 days to assess a suspected breach. Acting within 72 hours is good practice, not the legal test.

What if I fix the breach quickly — do I still have to notify?

Not necessarily. If you take remedial action fast enough that serious harm is no longer likely, the breach may not be “eligible” and notification isn’t required. The catch is that the remediation has to genuinely remove the risk, and you need to document why it did.

Who do I actually notify, and how?

You notify the OAIC by lodging a statement through its online Notifiable Data Breach form, and you notify affected individuals directly using your usual contact method. If you can’t reasonably contact individuals one by one, you publish the statement and take steps to publicise it.

What happens if I don’t comply?

Failing to comply is an interference with privacy and can attract enforcement by the OAIC. Following the 2024 reforms, penalties for serious or repeated breaches reach the greater of $50 million, three times any benefit gained, or 30 per cent of adjusted turnover — alongside new mid- and low-tier penalty powers for lesser failures.

If your business stores, processes or transmits card payment data, PCI DSS compliance applies to you. It’s the security standard the card brands enforce on every merchant that touches cardholder data. The good news for most Australian SMEs: with the right payment setup, your obligations are smaller than you’d think.

What PCI DSS actually is

PCI DSS stands for the Payment Card Industry Data Security Standard. It’s not Australian law or a government regulation. It’s a contractual standard maintained by the PCI Security Standards Council, owned by the major card brands: Visa, Mastercard, American Express, Discover and JCB. When you signed your merchant agreement, you agreed to comply with it.

The current version is PCI DSS 4.0.1, a minor revision of version 4.0. The old v3.2.1 standard was retired in March 2024, and the future-dated v4 requirements that were optional during the transition became mandatory from 31 March 2025. So if you ticked “best practice, not yet required” against those controls at your last assessment, that grace period is over. The v4 requirements push harder on multi-factor authentication for all access into the cardholder environment, tighter password rules, anti-phishing controls and scripts on payment pages.

Who has to comply

The rule is blunt: any business that stores, processes or transmits cardholder data must comply, whether you take ten transactions a year or ten thousand. A florist in Camberwell on an EFTPOS terminal is in scope, just as a national retailer is. The standard scales, but never switches off.

Cardholder data means the primary account number (the long number on the front of the card) plus cardholder name and expiry date. A stricter category, sensitive authentication data, covers the full magnetic stripe, the CVV/CVC code and the PIN. That must never be stored after a transaction is authorised, full stop. A surprising number of Australian SMEs breach this by keeping card details in an email, spreadsheet or CRM note.

The four merchant levels

Merchants are sorted into four levels by annual card transaction volume. The level decides how you validate, from a heavyweight external audit at the top to a self-assessment at the bottom. The Visa and Mastercard tiers below are the ones almost everyone uses.

LevelAnnual transaction volume (per card brand)How you typically validate
Level 1Over 6 million transactionsAnnual on-site audit by a Qualified Security Assessor (QSA), plus quarterly network scans
Level 21 million to 6 millionAnnual Self-Assessment Questionnaire (SAQ), often QSA-reviewed, plus quarterly scans
Level 320,000 to 1 million (e-commerce)Annual SAQ plus quarterly scans
Level 4Under 20,000 e-commerce, or up to 1 million totalAnnual SAQ; scans where applicable

The overwhelming majority of Melbourne SMEs are Level 4: no auditor turns up at your door. You validate by completing the correct Self-Assessment Questionnaire and, depending on your setup, running quarterly external vulnerability scans through an Approved Scanning Vendor.

Self-Assessment Questionnaires in plain English

The SAQ is a checklist you fill in to attest that you meet the relevant controls. There are several types, and using the wrong one means answering hundreds of irrelevant questions or, worse, under-scoping your risk.

  • SAQ A — for merchants who have fully outsourced all cardholder data handling to a compliant third party and never see the card number: the e-commerce shop that redirects customers to Stripe, Square or a hosted payment page. The shortest questionnaire, and where you want to be.
  • SAQ A-EP — for e-commerce merchants whose site doesn’t receive card data directly but controls how the payment page is delivered, for example loading the payment fields via JavaScript from a provider. Your site can affect transaction security, so you carry more responsibility.
  • SAQ B — for merchants using standalone dial-out or IP EFTPOS terminals, or imprint machines, with no electronic card data storage. Common for cafes, trades and small retail.
  • SAQ C — for merchants with an internet-connected payment application, where card data is processed through your own network but not stored. More controls apply because your environment is exposed.
  • SAQ D — the full questionnaire, for everyone who doesn’t fit the simpler categories, including any merchant that stores cardholder data. It covers all applicable requirements and is the most demanding.

The practical goal is to engineer your way down to SAQ A or SAQ B. The further down you sit, the fewer controls you have to build, evidence and maintain.

How compliant providers and tokenisation shrink your scope

“Scope” is the most important word in PCI DSS. It covers every system, person and process that touches cardholder data, or connects to systems that do. So the smartest strategy isn’t building more controls, it’s keeping card data out of your environment entirely.

Two levers do most of the work. The first is a compliant payment provider. If you take payments through a PCI-certified gateway like Stripe, Square, Tyro or Eway, and your systems never see the raw card number, you’ve handed the hardest parts of the standard to a provider built to meet them. That’s the gap between a 20-question SAQ A and a 300-question SAQ D.

The second lever is tokenisation. Instead of storing a customer’s card number for repeat billing, the provider stores it and hands you back a meaningless token. You charge the card by sending the token, never the real number. Because the token is worthless to an attacker, the systems holding it generally fall out of scope. For any business doing subscriptions, retainers or saved-card checkouts, it’s the cleanest way to keep recurring payments running.

Where Australian SMEs trip up

We see the same handful of mistakes again and again across Melbourne, and nearly all are avoidable.

  • Storing card details in email, spreadsheets or CRM notes. A customer phones through a card number and a staff member jots it into an Outlook draft “to process later”. That single act pulls your mail platform and CRM into scope and often breaches the rule against storing the CVV.
  • Assuming the payment provider’s compliance covers you. Stripe being compliant doesn’t make you compliant; you still complete your own SAQ. Outsourcing reduces your obligations; it doesn’t delete them.
  • Treating it as a once-a-year form. PCI DSS 4.0.1 expects controls to operate continuously, not just on assessment day.
  • Conflating it with the Privacy Act. Your obligations to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme are separate. A card data breach can trigger both; meeting one doesn’t satisfy the other.

A professional services firm in Hawthorn we work with had been emailing client card numbers internally for years to process annual retainer invoices. We moved them to tokenised, saved-card billing through their gateway and wiped the historical card data out of their mail and accounting systems, dropping them from SAQ D to a short SAQ A.

How an MSP handles the technical side

For businesses that can’t fully outsource card handling, real engineering work is involved, and that’s where an MSP earns its keep.

Network segmentation

The fastest way to cut scope where card data does flow is segmentation: isolating the cardholder data environment from the rest of your network with firewalls and VLANs, so a compromise of the office Wi-Fi can’t reach the payment systems. Done correctly, it takes dozens of machines out of scope. Done badly, your entire flat network is in scope. This is core to our cybersecurity services and overlaps with the controls we deploy under our Essential Eight compliance work.

Logging and monitoring

Version 4 is strict about logging. You need to capture access to cardholder systems, retain those logs, and actually review them, not just generate them. For most SMEs that means feeding logs into a SIEM with alerting, which is what our security operations team runs. When a bank or assessor asks for six months of access logs, having them already searchable is the difference between a quick answer and a panic.

The everyday technical controls

The rest is the disciplined IT hygiene that underpins the whole standard: MFA on every account that can reach the cardholder environment, prompt patching, hardened firewall rules, anti-malware, encrypted transmission of card data and tightly controlled access. None of it is glamorous; all of it is the work, and the controls slip the moment no one owns them. As a Melbourne managed IT services provider founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma, TechAssist keeps them running year-round, not just at audit time.

Frequently asked questions

Is PCI DSS a legal requirement in Australia?

Not directly. There’s no Australian statute that says “thou shalt be PCI compliant”. It’s a contractual obligation you accepted in your merchant agreement. Non-compliance can mean fines passed on by your acquirer, higher transaction fees, or in serious cases losing the ability to take card payments. A breach can also trigger separate obligations under the OAIC’s Notifiable Data Breaches scheme.

We only take payments through Square. Are we still in scope?

Yes, but your scope is small. If card data never lands in your own systems, you’ll typically complete the short SAQ A and confirm you don’t store card details anywhere. The risk is staff quietly creating shadow records, a card number in an email or spreadsheet, which drags other systems back into scope.

How often do we have to validate, and what’s the easiest way to stay compliant?

Validation is annual for most merchants: you complete the relevant SAQ each year, plus quarterly external vulnerability scans through an Approved Scanning Vendor if your setup requires them. The underlying controls are expected to operate year-round under PCI DSS 4.0.1. The single biggest thing you can do to make it easier is get card data out of your environment, using a compliant gateway and tokenisation so you never handle the raw card number.

Getting it sorted

For most Melbourne SMEs, PCI DSS compliance is far more achievable than the standard’s bulk suggests, provided you keep card data out of your hands and lock down whatever’s left. If you’re not sure which SAQ applies, or you suspect card numbers are lurking in your email and CRM, that’s worth fixing before an incident forces the issue. Get in touch with our team and we’ll map your scope and the controls you need.

SMB1001 is an Australian-developed cyber security certification standard built specifically for small and medium businesses. It uses five ascending tiers — Bronze, Silver, Gold, Platinum and Diamond — so a business can prove it has sensible controls in place without the cost and overhead of an enterprise framework like ISO 27001.

If you have heard it referred to as “Cyber Certification” or under the Dynamic Standards branding, that is the same lineage. SMB1001 is the named standard that sits behind those schemes. For a Melbourne SME being asked by a larger customer or insurer to “prove your security,” it is increasingly the answer that gets accepted — and it is far more achievable than people assume.

What SMB1001 actually is

SMB1001 is a tiered, multi-level cyber security standard aimed squarely at the businesses that the bigger frameworks were never written for: the 5-person bookkeeping firm, the 30-person fabrication shop, the family logistics operation running three trucks and a back office. These businesses still hold client data, still process payments, still get phished — but they do not have a CISO, a security budget, or the appetite to spend six months and tens of thousands of dollars on an ISO audit.

The standard’s strength is that it is designed to be self-assessed at the lower tiers and independently certified at the higher ones. You do not need to boil the ocean. You pick a tier that matches your size, risk and what your customers are demanding, implement the controls, and certify against it. As your obligations grow, you climb.

It is genuinely useful, and it is genuinely not a silver bullet. A certificate on the wall does not stop a determined attacker, and the lower tiers in particular set a floor, not a ceiling. Treated as a starting point and a discipline rather than a finish line, though, it does real work.

The five tiers, and roughly what each requires

The whole point of the tiered model is that the requirements scale with the business. Bronze is a sensible baseline that almost any micro-business can reach; Diamond approaches the kind of maturity you would expect from an organisation handling sensitive data at scale. Here is the broad shape of it.

TierWho it suitsRoughly what it asks for
BronzeMicro-businesses and sole traders new to cyberFoundational hygiene: multi-factor authentication, backups, patching/updates, basic staff awareness, antivirus. Self-assessed.
SilverSmall businesses wanting to show baseline diligenceEverything in Bronze plus tighter controls — documented processes, account management, a basic incident response approach. Self-assessed.
GoldGrowing SMEs, or those being asked for proof by customersMore formalised governance, access control, logging and a written security policy. Independent certification typically required.
PlatinumEstablished businesses with real compliance exposureStronger technical and procedural controls, risk management, supplier and data handling requirements, independently certified.
DiamondSMEs handling sensitive data or operating in higher-risk supply chainsThe most comprehensive set — closer to a small-scale information security management system, independently certified and reviewed.

The exact control list at each tier is defined by the standard itself and is refreshed periodically, which is part of the “dynamic” idea — the requirements move as the threat picture moves, so a Bronze in 2026 is not the Bronze of several years ago. Treat the table above as the shape, not the letter of the law. When we scope this for a client we work from the current published control set, not memory.

Who SMB1001 suits

The honest answer is most Australian SMEs that have never certified against anything. If you have been muddling along with decent-enough IT, an MSP keeping the lights on, and a vague sense that you “should do something about cyber,” SMB1001 gives you a structured, affordable way to start — and a credential at the end that means something to the people asking.

It fits particularly well for businesses in supply chains. A construction subcontractor in Box Hill bidding for work with a tier-one builder, a manufacturer supplying a listed company, a professional services firm acting for larger corporate clients — all of these are increasingly being asked, in tender documents and vendor onboarding forms, to demonstrate a baseline of security. SMB1001 is built to answer that question proportionately. We see it most across the construction, manufacturing and professional services clients we work with.

How it differs from — and complements — the Essential Eight and ISO 27001

This is where a lot of business owners get confused, so it is worth being precise. The Essential Eight, ISO 27001 and SMB1001 are three different things that overlap rather than compete.

The Essential Eight is a set of eight technical mitigation strategies published by the Australian Cyber Security Centre (ACSC). It is a controls framework, not a certification scheme — there is no certificate you receive at the end, only maturity levels you self-assess or have assessed against. It is excellent at telling you what to harden (application control, patching, MFA, restricting macros and so on) but it does not, by itself, give you a credential to wave at a customer. We cover this in detail in our guide to Essential Eight compliance for Melbourne businesses.

ISO 27001 sits at the other end. It is an international standard for a full information security management system (ISMS) — risk-driven, documentation-heavy, externally audited annually, and respected globally. It is the right answer for businesses that need international credibility or are contractually required to hold it. It is also a serious undertaking in time and cost, which is exactly why it is overkill for a 15-person business that simply needs to prove it is not negligent.

SMB1001 lands in the gap between them. It borrows the practical, control-based spirit of the Essential Eight, packages it into a certifiable, tiered credential like ISO 27001 offers, and scales it down to SME reality. The tiers map sensibly onto the others: the lower tiers cover much of the same ground as the Essential Eight’s foundational maturity, while the upper tiers start to resemble a lightweight ISMS. None of them cancels the others out.

SMB1001Essential EightISO 27001
TypeTiered certification standardTechnical controls frameworkFull ISMS certification
OriginAustralian, SME-focusedAustralian (ACSC)International (ISO/IEC)
Gives you a certificateYes (independently at higher tiers)No — maturity levels onlyYes — externally audited
EffortLow to moderateLow to high by maturityHigh
Best forSMEs needing proof, proportionateAny business hardening its techLarger or globally-facing firms

In practice we often run them together. We will harden a client against the Essential Eight because the controls are sound, then certify the business under SMB1001 because that is the thing a customer or insurer actually recognises. The work overlaps heavily, so doing both is far less than twice the effort.

Why customers and primes are asking for it

Three forces are driving the demand. First, supply-chain security has become a procurement issue — larger organisations have woken up to the fact that their weakest link is often a small supplier with the keys to their data, so they are pushing security requirements down the chain. Second, cyber insurers have tightened underwriting and want evidence of basic controls before they will quote, let alone pay a claim. Third, regulators expect more: under the Privacy Act and the OAIC’s Notifiable Data Breaches scheme, a business that suffers a breach has to be able to show it took reasonable steps, and “we had nothing in place” is not a defensible position.

SMB1001 gives an SME a clean, recognised way to satisfy all three at once. It is a credential a prime contractor’s procurement team will accept, a data point an insurer’s underwriter understands, and evidence of diligence if the worst happens. That is why it is showing up in tender packs and vendor questionnaires far more often than it did two years ago. If cyber insurance is part of your thinking, our cyber insurance guide for Australian SMEs covers how these pieces fit together.

The certification path, effort and cost

The route through SMB1001 is deliberately straightforward. You scope which tier you need — driven by your size, your risk and, frankly, whatever your biggest customer is demanding. You implement the controls for that tier. At Bronze and Silver you self-assess and attest; at Gold and above you engage an authorised assessor for independent certification. Certification is then maintained and renewed periodically rather than being a one-off.

On effort: for a business with reasonable IT already in place, Bronze or Silver can be a matter of tidying up MFA, backups, patching and staff awareness, then documenting it — weeks, not months. Gold and above take longer because the governance and evidence requirements are real, and because independent assessment means you actually have to demonstrate the controls, not just claim them. Where there is groundwork to do — and there usually is — the gap is the controls, not the paperwork.

On cost: SMB1001 is markedly cheaper than ISO 27001, which is the whole point. The certification fees scale with the tier, and the larger expense for most businesses is the remediation work to actually meet the controls rather than the certification itself. As a rough guide, the lower tiers are a modest annual outlay; the upper tiers cost more but remain a fraction of an ISO programme. Figures move, so we scope it per-business rather than quoting a number that ages badly.

A heads-up worth giving plainly: the certificate is the easy bit. The controls are what protect you, and they only protect you if they are maintained — MFA stays enforced, backups keep being tested, patches keep landing, leavers keep getting offboarded. A business that certifies and then lets it all drift has a piece of paper and a false sense of security. That ongoing discipline is exactly what a managed arrangement is for.

How TechAssist approaches it

We are a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk. We are Essential Eight aligned and ISO 27001 capable, which means the controls underneath SMB1001 are bread and butter for us. When a client comes to us holding a tender that demands certification, we scope the right tier, close the control gaps, and get them through assessment — then keep the controls live afterwards under fixed per-user monthly pricing so they do not quietly rot.

A recent example of the pattern: a transport and logistics operator in Dandenong we work with was told by a national client that ongoing work depended on demonstrating a baseline of cyber controls. They had no certification and a tender deadline. We mapped their environment, lifted the gaps — MFA across Microsoft 365, tested backups, patching discipline, basic staff training — and put them in a position to certify at a sensible tier without blowing the budget. The work doubled as genuine risk reduction, not box-ticking. Our cyber security services are built around exactly this kind of proportionate, evidence-backed uplift.

Frequently asked questions

Is SMB1001 mandatory in Australia?

No. SMB1001 is a voluntary certification standard. There is no law requiring you to hold it. The pressure to certify is commercial — customers, primes and insurers asking for proof of security — rather than legal. That said, demonstrating reasonable security steps does help your position under the Privacy Act and the OAIC’s breach-notification obligations.

Which SMB1001 tier should we aim for?

Start from what is driving the decision. If a specific customer or tender names a tier, that is your target. If you are certifying proactively, Bronze or Silver is a sensible entry point for most small businesses, with Gold and above reserved for those handling sensitive data or facing stronger contractual demands. We scope this per-business rather than guessing.

Does SMB1001 replace the Essential Eight or ISO 27001?

No — they complement each other. The Essential Eight tells you which technical controls to harden, SMB1001 gives you a recognised certificate proving you have a sensible baseline, and ISO 27001 is the heavyweight option for businesses needing international-grade assurance. Many SMEs run the Essential Eight controls underneath an SMB1001 certification.

How long does it take to get certified?

For a business with reasonable IT already in place, the lower tiers can be achieved in weeks once the remediation is done. Higher tiers take longer because of the governance and independent assessment involved. The timeline is driven mostly by how much control gap there is to close, not by the certification paperwork.

Where to start

If a customer, prime contractor or insurer has put SMB1001 in front of you — or you simply want a structured, affordable way to prove your business takes security seriously — the first step is an honest look at where your controls actually stand. We will tell you which tier is realistic, what it takes to get there, and whether the bigger frameworks are worth it for you. Get in touch and we will scope it properly.

The SOCI Act directly captures owners and operators of designated critical infrastructure assets across 11 sectors. Most small and mid-sized Melbourne businesses are not caught. But if you supply, manage IT for, or sit in the supply chain of one of these entities, its obligations can land on your desk regardless.

That gap — between “the law doesn’t name me” and “I’m still on the hook” — is where most of the confusion sits. Here is who is actually captured, what they have to do, and how to tell whether any of it touches your business.

What the SOCI Act actually is

The Security of Critical Infrastructure Act 2018 (Cth) is Commonwealth legislation administered by the Department of Home Affairs through the Cyber and Infrastructure Security Centre (CISC). When it first passed it covered four sectors and did little more than require an asset register for electricity, gas, water and ports.

Two rounds of amendments changed that dramatically. The Security Legislation Amendment (Critical Infrastructure) Act 2021 expanded the sectors and introduced mandatory cyber incident reporting and government assistance powers. The 2022 Act, shortened to SLACIP, added the Risk Management Program obligation and enhanced duties for “systems of national significance”.

So the SOCI Act today means the 2018 Act as amended by those packages — the expanded version that now reaches businesses that never thought of themselves as critical infrastructure.

The 11 critical infrastructure sectors

The amended Act defines 11 sectors. If your organisation owns or operates an asset inside one of these, you are potentially in scope.

  • Communications
  • Financial services and markets
  • Data storage or processing
  • Defence industry
  • Higher education and research
  • Energy
  • Food and grocery
  • Health care and medical
  • Space technology
  • Transport
  • Water and sewerage

Being in a sector is not the same as being captured. The Act bites on specific critical infrastructure assets defined by rules and thresholds within each sector. A small clinic in Camberwell sits within “health care and medical”, but the obligations attach to large hospitals and designated systems, not every GP practice. The sector tells you to keep reading; the asset thresholds tell you whether you are actually in.

The three core obligations

For captured entities, the Act imposes a tiered set of duties. Three are worth understanding in plain terms.

The asset register

Responsible entities must provide ownership and operational information about their assets to the Register of Critical Infrastructure Assets, held by the CISC: who controls the asset, who has access, and where interest or control sits offshore. The register is not public. It exists so government has visibility of who runs the country’s important infrastructure.

The Risk Management Program

This is the heart of the SLACIP amendments. Captured entities must adopt, maintain and comply with a Critical Infrastructure Risk Management Program (CIRMP) that identifies and manages hazards across four domains: cyber and information security, personnel, supply chain, and physical and natural hazards. Boards must approve it, and entities submit an annual report confirming the program is current and signed off at board level.

For the cyber domain, the rules point entities towards a recognised framework such as the Essential Eight maturity model or an equivalent standard like ISO 27001. This is where security posture stops being a nice-to-have and becomes a documented, board-signed legal obligation.

Mandatory cyber incident reporting

Captured entities must report cyber security incidents to the Australian Signals Directorate (ASD), in practice through the Australian Cyber Security Centre and coordinated with the CISC. There are two clocks, and the difference matters:

Incident typeReporting deadlineMethod
Critical incident — significant impact on availability of an essential serviceWithin 12 hours of becoming awareVerbal report acceptable, written follow-up
Other incident — relevant impact on the assetWithin 72 hours of becoming awareVerbal or written report

Twelve hours is a brutal window if you have not planned for it. A captured entity needs an incident response process that can detect, triage and report inside half a day — overnight, on a weekend, during a holiday. That is operational maturity, not a policy in a drawer, which is why our managed detection and response work exists.

Be honest: most Melbourne SMEs are not directly captured

This gets glossed over by anyone trying to sell you compliance product. The vast majority of small and mid-sized businesses in Melbourne are not responsible entities under the SOCI Act. A 25-person law firm in the CBD, a manufacturer in Dandenong, a logistics operator in Footscray — these are not critical infrastructure assets, and the asset register, CIRMP and 12-hour reporting clock do not apply to them directly.

The obligations are deliberately aimed at scale and national consequence: major energy networks, large hospitals, designated data centres, financial market operators, telecommunications carriers, significant ports and rail. If a cyber attack on you would disrupt an essential service for a meaningful slice of the population, you are the target of this law. If it would mostly hurt you and your customers, you almost certainly are not directly captured. Anyone telling a 30-person SME it must file a Risk Management Program because of the SOCI Act is either confused or selling something.

Why it still matters to SMEs: the supply chain flow-down

Direct capture is not the only way SOCI obligations reach you. The Risk Management Program explicitly requires captured entities to manage supply chain hazards — a legal duty to assess and control the security risk posed by their vendors, contractors and IT providers.

So the obligation flows downhill through contracts. A captured hospital cannot meet its CIRMP duty unless it can demonstrate its suppliers are secure, so it pushes security requirements into procurement and supplier agreements. If you sell software, provide IT support, host data, supply equipment or deliver professional services to a captured entity, you will increasingly be asked to prove your security posture as a condition of doing business.

We see this constantly. A professional services firm in Hawthorn that works for a captured energy operator suddenly receives a security questionnaire demanding evidence of multi-factor authentication, patching cadence, access controls and an incident response plan — Essential Eight territory. The firm is not captured by the SOCI Act, but its client is, and the client’s obligation has become the firm’s commercial reality.

This is the honest reason SMEs should care. Not because the regulator is coming for you, but because your captured customers are. Losing a contract because you cannot answer a supplier security assessment is a far more immediate risk than any enforcement action. Aligning to the Essential Eight is the most efficient way to be ready, and it is the same framework the captured entities are pointed to.

How do I know if any of this applies to me?

A practical test, in order:

  1. Are you in one of the 11 sectors? If not, the SOCI Act does not directly apply, though you may still face flow-down obligations if you supply someone who is.
  2. Do you own or operate a defined critical infrastructure asset? Each sector has thresholds — capacity, customer numbers, designation by the Minister. Most SMEs fall well under them. The CISC publishes the authoritative guidance on which assets are caught.
  3. Have you been notified? Responsible entities are generally aware they are captured; the framework is not a hidden trap. If no regulator or rule has identified you as one, you very likely are not.
  4. Do your contracts impose security obligations? This is the one that catches SMEs. Read your supplier agreements and any new security schedules from larger clients — that is where SOCI reaches you in practice.

If you are genuinely unsure whether you are captured, that is a legal question worth getting right. Where we add value is the technical side: building the controls and evidence that either satisfy a direct CIRMP obligation or answer the supplier assessments flowing down from your captured clients. Our virtual CIO engagements often start here — turning a vague “our client wants us to be secure” into a concrete, costed plan.

What TechAssist does about it

We are a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. That on-shore, around-the-clock capability matters here, because the 12-hour reporting clock does not respect business hours. For captured entities, we build the cyber domain of a Risk Management Program: Essential Eight uplift, documented controls, monitoring, and an incident response process that can actually meet a 12-hour deadline. For the far larger group of SMEs facing flow-down pressure, we get your posture to where supplier questionnaires become a formality rather than a fire drill. Either way it is real engineering, not a compliance binder, and it sits inside our standard cybersecurity services.

Frequently asked questions

Does the SOCI Act apply to small businesses?

Almost never directly. The Act captures owners and operators of defined critical infrastructure assets, which are large-scale and nationally significant. A typical Melbourne SME is not a responsible entity. The real exposure is indirect — security obligations flowing down through contracts from captured customers.

What are the SOCI Act reporting timeframes?

Captured entities must report a critical cyber incident with significant impact within 12 hours of becoming aware, and an incident with relevant impact within 72 hours. Reports go to the Australian Signals Directorate via the Australian Cyber Security Centre.

What is a Risk Management Program under the SOCI Act?

The CIRMP, introduced by the 2022 SLACIP amendments, requires captured entities to identify and manage hazards across cyber, personnel, supply chain and physical domains, have the board approve it, and report annually that it is current.

I supply a captured entity. What will they ask me for?

Typically evidence of multi-factor authentication, patching, access controls, backup and recovery, logging, and an incident response plan — broadly the Essential Eight. Getting these in place and documented is the most efficient way to keep those contracts.

The short version

The SOCI Act is real and serious, and mostly not aimed at you if you run a Melbourne SME. What is aimed at you is the security pressure your captured customers are now legally required to push down their supply chains. The smart move is not to panic about direct capture, but to get your security posture to a standard that satisfies both your clients and your own risk. For a straight answer on where you sit, talk to us.

A FY27 IT budget template for a specific persona: a 50-person Melbourne professional services firm, $12 million revenue. Numbered line items, real dollar ranges, IT-spend-as-percentage-of-revenue benchmarks, and the four lines most SMEs forget. Built for CFOs who want defensible numbers, not vendor guesswork.

The persona this budget is built for

Specifics matter; a generic IT budget is useless. The numbers below are sized for:

  • 50 staff total (45 desk-based knowledge workers, 5 partners or executives)
  • Melbourne-based, single office plus remote work, typical CBD or inner-suburb location
  • Professional services (consulting, legal, accounting, architecture, engineering consultancy) – knowledge-worker firm with no manufacturing, no point-of-sale, no production line
  • Approximately $12 million annual revenue
  • Microsoft 365 stack, hybrid cloud (light on-prem footprint, most workloads in Azure or SaaS)
  • Standard cyber insurance requirements; aligned to Essential Eight Maturity Level 1 minimum
  • No internal IT staff; engagement with an MSP on per-user fixed monthly pricing

If your business is materially different – 50 staff with a manufacturing plant in Dandenong, or a 50-staff healthcare practice with clinical software, or a 50-staff retailer with 12 store locations – the totals will move significantly. Use this as a baseline to adjust from. Our sector-specific guidance for Melbourne manufacturers, healthcare, and law firms covers the variations.

The benchmark: IT spend as a percentage of revenue

Industry benchmarks vary by sector, but for Australian professional services firms in the 30 to 100 staff band, IT spend as a percentage of revenue typically lands between 1.5% and 3.5%. The drivers of where you sit in that range:

Position in rangeProfile
1.5% – 2.0%Mature firm, stable headcount, established systems, no major projects, light security stack
2.0% – 2.5%Typical steady-state for a well-run firm with appropriate security and a 3-year hardware refresh
2.5% – 3.0%Growth phase, projects in flight, security uplift, M&A or office relocation
3.0% – 3.5%Major transformation – platform migration, post-incident rebuild, compliance project, AI rollout
3.5%+Either temporary spike or something is wrong; investigate

For our persona ($12 million revenue), the FY27 budget should land between $240,000 and $360,000 in steady state, or up to $420,000 in a project-heavy year. The template below targets the middle of that range and produces a defensible $295,000 to $345,000 total. If your number is above this, look first at the projects line; if it is well below, look first at security and backup.

The line-itemed FY27 template

All numbers are in AUD, annual, for the persona above. Ranges reflect actual variance across our managed book in Melbourne; the midpoint is what we would budget for a typical firm in this segment.

1. Microsoft 365 licensing

The single largest recurring line for most professional services firms.

ItemPer user / monthAnnual (50 users)
Microsoft 365 Business Premium (recommended baseline)$32.10$19,260
OR Microsoft 365 E3 + Entra ID P2 + Defender for Office P2$54 – $62$32,400 – $37,200
Copilot for M365 (selected users, typically 30-50%)$45$8,100 – $13,500 (for 15-25 users)
Power BI Pro (for analyst users)$15$1,800 (for 10 users)

Subtotal for M365: $29,000 – $52,000. For our persona, $35,000 is realistic – Business Premium across the firm, Copilot for 20 selected users, Power BI for the analyst pool. The Business Premium vs E3 conversation hinges on whether you need the deeper compliance and identity protection of E3+P2; for most 50-staff professional services firms, Business Premium is sufficient.

2. Security stack (beyond what is included in M365)

Microsoft 365 Business Premium includes Defender for Business, Intune, and Entra ID P1. That is a strong baseline. Additional security tooling for a 50-staff firm typically covers:

ItemAnnual
SIEM / managed detection and response (MDR) service$18,000 – $36,000
Email security additional layer (Mimecast, Proofpoint, Avanan)$6,000 – $10,000
DNS filtering (Cisco Umbrella, DNSFilter)$1,800 – $3,000
Password manager (1Password Business, Bitwarden Enterprise)$3,000 – $4,500
Vulnerability scanning / external attack surface monitoring$3,000 – $7,000

Subtotal for additional security: $32,000 – $60,000. For our persona, $42,000 is realistic – MDR through the MSP, additional email security, DNS filtering, password manager, light external attack surface monitoring. This line item is where SMEs traditionally underspent and where the post-2023 cyber insurance market has forced the conversation. Our Melbourne cyber security services wrap most of these into a managed stack.

3. Managed IT services retainer (MSP)

For a 50-staff firm engaging an MSP on per-user fixed monthly pricing, the typical Melbourne market rate in 2026 is $110 to $170 per user per month for a comprehensive engagement that covers unlimited support, security operations, vendor management, and proactive maintenance.

ItemPer user / monthAnnual (50 users)
Comprehensive managed IT (low end)$110$66,000
Comprehensive managed IT (typical)$140$84,000
Comprehensive managed IT (high end / specialist)$170$102,000

Subtotal: $66,000 – $102,000. For our persona, $80,000 to $90,000 is realistic. Co-managed models (where you have some internal capability and the MSP fills gaps) typically land 30 to 40% lower; pure break-fix models are cheaper still but rarely advisable at this scale. For the context on what to expect from a Melbourne MSP at this price band, see our guide to choosing an MSP in Melbourne.

4. Hardware refresh sinking fund

The mistake most SMEs make is treating hardware as a lumpy capex purchase every three years. Better: a smooth annual sinking fund that covers the rolling refresh.

ItemAnnual
Laptops (50 units on a 4-year cycle, $2,200 each)$27,500
Docking stations and monitors (refresh on 5-year cycle)$3,500
Network equipment refresh (5-year cycle on switches, APs, firewall)$5,000
Server hardware refresh (if any on-prem footprint)$2,000 – $4,000

Subtotal: $38,000 – $40,000. Hold this as a separate fund; do not blend it into operational expense. When the refresh cycle hits, the fund pays for it without a quarterly cost spike. The 4-year laptop cycle assumes mid-range business laptops (Dell Latitude, HP ProBook, Lenovo ThinkPad mid-tier); premium devices (MacBook Pro, ThinkPad X1) push the per-unit number to $3,500 and the line to $44,000.

5. Projects budget

The line item that gets cut first when revenue softens and then has to be reinstated when something breaks. Better to budget it explicitly:

ItemAnnual
Planned projects (system upgrade, office move, integration)$25,000 – $50,000
Unplanned or reactive projects$15,000 – $25,000

Subtotal: $40,000 – $75,000. For our persona, $50,000 is realistic. A typical FY27 project list might include a SharePoint information architecture rebuild, an Entra ID conditional access refresh, a CRM integration, and the office Wi-Fi upgrade. Whatever the list is, it should be in the budget at the start of the year, not added quarter by quarter.

6. Cyber insurance

Cyber insurance premiums for Australian professional services SMEs in 2026 land around 0.4% to 0.8% of revenue for $5 million to $10 million of cover with reasonable retentions, assuming the security posture meets the underwriter’s requirements (MFA, EDR, backups, training, vendor risk management).

ItemAnnual
Cyber insurance premium for $5M cover$28,000 – $52,000
Broker fee (if applicable)$1,500 – $3,000

Subtotal: $30,000 – $55,000. For our persona, $42,000 is realistic. The premium has stabilised after the sharp increases of 2022-2024 but remains sensitive to your control posture; gaps in your security stack will push the premium up materially or trigger a coverage decline. The conversation with the broker is now half technical (controls), half financial (limits and retentions).

7. Training

Easily skipped, easily justified to skip, and the highest-ROI security spend in the budget.

ItemAnnual
Security awareness training platform (KnowBe4, Phriendly Phishing, MetaCompliance)$3,500 – $6,000
Microsoft 365 / Copilot productivity training$3,000 – $8,000
Role-specific training (project management, technical skills)$3,000 – $6,000

Subtotal: $9,500 – $20,000. For our persona, $12,000 is realistic. Phriendly Phishing has strong Australian content and is our default recommendation for clients who want locally relevant training.

8. Contingency

10% of the total budget as a contingency reserve, held against unexpected events that the projects line cannot absorb (an early hardware failure outside the refresh cycle, a regulatory change forcing a tooling addition, a vendor that hikes prices unexpectedly).

Subtotal: $25,000 – $35,000.

The four line items most SMEs forget

Across hundreds of budget reviews with Melbourne SMEs, four line items show up in good budgets and are missing from average ones.

1. Vendor risk tooling and process

Either a dedicated platform (rarely justified at SME scale) or the time cost of running the lite vendor risk programme. We typically include this within the MSP retainer for our managed clients, but if you are running it internally, budget for 8 to 16 hours per month of someone’s time. For a 50-staff firm, this is $8,000 to $15,000 a year that often shows up nowhere.

2. AI licences you already pay for

Most firms now have Copilot for M365, ChatGPT Team or Enterprise, Claude.ai for Work or Teams, a specialised AI tool for their sector, and one or two pilots that grew into production. The cumulative AI line is rarely consolidated; it lives in expense claims, in a marketing budget, in a partner’s personal spend. Sum it up. For our persona, total AI tooling is typically $15,000 to $35,000 a year by FY27.

3. M365 backup

As discussed at length in our buyer’s guide on the topic, Microsoft does not back up your M365 data in a way that helps you recover from real incidents. Third-party M365 backup for 50 users is $1,800 to $3,600 a year. Cheap, essential, and missing from most budgets.

4. Exit and transition reserve

The unpleasant truth: at some point in the next 5 to 10 years, you will change MSPs, change your primary cloud platform, or be acquired. The cost of a clean exit is real – typically 4 to 12 weeks of overlap, documentation work, data extraction fees, and project management. Budget 5% of annual IT spend in a reserve, held separately, that exists for this purpose. For our persona, that is $15,000 a year sitting in a reserve account. You may not need it in any given year, but when the day comes, you will be glad it is there.

The CapEx vs OpEx question for FY27

The classic SME CFO question – ‘should we buy the laptops outright or lease them, should we buy the server or rent the cloud workload’ – has shifted meaningfully in the SaaS era. For most line items in this budget, the choice has been made for you: there is no CapEx option. Microsoft 365 is OpEx. The MSP retainer is OpEx. Cyber insurance is OpEx. The MDR service is OpEx.

The remaining CapEx choices are:

  • Laptops: Buy outright is usually cheaper over a 4-year cycle than Device-as-a-Service, but DaaS smooths cash flow and includes refresh management. For a 50-staff firm, the financial difference is around $4 to $6 per device per month either way; the operational difference is more meaningful.
  • Network equipment: Almost always CapEx. The lifespan is 5 to 7 years, and the rental models for switches and APs don’t make financial sense at this scale.
  • Server hardware (if any): If you still run on-prem servers, CapEx remains the norm. The question to ask annually is whether the workload should be in Azure rather than on the server at all.

Our default recommendation for FY27 is to keep laptops and network equipment as CapEx with a sinking fund, and treat everything else as OpEx. Don’t over-engineer this.

The FY27 total

Adding the midpoints together for our persona:

Line itemFY27 budget
1. Microsoft 365 licensing$35,000
2. Security stack (beyond M365)$42,000
3. MSP retainer$85,000
4. Hardware refresh sinking fund$38,000
5. Projects$50,000
6. Cyber insurance$42,000
7. Training$12,000
8. Contingency$30,000
Forgotten items (vendor risk, AI, M365 backup, exit reserve)$22,000
Total$356,000

$356,000 against $12 million revenue is 2.97% – in the upper half of the steady-state range. If FY27 is genuinely a steady-state year with no major projects, you could pull this back toward $300,000 by trimming the projects line. If FY27 has a major piece of work (M&A integration, platform migration, office relocation), the projects line should grow and the total can reasonably push past $400,000.

A real-world worked example

A 48-staff consulting firm in Collingwood approached us in 2025 with an FY26 IT budget of $185,000 that they suspected was too low. The reality check confirmed it: their security stack was a few years out of date, their MSP retainer was a break-fix arrangement that produced a constant stream of unbudgeted incidents, and there was no projects line.

The rebuild brought them to $310,000 for FY26, then approximately $330,000 for FY27 (this template). The increase landed in three categories: an additional $35,000 in security tooling and MDR, a $40,000 increase in the MSP retainer for a comprehensive managed model, and the previously-invisible projects budget at $50,000. Their cyber insurance premium dropped $9,000 the following year because the upgraded posture qualified them for a better rate. Net true cost increase: about $116,000, or just under 1% of revenue.

The conversation with the partners took two meetings. The first meeting was about why the number was going up; the second was about what they got for it (a defensible security posture, predictable monthly costs, no more invoice surprises, a real DR position, alignment with Essential Eight Maturity Level 1). The decision was unanimous after the second meeting. The lesson: SMEs underspend on IT because the value of the spend is invisible. Make it visible and the budget conversation gets easier.

How TechAssist works with the FY27 budget

For managed clients on our per-user fixed monthly pricing, the MSP retainer line on this template covers our entire engagement: the sub-15-minute P1 response from our 24/7 NOC at Tecoma, the same-business-day on-site response across Melbourne metro from either our Tecoma office or our 575 Bourke Street CBD office, and the work of our 13 Australian engineers across helpdesk, projects, security operations and vendor management. Founded in 2014, we have built the engagement model specifically for SMEs like the persona in this template: 30 to 150 staff, professional services or similar, Microsoft-aligned, Essential Eight focused.

The security tooling line, the M365 licensing, the cyber insurance premium and the hardware are direct vendor relationships that we manage on behalf of the client but bill at vendor cost. The projects line is scoped separately at the start of the financial year. The result is a budget that is predictable to within 5% across the year, which is what makes the CFO conversation work. For the broader picture of how the engagement is structured, see our MSP Melbourne page or reach the team through contact.

Frequently Asked Questions

We are smaller than 50 staff – how do we scale this down?

The fixed costs (cyber insurance, baseline security stack) don’t scale linearly with headcount. A 25-staff firm typically spends 3.0% to 4.0% of revenue on IT – higher than the 50-staff number – because the fixed costs are spread across fewer users. The per-user costs (M365 licensing, MSP retainer per user, hardware sinking fund) scale linearly. Apply the same template, adjust for size, and expect the percentage of revenue to be higher.

What about firms larger than 100 staff?

Past 100 staff, the conversation usually splits: an internal IT manager or director appears in the org chart, the security stack moves toward enterprise tooling, and the MSP relationship becomes co-managed rather than fully outsourced. Total IT spend as a percentage of revenue typically drops to 1.5% to 2.5% as scale efficiencies kick in.

How much of this should be CapEx versus OpEx for tax purposes?

This template lands roughly 90% OpEx and 10% CapEx (the hardware sinking fund). The OpEx-heavy mix is structurally favourable for cash flow but means the depreciation argument for tax is smaller than it was a decade ago. Talk to your accountant; the tax treatment of cloud and SaaS spend changes most years.

Should we budget for AI separately?

Yes. The AI line will grow meaningfully through FY27 and into FY28 as Copilot, agent-based tools, and sector-specific AI products scale up. Separating the AI line makes the growth visible and lets the leadership team make explicit decisions about it rather than discovering it on the credit card statement.

What is the most common budget mistake for a firm this size?

Underspending on security and overspending on premium hardware. We see firms with $3,500 MacBooks for every user but no MDR service and a self-managed Microsoft tenant. Inverting that ratio – mid-tier hardware, comprehensive security – produces a more defensible posture for the same total spend.

How do we benchmark our actual spend against this template?

Pull together your actual line items, map them to the eight categories above, calculate the percentage of revenue, and compare. If you would like an external review, we run IT budget assessments as a discrete piece of work for non-clients, with a one-page summary and a remediation list. Reach the team through the contact page.

Melbourne SMEs buying disaster recovery for the first time get stuck between three product categories, unrealistic RTO numbers, and a Microsoft 365 backup conversation nobody told them about. This is the buyer’s guide: what you are choosing between, the realistic 2026 price brackets, and the eight questions to ask any DR vendor before signing.

What this guide is and is not

This is not a planning guide. It is not ‘how to write a business impact analysis.’ It is the conversation you have once you have decided you need to buy something and you are trying to work out what to buy.

Three product categories cover almost every Melbourne SME DR purchase in 2026:

  1. DRaaS – replicating production workloads to a cloud target so they can be failed over (Azure Site Recovery is the dominant Australian play, with VMware Cloud Disaster Recovery and Zerto in specialised cases)
  2. On-premises BCDR appliances – a local appliance that backs up your servers and can stand them up locally or in the vendor’s cloud (Datto, Axcient, Acronis, Arcserve, Veeam with a hardware partner)
  3. SaaS backup – third-party backup for Microsoft 365 and Google Workspace, which the platform vendors do not back up for you (Keepit, Backupify, CloudAlly, Veeam for M365, AvePoint, Dropsuite)

Most SMEs need pieces of all three, in different combinations. A 60-staff professional services firm in Richmond probably needs Azure Site Recovery for the two on-premises servers, a third-party M365 backup, and not much else. A 90-staff manufacturer in Dandenong with a line-of-business ERP, a SQL database, and a need for fast local recovery probably needs a BCDR appliance plus SaaS backup. A 100% cloud-native software company needs SaaS backup plus a workload-specific backup of their cloud database. The product mix follows the workload.

For the planning side of the conversation – the BIA, the RTO and RPO targets, the runbook – see our backup and disaster recovery 2026 guide, which is the companion piece to this one.

Category 1: DRaaS (Disaster Recovery as a Service)

The model is: your production workload runs where it is (on-prem, in Azure, in AWS), and a replication layer copies it continuously to a standby environment in a cloud target. When something fails, you fail over to the standby and run there until you can return to primary.

Azure Site Recovery (ASR)

The default option for Australian SMEs running on Hyper-V or VMware on-prem, or running production workloads in Azure. Replicates VMs to a secondary Azure region (typically Australia East to Australia Southeast, or vice versa). Failover is orchestrated, and you can test failover into an isolated network without disrupting production.

Strengths:

  • Native Microsoft, integrates with the rest of the Azure estate
  • Australia-sovereign target regions
  • Pricing is genuinely SME-friendly: about $25 to $30 per protected instance per month for ASR itself, plus the storage and (during failover) the compute
  • Failover testing is non-disruptive and well-supported

Weaknesses:

  • RPO is typically 5 to 15 minutes for app-consistent recoveries; not the sub-minute that some marketing claims
  • Complex to configure properly; SMEs often deploy it half-configured
  • The compute cost during a real failover catches CFOs off guard – if you fail over 12 VMs and run them in DR for two weeks while you rebuild, that is a real Azure bill
  • Requires Azure expertise that not every MSP has at the level needed for reliable orchestration

VMware Cloud Disaster Recovery

For SMEs running VMware on-premises with a meaningful estate. Replicates to a VMware Cloud target on AWS or to an alternative pilot-light site. Usually overkill for under-50-VM environments.

Zerto

The premium DRaaS choice. Continuous data protection rather than scheduled replication, RPOs measured in seconds, mature failover orchestration. Priced accordingly. We deploy Zerto for clients who genuinely need sub-minute RPO on critical workloads; it is not the right answer for an average SME.

Category 2: On-premises BCDR appliances

The model is: a physical or virtual appliance lives at your office or data centre, takes regular image-level backups of your servers (and often endpoints), and can either restore locally (fast) or stand the workloads up in the vendor’s cloud (slower, but works if your office is gone).

Datto

The category-defining product. Datto Siris appliances are sold exclusively through MSPs. The local appliance has its own compute, so it can stand up a failed server as a virtual instance on the appliance itself within minutes. Off-site copies replicate to Datto’s cloud (in Australia, hosted in Sydney and Melbourne data centres).

Strengths:

  • Fast local recovery; the on-appliance virtualisation actually works
  • Cloud failover is real, not theoretical, and Datto runs the orchestration
  • Hardware refresh is part of the agreement; the appliance gets replaced on a cycle without a capex spike
  • Good for SMEs that want a single thing to point at when the auditor asks ‘show me your DR’

Weaknesses:

  • Per-protected-server pricing; can become expensive for environments with many small servers
  • Vendor lock-in; getting your backup data out of Datto if you change providers is a project
  • Local appliance is a single point of failure for local recovery; needs the off-site copy to be real
  • The MSP-only sales channel means you cannot evaluate it without going through a partner

Axcient

Similar concept to Datto, with the local appliance and the cloud failover. Often the right answer for slightly smaller environments where Datto’s pricing is over the budget. The cloud failover capability is solid; the on-appliance virtualisation is functional but slightly less polished.

Veeam with hardware

The build-your-own option. Veeam is the backup software, paired with a Dell PowerEdge or HPE ProLiant or a purpose-built backup appliance (Dell PowerProtect, HPE StoreOnce). More flexible and often cheaper at scale than the all-in-one appliances, but requires the MSP or internal team to design, build, and operate the stack rather than buying it as a service.

This is what we recommend for clients who already have Veeam expertise and who want to avoid the vendor lock-in of the all-in-one appliances. It is what we run in our own environment.

Acronis and Arcserve

Adjacent options in this category, both with valid use cases. Acronis Cyber Protect adds a security overlay (anti-malware, anti-ransomware) on top of the backup product, which appeals to SMEs that want fewer products to manage. Arcserve UDP has a strong reputation for hybrid workloads. Both worth evaluating if Datto and Axcient don’t fit.

Category 3: SaaS backup (the conversation nobody told you about)

The single most common gap we see in Melbourne SME DR posture: Microsoft does not back up your Microsoft 365 data in a way that helps you recover from accidental deletion, ransomware encryption, malicious insider activity, or a SharePoint policy gone wrong. They protect their infrastructure, not your content. This is the Microsoft 365 shared responsibility model, and it is documented in their own service description.

What Microsoft does:

  • Geo-redundant storage so a data centre failure does not lose your data
  • Retention policies you configure (litigation hold, retention labels)
  • Recycle bin and version history for a default period
  • Point-in-time recovery for Exchange Online within a window

What Microsoft does not do:

  • Full long-term backup of your mailboxes, OneDrive, SharePoint, and Teams content
  • Granular recovery to a point earlier than the retention or recycle bin window
  • Recovery of an entire tenant if it is wiped by a compromised admin
  • Export of mailbox data in a portable, restorable format outside of Microsoft’s tooling

The conversation to have with your IT lead: ‘If a user gets compromised and the attacker deletes the contents of their OneDrive and emails, and we do not notice for 45 days, can we recover the data?’ The honest answer from native Microsoft is usually no – the 30-day default retention window has passed.

Third-party M365 backup tools solve this. Pricing is per-user-per-month, typically $3 to $6 in the Australian market, retention is configurable up to ‘forever,’ and recovery is granular (a single email, a single OneDrive file, a single Teams chat). The leaders:

VendorStrengthsWatch-outs
KeepitIndependent vendor, Australian data residency, strong UI, good retention modelMid-market pricing
Veeam Backup for M365Same Veeam platform if you already use it on-prem, flexible storage targetsStorage costs are your problem; not all-in pricing
Backupify (Datto)Polished UI, MSP-friendly, good for Datto customersVendor lock-in
AvePoint Cloud BackupStrong on SharePoint and Teams, mature retention policiesHigher learning curve
DropsuitePer-user pricing, simple to manageLess granular than the leaders
CloudAllyLower-cost option, decent retentionSmaller vendor, fewer enterprise features

For every Melbourne SME we manage that uses Microsoft 365 – which is all of them – a third-party M365 backup is part of the baseline stack. We default to Keepit for new deployments because the Australian data residency, retention model, and recovery experience are the best of the options, and the pricing is defensible for SME budgets.

Realistic price brackets for 2026

The number that comes out of a vendor sales call is rarely the number you end up paying once setup, support, replication storage, failover compute, and the inevitable additions are included. Approximate all-in monthly numbers for a 60-user Melbourne SME with 4 production VMs:

SolutionPer-month all-inWhat you get
Azure Site Recovery + Keepit M365$650 – $950Cloud failover for 4 VMs, M365 backup, MSP-managed
Datto BCDR + Backupify M365$1,400 – $2,200Local appliance with cloud failover, M365 backup, MSP-managed
Axcient BCDR + Dropsuite M365$1,100 – $1,700Mid-tier appliance + cloud failover, M365 backup
Veeam + Dell PowerProtect + Veeam M365$1,200 – $1,800Build-your-own appliance approach with M365 backup, requires expertise
Zerto + Keepit M365$2,200 – $3,500Premium sub-minute RPO for critical workloads

Add the implementation cost (typically $4,000 to $15,000 one-off depending on complexity) and the annual failover test (typically half a day of MSP time, billed at the going rate). For most 60 to 100 staff Melbourne SMEs, total DR spend lands between $14,000 and $30,000 per year all-in.

RTO and RPO: what vendors quote versus what they deliver

Vendor marketing materials quote ‘RTO of 5 minutes’ or ‘RPO of seconds.’ These numbers refer to the absolute best-case mechanical capability of the product under controlled conditions on the vendor’s test bench. They are not what you get in a real disaster.

Realistic numbers for the three categories under SME conditions, based on incidents we have run for clients:

ScenarioVendor-quoted RTORealistic RTOWhy the gap
Azure Site Recovery, single VM failure5-15 minutes30-90 minutesNetwork reconfiguration, DNS, application validation
Azure Site Recovery, full site failover30-60 minutes4-12 hoursDependency ordering, user redirection, internal communication
Datto local recovery, single server5 minutes15-45 minutesPerformance on appliance compute, application checks
Datto cloud failover, full site1-2 hours4-10 hoursVPN setup, user routing, app validation
Zerto, critical workloadSub-minute10-30 minutesCloser to spec because the product is designed for it
M365 mailbox restoreMinutes1-4 hoursIdentifying what was lost, scoping the restore

The gap between vendor-quoted and realistic is not the vendor lying; it is the difference between the mechanical recovery time and the business-readiness time. When you negotiate, make sure the RTO in the contract is the business-readiness time, not just the time for the system to come up. Otherwise you are signing for a number that does not mean what you think it means.

The eight questions to ask any DR vendor before signing

  1. What is your contracted RTO and RPO, and is it measured to system-online or business-ready? If they cannot answer this clearly, walk away.
  2. Where is the off-site copy stored, and is the storage in Australia? Sovereign data residency matters for many SMEs, especially those with health, legal or government-adjacent data.
  3. What is the additional cost during a real failover (compute, egress, storage)? The DR product price is the steady-state cost; the failover cost can be substantial.
  4. How often do you test failover, who tests it, and what is the success rate? Untested DR is a hope, not a plan. Insist on at least an annual test.
  5. What does it cost to extract our data if we leave? Vendor lock-in is real. Get the exit number on the contract.
  6. What is the support model during an incident – phone, ticket, named engineer? When you are actually failing over, the time to get a human matters more than any other metric.
  7. Who else like us are you protecting in Melbourne, and can we speak to them? Reference checks from similar-sized businesses cut through the marketing fast.
  8. What is the upgrade and hardware refresh cycle, and who pays? For appliance-based products, this affects the multi-year total cost.

One client of ours – a 40-staff law firm in Kew – went to contract with a national MSP that quoted a 30-minute RTO. The contract small print clarified that 30 minutes was system-online. When we ran their first DR test under our co-managed arrangement, business-ready was 5 hours. We renegotiated the contract on renewal to specify business-ready RTO with measurable check points. Different number, more honest contract.

Sample DR scope checklist (30 to 100 user SME)

The scope of work conversation with a DR vendor is where mistakes get baked in. Use this as a starting checklist:

ItemIn scope?Notes
Production VMs (on-prem)YesList by name, OS, role, criticality
Production VMs (Azure / AWS / GCP)YesCross-cloud DR is a separate conversation
SQL or other databasesYes, with app-consistent backupsApplication-consistent, not just crash-consistent
Microsoft 365 (Exchange, OneDrive, SharePoint, Teams)Yes, via third-party SaaS backupMicrosoft does not back this up for you
Line-of-business SaaS (Xero, CRM, practice mgmt)Vendor-specificEach vendor’s backup policy is different; verify each
Endpoint data (laptops)OptionalOneDrive sync usually covers this; check the policy
File sharesYesOften the largest data set
Active Directory / Entra IDYesAD system state for on-prem; Entra ID via M365 backup
Network configurations (firewalls, switches)Yes, as config exportsOften missed; documented configs accelerate recovery
Documentation runbooksYesStored outside the systems being recovered
Annual testYesSpecify isolated network test, not a paper exercise
Incident response on-callYesWho do you call at 2 a.m. Sunday?

If a vendor proposal does not cover every row of this table or does not explicitly note items as out of scope with a reason, ask before signing. A DR proposal that omits Microsoft 365 backup is a flag, not because the vendor is dishonest but because the gap will surface during a real incident at the worst possible time.

How TechAssist delivers this

We are vendor-agnostic on DR. Our default stack for a typical Melbourne SME is Azure Site Recovery for IaaS, Keepit for M365 backup, and Veeam for environments that need a richer on-prem appliance story. We also run Datto where it is the right answer and Zerto where the RPO requirement justifies it.

The delivery is what makes the difference. Our 24/7 NOC at Tecoma monitors backup jobs and replication health on every managed client, with sub-15-minute response for P1 events. When a real incident hits, our 13 Australian engineers (no offshore tier-one queue) take the call, and the same-business-day on-site response in Melbourne metro means an engineer can be at your office before lunchtime if hands on the equipment are needed. The per-user fixed monthly pricing model includes the DR management on managed engagements; the DR product cost is a separate, transparent line item passed through at the vendor rate. The two Melbourne offices – Tecoma and 575 Bourke Street CBD – give clients access in both directions of the metro area, with the CBD office useful for CBD-based clients who want a quick face-to-face during planning.

Founded in 2014, our DR practice has now run incidents across professional services, healthcare admin, manufacturing, and not-for-profit clients. The pattern across all of them is the same: the DR posture that works is one that has been tested, documented, owned, and reviewed annually. The product choice matters less than the discipline around it. To talk through your specific environment, our team is reachable through the contact page, or for the broader managed services context the Melbourne managed IT services page covers how DR sits in the overall engagement.

Frequently Asked Questions

Is Microsoft 365 backup really necessary if we have litigation hold?

Litigation hold is a retention control, not a backup. It prevents end users from permanently deleting items, but it does not protect against a compromised admin wiping the tenant, does not give you a portable export, and does not provide point-in-time recovery for arbitrary historical states. For any SME holding meaningful business data in M365 – which is all of them – a third-party backup is a baseline control, not an option.

Can we just rely on the local appliance and skip the cloud failover?

If the disaster is a ransomware attack that encrypts the local appliance, or a fire that takes the office, the local-only configuration is no protection at all. The cloud or off-site copy is what makes the DR posture survive a real disaster. Local appliance plus cloud copy is the minimum; local-only is not DR, it is backup with extra steps.

What is the difference between backup and disaster recovery?

Backup is the data; DR is the ability to operate from that data after a major incident. A nightly backup of your server is backup. The ability to fail that server over to a working environment within a contracted time is DR. Most SMEs need both, in coordinated form, not one or the other.

How often should we test failover?

At least annually for a full test, quarterly for component tests, and continuously for the automated health checks the platform should be running. A DR plan that has not been tested in 18 months is no plan; it is a hope.

Will our cyber insurance cover the cost of a DR failover?

Sometimes yes, sometimes no. Read the policy. Many cyber policies cover business interruption losses but exclude or limit the actual restoration costs. The cleanest approach is to budget for the failover cost as a separate line, and treat any insurance recovery as upside.

Does the same DR product work for our on-premises servers and our Azure workloads?

Mostly no. The categories were designed for different starting points. Azure Site Recovery covers both Azure-native and on-prem to Azure. The appliance-based BCDR products are typically on-prem first, with limited cloud-native coverage. If your workload split is meaningful in both directions, expect to run two products. Our Melbourne cloud services page has more on hybrid architecture.

Azure costs for Melbourne SMEs grow 30 to 50% a year without anyone noticing. Enterprise FinOps assumes a $5 million cloud spend; this is the SME version, sized for the $50k to $500k reality. Eight quick wins, governance guardrails that stick, and the three traps that catch almost every business.

Why SME Azure spend creeps

It is rarely one decision. A pilot tenant becomes a production tenant. A test virtual machine becomes a forgotten orphan with a 1 TB premium SSD attached. Defender for Cloud gets enabled on a free trial, ends up on the Standard tier across every subscription, and nobody can find the off switch by the time the invoice arrives. The dev environment that was ‘just for two weeks’ is still running 18 months later because no one wants to be the person who turned it off.

We see the same pattern across our managed clients. A business signs up for Azure at $3,000 a month. Two years later it is $11,000 a month, the workloads have not materially expanded, and the CFO is asking the right question for the first time. By then the answer is harder than it would have been at $4,000.

FinOps as a published discipline (the FinOps Foundation maintains the framework, Microsoft has published its own opinionated version) assumes you have a cloud platform team, a financial analyst, and an executive sponsor. For a 60-staff Melbourne business with a quarter-million-dollar Azure footprint, that is overkill. The lite version below takes the parts of FinOps that apply at SME scale and ignores the rest. We have run this with clients across professional services in the CBD, manufacturers out around Dandenong, and not-for-profits across the eastern suburbs as part of our Melbourne cloud services work.

What ‘normal’ SME Azure spend looks like

Some benchmarks from our managed book, useful as sanity checks on whether your number is in the right zone.

Workload profileTypical monthly Azure spendSpend per user per month
30-staff professional services, M365-heavy, light IaaS$2,500 – $4,500$80 – $150
60-staff hybrid, file server + 4 to 6 LOB VMs in Azure$5,500 – $9,500$90 – $160
100-staff with line-of-business SQL workloads in Azure$11,000 – $19,000$110 – $190
120-staff manufacturer with ERP, AVD, and DR replication$18,000 – $28,000$150 – $230

If your number is materially above the band for your profile, there is almost certainly waste. If your number is materially below, either you are doing something genuinely clever or you have under-provisioned somewhere that will cause a production incident later.

The eight quick wins

Most SMEs can take 20 to 35% off their Azure bill in a fortnight of focused work, without changing anything about what the business does. The targets in order of effort-to-saving ratio:

1. Rightsize the virtual machines

The Azure Advisor and the Azure Migrate tools both flag VMs running well below their provisioned capacity. The reality is most SMEs have two or three D8s_v5 instances that were sized off a panicked guess at the start of a migration and have been running at 8% CPU ever since. Moving them down two or three sizes typically saves 60 to 75% of the per-VM cost. Validate with seven days of metrics first; do not just take Advisor’s word for it.

One client of ours – a 55-staff engineering consultancy in South Melbourne – was running their file server VM as a D16s_v5 because the original migration consultant ‘matched the on-prem CPU count.’ Seven days of metrics showed 4% average CPU. Rightsizing to a D2s_v5 saved $720 a month with zero user-visible impact.

2. Kill the orphaned disks

Every time someone deletes a VM through the portal, the OS disk and any data disks survive unless deletion was explicitly chosen. Over a few years, an SME tenant will accumulate 20 to 60 orphaned managed disks, often premium SSDs at $0.15 per GB-month. A 1 TB orphaned premium disk is $150 a month for storing absolutely nothing useful.

Run a quick KQL query in Azure Resource Graph to find disks where ManagedBy is empty. Validate that none of them are being held intentionally (some teams keep a disk for a few months as a ‘soft delete’ before truly removing it), then delete the rest. Easy win, usually $400 to $1,200 a month.

3. Reserved instances or savings plans for the steady-state workloads

Anything that runs 24/7 in steady state – production servers, domain controllers, a SQL VM, a file server – is paying full pay-as-you-go pricing by default. A one-year Reserved Instance is roughly 30% cheaper; three years is closer to 50%. The Azure Savings Plan for compute is more flexible (it covers any VM family in any region for the commitment amount) but a slightly lower discount.

The decision rule we use: if the workload is going to run for at least the next 12 months as-is, take the one-year reservation. If it might move, resize, or change family within that window, take the savings plan. Three-year commitments only for genuinely static workloads.

4. Auto-shutdown for dev and test

Dev and test VMs do not need to run on weeknights or weekends. A standard Azure Automation runbook or the built-in Azure DevTest Labs auto-shutdown can cut a non-production VM bill by 65 to 75%. The cost is two hours of configuration and a 30-second wake-up delay when someone needs the box at 7am Monday. We have yet to meet a dev team that genuinely objected once the saving was shown.

5. Azure Hybrid Benefit

If you have Windows Server or SQL Server licences with active Software Assurance, the Azure Hybrid Benefit lets you bring those licences to Azure VMs and stop paying the per-hour Windows or SQL surcharge. The saving on a Windows Server VM is typically 40%; on a SQL VM it can be 60 to 75%. Almost every SME with Software Assurance is leaving this on the table because nobody enabled the toggle at deployment.

Check your existing fleet through Cost Management. Filter by ‘Windows’ or ‘SQL Server’ as a meter category. Anything not marked as Azure Hybrid Benefit is overpaying.

6. Archive cold storage

Storage account blobs default to the Hot tier. Anything older than 30 days that you have not touched should be in Cool ($0.0152 per GB-month versus $0.0184 for Hot) or, for compliance archives, the Archive tier ($0.00099 per GB-month). Lifecycle policies on the storage account do this automatically.

For a healthcare client of ours in Box Hill with a 14 TB compliance archive, moving the long-tail blobs from Hot to Archive saved about $230 a month. A small number per month but a clean, automated saving that compounds as the archive grows.

7. Kill unused public IPs

A standard static public IP is roughly $4.50 a month. Trivial individually, but most SMEs have 15 to 40 of them, half of which are unattached from their original VM or load balancer. Run an Azure Resource Graph query for public IPs with no associated resource, validate, delete.

8. Review egress

Outbound data transfer (egress) from Azure to the internet is roughly $0.087 per GB after the first 100 GB free per month. Backup tools that pull data out of Azure, a misconfigured replication target that goes through public endpoints rather than peering, a video conferencing recording archive that streams out to a local NAS – all of these can quietly produce $400 to $1,500 a month in egress charges that nobody knows about.

The fix is usually a routing change (route the traffic through a private endpoint or service endpoint) or a topology change (move the target into Azure rather than pulling the data out). The win is identifying the source first; Cost Management broken down by Meter Subcategory shows you where the egress lives.

The governance guardrails that actually stick

Quick wins are easy. Stopping the spend from creeping back up over the next 12 months is the hard part. The lightweight controls we recommend for SMEs – the parts of the textbook that work at this scale:

Subscription-level budgets and alerts

One budget per subscription, set to the monthly run rate plus 15%, with alerts at 80%, 100%, and 120%. The alerts should go to a real person (the CFO and the IT lead), not a shared mailbox. The 80% alert is the one that catches the problem before it becomes a quarterly variance discussion.

Do not bother with budgets at the resource group level for an SME; the maintenance overhead is not worth the precision. The subscription is the right granularity.

Tagging that the team will actually do

Enterprise FinOps documents will tell you to enforce 14 mandatory tags. The team will rebel. For SME purposes, three tags are enough: Environment (Prod / Dev / Test), CostCentre (or Department), and Owner (a person, not a generic mailbox). Enforce them with Azure Policy at subscription creation time so any new resource without the three tags is blocked.

Three tags get used. Fourteen tags get ignored, and then nothing gets used.

Quarterly cost review

One hour every three months. The IT lead and the CFO sit down with Cost Management, look at the trend, look at the top ten cost drivers, look at the variance against budget, and decide whether to act. That is the entire process. The output is a one-page note for the leadership team and a list of remediation actions for the next quarter.

This is the rhythm we run with our managed clients. It is also the rhythm where most of the savings actually surface, because it forces someone to look at the data on a cadence that catches problems while they are small.

The three traps

Three patterns catch almost every SME on Azure. Worth understanding them before they catch you.

Trap 1: Lift-and-shift over-provisioning

The most expensive single mistake we see. A business migrates 12 servers from VMware to Azure and tells the migration partner to ‘match the existing VM sizes.’ The existing on-premises VMs were sized for peak load that occurs maybe twice a year, on hardware that was bought five years ago. The Azure VMs run hot for two hours a quarter and idle the other 99% of the time, but are billed at peak capacity every hour. Add up across 12 VMs and you are paying three times what the workload needs.

The fix is to size for Azure metrics, not on-prem habits. Migrate first, then watch the metrics for two to four weeks, then rightsize aggressively. We have done this exercise often enough now that we build the rightsizing step into the migration plan from the start. If the migration partner does not include a post-migration optimisation phase, that is a warning sign.

Trap 2: The dev environment that became production

A developer or contractor spins up a dev environment to test a workload. The business comes to rely on it. Three years later it is processing real production data on a ‘temporary’ subscription with no monitoring, no backup, no DR, and no reserved instances. It is also costing twice what it should because no one ever optimised it.

The fix is governance at the subscription creation step. No new subscription without a documented owner and an explicit lifecycle (this is a permanent prod subscription, or this is a 90-day project subscription with an automatic shutdown date). Cleaning up after the fact is harder than preventing it.

Trap 3: Defender for Cloud tier sprawl

Defender for Cloud is genuinely good, and the Standard tier offerings (Defender for Servers, Defender for SQL, Defender for Storage, Defender for Containers, Defender for App Service, and so on) protect real attack surfaces. The trap is that they bill per resource and the tiers are enabled per subscription. Click the wrong toggle and you have Defender for Servers Plan 2 running on every VM across every subscription for $24 each per month.

We have seen SMEs paying $4,000 a month for Defender coverage when their actual security need would be served by $800 of targeted enablement. The fix is to choose the plans deliberately, enable per subscription, and review quarterly. Defender for Servers Plan 2 on the workloads that need it; off everywhere else. Defender for Storage on accounts with sensitive data; off on the public assets bucket. The protections matter; the indiscriminate enablement does not.

For the security-side conversation about what to leave on, our Melbourne cyber security services page outlines the decisions we apply on the managed side. Cost and security are the same conversation in Azure; you cannot optimise one without involving the other.

What the FinOps tooling landscape looks like for SMEs

The third-party FinOps tools (CloudHealth, Cloudability, Apptio Cloudability, Flexera) are excellent but enterprise-priced. For an SME at $50k to $500k annual Azure spend, the native Azure tooling is enough:

ToolWhat it doesSME relevance
Cost Management + BillingCost analysis, budgets, alerts, exportsEssential. Use weekly.
Azure AdvisorRightsizing, reserved instance, idle resource recommendationsEssential. Review monthly.
Azure Resource GraphKQL queries across resources, perfect for orphan huntsUseful. Quarterly.
Microsoft Cost Management Power BI appPre-built dashboards over Cost Management exportsNice to have for the CFO.
Microsoft FinOps Toolkit (open source)Bicep templates, KQL queries, automation runbooksUseful if you have someone technical to deploy it.

If your spend grows past $1 million a year, the third-party tools become defensible. Below that, the native tooling is fine and the discipline matters more than the platform.

A small-business worked example

A 65-staff manufacturing business in Bayswater came to us in late 2025 with an Azure bill of $14,800 per month and a CFO who could not get a straight answer about why. Two weeks of focused work:

  • Rightsized seven over-provisioned VMs, saving $2,100 per month
  • Deleted 23 orphaned premium disks, saving $1,400 per month
  • Applied Azure Hybrid Benefit to 12 Windows VMs (they had Software Assurance through their CSP and no one had enabled the toggle), saving $1,800 per month
  • Switched the steady-state production workloads to one-year savings plans, saving $1,200 per month
  • Set up auto-shutdown on the dev and test environments, saving $600 per month
  • Identified and re-routed an egress problem through a private endpoint, saving $400 per month
  • Trimmed Defender for Cloud tier coverage to the workloads that actually needed Plan 2, saving $700 per month

Total monthly saving: $8,200, or about 55% of the original bill. The new run rate of $6,600 per month is a defensible number for the workload, with no production impact and no reduction in security posture (in fact a more deliberate one). Subscription budgets, three-tag enforcement, and quarterly review cadence are now in place. The job took us about 70 hours across two engineers from our 13-strong Melbourne team and was delivered alongside the regular per-user fixed monthly managed IT engagement.

FinOps and the broader cloud strategy

Cost optimisation is one strand of a wider conversation about whether the cloud architecture is right for the business. Sometimes the answer to a high bill is to optimise; sometimes it is to redesign. A 24/7 SQL workload that processes a fixed batch overnight may be better suited to Azure SQL serverless or even a scheduled VM. A file server that nobody touches for three months at a time might belong in Azure Files cool tier with a small AVD presence on demand. These are not quick wins; they are architecture changes. But once the quick wins are taken, the conversation moves to design.

For Melbourne SMEs that want a second opinion on whether the architecture is right before committing to another year of the existing spend, we run cloud architecture reviews as a discrete piece of work, separate from ongoing managed services. They are useful at the 12-month mark of any non-trivial Azure deployment. Reach us through the contact page if that is the conversation you need.

Frequently Asked Questions

Should we move away from Azure to save money?

Almost never the right answer for a workload that is already in Azure. Egress fees on a full re-platform are punishing, the operational disruption is real, and the cost difference between Azure, AWS and GCP for SME-typical workloads is usually under 15% once both are properly optimised. Optimise what you have before considering a move. The exception is a workload that genuinely fits a different platform’s primitives better (a heavy GCP BigQuery analytics workload, for example).

How often should we revisit our reserved instance commitments?

At the renewal point and at any major workload change. The Azure Savings Plan is more flexible than the older Reserved Instances because it does not lock you to a VM family; if your workloads shift, the savings plan keeps applying. We typically recommend a mix: reservations for the most stable workloads (domain controllers, file servers, the SQL VM that has run unchanged for three years), savings plans for the rest.

What does FinOps mean for our cloud backup and DR spend?

Backup storage tends to live outside the day-to-day cost conversation and grows quietly. Same principles apply: tier the storage (most backup data can live in cool or archive after 30 days), review retention against actual recovery needs, and watch the egress when you do a restore. Our companion piece on backup and disaster recovery for Melbourne businesses goes deeper on the design decisions.

Do we need a dedicated FinOps person?

Not at SME scale. The work is two to four hours a month for an experienced engineer plus a quarterly review with the CFO. We run it as part of the managed engagement for clients on our per-user fixed monthly pricing model. Hiring a dedicated FinOps person is a sensible move at around $2 to $3 million annual cloud spend, not before.

Will the optimisation work introduce risk to production?

It can if it is done carelessly. The discipline is: validate against metrics before any resize, take a backup before any storage change, do the work in a maintenance window, and have a rollback path. We have done hundreds of these exercises with our MSP Melbourne clients without a production incident, but the process matters. A weekend cowboy resize of a production SQL VM is how you cause an incident.

What is the role of the CFO in cloud cost management?

The CFO owns the budget and the variance conversation; the IT lead and the MSP own the technical optimisation. The quarterly review is the meeting where those two functions talk to each other. Most SME cost creep we see comes from a lack of that conversation rather than from any technical failure.

Enterprise vendor risk management assumes you have a four-person governance, risk and compliance team. Most Melbourne SMEs have zero. This is a deliberately stripped ‘lite’ framework for businesses with 20 to 200 staff: three vendor tiers, a one-page questionnaire, the only evidence that matters, and the playbook for when a critical vendor fails the assessment.

Why the enterprise playbook fails for SMEs

Open any vendor risk management framework written for a bank or a listed company and you will find a 130-question security questionnaire, a quarterly review cadence, on-site audits, and a control library mapped to NIST CSF, ISO 27001, SOC 2, PCI DSS and the APRA standards. It works because there is a team paid full-time to run it.

An accounting firm in Hawthorn with 45 staff cannot run that programme. The office manager who ‘owns IT’ has neither the hours nor the technical background to read a SOC 2 Type II report properly, let alone challenge the boundaries it covers. And yet that same firm now uses 60 to 90 SaaS products that touch client data: Xero, a practice management system, an e-signature tool, four AI products, a payroll bureau, a document portal, a cloud archive, a CRM, and so on. The risk surface is the same as a mid-market enterprise. The team to manage it is not.

The lite framework below is what we run with our co-managed clients. It is opinionated, it ignores parts of the textbook on purpose, and it produces a defensible position that holds up in a cyber insurance application or a Privacy Act incident review. We have refined it across 12 years of running managed IT services in Melbourne since founding TechAssist in 2014, and it has now been deployed across professional services, healthcare admin, light manufacturing and not-for-profit clients.

The three-tier vendor categorisation

The single most useful move you can make is to stop treating all vendors the same. About 80% of the SaaS in a typical SME is low-risk; about 5% will hurt badly if it is breached or goes down. Sort the list once, properly, and you can focus your effort on the 5%.

Tier 1: Critical

A vendor is Tier 1 if any one of these is true:

  • They process or store regulated personal data at scale (health records, financial accounts, legal matters, identity documents)
  • Their outage stops the business from operating within 24 hours (your finance system, your line-of-business platform, your phone system, Microsoft 365)
  • They have privileged access into your network, your identity provider, or your endpoints (your MSP, your security tooling, your remote support tools)
  • They handle payments or move money

Expect 5 to 12 Tier 1 vendors in a typical SME. These get the full questionnaire, evidence requirements, and an annual review.

Tier 2: Important

A vendor is Tier 2 if they hold business data that you would care about leaking, but their outage is tolerable for a few days, or the data set is limited. Examples: your CRM, your marketing automation tool, your e-signature service, an HR information system that holds employee records, project management tools.

Expect 15 to 30 Tier 2 vendors. They get the short questionnaire and a light evidence check (the security page on their website is acceptable if it lists the right certifications).

Tier 3: Everyone else

Free productivity tools, internal-only utilities, vendors that hold nothing more sensitive than a contact list. The control is the procurement gate (someone signs off before the credit card goes in) and an annual list review. No questionnaire, no evidence, no annual reassessment.

Expect 30 to 60 Tier 3 vendors. The point is to have them on the list, not to spend any meaningful time on them.

The 12-question questionnaire that fits on one page

Long questionnaires (the SIG, the CAIQ, an internal 140-item monster) do not produce better risk decisions for SMEs. The vendor copies their answers from the last questionnaire, you have no way to verify most of it, and you sign anyway because you need the product. Strip it down to 12 questions that you will actually read.

#QuestionWhat you are checking
1Where is our data physically stored? List countries and providers (AWS, Azure, GCP, on-prem).Australian Privacy Principle 8 obligations on cross-border disclosure
2Do you hold a current SOC 2 Type II, ISO 27001, or IRAP assessment? Please attach.Independent third-party assurance of controls
3What is your data breach notification timeline to customers, in hours?Whether they can meet your 72-hour OAIC obligation
4Do you support single sign-on through Entra ID or Okta on our plan?Identity hygiene; ability to off-board staff cleanly
5Do you support multi-factor authentication for all users, including admins, on our plan?The number-one preventable control
6Are customer data encrypted at rest and in transit? Which algorithms?Baseline cryptography
7What is your data return and deletion process at contract end? Confirm timeline in days.Off-boarding readiness
8Do you subcontract any processing? List sub-processors and their function.Fourth-party risk; same Privacy Act exposure
9What is your published uptime target and the contractual remedy for missing it?Service level reality vs marketing
10How frequently do you back up customer data and what is the recovery point objective?What you actually lose in a vendor incident
11Have you had a security incident affecting customer data in the last 24 months?History; willingness to disclose
12Who is the named contact for security issues and what is their response time SLA?Whether anyone will pick up the phone at 2 a.m.

Twelve questions. One page. Most credible vendors can answer it in 30 minutes; if a Tier 1 vendor takes three weeks to respond or sends boilerplate that does not address the question, that is your answer. We have seen serious Australian SaaS vendors fill this out in a working day. We have also seen offshore platforms ignore it entirely. Both outcomes are useful information.

What ‘evidence’ you actually need

The textbook says: review their SOC 2 report, walk through their controls, validate their penetration testing, examine their incident response runbooks. In practice, for an SME, the evidence stack is much simpler. Either the vendor has an independent third-party attestation that you can rely on, or they do not.

Accept (Tier 1 and Tier 2)

  • SOC 2 Type II covering at least the last 12 months and covering the product you are using. Type I is a snapshot and is worth far less. The scope matters – if the SOC 2 covers their corporate environment but not the production service you are buying, it is window dressing.
  • ISO 27001 certification with a recent certificate (within the three-year cycle) and a scope statement that includes the relevant systems. Insist on the scope statement, not just the certificate number.
  • IRAP assessment at PROTECTED or higher, for any vendor handling government-adjacent or sensitive data.

Acceptable with caveats (Tier 2 only)

  • A current public security page that lists controls in detail and names specific frameworks they align with.
  • A signed letter from their CISO or equivalent stating the controls in place, where no certification exists.

Not acceptable for Tier 1

  • ‘We follow industry best practice.’
  • ‘We are SOC 2 compliant’ with no report attached.
  • ‘Our hosting provider (AWS) is certified.’ AWS being certified does not certify the customer running on AWS.
  • A self-assessment questionnaire as the only evidence.

This is where most SME vendor programmes drift. The temptation is to accept a marketing page and move on because the alternative is to delay a project. Hold the line on Tier 1. Be pragmatic on Tier 2.

The playbook for when a key vendor fails

Here is what the textbook gets wrong: it implies that a failed vendor risk assessment means you switch vendors. In SME reality, you almost never do. You have a contract, you have integrations, you have user training, and switching costs are punishing. The realistic outcome of a failed assessment is risk acceptance with compensating mitigations.

The playbook we run with clients has five steps.

Step 1: Identify the specific gap

Not ‘they failed the questionnaire.’ Specifically: they have no SOC 2, their breach notification is 30 days, they do not support SSO on our tier, they will not name their sub-processors. Write down the actual gap.

Step 2: Quantify the exposure

What is the worst credible outcome if this gap is exploited? Loss of which data set, of what volume, with what regulatory and reputational consequences? Document the number of records and the personally identifiable information categories.

Step 3: Design compensating controls

Most gaps can be mitigated on your side. If they do not support SSO on your tier, enforce a strong password manager policy, rotate the shared credentials quarterly, and put an alert on the account. If their breach notification is 30 days, monitor publicly available breach feeds yourself. If they will not name sub-processors, restrict the data set you send them. If they do not have MFA on admin accounts, do not send them your most sensitive data.

Step 4: Document the acceptance

A risk acceptance document that names the gap, the mitigations, the residual risk, the business benefit of continuing, and the executive who signed off. This is what makes the position defensible later. Insurance underwriters and OAIC investigators do not expect perfection; they expect documented, considered decisions.

Step 5: Set a review date

Twelve months from now, are the mitigations still in place? Has the vendor improved their controls? Should the risk acceptance be renewed, withdrawn, or escalated?

A 70-staff law firm in Camberwell we work with ran this playbook recently on a US-based legal AI vendor. The vendor had no SOC 2, no SSO on the relevant tier, and stored data in US-East. The partners wanted the product. The compensating controls: a dedicated tenant configuration that limited what content could be sent to the tool, an enforced data classification policy on the matter management side, quarterly review of the vendor’s audit log exports, and a contractual addendum on breach notification. Risk accepted, documented, signed by the managing partner, reviewed annually. That is a defensible position.

The Australian Privacy Act 1988 angle

The Privacy Act amendments that came through in 2024 and 2025 changed the conversation for SMEs. The small business exemption is being narrowed; the maximum penalty for serious or repeated breaches is now the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period. Vendor risk management is now a Privacy Act obligation in practice if not in name. The OAIC has been clear: if your vendor has a breach involving your customers’ data, you are the entity that has obligations to notify and remediate, not the vendor.

Australian Privacy Principle 8 (cross-border disclosure) is the clause that catches most SMEs. Sending personal information overseas – which you do every time you sign up for a US SaaS – generally requires that you take reasonable steps to ensure the overseas recipient does not breach the APPs. Your vendor risk assessment is the ‘reasonable steps’ evidence. Without it, you are exposed.

For the detail on what this means in practice, see our companion piece on the Australian Privacy Act for SMBs and what your IT team must do. The vendor risk programme described here is one of the four foundational pieces of that broader compliance posture, alongside data minimisation, identity hygiene, and breach response readiness.

The cyber insurance vendor list creep problem

Cyber insurance applications now routinely ask for a vendor list. Some carriers want the top 10 by data sensitivity; some want every vendor with access to your systems; the more thorough underwriters want the questionnaire results for your Tier 1 vendors. Three observations from running these applications for clients over the past two years.

First, the list grows every year and the questions get sharper. A 2023 application that asked ‘do you use any third-party SaaS providers’ became a 2025 application that asks ‘list all third-party providers with access to personal information, the data categories involved, and your last review date for each.’ Expect this trajectory to continue. Your vendor list and tiering work is also insurance application work.

Second, an inaccurate disclosure on the insurance application can void the policy. We have seen clients tick ‘all critical vendors reviewed in the last 12 months’ when the answer was closer to ‘three of them.’ If a breach involves an unreviewed vendor, the carrier may decline. Be honest on the form, even if the answer is uncomfortable.

Third, insurers increasingly want evidence that you have an MSP or internal team running this programme. A client of ours in Box Hill had a cyber renewal in late 2025 where the carrier asked for proof of an MSP relationship covering vendor risk before they would renew on the existing premium. The co-managed IT support arrangement we had in place satisfied the underwriter; without it, the renewal would have been 40% more expensive.

What to run yourself versus what to delegate

The split we recommend for a 30 to 150 staff SME is:

ActivityCadenceOwner
Maintain the vendor list (additions, terminations)ContinuousInternal (finance or operations)
Procurement gate for new vendorsPer requestInternal sign-off, MSP triage
Tier assignment for new vendorsPer requestMSP
Questionnaire issuance and reviewAnnually for Tier 1, on signup for Tier 2MSP
Evidence collection and storageAnnuallyMSP
Risk acceptance documentationPer findingInternal (executive) with MSP support
Breach intelligence monitoringContinuousMSP NOC
Annual programme reviewYearlyJoint

The work the MSP does is the technical assessment and the document handling. The work the business owns is the procurement decision and the risk acceptance. That separation matters. Risk acceptance is a business decision, not an IT decision; the MSP should not be signing it off, but should provide the analysis that informs it.

Our own approach at TechAssist is to maintain a vendor register for each managed client, run the questionnaire cycle from our 24/7 NOC at Tecoma, and bring findings to the client quarterly. When a P1 event involves a vendor (a Microsoft 365 outage, a confirmed third-party breach, a vendor that fails an audit), our sub-15-minute P1 response runs from the same NOC, and our 13 Australian engineers are the team that does the assessment work. No offshore questionnaire mills, no automated tooling that emails the vendor and walks away from the answer.

A realistic first 90 days

If you have nothing in place today and you want to start, here is the shape of the first quarter.

Weeks 1 to 2: List every SaaS, every vendor with a login, every contractor with system access. Pull it from your accounting system (every recurring expense), your password manager, and your single sign-on tenant. Expect to find 30 to 50 more than anyone thought existed.

Weeks 3 to 4: Tier the list. Most vendors will be Tier 3 in five minutes. The Tier 1 conversation is the one that takes time and judgement.

Weeks 5 to 8: Issue the 12-question questionnaire to Tier 1. Chase, read, file. Note the gaps.

Weeks 9 to 12: Risk acceptances or remediations for each Tier 1 gap. Document the position. Schedule the 12-month review. Brief the executive on residual risk.

At the end of 90 days you have a defensible vendor risk position, a paper trail for insurance and Privacy Act purposes, and a list that you can maintain in two to four hours a month rather than rebuilding from scratch every year. That is the goal of the lite programme: defensible, sustainable, and proportionate.

Frequently Asked Questions

Do we need a vendor risk programme if we are under the small business turnover threshold for the Privacy Act?

The small business exemption (under $3 million turnover) is being narrowed by the Privacy Act reforms, and even today the exemption does not apply to health service providers, businesses that buy or sell personal information, contractors to the Commonwealth, and a few other categories. More practically, your customers, your insurers, and your enterprise prospects increasingly require vendor risk evidence regardless of whether the Act technically applies to you. We recommend a lite programme for every SME with more than 20 staff.

Is a SOC 2 Type I report sufficient for Tier 1 vendors?

No. SOC 2 Type I is a point-in-time review and tells you very little about how the vendor actually operates the controls over time. For Tier 1, insist on a SOC 2 Type II covering at least six months and ideally twelve. Type I is acceptable for Tier 2 alongside other evidence.

What do we do about vendors that refuse to respond to the questionnaire?

For Tier 1, non-response is the answer. Either escalate to their account team (often the account manager can move the request through their internal security team) or accept that you cannot use them for Tier 1 workloads. For Tier 2, document the non-response, look at their public security page, and consider whether the gap is acceptable. Some smaller vendors genuinely do not have the team to respond, and that is itself a risk signal.

Should we use an automated vendor risk platform?

Probably not for an SME under 100 staff. The platforms (UpGuard, SecurityScorecard, BitSight, OneTrust) are excellent but priced for an enterprise budget and produce more data than a small team can act on. A spreadsheet, a shared mailbox for evidence collection, and a calendar reminder for annual review will do the job for most SMEs. Revisit the tooling question if you grow past 200 staff or if your customers start asking for vendor risk evidence in a specific format.

Who in the business should own vendor risk?

The accountability should sit with a named executive (CFO, COO or general manager in a typical SME). The day-to-day work can be delegated to an office manager, an internal IT lead, or your MSP. The risk acceptance decisions cannot be delegated below executive level.

How does this fit with our existing cyber security work?

Vendor risk is one pillar of a broader programme that also includes endpoint and identity controls, backup and recovery, and incident response. Our Melbourne cyber security services wrap these pillars together for managed clients, and the vendor risk lite framework is part of the standard offering. If you want to talk through how the pieces fit for your business, our team is reachable through the contact page.

Ready to Make IT Your
Competitive Advantage?

Book a free consultation with our team. No pressure, no jargon — just a clear-eyed look at where you stand and what's possible.