Enterprise Managed Service Provider Tender Template & Guide
A copy-ready structure with selective procurement guidance for enterprise, state and local government buyers preparing to tender cloud, infrastructure and managed services. Strip the commentary to leave a clean, organisation-ready tender.
How to use this guide
This guide is for organisations preparing to outsource, modernise or re-platform enterprise infrastructure, cloud, connectivity, backup, disaster recovery and managed services. It combines a conventional tender structure with selective procurement guidance in the areas where apparently simple wording can materially change risk, cost or service outcomes.
To produce a clean tender: keep the Suggested Tender Requirement blocks, populate the bracketed placeholders, add the organisation-specific schedules in the appendices, and remove any commentary that is not relevant. Use the Clean template toggle above to hide all guidance at once.
Drafting note. This is general-purpose guidance, not legal advice. Requirements should be reviewed against the organisation's sector, the Privacy Act 1988 and Australian Privacy Principles, records and archives obligations, the SOCI Act where applicable, insurance conditions and internal risk appetite. The intent is vendor-neutral: strong requirements should reward providers that can evidence mature delivery, regardless of size or brand.
Invitation and Procurement Overview
Outcome State the procurement purpose, the business outcomes sought and the rules for a comparable response.
1.1 Purpose
[Organisation] invites proposals for the provision of enterprise cloud, infrastructure and managed services to support its current and future technology environment.
The procurement seeks a provider capable of delivering secure, resilient and scalable services together with ongoing operational management, transparent governance, predictable commercial arrangements and an orderly transition into and out of the service.
1.2 Procurement objectives
The successful solution should, where applicable:
- replace or reduce dependency on ageing customer-owned infrastructure;
- improve resilience, recoverability and security maturity;
- provide flexible access to compute, storage, network and managed-service capacity;
- reduce lifecycle and supply-chain risk;
- provide clear operational accountability and escalation;
- support future growth without repeated major procurements;
- provide transparent costs and minimise unexpected professional-services charges; and
- preserve practical portability and exit options throughout the contract term.
1.3 Tender conditions and response format
Bidders must respond to each mandatory and desirable requirement using the response schedules provided. Any qualification, dependency, assumption or exclusion must be stated explicitly.
Where a bidder relies upon a related entity, subcontractor, hyperscale cloud platform, carrier, software vendor or other third party, that dependency must be identified.
1.4 Procurement method and applicable schemes
[Organisation] identifies the procurement method, governing rules and any prequalification scheme, panel or standing offer under which this process is conducted.
Bidders confirm eligibility to participate and, where a prequalification scheme applies, state their registration status, tier and registration identifier. For example, under the NSW SCM0020 Prequalification Scheme: ICT Services, bidders identify whether they are a Registered or Advanced Supplier.
Organisation Background and Current Environment
Outcome Give bidders enough information to design and price responsibly without forcing the organisation to prescribe the future architecture.
2.1 Organisation profile
[Organisation] provides a concise profile covering business functions, user population, operating hours, critical services, regulated activities, geographic footprint and expected growth.
2.2 Current environment
[Organisation] provides a current-state summary and appends detailed schedules (see Appendix A) covering:
- sites and locations;
- users and identity platforms;
- physical and virtual servers;
- virtualisation technologies and versions;
- operating systems and application platforms;
- storage capacity, performance and growth;
- network and internet connectivity;
- firewalls, VPN and remote access;
- backup, retention and archive;
- disaster recovery arrangements;
- monitoring and security tooling;
- licensing and vendor dependencies; and
- known end-of-life or capacity risks.
2.3 Application criticality and recovery profile
Bidders complete the workload schedule (Appendix B) identifying business owner, application dependency, data sensitivity, recovery priority, target RPO, target RTO, maintenance constraints and supported technology requirements for each material workload.
Objectives, Scope and Desired Outcomes
Outcome Define what is being bought and what success looks like, while preserving room for better technical approaches.
3.1 In-scope services
Bidders address all applicable services, including design, compute, storage, networking, connectivity, security, backup, disaster recovery, monitoring, service management, transition, ongoing management, reporting, professional services and exit assistance.
3.2 Out-of-scope services
[Organisation] identifies application ownership, end-user computing, business application support, software development and other functions that remain outside scope unless proposed as optional services.
3.3 Alternative solutions
Bidders may propose alternative architectures where they can demonstrate improved security, resilience, operability or whole-of-life value. Alternatives must be clearly separated from the conforming response and must identify all material assumptions and dependencies.
Solution and Architecture Requirements
Outcome Obtain an understandable target architecture with clear responsibility boundaries and evidence the design can be operated for the full contract term.
4.1 Architecture response
Bidders provide a logical and physical architecture description showing service boundaries, availability zones or failure domains, network flows, management planes, backup paths, recovery dependencies, security controls and third-party services.
4.2 Responsibility model
Bidders provide a detailed responsibility matrix (RACI, Appendix K) covering infrastructure, hypervisor or cloud layer, operating systems, databases, applications, identity, backups, security controls, patching, monitoring, incident response, certificates, firewalls and recovery testing.
4.3 Design for growth
Bidders describe how the proposed solution supports organic growth, temporary demand, acquisitions, new sites, additional workloads and technology refresh without requiring a complete redesign or new procurement.
Compute and Generic Resource Services
Outcome Create a flexible resource model that supports known workloads and future demand without binding the organisation to a fixed list of virtual machines.
5.1 Generic resource catalogue
Bidders provide a catalogue and unit pricing for generic resources, including vCPU, memory, standard and high-performance storage, backup capacity, public IP addresses, bandwidth, load balancing and other commonly consumed services. Identify minimum increments and any minimum commitments.
5.2 Performance and contention
Bidders describe resource allocation, performance management and contention controls, including how CPU, memory, storage and network performance are protected during periods of high utilisation. Identify any relevant fair-use, burst or throttling policies.
5.3 Compatibility
Bidders identify supported virtualisation formats, operating systems, CPU architectures, guest tools, clustering technologies and any workload classes that require dedicated or specialised infrastructure.
5.4 Capacity management
Bidders describe capacity monitoring, growth forecasting, alert thresholds and the process for adding capacity before service risk emerges.
Storage and Data Services
Outcome Ensure storage is sized for capacity, performance, recoverability and future portability rather than price per terabyte alone.
6.1 Storage classes
Bidders describe available storage classes, performance characteristics, resilience model, snapshots, replication, encryption, capacity increments and applicable limits. State how performance is measured and governed.
6.2 Data movement
Bidders describe supported methods for bulk import and export of data, including online transfer, physical transfer where available, bandwidth options, expected timeframes, formats and charges.
6.3 Snapshot and replication semantics
Bidders identify whether snapshots and replicas are crash-consistent or application-consistent, their failure-domain separation, retention limits and whether they are independently protected from privileged compromise of the production environment.
Network and Connectivity Services
Outcome Treat connectivity as part of the service architecture, with clear demarcation and resilience, rather than as an afterthought between "cloud" and the business.
7.1 Connectivity scope
Bidders describe capabilities for internet, private WAN, SD-WAN, VPN, direct connectivity, cross-connects, carrier services, BGP, public IP addressing, IPv6, DDoS protection and remote-site connectivity where applicable.
7.2 Existing connectivity review
As part of transition, bidders review the existing connectivity estate and recommend opportunities to improve resilience, reduce unnecessary services, simplify routing or consolidate cost. Recommendations must preserve required diversity and business continuity.
7.3 Diversity and failure domains
Bidders identify carrier, path, facility, power and equipment diversity for each critical connectivity service. Where true physical diversity cannot be confirmed, this must be stated explicitly.
7.4 Network operational responsibility
Bidders define who diagnoses and coordinates incidents that span the provider platform, carrier network, customer site, firewall and third-party services. Identify escalation paths and after-hours arrangements.
Security Governance and Operational Security
Outcome Assess security as an operating system of governance, people, process and technology — not a checklist of products.
8.1 Security management framework
Bidders describe the information security management framework governing the proposed services, including risk management, policies, control ownership, incident management, internal review, external assurance and continual improvement.
Where certifications are claimed, bidders identify the certification body, current certificate, scope statement, expiry or surveillance status, and exactly which proposed services, locations and operational functions fall within scope. Material exclusions must be identified.
8.2 Independent security assurance
Bidders provide relevant independent assurance evidence. This may include ISO/IEC 27001 certification, PCI DSS validation where applicable, penetration testing, external audit or other evidence appropriate to the proposed service. State the scope and date of each assurance activity.
8.3 Physical and infrastructure security
Bidders describe physical security, datacentre access control, visitor management, asset handling, secure disposal, media handling, infrastructure administration and separation of customer and management environments.
8.4 Logical security controls
Bidders describe encryption in transit and at rest, key management, MFA, privileged access, role-based access control, administrative segmentation, firewalling, secure remote access, logging, vulnerability management, endpoint protection and configuration hardening.
8.5 Patch and vulnerability management
Bidders provide patch and vulnerability management processes for all layers within provider responsibility, including hypervisors, operating systems, network devices, storage systems, firmware, management platforms and security appliances.
State standard and emergency remediation targets, exception governance, customer notification requirements and how unsupported software is handled.
8.6 Security governance cadence
Bidders describe recurring security governance included within the service, such as risk review, security metrics, patch compliance, vulnerability trends, incident review, control exceptions, improvement actions and executive reporting. State the proposed cadence and attendees.
8.7 Included security operations and charges
Bidders complete the Security Service Inclusion Schedule (Appendix C), identifying for each activity whether it is included in recurring charges, subject to a usage allowance, provided at time-and-materials rates, or excluded.
Data, Operational and Legal Sovereignty
Outcome Understand the complete service delivery model — not merely the street address of the primary datacentre.
Bidders describe all material sovereignty characteristics and overseas dependencies of the proposed service, including data storage, backups, disaster recovery, logs, telemetry, support systems, monitoring, privileged administration, security operations, AI-assisted services, subcontractors, legal entities and critical technology dependencies.
For each material component, identify the country or countries involved, the responsible legal entity, the nature of access or processing, and whether the arrangement may change during the contract term. Responses are recorded in the Sovereignty and Subprocessor Schedule (Appendix F).
9.1 Dimensions to assess
| Dimension | What to examine |
|---|---|
| Data | Primary data, backups, replicas, logs, tickets, diagnostics and metadata. |
| Operational | Where engineers, NOC/SOC teams and support personnel are located; who can administer systems. |
| Legal | Contracting entities, parent control, applicable jurisdictions and potential foreign-law dependencies. |
| Security | Control of keys, identity, privileged access, logging, incident response and security tooling. |
| Supply chain | Cloud platforms, carriers, software vendors, datacentres, subcontractors and critical spares. |
| Technology | Dependence on externally controlled encryption, AI, licensing, export-controlled or restricted capabilities. |
| Commercial | Currency, taxation, tariffs, licensing, egress, price-control and unilateral service-change dependencies. |
9.2 Change control for sovereignty arrangements
Bidders state whether countries, subcontractors, support locations, AI services, monitoring platforms or privileged-access arrangements may change during the contract. Material changes must be notified in advance and, for defined high-risk changes, be subject to [Organisation] approval or an agreed right to exit.
9.3 Strategic dependency risk
Bidders identify material service dependencies that could be affected by foreign sanctions, export controls, encryption restrictions, AI capability restrictions, trade disputes, tariffs, taxation changes, currency exposure or termination of an upstream technology service. Describe available mitigations and substitution options.
Privacy, Offshore Processing and Subprocessors
Outcome Identify who can access personal or sensitive information, where that access occurs, and whether the buyer has practical control and enforceable remedies.
Bidders identify whether any customer data, metadata, logs, backups, support tickets, diagnostic exports, screen-sharing sessions, monitoring data or AI/automation outputs may be accessed, processed, viewed or stored by personnel or systems outside the customer-approved locations.
Identify all relevant countries, legal entities and subprocessors; the purpose and nature of access; access controls; logging; contractual protections; audit rights; breach notification; and the mechanism by which changes are notified and approved.
10.1 Personnel controls
Bidders describe controls applying to employees, contractors and subcontractors with access to customer environments or information, including screening (e.g. police checks, and Australian Government security clearances where relevant), confidentiality, least privilege, MFA, privileged access management, session controls, monitoring, data-loss prevention, disciplinary processes and termination of access.
10.2 Optional high-sensitivity position
For designated high-sensitivity services, no offshore personnel access, offshore processing or new offshore subprocessor shall be introduced without prior written approval from [Organisation].
Backup and Cyber Recovery
Outcome Ensure the organisation can recover usable systems and data after operational failure, malicious deletion or ransomware.
Bidders describe the backup and cyber-recovery service, including coverage, frequency, retention, immutability, encryption, administrative separation, failure-domain separation, monitoring, restore methods, recovery testing, reporting and charges. Detailed responses are recorded in the Backup and Recovery Schedule (Appendix E).
11.1 Recovery objectives
For each workload class, bidders state achievable RPO and RTO assumptions and identify dependencies that may prevent those objectives from being met. Distinguish backup completion objectives from service recovery objectives.
11.2 Immutability and administrative separation
Bidders describe how backup copies are protected from compromise of production credentials, privileged administrators, ransomware and malicious deletion. Identify any separate identity, account, tenant, platform or administrative boundary.
11.3 Recovery testing
Bidders state the frequency, scope and method of restore testing included in recurring charges. Testing should include representative file, application and full-system recovery where applicable, with documented outcomes and remediation of failures.
11.4 Backup portability
Bidders describe the ability to export backup data or recovered workloads to another environment, including formats, tooling, transfer rates and charges.
Disaster Recovery and Business Continuity
Outcome Test whether the whole service can recover — including identity, networking, DNS, firewall policy and operational coordination — not just whether a second site exists.
Bidders describe disaster recovery architecture, geographic and failure-domain separation, replication, failover, failback, orchestration, recovery sequencing, dependency management, testing and governance.
12.1 DR tests
Bidders state the number and scope of DR tests included per year, expected customer participation, whether tests are disruptive, how findings are tracked, and whether retesting after remediation is included.
12.2 Partial and cyber failover
Bidders describe support for partial workload failover, isolated recovery environments and recovery from cyber incidents where production credentials or management systems may be untrusted.
Availability, Hardware Lifecycle and Restoration Capability
Outcome Measure the provider's practical ability to keep and restore service, including how failed hardware is actually replaced.
Bidders describe the resilience model, redundancy, failure domains, hardware lifecycle strategy, refresh approach, firmware management, critical spare-parts strategy, component replacement process and restoration targets for infrastructure supporting the service.
13.1 Spare parts and field capability
Bidders identify which classes of critical spares are held by the provider, where they are held, expected access time, who performs replacement, after-hours capability, and which failures depend on OEM or third-party dispatch.
13.2 Lifecycle management
Bidders state normal refresh cycles, handling of end-of-life equipment, capacity refresh, migration responsibility, secure disposal and whether lifecycle replacement is included in recurring charges.
13.3 Availability architecture
Bidders identify N+1 or other redundancy assumptions, automatic failover behaviour, maintenance without outage, storage protection, network redundancy and any single points of failure.
Service Management, Support and Escalation
Outcome Understand how incidents are handled in practice, who the customer can reach, and how quickly expertise is engaged.
14.1 Support model
Bidders describe the service desk, NOC/SOC where applicable, hours of coverage, major-incident management, escalation tiers, direct access to infrastructure engineers, after-hours arrangements, subcontractors and vendor escalation paths.
14.2 Incident priorities
Bidders provide proposed priority definitions, acknowledgement targets, technical engagement targets, update frequency, restoration targets and escalation triggers. Distinguish response from restoration.
14.3 Change management
Bidders describe standard, normal and emergency change processes; approval; maintenance windows; rollback; customer communication; and which routine changes are included within recurring charges.
14.4 Problem management
Bidders describe root-cause analysis, recurring-incident review, corrective action tracking and post-incident reporting for material events.
Monitoring, Reporting and Continuous Improvement
Outcome Make the managed service improve over time instead of becoming a static hosting arrangement.
Bidders describe monitoring, alerting, capacity management, service reporting, governance meetings and continuous-improvement activities included in the service.
15.1 Minimum service reporting
Monthly or agreed periodic reporting should include, as applicable: availability, incidents, SLA performance, capacity, growth, backup success and restore testing, patch compliance, vulnerability status, security events, changes, risks, lifecycle issues, cost trends and improvement actions.
15.2 Service reviews
Bidders provide operational service reviews at an agreed cadence and executive or strategic reviews at least [quarterly / biannually]. Maintain an action register with owners and due dates.
15.3 Continuous improvement
At least annually, bidders provide an infrastructure health assessment and forward roadmap covering capacity, lifecycle, security, resilience, cost optimisation, technical debt and material improvement opportunities.
Managed Operating Systems and Platform Services
Outcome Remove ambiguity around the layers above infrastructure that often become security and cost gaps.
For each managed platform layer, bidders define supported versions, onboarding standards, patching, monitoring, backup integration, configuration management, vulnerability remediation, escalation and end-of-support treatment.
16.1 Supported technologies
Bidders provide supported technology matrices for operating systems, databases, web platforms, containers, directory services and other managed components offered.
16.2 Responsibility boundaries
Bidders complete the RACI schedule (Appendix K) for operating systems, middleware, databases, applications, agents, certificates, backups, monitoring, vulnerability remediation and configuration changes.
Transition, Migration and Acceptance
Outcome Require a controlled move with discovery, rollback and measurable acceptance rather than treating migration as an informal prelude to the contract.
Bidders provide a transition plan covering discovery, dependency mapping, design validation, connectivity, build, data migration, workload migration, testing, change control, rollback, coexistence, cutover, hypercare, documentation and handover. Milestones are recorded in the Transition and Acceptance Schedule (Appendix L).
17.1 Migration assumptions
Bidders state all assumptions regarding customer effort, application vendor involvement, downtime, data-transfer rates, licensing, unsupported systems, third-party approvals and remediation required before migration.
17.2 Acceptance criteria
Bidders propose objective acceptance criteria for each transition stage, including performance, monitoring, backup, restore, security, connectivity, documentation and operational handover.
17.3 Rollback
Bidders provide rollback criteria, decision authority, maximum rollback window and treatment of data divergence for material migrations.
Commercial Model and Pricing Transparency
Outcome Make competing bids comparable and expose the costs most likely to emerge after contract signature.
Bidders provide complete pricing using the Pricing Schedule (Appendix H). Clearly distinguish recurring charges, usage charges, minimum commitments, implementation costs, licences, support, professional services, third-party charges, taxes (including GST treatment), indexation, data transfer, egress and exit charges.
18.1 Included versus chargeable activities
Bidders complete a Service Inclusion Schedule that classifies each recurring operational activity as: Included; Included subject to stated allowance; Time and Materials; Project Quote; or Excluded.
18.2 Unit rates
Bidders provide time-and-materials rates by role, after-hours multipliers, minimum charge increments and any annual rate adjustment mechanism. Rates should also apply to optional transition and exit assistance unless otherwise stated.
18.3 Resource price catalogue
Bidders provide unit prices for common compute, storage, backup, connectivity and managed-service increments to support growth and downsizing during the term.
18.4 Total cost comparison
Bidders provide a [3 / 5]-year total-cost model using stated assumptions, including implementation, recurring services, forecast growth, licences, bandwidth, backup, support, professional-services allowances and exit costs.
Portability, Vendor Lock-in and Exit Assistance
Outcome Preserve the practical ability to move workloads and data, not merely a contractual right to terminate.
The proposed solution must support practical portability of customer workloads and data throughout the contract term and on exit.
Bidders describe supported export formats and procedures for virtual machines, disks, files, object data, databases, backups, configuration data, firewall and network configuration, logs and other customer-owned information.
Identify all proprietary dependencies that could materially increase the cost, complexity or time required to migrate to another provider or to customer-operated infrastructure. Detailed responses are recorded in the Portability and Exit Schedule (Appendix G).
19.1 VM and workload export
Bidders state the ability to export virtual machines and disks on demand in commonly supported or documented formats. Identify supported formats, snapshot consistency, expected export time, self-service capability, bandwidth constraints and charges.
19.2 Storage and bulk data export
Bidders describe online and offline bulk export options, standard protocols and APIs, physical transfer options where available, expected throughput, charges and any provider-imposed egress limits.
19.3 Configuration and operational handover
On request and on exit, bidders provide current documentation and exportable customer-specific configuration reasonably required for transition, including architecture, IP addressing, firewall rules, VPN configuration, DNS dependencies, backup policy, monitoring configuration, asset inventory, open risks and operational procedures, subject to legitimate provider intellectual-property protections.
19.4 Exit assistance
Bidders provide transition and handover assistance at pre-agreed time-and-materials rates unless included in the service. Assistance should be available to the customer and its nominated replacement provider, subject to reasonable security controls.
19.5 No hostage dependencies
Bidders identify any customer data, workload or configuration that cannot be exported without proprietary provider tooling or conversion. State conversion methods, costs and expected timeframes.
19.6 Exit charges and egress
Bidders disclose all charges that may apply to termination, data export, egress, media, engineering, early termination, licence conversion and decommissioning. Charges not disclosed in the tender response should not be introduced solely because the customer is exiting.
19.7 Data deletion
After verified transition and customer authorisation, bidders securely delete residual customer data in accordance with the agreed retention and destruction process and provide confirmation of completion, subject to lawful retention obligations.
Service Levels and Contractual Operating Principles
Outcome Define measurable service obligations without confusing fast ticket acknowledgement with service restoration.
20.1 Availability
Bidders provide service-specific availability commitments, measurement points, calculation methodology, exclusions, planned-maintenance treatment, reporting and service credits.
20.2 Incident service levels
Bidders provide targets for acknowledgement, technical engagement, update frequency and restoration by priority. Define clock start/stop conditions and customer dependency treatment.
20.3 Maintenance
Bidders describe standard maintenance windows, notice periods, emergency maintenance, customer veto or deferral rules, and whether the architecture supports maintenance without customer-visible outage.
20.4 Audit and assurance
Bidders provide reasonable access to relevant assurance evidence and support customer audits subject to confidentiality, security and proportionality. State charges, if any, for routine evidence versus bespoke audit assistance.
Vendor Capability and Evidence
Outcome Assess the organisation that will operate the service, not just the architecture proposed by the sales team.
Bidders provide evidence of organisational capability, including ownership, financial standing, years of operation, relevant customer experience, engineering capability, support locations, certifications, insurance, critical subcontractors and reference customers.
21.1 Delivery personnel
Bidders describe the roles and locations of personnel who will design, operate, support and secure the service. Identify use of subcontractors and the escalation path to senior engineering.
21.2 Evidence over claims
Bidders support material claims with evidence where reasonably available, such as certification scope, audit evidence, measured service performance, sample reports, recovery-test outputs, references or demonstrations.
21.3 Business continuity of the provider
Bidders describe the provider's own business continuity arrangements, key-person resilience, operational succession, remote-work capability, supply-chain resilience and ability to continue support during facility or regional disruption.
Response Schedules and Evaluation
Outcome Force responses into a form that can be scored consistently and audited later.
22.1 Required schedules
Bidders complete the following schedules in addition to the narrative proposal:
- Requirement compliance matrix;
- Solution architecture and dependency schedule;
- Service responsibility / RACI matrix;
- Security assurance and certification scope schedule;
- Security service inclusion schedule;
- Sovereignty, country and subprocessor schedule;
- Backup and recovery schedule;
- SLA schedule;
- Transition and migration schedule;
- Pricing schedule;
- Generic resource catalogue;
- Vendor lock-in and portability schedule; and
- Exceptions, assumptions and exclusions schedule.
22.2 Indicative evaluation model
| Evaluation area | Indicative weight |
|---|---|
| Technical solution and architecture | 20% |
| Service delivery and operational maturity | 20% |
| Security, privacy and sovereignty | 20% |
| Resilience, backup and disaster recovery | 15% |
| Transition, portability and exit | 10% |
| Commercial value and transparency | 15% |
22.3 Evaluation principles
Evaluation should consider whole-of-life value, evidence quality, material exceptions, operational dependencies, transition risk and exit cost. Where appropriate, [Organisation] reserves the right to conduct clarification workshops, technical demonstrations, reference checks and due diligence before final award.
Response Schedules
Populate these schedules with organisation-specific detail. Rows shown in a tinted example style are worked examples to illustrate the level of detail expected — delete or overwrite them before issuing.
Appendix A · Current Environment Data Schedule
| Category | Information to provide |
|---|---|
| Organisation | Users, sites, operating hours, critical services, growth assumptions |
| Compute | Hosts, VMs, vCPU, RAM, OS, clustering, utilisation, growth |
| Storage | Capacity, used, growth, IOPS/latency needs, protocols, snapshots |
| Applications | Owner, criticality, dependencies, vendor support, maintenance windows |
| Network | Sites, carriers, circuits, bandwidth, routing, VPN, public IP, firewalls |
| Identity | Directory, SSO, MFA, privileged access, service accounts |
| Backup | Protected systems, frequency, retention, immutability, restore history |
| DR | Current recovery site, RPO/RTO, tests, dependencies |
| Security | EDR, SIEM, vulnerability, patching, logging, certifications |
| Constraints | Licensing, data location, vendor support, regulatory, end-of-life |
Appendix B · Workload Inventory Template
| Workload | Owner | Crit. | vCPU/RAM | Storage | OS/Platform | RPO | RTO | Dependencies |
|---|---|---|---|---|---|---|---|---|
| ERP / Finance | CFO | High | 8 / 64 GB | 2 TB SSD | Win Srv 2022 / SQL | 15 min | 4 hrs | AD, SQL, payment gateway |
| Public website | Comms | Med | 4 / 16 GB | 200 GB | Linux / container | 1 hr | 2 hrs | CDN, DNS, CMS |
| Emergency mgmt | Ops | High | 6 / 32 GB | 1 TB | Win Srv 2022 | 5 min | 1 hr | AD, GIS, SMS gateway |
| [insert] | [insert] | [H/M/L] | [insert] | [insert] | [insert] | [insert] | [insert] | [insert] |
| [insert] | [insert] | [H/M/L] | [insert] | [insert] | [insert] | [insert] | [insert] | [insert] |
Appendix C · Security Service Inclusion Schedule
Require each bidder to classify each activity: Included / Allowance / T&M / Project Quote / Excluded, with notes and limits.
| Activity | Commercial treatment | Limits / notes |
|---|---|---|
| Firewall rule changes | Allowance | 10 changes/month included; excess at T&M |
| Emergency patching | Included | Critical CVEs within 48 hrs |
| DR testing | Included | 1 test/yr; retest at T&M |
| Periodic firewall rule review | [select] | [insert] |
| VPN changes | [select] | [insert] |
| OS patching | [select] | [insert] |
| Hypervisor patching | [select] | [insert] |
| Network/storage firmware | [select] | [insert] |
| Vulnerability scanning | [select] | [insert] |
| Vulnerability remediation | [select] | [insert] |
| Certificate lifecycle | [select] | [insert] |
| Security incident investigation | [select] | [insert] |
| Log/SIEM onboarding | [select] | [insert] |
| Audit evidence / pen-test remediation | [select] | [insert] |
Appendix D · Connectivity and Site Schedule
| Site / service | Region | Carrier | Bandwidth | Routing / IP | Diversity | Crit. |
|---|---|---|---|---|---|---|
| HQ primary | Sydney | Carrier A | 1 Gbps | BGP / /24 | Diverse path | High |
| HQ failover | Sydney | Carrier B | 500 Mbps | BGP failover | Separate DC entry | High |
| [insert] | [insert] | [insert] | [insert] | [insert] | [insert] | [H/M/L] |
| [insert] | [insert] | [insert] | [insert] | [insert] | [insert] | [H/M/L] |
Appendix E · Backup and Recovery Schedule
| Workload / class | RPO | RTO | Frequency | Retention | Immutable | Recovery test |
|---|---|---|---|---|---|---|
| Tier 1 (critical) | 15 min | 4 hrs | Hourly snap + daily | 35 days + 7 yr archive | Yes — separate tenant | Quarterly |
| Tier 2 (standard) | 24 hrs | 24 hrs | Daily | 30 days | Yes | Annual |
| [insert] | [insert] | [insert] | [insert] | [insert] | [Y/N] | [freq] |
| [insert] | [insert] | [insert] | [insert] | [insert] | [Y/N] | [freq] |
Appendix F · Sovereignty and Subprocessor Schedule
| Service / data type | Country | Legal entity / subprocessor | Access purpose | Can change? |
|---|---|---|---|---|
| Primary data + backups | Australia | Provider Pty Ltd (AU) | Storage & operations | No |
| Tier-3 support (overflow) | Philippines | Support BPO Inc. | Ticket triage (no prod access) | Yes — w/ approval |
| [insert] | [insert] | [insert] | [insert] | [Y/N] |
| [insert] | [insert] | [insert] | [insert] | [Y/N] |
Appendix G · Portability and Exit Schedule
| Asset / capability | Bidder response required |
|---|---|
| Virtual machines | Supported export formats; self-service; charges; time |
| Virtual disks | Formats; snapshot consistency; conversion needs |
| File / object data | Protocols/APIs; bulk export; throughput; egress |
| Databases | Native export/dump options; managed-service dependencies |
| Backups | Export/recovery options; retention during transition |
| Network configuration | Firewall, VPN, IP addressing, routing, DNS dependencies |
| Monitoring / logs | Export formats, retention, API access |
| Documentation | Architecture, inventory, procedures, open risks |
| Engineering handover | T&M rates, availability, replacement-provider cooperation |
| Deletion | Authorisation, timeframe, confirmation, lawful retention |
Appendix H · Pricing Schedule Structure
| Pricing area | Required disclosure |
|---|---|
| Implementation | Discovery, design, migration, testing, hypercare |
| Recurring platform | Compute, storage, network, backup, DR |
| Managed services | Support, monitoring, patching, reporting, governance |
| Licensing | OS, hypervisor, backup, security, database where applicable |
| Connectivity | Circuits, internet, private links, DDoS, cross-connects |
| Usage | Bandwidth, egress, API, transactions or other meters |
| Professional services | Role rates, after-hours, minimum increments |
| Growth catalogue | Unit rates for common resource increments |
| Exit | Egress, media, engineering, decommissioning, early termination |
| Indexation | Mechanism, frequency, caps or reference indices (e.g. CPI) |
Appendix I · SLA Schedule
| Service / priority | Metric | Target | Measurement | Remedy |
|---|---|---|---|---|
| Core platform | Availability | 99.95% | Monthly, excl. planned maint. | Service credit tiers |
| P1 incident | Technical engagement | 30 min, 24/7 | Engineer engaged (not auto-ack) | Escalation + credit |
| P1 incident | Restoration target | 4 hrs | Service restored, not just ack | Credit + RCA |
| [insert] | [avail/response/restore] | [insert] | [insert] | [insert] |
| [insert] | [avail/response/restore] | [insert] | [insert] | [insert] |
Appendix J · Compliance Matrix
| Req. ID | Requirement | Status | Response / evidence |
|---|---|---|---|
| 8.1 | ISMS scope maps to all proposed services | Comply | ISO 27001 cert + scope statement attached |
| [x.x] | [requirement text] | [Comply/Partial/No] | [insert] |
| [x.x] | [requirement text] | [Comply/Partial/No] | [insert] |
| [x.x] | [requirement text] | [Comply/Partial/No] | [insert] |
Appendix K · RACI Template
R Responsible A Accountable C Consulted I Informed
| Service layer | Customer | Provider | 3rd party |
|---|---|---|---|
| Physical infrastructure | I | R / A | — |
| Operating system | C | R / A | — |
| Application | R / A | C | C |
| Firewall | [ ] | [ ] | [ ] |
| Database | [ ] | [ ] | [ ] |
| Backup | [ ] | [ ] | [ ] |
| Vulnerability remediation | [ ] | [ ] | [ ] |
| Certificates | [ ] | [ ] | [ ] |
Appendix L · Transition and Acceptance Schedule
| Stage / milestone | Owner | Entry criteria | Acceptance evidence | Rollback |
|---|---|---|---|---|
| Discovery & design | Shared | Signed SOW, access granted | Approved design + dependency map | N/A |
| Pilot migration | Provider | Target built, connectivity tested | Non-prod workload verified | Revert to source |
| [insert] | [cust/prov/shared] | [insert] | [insert] | [insert] |
| [insert] | [cust/prov/shared] | [insert] | [insert] | [insert] |
Authoritative References and Further Reading
Useful official sources when tailoring the guide. Requirements should be checked against the organisation's current legal and regulatory position.
- ISO/IEC 27001:2022 — Information security management systems
- Australian Signals Directorate — Information Security Manual (ISM) and Essential Eight maturity model
- Digital Transformation Agency — Hosting Certification Framework
- OAIC — APP 8 (cross-border disclosure) and APP 11 (security of personal information); "Sending personal information overseas"
- Security of Critical Infrastructure (SOCI) Act 2018, where applicable
- NSW Procurement — SCM0020 Prequalification Scheme: ICT Services (Registered or Advanced Supplier)
- Commonwealth Procurement Rules / relevant state procurement frameworks (NSW, VIC, QLD, WA, SA)
- PCI Security Standards Council — PCI Data Security Standard (where card data applies)
A strong tender does not need to be long for its own sake. It needs to make responsibilities, dependencies, risk and commercial treatment visible before contract signature. Standard requirements can remain concise; deeper wording is most valuable where a simple "yes" answer would otherwise hide materially different service models.