NewsBite

Sponsored by ISO365

Managing ISO certifications critical for companies to fend off growing cybersecurity threat

As Australia enhances sovereign capabilities in order to become a world leader in cybersecurity by 2030, local managed service providers will be held to a higher standard when it comes to achieving critical security certifications.

Cybersecurity incidents continue to take a heavy toll on Australia, increasing in both frequency and severity. Reported cyber incidents increased by 11 per cent last year, according to the ASD Cyber Threat Report 2024-2025. The average cost of a cybercrime report for businesses increased by 50 per cent, while large businesses experienced a 219 per cent rise in losses.

In response, the federal government is bolstering efforts to protect the entire nation’s digital infrastructure from cyber threats and foreign interference. This includes formulating the 2023-2030 Australian Cyber Security Strategy, which takes a whole-of-nation approach and lays out a six-part framework to make Australia “a world leader in cybersecurity” by 2030.

Beyond protecting the nation’s critical infrastructure through initiatives such as the SOCI Act, the framework also applies to a much broader range of Australian businesses, in that it directs the government to help industry manage supply chain risks and make informed procurement decisions about the security of products and services.

Rising threat level prompts wake-up call

This enhanced focus on supply chain security serves as a wake-up call for key Australian business partners including managed service providers (MSPs) to bolster their cybersecurity frameworks and enhance their cyber maturity.


Many of the measures incorporated in the new cybersecurity strategy framework align with ISO 27001’s emphasis on continual improvement and risk assessment. This ensures that those MSPs that are proactive when it comes to achieving ISO 27001 certification are best placed to play a key role in Australia’s push to become a cybersecurity world leader.

ISO 27001 is the international standard that specifies the requirements for establishing, operating and continually improving an information security management system (ISMS); certification is issued by an accredited certification body after an audit against those requirements.

The certification helps organisations protect the sensitive information they manage by establishing, implementing and maintaining a risk-based approach to security that covers people, processes and technology across 93 controls.

While Australian organisations in both the public and private sectors are increasingly demanding ISO 27001 certification from their MSPs, other certifications such as ISO 42001 for artificial intelligence management systems are also growing in demand.

When it comes to achieving ISO certifications, one of the biggest mistakes that Australian MSPs make is waiting until there is an urgent need to be certified – usually at the customer’s request with a firm deadline – rather than taking a proactive approach to certification, says Jason Maricchiolo, founder and managing director of Australian compliance-as-a-service (CaaS) provider ISO365.


Recognised in this year’s AFR Fast Lists, ISO365 is an ISO compliance system implementer which helps Australian MSPs and their clients achieve and maintain certifications such as ISO 27001, 42001, 9001, 14001 and 45001.

As a compliance-as-a-service provider, ISO365 charges a monthly fee rather than an upfront lump sum. It also helps clients address costs by managing the certification process through Microsoft 365 and Sharepoint, rather than requiring clients to implement a standalone governance, risk and compliance (GRC) software platform.

While there is no mandatory requirement for ISO certification for Australian MSPs, Maricchiolo says some get on the front foot and use certifications as a key differentiator, while others hold off for as long as possible.

Some also make the mistake of assuming the ISO certification is only affordable and achievable for the largest enterprises.

“When you think about it, an MSP of any size handling a client’s data is one of that client’s biggest security risks,” Maricchiolo says.

“Australia’s increased focus on cybersecurity is really going to hammer home the significance of that risk for a lot of businesses.”

ISO365 managing director Jason Maricchiolo (left), with director of services Shaun Harper and director of operations Michael Weaver. 

Steady, ongoing support is key

Driven by initiatives such as the 2023-2030 Australian Cyber Security Strategy, Maricchiolo expects that many more Australian organisations will enhance their procurement due diligence and start to demand security certifications such as ISO 27001 of their MSPs.

“Even today, we often get last-minute calls from people who are scrambling because their biggest client just insisted they become certified and the clock is ticking,” he says.

“The pressure is only going to increase as the importance of certifications like ISO 27001 becomes more widely recognised in the years ahead.”

MSPs chasing quick certification turnaround times should be wary of compliance implementation providers that promise to speed them through the audit preparation process.

If the implementation provider recommends using an offshore certification body, that body must still hold accreditation for ISO 27001 from the Joint Accreditation System of Australia and New Zealand (JASANZ) or an equivalent accreditation body recognised under the International Accreditation Forum (IAF) mutual recognition arrangement. A certificate issued by an unaccredited body is not an accredited certification at all, and customers and procurement teams will often treat it as invalid.

“There are people out there who might promise to get you ISO 27001 certified in weeks, but we say it takes at least six months to do it right, when working with a trusted compliance implementation provider,” Maricchiolo says.

“It’s important to plan ahead – especially if you want an implementation partner who won’t just get you across the line but will also stay by your side during the annual surveillance audits and full recertification audit after three years.”



Original URL: https://www.afr.com/technology/managing-iso-certifications-critical-for-companies-to-fend-off-growing-cybersecurity-threat-20251107-p5n8nt