Questions to ask Managed Service Providers - Australian Cyber Security Centre (ACSC)
ACSC programs and advice are being migrated to (see sidebar)

Questions to ask Managed Service Providers

Download ACSC Protect: Questions to ask Managed Service Providers (PDF), March 2018
First published 2017; updated March 2018


  1. This document has been developed to provide simple yet practical questions to ask managed service providers regarding the cyber resilience of services they provide to your organisation.

Are you implementing best practice cyber security guidance?

  1. The Essential Eight from the Strategies to Mitigate Cyber Security Incidents is designed to provide prioritised and practical advice to manage cyber threats from:
    1. targeted cyber intrusions and other external adversaries who steal data
    2. ransomware denying access to data for monetary gain
    3. external adversaries who destroy data and prevent computers/networks from functioning
    4. malicious insiders who steal data such as customer details or intellectual property
    5. malicious insiders who destroy data and prevent computers/networks from functioning.

Are you regularly assessing our cyber security posture?

  1. In order to protect systems and the information that they process, store or communicate, it is essential that managed service providers are aware of, and appropriately risk manage, security vulnerabilities in the services they provide. This includes regularly conducting vulnerability assessment, vulnerability analysis and vulnerability management activities.

Are you protecting our users from socially-engineered emails?

  1. Socially-engineered emails are one of the most common ways that users are targeted by adversaries. Whether it is to convince users to execute malicious software on their system, visit a malicious website, disclose their credentials or wire money to foreign bank accounts, a number of practical security measures can be implemented to reduce this risk.
  2. For more information, see Detecting Socially-Engineered Messages for users and Malicious Email Mitigation Strategies for email infrastructure managers.

Are you backing up our data?

  1. Organisations can be significantly impacted, both in terms of productivity and financial loss, due to data loss or destruction from a cyber security incident. Ensuring that your managed service provider has a process for identifying and backing up your data is essential. This process should be regularly tested to ensure backups are correctly performed and successful restoration is possible.

Are you prepared for, and able to respond to, cyber security incidents?

  1. Experiencing a cyber security incident is not a question of if but when. The effective preparation for, and management of, a cyber security incident can greatly decrease its impact.
  2. For more information, see Preparing for and Responding to Cyber Security Incidents and Cyber Security Incidents: Are You Ready?.

Are you actively reporting cyber security incidents?

  1. Depending on the extent of a cyber security incident, additional assistance by specialists may be required to contain the incident and remediate any security vulnerabilities that were exploited. Actively reporting cyber security incidents can assist in the early and effective management of cyber security incidents by specialists trained in this field.
  2. For more information, see Cyber Security Incident Reporting.

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.
  2. The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.

Contact details

  1. Organisations or individuals with questions regarding this advice can contact the ACSC by emailing or calling 1300 CYBER1 (1300 292 371).

In August 2018 ACSC launched a new website,, to reflect its new organisation.

Cyber security programs and advice are being migrated to Information and advice on this site remains current.

Reports help the ACSC to develop a better understanding of the threat environment and will assist other organisations who are also at risk.

Cyber security incident reports are also used in aggregate for developing new defensive policies, procedures, techniques and training measures to help prevent future incidents.

Information for Australian businesses
Information for individual Australian citizens
Information for Federal, State and Local government agencies