MSP Compliance Framework Guide: Navigate Australian Requirements
Your MSP says they are "compliant." Compliant with what? To what standard? Verified by whom?
In the Australian business environment, compliance is not optional. The Privacy Act, Essential 8 framework, industry-specific regulations, and contractual obligations create a web of requirements that your MSP must navigate — and help you navigate.
Understanding which frameworks apply to your business, what your MSP's obligations are, and how to verify compliance is essential for managing risk and meeting your legal obligations.
The Australian Compliance Landscape
Privacy Act 1988 (Cth)
The Privacy Act applies to all organisations with annual turnover over $3 million (and some smaller organisations handling health information). Key obligations:
- APP 11: Take reasonable steps to protect personal information
- NDB Scheme: Notify the OAIC of eligible data breaches
- Cross-border disclosure: Ensure overseas recipients protect personal information
Your MSP is a data processor under the Privacy Act. Both you and your MSP have obligations to protect the data you handle.
Essential 8 (ACSC)
The Essential 8 is Australia's cybersecurity baseline, published by the Australian Cyber Security Centre. It defines eight prioritised mitigation strategies:
- Application control — prevent execution of unapproved programmes
- Patch applications — patch security vulnerabilities in applications
- Configure Microsoft Office macros — restrict macro execution
- User application hardening — reduce attack surface of applications
- Restrict administrative privileges — limit who has admin access
- Patch operating systems — patch security vulnerabilities in OS
- Multi-factor authentication — require MFA for all access
- Regular backups — maintain and test backup capability
Maturity Levels:
| Level | Description | Who Should Achieve |
|---|---|---|
| Level 1 | Baseline protection against commodity threats | All organisations |
| Level 2 | Protection against more capable adversaries | Medium to large businesses, government |
| Level 3 | Protection against sophisticated adversaries | Critical infrastructure, high-value targets |
| Level 4 | Protection against nation-state adversaries | National security, critical infrastructure |
Industry-Specific Frameworks
Financial Services (APRA CPS 234):
- Information security capability requirements
- Board responsibility for cyber security
- Testing and assurance requirements
Healthcare:
- My Health Records Act
- Health records legislation (state-based)
- TGA requirements for medical devices
Legal:
- Australian Solicitors' Conduct Rules
- Legal Profession Uniform Law
- Client confidentiality obligations
Government:
- Protective Security Policy Framework (PSPF)
- Information Security Manual (ISM)
- Digital Transformation Agency requirements
International Frameworks
ISO 27001:
- International information security management standard
- Certification through accredited auditors
- Recognised globally for supply chain assurance
SOC 2:
- US-based assurance framework
- Trust service criteria: security, availability, processing integrity, confidentiality, privacy
- Common for US-facing Australian businesses
PCI DSS:
- Payment Card Industry Data Security Standard
- Required for any business handling card payments
- Multiple levels based on transaction volume
What to Require From Your MSP
Minimum Compliance Requirements
Your MSP contract should require:
- Essential 8 Maturity Level 1 (at minimum) with evidence of assessment
- Privacy Act compliance including APP obligations
- Cyber insurance at an adequate level
- Security awareness training for all staff
- Incident response capability with defined processes
Evidence to Request
Do not accept verbal assurances. Request:
- Essential 8 assessment report — independent or self-assessed, with evidence
- ISO 27001 certificate (if claimed) — verify with issuing body
- SOC 2 report (if claimed) — review for any qualifications or exceptions
- Penetration test reports — frequency, scope, and findings
- Vulnerability scan results — current status and remediation progress
- Incident history — breaches and near-misses in the past 24 months
Ongoing Compliance Monitoring
Compliance is not a one-time event. Require:
- Annual compliance reviews — updated assessments against current standards
- Quarterly security reports — metrics demonstrating ongoing compliance
- Immediate notification of any compliance gaps or security incidents
- Cooperation with audits — your right to audit the MSP's compliance
Building Your Compliance Programme
Step 1: Identify Applicable Frameworks
Determine which frameworks apply to your business:
- Privacy Act — if turnover > $3M or handling health information
- Essential 8 — recommended for all organisations
- Industry-specific — based on your sector and regulatory requirements
- Contractual — based on obligations to your clients and partners
Step 2: Assess Current State
Evaluate your current compliance against each applicable framework:
- What controls are already in place?
- Where are the gaps?
- What is the risk of each gap?
- What resources are needed to close gaps?
Step 3: Prioritise Remediation
Rank gaps by risk and effort:
| Priority | Criteria | Timeline |
|---|---|---|
| Critical | High risk, low effort | Immediate |
| High | High risk, moderate effort | 30 days |
| Medium | Moderate risk or high effort | 90 days |
| Low | Low risk, high effort | 12 months |
Step 4: Implement Controls
Work with your MSP to implement required controls:
- Technical controls (MFA, patching, monitoring)
- Administrative controls (policies, procedures, training)
- Physical controls (access controls, environmental security)
Step 5: Verify and Monitor
- Conduct regular compliance assessments
- Monitor control effectiveness
- Address drift and non-compliance promptly
- Document everything for audit purposes
Common Compliance Failures
Confusing claims with evidence. "We are ISO 27001 compliant" without a valid certificate is a claim, not evidence. Always verify.
One-time compliance. Compliance is a continuous state, not a point-in-time achievement. An MSP that passed an assessment two years ago may not be compliant today.
Ignoring scope limitations. An ISO 27001 certificate may cover only part of the MSP's operations. Verify that your environment is within the certified scope.
Treating compliance as the MSP's problem. You are ultimately responsible for your business's compliance. The MSP is a partner in achieving it, not the sole owner.
Neglecting emerging requirements. The regulatory landscape evolves. Stay current with new requirements and ensure your MSP adapts.
Related Guides
- Cyber Insurance MSP Requirements — Insurance and compliance requirements
- MSP Data Breach Response Plan — Compliance obligations during breaches
- MSP Cybersecurity Awareness Training — Training requirements
- MSP Quality Management System — Quality frameworks
- MSP Technical Debt Assessment — Technical gaps affect compliance