Questions to ask Managed Service Providers

Download ASD Protect: Questions to ask Managed Service Providers (PDF), March 2017
Published March 2017


  1. This document has been developed to provide practical questions to ask managed service providers to ensure the security of ICT services they deliver to your organisation.

Are you implementing ASD’s cyber security guidance?

  1. ASD’s Strategies to Mitigate Cyber Security Incidents is designed to provide practical advice to assist in risk managing the threat from:
    1. targeted cyber intrusions and other external adversaries who steal data
    2. ransomware denying access to data for monetary gain
    3. external adversaries who destroy data and prevent computers/networks from functioning
    4. malicious insiders who steal data such as customer details or intellectual property
    5. malicious insiders who destroy data and prevent computers/networks from functioning.
  2. For more information, see ASD’s Strategies to Mitigate Cyber Security Incidents.

Are you undertaking activities to assess our cyber security posture?

  1. In order to protect systems and the information that they process, store or communicate, it is essential that managed service providers are aware of, and appropriately risk manage, security vulnerabilities in the ICT services they provide. This includes the conduct of vulnerability assessment, vulnerability analysis and vulnerability management activities.
  2. For more information, see ASD’s Know and Minimise Your Vulnerabilities Before They Are Used Against You.

Are you protecting our users from socially-engineered emails?

  1. Socially-engineered emails are one of the most common ways that users are targeted by adversaries. Whether to convince users to execute malicious software on their system, visit a malicious website, disclose their credentials or wire money to foreign bank accounts, a number of practical security measures can be implemented by both users and email infrastructure managers to reduce this risk.
  2. For more information, see ASD’s Detecting Socially-Engineered Messages for users and Malicious Email Mitigation Strategies for email infrastructure managers.

Are you backing up our data?

  1. Organisations can be significantly impacted, both in terms of productivity and financial loss, due to data loss or destruction from a cyber security incident. Ensuring that your managed service provider has a process for identifying and backing up your data is essential. This process should be regularly tested to ensure backups are correctly performed and successful restoration is possible.

Are you prepared for, and able to respond to, cyber security incidents?

  1. Experiencing a cyber security incident is not a question of if but when. The effective preparation for, and management of, a cyber security incident can greatly decrease its impact.
  2. For more information, see ASD’s Preparing for and Responding to Cyber Security Incidents and Cyber Security Incidents: Are You Ready?

Are you actively reporting cyber security incidents?

  1. Depending on the extent of a cyber security incident, additional assistance by specialists may be required to contain the incident and remediate any security vulnerabilities that were exploited. Actively reporting cyber security incidents can assist in the early and effective management of cyber security incidents by specialists trained in this field.
  2. For more information, see ASD’s cyber security incident reporting guidance.


Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.