Procurement Guidance · Tender Template

Enterprise Managed Service Provider Tender Template & Guide

AUSTRALIA

A copy-ready structure with selective procurement guidance for enterprise, state and local government buyers preparing to tender cloud, infrastructure and managed services. Strip the commentary to leave a clean, organisation-ready tender.

View
Commentary is visible. Switch to Clean template to keep only requirement wording and schedules.

How to use this guide

This guide is for organisations preparing to outsource, modernise or re-platform enterprise infrastructure, cloud, connectivity, backup, disaster recovery and managed services. It combines a conventional tender structure with selective procurement guidance in the areas where apparently simple wording can materially change risk, cost or service outcomes.

To produce a clean tender: keep the Suggested Tender Requirement blocks, populate the bracketed placeholders, add the organisation-specific schedules in the appendices, and remove any commentary that is not relevant. Use the Clean template toggle above to hide all guidance at once.

Requirement
Copy-ready wording
Why it helps
Wording rationale
Insight
Common failure mode
Watch-out
Procurement trap
Better comparison
Stronger question

Drafting note. This is general-purpose guidance, not legal advice. Requirements should be reviewed against the organisation's sector, the Privacy Act 1988 and Australian Privacy Principles, records and archives obligations, the SOCI Act where applicable, insurance conditions and internal risk appetite. The intent is vendor-neutral: strong requirements should reward providers that can evidence mature delivery, regardless of size or brand.

01

Invitation and Procurement Overview

Outcome  State the procurement purpose, the business outcomes sought and the rules for a comparable response.

1.1 Purpose

Suggested Tender Requirement

[Organisation] invites proposals for the provision of enterprise cloud, infrastructure and managed services to support its current and future technology environment.

The procurement seeks a provider capable of delivering secure, resilient and scalable services together with ongoing operational management, transparent governance, predictable commercial arrangements and an orderly transition into and out of the service.

1.2 Procurement objectives

Suggested Tender Requirement

The successful solution should, where applicable:

  • replace or reduce dependency on ageing customer-owned infrastructure;
  • improve resilience, recoverability and security maturity;
  • provide flexible access to compute, storage, network and managed-service capacity;
  • reduce lifecycle and supply-chain risk;
  • provide clear operational accountability and escalation;
  • support future growth without repeated major procurements;
  • provide transparent costs and minimise unexpected professional-services charges; and
  • preserve practical portability and exit options throughout the contract term.

1.3 Tender conditions and response format

Suggested Tender Requirement

Bidders must respond to each mandatory and desirable requirement using the response schedules provided. Any qualification, dependency, assumption or exclusion must be stated explicitly.

Where a bidder relies upon a related entity, subcontractor, hyperscale cloud platform, carrier, software vendor or other third party, that dependency must be identified.

Australian context
Government buyers should align the invitation with the applicable procurement framework — for Commonwealth entities the Commonwealth Procurement Rules and AusTender; for states, the relevant treasury/procurement board rules (e.g. NSW Procurement Policy Framework and prequalification schemes such as SCM0020 Prequalification Scheme: ICT Services (Registered or Advanced Supplier); Victorian Government Purchasing Board; Queensland QITC). State the panel or scheme being used and any mandatory local-industry or SME participation obligations up front.

1.4 Procurement method and applicable schemes

Suggested Tender Requirement

[Organisation] identifies the procurement method, governing rules and any prequalification scheme, panel or standing offer under which this process is conducted.

Bidders confirm eligibility to participate and, where a prequalification scheme applies, state their registration status, tier and registration identifier. For example, under the NSW SCM0020 Prequalification Scheme: ICT Services, bidders identify whether they are a Registered or Advanced Supplier.

Australian context
Name the applicable scheme in the invitation — for example NSW SCM0020 Prequalification Scheme: ICT Services (Registered or Advanced Supplier), a relevant AusTender panel, or a state standing offer. Requiring bidders to cite registration tier and identifier up front reduces disputes about eligibility after responses are received.
02

Organisation Background and Current Environment

Outcome  Give bidders enough information to design and price responsibly without forcing the organisation to prescribe the future architecture.

2.1 Organisation profile

Suggested Tender Requirement

[Organisation] provides a concise profile covering business functions, user population, operating hours, critical services, regulated activities, geographic footprint and expected growth.

Worked example
"[Council] is a metropolitan local government serving ~180,000 residents across 6 sites, with ~950 staff and ~1,400 devices. Core services include rates and revenue, planning and development, libraries, and a 24/7 emergency-management function. Operating hours are business hours for corporate systems and 24/7 for the emergency-management platform and public-facing website. Regulated activities include handling of personal information under the Privacy Act and state records obligations. Growth of ~5% p.a. in users and ~15% p.a. in data is expected over the term."

2.2 Current environment

Suggested Tender Requirement

[Organisation] provides a current-state summary and appends detailed schedules (see Appendix A) covering:

  • sites and locations;
  • users and identity platforms;
  • physical and virtual servers;
  • virtualisation technologies and versions;
  • operating systems and application platforms;
  • storage capacity, performance and growth;
  • network and internet connectivity;
  • firewalls, VPN and remote access;
  • backup, retention and archive;
  • disaster recovery arrangements;
  • monitoring and security tooling;
  • licensing and vendor dependencies; and
  • known end-of-life or capacity risks.
Why this wording helps
Detailed current-state information improves solution quality and reduces risk premiums, but the tender should avoid dictating the future product stack unless genuine compatibility, licensing or application constraints require it. Describe outcomes and constraints; let bidders propose the architecture.

2.3 Application criticality and recovery profile

Suggested Tender Requirement

Bidders complete the workload schedule (Appendix B) identifying business owner, application dependency, data sensitivity, recovery priority, target RPO, target RTO, maintenance constraints and supported technology requirements for each material workload.

03

Objectives, Scope and Desired Outcomes

Outcome  Define what is being bought and what success looks like, while preserving room for better technical approaches.

3.1 In-scope services

Suggested Tender Requirement

Bidders address all applicable services, including design, compute, storage, networking, connectivity, security, backup, disaster recovery, monitoring, service management, transition, ongoing management, reporting, professional services and exit assistance.

3.2 Out-of-scope services

Suggested Tender Requirement

[Organisation] identifies application ownership, end-user computing, business application support, software development and other functions that remain outside scope unless proposed as optional services.

3.3 Alternative solutions

Suggested Tender Requirement

Bidders may propose alternative architectures where they can demonstrate improved security, resilience, operability or whole-of-life value. Alternatives must be clearly separated from the conforming response and must identify all material assumptions and dependencies.

04

Solution and Architecture Requirements

Outcome  Obtain an understandable target architecture with clear responsibility boundaries and evidence the design can be operated for the full contract term.

4.1 Architecture response

Suggested Tender Requirement

Bidders provide a logical and physical architecture description showing service boundaries, availability zones or failure domains, network flows, management planes, backup paths, recovery dependencies, security controls and third-party services.

4.2 Responsibility model

Suggested Tender Requirement

Bidders provide a detailed responsibility matrix (RACI, Appendix K) covering infrastructure, hypervisor or cloud layer, operating systems, databases, applications, identity, backups, security controls, patching, monitoring, incident response, certificates, firewalls and recovery testing.

Industry insight
A frequent cause of dispute is not a technology failure but a responsibility gap. "Managed infrastructure" may mean hardware and hypervisor management to one party while the customer assumes operating-system patching, firewall changes, certificate renewals and recovery testing are included. Force every layer into the RACI and require the provider to name the party accountable for each.

4.3 Design for growth

Suggested Tender Requirement

Bidders describe how the proposed solution supports organic growth, temporary demand, acquisitions, new sites, additional workloads and technology refresh without requiring a complete redesign or new procurement.

05

Compute and Generic Resource Services

Outcome  Create a flexible resource model that supports known workloads and future demand without binding the organisation to a fixed list of virtual machines.

5.1 Generic resource catalogue

Suggested Tender Requirement

Bidders provide a catalogue and unit pricing for generic resources, including vCPU, memory, standard and high-performance storage, backup capacity, public IP addresses, bandwidth, load balancing and other commonly consumed services. Identify minimum increments and any minimum commitments.

Why this wording helps
A generic resource catalogue lets the organisation add, resize or retire workloads during the contract without repeatedly negotiating bespoke pricing. It also makes future cost modelling much easier than a static list of named virtual machines.

5.2 Performance and contention

Suggested Tender Requirement

Bidders describe resource allocation, performance management and contention controls, including how CPU, memory, storage and network performance are protected during periods of high utilisation. Identify any relevant fair-use, burst or throttling policies.

5.3 Compatibility

Suggested Tender Requirement

Bidders identify supported virtualisation formats, operating systems, CPU architectures, guest tools, clustering technologies and any workload classes that require dedicated or specialised infrastructure.

5.4 Capacity management

Suggested Tender Requirement

Bidders describe capacity monitoring, growth forecasting, alert thresholds and the process for adding capacity before service risk emerges.

06

Storage and Data Services

Outcome  Ensure storage is sized for capacity, performance, recoverability and future portability rather than price per terabyte alone.

6.1 Storage classes

Suggested Tender Requirement

Bidders describe available storage classes, performance characteristics, resilience model, snapshots, replication, encryption, capacity increments and applicable limits. State how performance is measured and governed.

6.2 Data movement

Suggested Tender Requirement

Bidders describe supported methods for bulk import and export of data, including online transfer, physical transfer where available, bandwidth options, expected timeframes, formats and charges.

6.3 Snapshot and replication semantics

Suggested Tender Requirement

Bidders identify whether snapshots and replicas are crash-consistent or application-consistent, their failure-domain separation, retention limits and whether they are independently protected from privileged compromise of the production environment.

07

Network and Connectivity Services

Outcome  Treat connectivity as part of the service architecture, with clear demarcation and resilience, rather than as an afterthought between "cloud" and the business.

7.1 Connectivity scope

Suggested Tender Requirement

Bidders describe capabilities for internet, private WAN, SD-WAN, VPN, direct connectivity, cross-connects, carrier services, BGP, public IP addressing, IPv6, DDoS protection and remote-site connectivity where applicable.

7.2 Existing connectivity review

Suggested Tender Requirement

As part of transition, bidders review the existing connectivity estate and recommend opportunities to improve resilience, reduce unnecessary services, simplify routing or consolidate cost. Recommendations must preserve required diversity and business continuity.

Why this wording helps
This asks the provider to improve the current design rather than merely reproduce every existing link. It is particularly useful where environments have accumulated circuits, VPNs and point solutions over many years.

7.3 Diversity and failure domains

Suggested Tender Requirement

Bidders identify carrier, path, facility, power and equipment diversity for each critical connectivity service. Where true physical diversity cannot be confirmed, this must be stated explicitly.

7.4 Network operational responsibility

Suggested Tender Requirement

Bidders define who diagnoses and coordinates incidents that span the provider platform, carrier network, customer site, firewall and third-party services. Identify escalation paths and after-hours arrangements.

08

Security Governance and Operational Security

Outcome  Assess security as an operating system of governance, people, process and technology — not a checklist of products.

8.1 Security management framework

Suggested Tender Requirement

Bidders describe the information security management framework governing the proposed services, including risk management, policies, control ownership, incident management, internal review, external assurance and continual improvement.

Where certifications are claimed, bidders identify the certification body, current certificate, scope statement, expiry or surveillance status, and exactly which proposed services, locations and operational functions fall within scope. Material exclusions must be identified.

Why this wording helps
A "yes/no" question about ISO/IEC 27001 is usually too weak. Certification is meaningful only in the context of its scope and the services actually being purchased. A narrowly scoped certificate can be entirely valid while leaving cloud infrastructure, managed operations or support outside the certified ISMS. Ask what is covered, not just whether a certificate exists.
Better comparison
Weaker"Are you ISO 27001 certified?"
Stronger"Provide the certification scope and map each proposed service to the certified ISMS, identifying exclusions and third-party dependencies."

8.2 Independent security assurance

Suggested Tender Requirement

Bidders provide relevant independent assurance evidence. This may include ISO/IEC 27001 certification, PCI DSS validation where applicable, penetration testing, external audit or other evidence appropriate to the proposed service. State the scope and date of each assurance activity.

Australian context
For government workloads, align to the ASD Information Security Manual (ISM) and the Essential Eight maturity model. Where personal information is involved, reference the Hosting Certification Framework for certified/strategic hosting providers.

8.3 Physical and infrastructure security

Suggested Tender Requirement

Bidders describe physical security, datacentre access control, visitor management, asset handling, secure disposal, media handling, infrastructure administration and separation of customer and management environments.

8.4 Logical security controls

Suggested Tender Requirement

Bidders describe encryption in transit and at rest, key management, MFA, privileged access, role-based access control, administrative segmentation, firewalling, secure remote access, logging, vulnerability management, endpoint protection and configuration hardening.

8.5 Patch and vulnerability management

Suggested Tender Requirement

Bidders provide patch and vulnerability management processes for all layers within provider responsibility, including hypervisors, operating systems, network devices, storage systems, firmware, management platforms and security appliances.

State standard and emergency remediation targets, exception governance, customer notification requirements and how unsupported software is handled.

Industry insight
Buyers often discover after award that "managed platform" excludes one or more layers such as guest operating systems, network firmware, appliance software or vulnerability remediation. The result is both a security gap and an unplanned professional-services cost.

8.6 Security governance cadence

Suggested Tender Requirement

Bidders describe recurring security governance included within the service, such as risk review, security metrics, patch compliance, vulnerability trends, incident review, control exceptions, improvement actions and executive reporting. State the proposed cadence and attendees.

8.7 Included security operations and charges

Suggested Tender Requirement

Bidders complete the Security Service Inclusion Schedule (Appendix C), identifying for each activity whether it is included in recurring charges, subject to a usage allowance, provided at time-and-materials rates, or excluded.

Watch-out
Activities commonly assumed to be "managed" but sometimes separately charged include: firewall rule changes and periodic rule reviews; emergency patching and vulnerability remediation; certificate lifecycle work; security architecture advice; incident investigation and evidence gathering; penetration-test remediation; compliance meetings and audit evidence; DR and restore testing; and log/SIEM onboarding and tuning.
09

Data, Operational and Legal Sovereignty

Outcome  Understand the complete service delivery model — not merely the street address of the primary datacentre.

Suggested Tender Requirement

Bidders describe all material sovereignty characteristics and overseas dependencies of the proposed service, including data storage, backups, disaster recovery, logs, telemetry, support systems, monitoring, privileged administration, security operations, AI-assisted services, subcontractors, legal entities and critical technology dependencies.

For each material component, identify the country or countries involved, the responsible legal entity, the nature of access or processing, and whether the arrangement may change during the contract term. Responses are recorded in the Sovereignty and Subprocessor Schedule (Appendix F).

Why this wording helps
Data residency is only one dimension of sovereignty. A service may store primary customer data in-country while depending on offshore support, foreign-controlled management systems, overseas subprocessors, offshore security operations or technology that can be restricted by foreign law or policy. An in-country datacentre, local billing entity or business registration can be relevant, but none alone describes who operates the service, which jurisdictions apply, or which external dependencies can affect future delivery.
Better comparison
Weaker"Is our data hosted in Australia?"
Stronger"Map where the service is stored, operated, administered, monitored, supported and legally controlled, including all material overseas dependencies."

9.1 Dimensions to assess

DimensionWhat to examine
DataPrimary data, backups, replicas, logs, tickets, diagnostics and metadata.
OperationalWhere engineers, NOC/SOC teams and support personnel are located; who can administer systems.
LegalContracting entities, parent control, applicable jurisdictions and potential foreign-law dependencies.
SecurityControl of keys, identity, privileged access, logging, incident response and security tooling.
Supply chainCloud platforms, carriers, software vendors, datacentres, subcontractors and critical spares.
TechnologyDependence on externally controlled encryption, AI, licensing, export-controlled or restricted capabilities.
CommercialCurrency, taxation, tariffs, licensing, egress, price-control and unilateral service-change dependencies.

9.2 Change control for sovereignty arrangements

Suggested Tender Requirement

Bidders state whether countries, subcontractors, support locations, AI services, monitoring platforms or privileged-access arrangements may change during the contract. Material changes must be notified in advance and, for defined high-risk changes, be subject to [Organisation] approval or an agreed right to exit.

Watch-out
A sovereignty assessment performed only at tender time can become obsolete if the provider later changes its support model, introduces a new subprocessor or routes operational data through a new AI or telemetry service. The contract should control material changes, not simply document the initial state.

9.3 Strategic dependency risk

Suggested Tender Requirement

Bidders identify material service dependencies that could be affected by foreign sanctions, export controls, encryption restrictions, AI capability restrictions, trade disputes, tariffs, taxation changes, currency exposure or termination of an upstream technology service. Describe available mitigations and substitution options.

10

Privacy, Offshore Processing and Subprocessors

Outcome  Identify who can access personal or sensitive information, where that access occurs, and whether the buyer has practical control and enforceable remedies.

Suggested Tender Requirement

Bidders identify whether any customer data, metadata, logs, backups, support tickets, diagnostic exports, screen-sharing sessions, monitoring data or AI/automation outputs may be accessed, processed, viewed or stored by personnel or systems outside the customer-approved locations.

Identify all relevant countries, legal entities and subprocessors; the purpose and nature of access; access controls; logging; contractual protections; audit rights; breach notification; and the mechanism by which changes are notified and approved.

Australian context
Privacy risk follows access and processing, not just storage. For organisations subject to the Privacy Act 1988, cross-border handling engages APP 8 (cross-border disclosure) and APP 11 (security of personal information), and — for many disclosures — accountability for acts of the overseas recipient. State and territory public sector bodies may instead be subject to state privacy legislation (e.g. NSW PPIP Act, Vic PDP Act, Qld IP Act). Applicability depends on the circumstances and should be reviewed against current law and sector requirements.

10.1 Personnel controls

Suggested Tender Requirement

Bidders describe controls applying to employees, contractors and subcontractors with access to customer environments or information, including screening (e.g. police checks, and Australian Government security clearances where relevant), confidentiality, least privilege, MFA, privileged access management, session controls, monitoring, data-loss prevention, disciplinary processes and termination of access.

Industry insight
A provider can have strong datacentre security while still carrying material insider and contractor risk through remote support or processing teams. Procurement should examine the people and access model with the same seriousness as the physical facility.

10.2 Optional high-sensitivity position

Suggested Tender Requirement

For designated high-sensitivity services, no offshore personnel access, offshore processing or new offshore subprocessor shall be introduced without prior written approval from [Organisation].

11

Backup and Cyber Recovery

Outcome  Ensure the organisation can recover usable systems and data after operational failure, malicious deletion or ransomware.

Suggested Tender Requirement

Bidders describe the backup and cyber-recovery service, including coverage, frequency, retention, immutability, encryption, administrative separation, failure-domain separation, monitoring, restore methods, recovery testing, reporting and charges. Detailed responses are recorded in the Backup and Recovery Schedule (Appendix E).

11.1 Recovery objectives

Suggested Tender Requirement

For each workload class, bidders state achievable RPO and RTO assumptions and identify dependencies that may prevent those objectives from being met. Distinguish backup completion objectives from service recovery objectives.

11.2 Immutability and administrative separation

Suggested Tender Requirement

Bidders describe how backup copies are protected from compromise of production credentials, privileged administrators, ransomware and malicious deletion. Identify any separate identity, account, tenant, platform or administrative boundary.

11.3 Recovery testing

Suggested Tender Requirement

Bidders state the frequency, scope and method of restore testing included in recurring charges. Testing should include representative file, application and full-system recovery where applicable, with documented outcomes and remediation of failures.

Why this wording helps
A successful backup job proves that data was written somewhere; it does not prove that the required service can be restored within business expectations. Recovery testing should be a defined service activity rather than an assumed capability.
Industry insight
A common commercial surprise is that backup software and storage are included, but recovery testing, large restores, emergency engineering or application-consistent recovery are charged separately.

11.4 Backup portability

Suggested Tender Requirement

Bidders describe the ability to export backup data or recovered workloads to another environment, including formats, tooling, transfer rates and charges.

12

Disaster Recovery and Business Continuity

Outcome  Test whether the whole service can recover — including identity, networking, DNS, firewall policy and operational coordination — not just whether a second site exists.

Suggested Tender Requirement

Bidders describe disaster recovery architecture, geographic and failure-domain separation, replication, failover, failback, orchestration, recovery sequencing, dependency management, testing and governance.

12.1 DR tests

Suggested Tender Requirement

Bidders state the number and scope of DR tests included per year, expected customer participation, whether tests are disruptive, how findings are tracked, and whether retesting after remediation is included.

12.2 Partial and cyber failover

Suggested Tender Requirement

Bidders describe support for partial workload failover, isolated recovery environments and recovery from cyber incidents where production credentials or management systems may be untrusted.

Better comparison
Weaker"Do you provide DR?"
Stronger"Show the failover sequence, measured test results, failback process, dependencies, included test frequency and contractual recovery assumptions."
13

Availability, Hardware Lifecycle and Restoration Capability

Outcome  Measure the provider's practical ability to keep and restore service, including how failed hardware is actually replaced.

Suggested Tender Requirement

Bidders describe the resilience model, redundancy, failure domains, hardware lifecycle strategy, refresh approach, firmware management, critical spare-parts strategy, component replacement process and restoration targets for infrastructure supporting the service.

Why this wording helps
Many providers rely on manufacturer warranty dispatch for failed components. Others maintain their own inventory of critical spares and employ engineers capable of immediate replacement. Evaluate time to restore service, not merely whether hardware is "under support" — a four-hour vendor response is not the same as a four-hour restoration outcome.

13.1 Spare parts and field capability

Suggested Tender Requirement

Bidders identify which classes of critical spares are held by the provider, where they are held, expected access time, who performs replacement, after-hours capability, and which failures depend on OEM or third-party dispatch.

13.2 Lifecycle management

Suggested Tender Requirement

Bidders state normal refresh cycles, handling of end-of-life equipment, capacity refresh, migration responsibility, secure disposal and whether lifecycle replacement is included in recurring charges.

13.3 Availability architecture

Suggested Tender Requirement

Bidders identify N+1 or other redundancy assumptions, automatic failover behaviour, maintenance without outage, storage protection, network redundancy and any single points of failure.

14

Service Management, Support and Escalation

Outcome  Understand how incidents are handled in practice, who the customer can reach, and how quickly expertise is engaged.

14.1 Support model

Suggested Tender Requirement

Bidders describe the service desk, NOC/SOC where applicable, hours of coverage, major-incident management, escalation tiers, direct access to infrastructure engineers, after-hours arrangements, subcontractors and vendor escalation paths.

Why this wording helps
Published response SLAs can look similar while support models differ dramatically. Multiple escalation tiers and outsourced hand-offs may increase time to diagnosis. Ask who actually investigates complex incidents and when that expertise becomes available.

14.2 Incident priorities

Suggested Tender Requirement

Bidders provide proposed priority definitions, acknowledgement targets, technical engagement targets, update frequency, restoration targets and escalation triggers. Distinguish response from restoration.

14.3 Change management

Suggested Tender Requirement

Bidders describe standard, normal and emergency change processes; approval; maintenance windows; rollback; customer communication; and which routine changes are included within recurring charges.

14.4 Problem management

Suggested Tender Requirement

Bidders describe root-cause analysis, recurring-incident review, corrective action tracking and post-incident reporting for material events.

15

Monitoring, Reporting and Continuous Improvement

Outcome  Make the managed service improve over time instead of becoming a static hosting arrangement.

Suggested Tender Requirement

Bidders describe monitoring, alerting, capacity management, service reporting, governance meetings and continuous-improvement activities included in the service.

15.1 Minimum service reporting

Suggested Tender Requirement

Monthly or agreed periodic reporting should include, as applicable: availability, incidents, SLA performance, capacity, growth, backup success and restore testing, patch compliance, vulnerability status, security events, changes, risks, lifecycle issues, cost trends and improvement actions.

15.2 Service reviews

Suggested Tender Requirement

Bidders provide operational service reviews at an agreed cadence and executive or strategic reviews at least [quarterly / biannually]. Maintain an action register with owners and due dates.

15.3 Continuous improvement

Suggested Tender Requirement

At least annually, bidders provide an infrastructure health assessment and forward roadmap covering capacity, lifecycle, security, resilience, cost optimisation, technical debt and material improvement opportunities.

Why this wording helps
Without an explicit improvement obligation, a provider may meet tickets and uptime targets while the environment quietly ages, costs drift and risks accumulate. A light but recurring roadmap requirement keeps the relationship forward-looking.
16

Managed Operating Systems and Platform Services

Outcome  Remove ambiguity around the layers above infrastructure that often become security and cost gaps.

Suggested Tender Requirement

For each managed platform layer, bidders define supported versions, onboarding standards, patching, monitoring, backup integration, configuration management, vulnerability remediation, escalation and end-of-support treatment.

16.1 Supported technologies

Suggested Tender Requirement

Bidders provide supported technology matrices for operating systems, databases, web platforms, containers, directory services and other managed components offered.

16.2 Responsibility boundaries

Suggested Tender Requirement

Bidders complete the RACI schedule (Appendix K) for operating systems, middleware, databases, applications, agents, certificates, backups, monitoring, vulnerability remediation and configuration changes.

17

Transition, Migration and Acceptance

Outcome  Require a controlled move with discovery, rollback and measurable acceptance rather than treating migration as an informal prelude to the contract.

Suggested Tender Requirement

Bidders provide a transition plan covering discovery, dependency mapping, design validation, connectivity, build, data migration, workload migration, testing, change control, rollback, coexistence, cutover, hypercare, documentation and handover. Milestones are recorded in the Transition and Acceptance Schedule (Appendix L).

17.1 Migration assumptions

Suggested Tender Requirement

Bidders state all assumptions regarding customer effort, application vendor involvement, downtime, data-transfer rates, licensing, unsupported systems, third-party approvals and remediation required before migration.

17.2 Acceptance criteria

Suggested Tender Requirement

Bidders propose objective acceptance criteria for each transition stage, including performance, monitoring, backup, restore, security, connectivity, documentation and operational handover.

17.3 Rollback

Suggested Tender Requirement

Bidders provide rollback criteria, decision authority, maximum rollback window and treatment of data divergence for material migrations.

18

Commercial Model and Pricing Transparency

Outcome  Make competing bids comparable and expose the costs most likely to emerge after contract signature.

Suggested Tender Requirement

Bidders provide complete pricing using the Pricing Schedule (Appendix H). Clearly distinguish recurring charges, usage charges, minimum commitments, implementation costs, licences, support, professional services, third-party charges, taxes (including GST treatment), indexation, data transfer, egress and exit charges.

18.1 Included versus chargeable activities

Suggested Tender Requirement

Bidders complete a Service Inclusion Schedule that classifies each recurring operational activity as: Included; Included subject to stated allowance; Time and Materials; Project Quote; or Excluded.

Why this wording helps
This is one of the most effective protections against mid-contract surprises. Two providers can both describe a service as "managed" while one includes routine operational work and the other invoices each change, review or recovery exercise separately.
Industry insight
Examples worth forcing into the schedule include firewall changes, VPN changes, restore requests, DR tests, emergency patching, certificate work, vulnerability remediation, after-hours engineering, audit evidence, security meetings, capacity changes and incident investigations.

18.2 Unit rates

Suggested Tender Requirement

Bidders provide time-and-materials rates by role, after-hours multipliers, minimum charge increments and any annual rate adjustment mechanism. Rates should also apply to optional transition and exit assistance unless otherwise stated.

18.3 Resource price catalogue

Suggested Tender Requirement

Bidders provide unit prices for common compute, storage, backup, connectivity and managed-service increments to support growth and downsizing during the term.

18.4 Total cost comparison

Suggested Tender Requirement

Bidders provide a [3 / 5]-year total-cost model using stated assumptions, including implementation, recurring services, forecast growth, licences, bandwidth, backup, support, professional-services allowances and exit costs.

19

Portability, Vendor Lock-in and Exit Assistance

Outcome  Preserve the practical ability to move workloads and data, not merely a contractual right to terminate.

Suggested Tender Requirement

The proposed solution must support practical portability of customer workloads and data throughout the contract term and on exit.

Bidders describe supported export formats and procedures for virtual machines, disks, files, object data, databases, backups, configuration data, firewall and network configuration, logs and other customer-owned information.

Identify all proprietary dependencies that could materially increase the cost, complexity or time required to migrate to another provider or to customer-operated infrastructure. Detailed responses are recorded in the Portability and Exit Schedule (Appendix G).

Why this wording helps
Vendor lock-in is not limited to a contractual minimum term. It can arise from proprietary VM formats, managed databases, identity dependencies, inaccessible backup sets, expensive data egress, undocumented automation or provider-only configuration. The right question is not "Can we leave?" but "Can we obtain usable workloads, data, configuration and assistance in a form that another environment can consume within a predictable timeframe and cost?"

19.1 VM and workload export

Suggested Tender Requirement

Bidders state the ability to export virtual machines and disks on demand in commonly supported or documented formats. Identify supported formats, snapshot consistency, expected export time, self-service capability, bandwidth constraints and charges.

19.2 Storage and bulk data export

Suggested Tender Requirement

Bidders describe online and offline bulk export options, standard protocols and APIs, physical transfer options where available, expected throughput, charges and any provider-imposed egress limits.

19.3 Configuration and operational handover

Suggested Tender Requirement

On request and on exit, bidders provide current documentation and exportable customer-specific configuration reasonably required for transition, including architecture, IP addressing, firewall rules, VPN configuration, DNS dependencies, backup policy, monitoring configuration, asset inventory, open risks and operational procedures, subject to legitimate provider intellectual-property protections.

19.4 Exit assistance

Suggested Tender Requirement

Bidders provide transition and handover assistance at pre-agreed time-and-materials rates unless included in the service. Assistance should be available to the customer and its nominated replacement provider, subject to reasonable security controls.

19.5 No hostage dependencies

Suggested Tender Requirement

Bidders identify any customer data, workload or configuration that cannot be exported without proprietary provider tooling or conversion. State conversion methods, costs and expected timeframes.

19.6 Exit charges and egress

Suggested Tender Requirement

Bidders disclose all charges that may apply to termination, data export, egress, media, engineering, early termination, licence conversion and decommissioning. Charges not disclosed in the tender response should not be introduced solely because the customer is exiting.

19.7 Data deletion

Suggested Tender Requirement

After verified transition and customer authorisation, bidders securely delete residual customer data in accordance with the agreed retention and destruction process and provide confirmation of completion, subject to lawful retention obligations.

Better comparison
Weaker"Do you have an exit plan?"
Stronger"Demonstrate how we export VMs, storage, backups and configuration; disclose formats, rates, egress, engineering assistance and any non-portable dependencies."
20

Service Levels and Contractual Operating Principles

Outcome  Define measurable service obligations without confusing fast ticket acknowledgement with service restoration.

20.1 Availability

Suggested Tender Requirement

Bidders provide service-specific availability commitments, measurement points, calculation methodology, exclusions, planned-maintenance treatment, reporting and service credits.

20.2 Incident service levels

Suggested Tender Requirement

Bidders provide targets for acknowledgement, technical engagement, update frequency and restoration by priority. Define clock start/stop conditions and customer dependency treatment.

Watch-out
A 15-minute response SLA can be met by an automated acknowledgement while the incident waits for engineering attention. Separate acknowledgement, technical engagement and restoration measures where service criticality warrants it.

20.3 Maintenance

Suggested Tender Requirement

Bidders describe standard maintenance windows, notice periods, emergency maintenance, customer veto or deferral rules, and whether the architecture supports maintenance without customer-visible outage.

20.4 Audit and assurance

Suggested Tender Requirement

Bidders provide reasonable access to relevant assurance evidence and support customer audits subject to confidentiality, security and proportionality. State charges, if any, for routine evidence versus bespoke audit assistance.

21

Vendor Capability and Evidence

Outcome  Assess the organisation that will operate the service, not just the architecture proposed by the sales team.

Suggested Tender Requirement

Bidders provide evidence of organisational capability, including ownership, financial standing, years of operation, relevant customer experience, engineering capability, support locations, certifications, insurance, critical subcontractors and reference customers.

21.1 Delivery personnel

Suggested Tender Requirement

Bidders describe the roles and locations of personnel who will design, operate, support and secure the service. Identify use of subcontractors and the escalation path to senior engineering.

21.2 Evidence over claims

Suggested Tender Requirement

Bidders support material claims with evidence where reasonably available, such as certification scope, audit evidence, measured service performance, sample reports, recovery-test outputs, references or demonstrations.

21.3 Business continuity of the provider

Suggested Tender Requirement

Bidders describe the provider's own business continuity arrangements, key-person resilience, operational succession, remote-work capability, supply-chain resilience and ability to continue support during facility or regional disruption.

22

Response Schedules and Evaluation

Outcome  Force responses into a form that can be scored consistently and audited later.

22.1 Required schedules

Suggested Tender Requirement

Bidders complete the following schedules in addition to the narrative proposal:

  • Requirement compliance matrix;
  • Solution architecture and dependency schedule;
  • Service responsibility / RACI matrix;
  • Security assurance and certification scope schedule;
  • Security service inclusion schedule;
  • Sovereignty, country and subprocessor schedule;
  • Backup and recovery schedule;
  • SLA schedule;
  • Transition and migration schedule;
  • Pricing schedule;
  • Generic resource catalogue;
  • Vendor lock-in and portability schedule; and
  • Exceptions, assumptions and exclusions schedule.

22.2 Indicative evaluation model

Evaluation areaIndicative weight
Technical solution and architecture20%
Service delivery and operational maturity20%
Security, privacy and sovereignty20%
Resilience, backup and disaster recovery15%
Transition, portability and exit10%
Commercial value and transparency15%
Why this wording helps
Weighting should reflect organisational risk, but treating security, operations and exit as real evaluation areas prevents price and feature checklists from overwhelming factors that often determine the long-term success of an outsourced service. Government buyers must also ensure the weighting and method are consistent with the applicable value-for-money and probity obligations.

22.3 Evaluation principles

Suggested Tender Requirement

Evaluation should consider whole-of-life value, evidence quality, material exceptions, operational dependencies, transition risk and exit cost. Where appropriate, [Organisation] reserves the right to conduct clarification workshops, technical demonstrations, reference checks and due diligence before final award.

Appendices & Schedules

Response Schedules

Populate these schedules with organisation-specific detail. Rows shown in a tinted example style are worked examples to illustrate the level of detail expected — delete or overwrite them before issuing.

Appendix A  ·  Current Environment Data Schedule

CategoryInformation to provide
OrganisationUsers, sites, operating hours, critical services, growth assumptions
ComputeHosts, VMs, vCPU, RAM, OS, clustering, utilisation, growth
StorageCapacity, used, growth, IOPS/latency needs, protocols, snapshots
ApplicationsOwner, criticality, dependencies, vendor support, maintenance windows
NetworkSites, carriers, circuits, bandwidth, routing, VPN, public IP, firewalls
IdentityDirectory, SSO, MFA, privileged access, service accounts
BackupProtected systems, frequency, retention, immutability, restore history
DRCurrent recovery site, RPO/RTO, tests, dependencies
SecurityEDR, SIEM, vulnerability, patching, logging, certifications
ConstraintsLicensing, data location, vendor support, regulatory, end-of-life

Appendix B  ·  Workload Inventory Template

WorkloadOwnerCrit.vCPU/RAMStorageOS/PlatformRPORTODependencies
ERP / FinanceCFOHigh8 / 64 GB2 TB SSDWin Srv 2022 / SQL15 min4 hrsAD, SQL, payment gateway
Public websiteCommsMed4 / 16 GB200 GBLinux / container1 hr2 hrsCDN, DNS, CMS
Emergency mgmtOpsHigh6 / 32 GB1 TBWin Srv 20225 min1 hrAD, GIS, SMS gateway
[insert][insert][H/M/L][insert][insert][insert][insert][insert][insert]
[insert][insert][H/M/L][insert][insert][insert][insert][insert][insert]

Appendix C  ·  Security Service Inclusion Schedule

Require each bidder to classify each activity: Included / Allowance / T&M / Project Quote / Excluded, with notes and limits.

ActivityCommercial treatmentLimits / notes
Firewall rule changesAllowance10 changes/month included; excess at T&M
Emergency patchingIncludedCritical CVEs within 48 hrs
DR testingIncluded1 test/yr; retest at T&M
Periodic firewall rule review[select][insert]
VPN changes[select][insert]
OS patching[select][insert]
Hypervisor patching[select][insert]
Network/storage firmware[select][insert]
Vulnerability scanning[select][insert]
Vulnerability remediation[select][insert]
Certificate lifecycle[select][insert]
Security incident investigation[select][insert]
Log/SIEM onboarding[select][insert]
Audit evidence / pen-test remediation[select][insert]

Appendix D  ·  Connectivity and Site Schedule

Site / serviceRegionCarrierBandwidthRouting / IPDiversityCrit.
HQ primarySydneyCarrier A1 GbpsBGP / /24Diverse pathHigh
HQ failoverSydneyCarrier B500 MbpsBGP failoverSeparate DC entryHigh
[insert][insert][insert][insert][insert][insert][H/M/L]
[insert][insert][insert][insert][insert][insert][H/M/L]

Appendix E  ·  Backup and Recovery Schedule

Workload / classRPORTOFrequencyRetentionImmutableRecovery test
Tier 1 (critical)15 min4 hrsHourly snap + daily35 days + 7 yr archiveYes — separate tenantQuarterly
Tier 2 (standard)24 hrs24 hrsDaily30 daysYesAnnual
[insert][insert][insert][insert][insert][Y/N][freq]
[insert][insert][insert][insert][insert][Y/N][freq]

Appendix F  ·  Sovereignty and Subprocessor Schedule

Service / data typeCountryLegal entity / subprocessorAccess purposeCan change?
Primary data + backupsAustraliaProvider Pty Ltd (AU)Storage & operationsNo
Tier-3 support (overflow)PhilippinesSupport BPO Inc.Ticket triage (no prod access)Yes — w/ approval
[insert][insert][insert][insert][Y/N]
[insert][insert][insert][insert][Y/N]

Appendix G  ·  Portability and Exit Schedule

Asset / capabilityBidder response required
Virtual machinesSupported export formats; self-service; charges; time
Virtual disksFormats; snapshot consistency; conversion needs
File / object dataProtocols/APIs; bulk export; throughput; egress
DatabasesNative export/dump options; managed-service dependencies
BackupsExport/recovery options; retention during transition
Network configurationFirewall, VPN, IP addressing, routing, DNS dependencies
Monitoring / logsExport formats, retention, API access
DocumentationArchitecture, inventory, procedures, open risks
Engineering handoverT&M rates, availability, replacement-provider cooperation
DeletionAuthorisation, timeframe, confirmation, lawful retention

Appendix H  ·  Pricing Schedule Structure

Pricing areaRequired disclosure
ImplementationDiscovery, design, migration, testing, hypercare
Recurring platformCompute, storage, network, backup, DR
Managed servicesSupport, monitoring, patching, reporting, governance
LicensingOS, hypervisor, backup, security, database where applicable
ConnectivityCircuits, internet, private links, DDoS, cross-connects
UsageBandwidth, egress, API, transactions or other meters
Professional servicesRole rates, after-hours, minimum increments
Growth catalogueUnit rates for common resource increments
ExitEgress, media, engineering, decommissioning, early termination
IndexationMechanism, frequency, caps or reference indices (e.g. CPI)

Appendix I  ·  SLA Schedule

Service / priorityMetricTargetMeasurementRemedy
Core platformAvailability99.95%Monthly, excl. planned maint.Service credit tiers
P1 incidentTechnical engagement30 min, 24/7Engineer engaged (not auto-ack)Escalation + credit
P1 incidentRestoration target4 hrsService restored, not just ackCredit + RCA
[insert][avail/response/restore][insert][insert][insert]
[insert][avail/response/restore][insert][insert][insert]

Appendix J  ·  Compliance Matrix

Req. IDRequirementStatusResponse / evidence
8.1ISMS scope maps to all proposed servicesComplyISO 27001 cert + scope statement attached
[x.x][requirement text][Comply/Partial/No][insert]
[x.x][requirement text][Comply/Partial/No][insert]
[x.x][requirement text][Comply/Partial/No][insert]

Appendix K  ·  RACI Template

R Responsible   A Accountable   C Consulted   I Informed

Service layerCustomerProvider3rd party
Physical infrastructureIR / A
Operating systemCR / A
ApplicationR / ACC
Firewall[ ][ ][ ]
Database[ ][ ][ ]
Backup[ ][ ][ ]
Vulnerability remediation[ ][ ][ ]
Certificates[ ][ ][ ]

Appendix L  ·  Transition and Acceptance Schedule

Stage / milestoneOwnerEntry criteriaAcceptance evidenceRollback
Discovery & designSharedSigned SOW, access grantedApproved design + dependency mapN/A
Pilot migrationProviderTarget built, connectivity testedNon-prod workload verifiedRevert to source
[insert][cust/prov/shared][insert][insert][insert]
[insert][cust/prov/shared][insert][insert][insert]
Reference

Authoritative References and Further Reading

Useful official sources when tailoring the guide. Requirements should be checked against the organisation's current legal and regulatory position.

  • ISO/IEC 27001:2022 — Information security management systems
  • Australian Signals Directorate — Information Security Manual (ISM) and Essential Eight maturity model
  • Digital Transformation Agency — Hosting Certification Framework
  • OAIC — APP 8 (cross-border disclosure) and APP 11 (security of personal information); "Sending personal information overseas"
  • Security of Critical Infrastructure (SOCI) Act 2018, where applicable
  • NSW Procurement — SCM0020 Prequalification Scheme: ICT Services (Registered or Advanced Supplier)
  • Commonwealth Procurement Rules / relevant state procurement frameworks (NSW, VIC, QLD, WA, SA)
  • PCI Security Standards Council — PCI Data Security Standard (where card data applies)
Closing note

A strong tender does not need to be long for its own sake. It needs to make responsibilities, dependencies, risk and commercial treatment visible before contract signature. Standard requirements can remain concise; deeper wording is most valuable where a simple "yes" answer would otherwise hide materially different service models.