Tender Details
VP492763 FY2026-34 Managed Services provider for ICT Service Management, Delivery and Cyber Security
Business Name
Croydon Shire Council
VP Reference #
VP493493
Buyers Reference #
PP12969
Opens
Wednesday 07 January 2026 (E. Australia Standard Time)
Closes
Monday 09 February 2026 04:00 PM (E. Australia Standard Time) CLOSED
Supplier query cut-off
Monday 02 February 2026 04:00 PM (E. Australia Standard Time)
Expected decision
Monday 23 March 2026 (E. Australia Standard Time)
Buyer Details
Business Name
Croydon Shire Council
Location
25 Evelyn St
Newstead, Queensland 4006
Australia
WebSite:
http://www.croydon.qld.gov.au/
Business Info
Croydon Shire Council
Contact Details
The buyer has elected to have their personal and contact details hidden. These details will be revealed at the buyer's discretion.
What the buyer is requesting
Details
Council requires an IT Services Management provider to deliver whole-of-IT services due to the lack of resourcing and skills internally, and has engaged Council Services to represent Council in engaging service providers in the market to be part of this Tender process.

The contract will be for 96 months, consisting of an initial 5 years with 1 x 2 year and 1 x 1 year renewal options, with a bi-annual pricing review for the term of the arrangement to drive Value for Money for Council.

The objectives of this Tender are to:

(a) Ensure reliable and secure operation of the ICT environment across all users and sites.

(b) Deliver consistent, proactive managed services under agreed Service Level Agreements (SLAs).

(c) Provide 24x7x365 support coverage for critical and high-priority incidents.

(d) Strengthen ICT governance through reporting, monitoring, and service delivery management.

(e) Enhance cybersecurity posture and resilience in conjunction with the Cyber Security Services and in alignment with industry best practice.

(f) Maintain seamless integration with existing technology partners and suppliers, including Council’s established managed security and cloud vendors.

The successful provider must be able to manage smooth Transition In/Out Services and have scalability and flexibility in delivering services, including project and professional services.
Background information / Compatibility requirements
Details
Key Requirements

(a) Provision of an Account Manager that is available for weekly meetings (virtual is acceptable).

(b) Must have technical resources based in Brisbane or Far North Queensland that can visit Council offices if required to fix / set up devices.

(c) Must have technical resources based in Brisbane that can visit Council offices within 24 hours in an emergency (P1) type incident.

(d) Service desk and all levels of support provision must be Australian based with no call to be answered offshore.

(e) Provision of a support desk 24/7 and ability to vary pricing should only daytime support be required.

(f) Ability to provide an enhanced service for VIPs.

(g) Ability to scale up/down as required and price accordingly, notwithstanding the need for a minimum number of staff.

The IT MSP will manage onboarding and transition in services using a 4-week delivery plan with full transition ready for 30 March 2026 or as agreed with Council, incorporating project initiation, implementation, and closure phases.
Questions asked by the buyer
Question 1
Have you completed and signed Part 4 Return Schedules?
Supplier lists selected
Lists
  • IT & Telecomms
Categories selected
Categories
  • IT & Telecomms
    1: IT Services
    2: Services - Application Expertise
    3: Services - Cloud Services
    4: Services - Data Storage Services
    5: Services - Internet Services
    6: Services - Learning Services
    7: Services - Maintenance Agreements
    8: Services - Managed Services
    9: Services - Networks
    10: Services - Outsourced Services
    11: Services - Risk Management
    12: Services - Security Management
    13: Services - Software Support & Maintenance
    14: Services - Support
    15: Services - Telecommunication Services
    16: Services - Testing Services
    17: Services - Website Hosting Services
    18: Services - Wifi
    19: Software - Computer Software
    20: Software - SaaS
Regions of Service
Locations
  • Queensland
    1: Brisbane
    2: Far North
    3: Fitzroy
    4: North West

All Regions of Service locations are within Australia.
Information requested by others
12/Jan/2026 01:28 PM
Question:
(a) Account Manager & weekly meetings

Cadence & format: Do you prefer a fixed weekly slot (day/time), and is a 60-minute virtual meeting acceptable, or should we plan shorter operational stand-ups plus a monthly governance review?

Participants: Who from Council will regularly attend (roles)? Should we include finance/procurement in monthly governance?

Agenda & reporting: What KPI/SLA metrics and service reports do you expect in the weekly meeting pack (e.g., tickets by priority, MTTR, changes, risks, actions)?

Decision rights: Can the Account Manager approve routine changes within an agreed threshold, or must all changes follow a formal CAB?

(b) Technical resources in Brisbane or Far North Queensland (FNQ) for routine visits

Sites & travel: Which Council offices/sites should be considered “visit-capable,” their addresses, typical access hours, and any induction requirements?

Common tasks: What typical onsite activities do you foresee (e.g., endpoint build, network patching, printer installs), and what lead time do you expect for routine visits (e.g., 2–3 business days)?

Local spares: Would Council like Ethan to stage a local spares kit (e.g., laptops, switches, consumables)? If yes, who funds replenishment and where should it be stored?

(c) 24-hour emergency (P1) onsite from Brisbane

P1 definition: Please confirm P1 criteria (impact, urgency, examples) and whether remote triage within SLA precedes dispatch.

Mobilisation window: Is “within 24 hours” measured from P1 declaration or dispatch authorisation? Do you require a guaranteed on-site arrival SLA (e.g., =24h) or just dispatch within 24h?

After-hours: Are P1 incidents expected outside business hours/weekends/public holidays? If yes, should after-hours premiums be embedded or presented as a separate rate card?

Travel & access: Are there preferred carriers, flight windows, or local contacts for keys/security escorts during after-hours arrivals?

(d) Australian-based service desk only; offshore usage

Location requirement: Please confirm that all call answering and L1–L3 support must be performed within Australia (no offshore for answering or resolution).

Non-contact functions: May Ethan leverage offshore back-office tasks with no customer interaction (e.g., overnight report generation or scripted patch automation) if data sovereignty remains in Australia and supervision is by Australian staff?

Data & sovereignty: Are there any explicit restrictions beyond answering calls—e.g., data processing, log analysis, or tooling vendors with overseas SOCs?


(We will comply with the “no calls answered offshore” rule. If Council permits limited, non-interactive back-office optimisation offshore, we’ll price a reduced rate option; if not, we’ll present an all-Australia model only.)

(e) 24/7 support desk and daytime-only pricing option

Coverage tiers: If Council selects business-hours-only (e.g., 8:00–18:00 AEST), should P1 be exempt (i.e., still covered 24/7), or strictly within business hours?

Handover windows: Do you require formal evening/overnight handovers or “follow-the-sun” style updates (still Australia-based)?

Alerting: Should critical monitoring remain 24/7 even under a daytime-only plan, with billable call-outs after hours?

Rate structure: Would you prefer a dual price (24/7 vs business-hours) or a modular add-on for after-hours coverage?

(f) Enhanced VIP service

VIP roster: How many VIPs (roles), and what enhancements do you expect—e.g., priority queuing, shorter SLAs, direct access to L2/L3, device loaners, or white-glove onboarding?

SLA deltas: What target response/restoration times should apply to VIPs vs standard users?

Availability: Do VIPs require extended hours coverage, on-site preference, or dedicated contact channels?

(g) Scale up/down with minimum staffing

Minimums: Please confirm the minimum number of staff/functions you require (e.g., named Account Manager, SDM, Service Desk FTE, Field Engineer), even during downscaling.

Notice period: What notice do you require for scale changes (e.g., ±20% users/devices) and how frequently can volumes be adjusted (monthly/quarterly)?

Price mechanics: Should price scale linearly per user/device or by tier bands (e.g., 10–15 users, 16–25 users) to avoid micro-fluctuations?

Project vs BAU: For sudden scale-ups (e.g., new site fit-out), do you prefer project-based pricing outside BAU?

Transition plan (4-week delivery; full transition by 30 March 2026)

Start date: Can Council confirm the transition start week so that the 4-week plan aligns with the 30 March 2026 target (or provide acceptable alternative date)?

Access & discovery: When will we receive network diagrams, device inventories, admin credentials, and vendor lists to complete Week-1 discovery?

Tooling & security: Are there mandated platforms (e.g., chosen RMM/EDR/backup), or should Ethan propose standard tooling with data residency in Australia?

Change windows: What maintenance/change windows are approved for cutover tasks (evenings, weekends) and are CAB meetings weekly or ad-hoc?

Success criteria: What acceptance criteria define “transition complete” (incident volumes, SLA adherence, documentation delivered, knowledge-transfer sign-off)?

Dependencies & third parties: Please list third-party carriers or vendors needing coordination and the Council owner for each.


Optional inclusions (we can add to our response if Council welcomes them)

Local spares & staging: Offer to stage a regional spares kit to improve P1 responsiveness.

Community engagement: Propose Indigenous cadetship placements or digital literacy initiatives aligned to Croydon.

Runbook appendices: Provide an Emergency Mobilisation Playbook and VIP Care Charter as attachments.

Answered on 14/Jan/2026 10:12 AM:
(edited on 14/Jan/2026 11:49 AM)


A. Preference is weekly, generally less than 30 mins, which could change to fortnightly/monthly depending on stability

a. Participants – Generally Director Corporate Services or CEO in their absence. (Croydon is a small Council with limited personnel)

b. Agenda/Reporting – Generally to address concerns, identified problems and planning

c. Changes generally approved by Council

B. Council is only located in Croydon township, no satellite offices – One town LGA – General hours 8:15am – 4:45pm. Induction can be completed online

a. Onsite tasks generally completed by Council staff with phone support as required for workstation setup, installs. Larger/complex tasks will require on site support or appropriate contractor – e.g. Rewiring, comms room upgrades, CCTV maintenance – Routine visits as required, however most support is done remotely.

b. Local spares stored in Croydon on site, Council has some supplies, e.g. monitors, older devices to cover emergencies

C. For critical emergencies dispatch within 24 hrs

a. After hours access within reason, subject to issue and critical importance.

b. Site visits can occur out of normal hours if required and arrangements can be made for after hours access to buildings

D. Preference is for onshore processing to create employment opportunities within Australia however offshore is permitted to meet business needs as required.

a. Non contact - Yes with appropriate security levels and Essential 8 requirements

b. Data and Sovereignty – Preference is for all services to remain within Australia

E. Support during normal business hours as preferred

a. Handover – A “follow the sun” style updates with Council acceptance and approval based on an agreed IT service management plan.

b. Alerting – Yes

c. Rate Structure – a modular add on for after-hours coverage will suit Council, however the Supplier as a trusted partner will recommend a value for money solution

F. VIP roles- 4, CEO and 3 Exec Managers

a. SLA – 1-3 hours subject to nature of issue

b. Availability – No

G. Scale – Council requires network infrastructure and application management/monitoring with a service desk that does not require full-time support staff.

a. Council workforce stable with number of users consistent throughout year at around 35 devices

b. Tier bands are acceptable and should be scaled based on small user group

c. Project based pricing to allow for budget consideration

d. Start Date – Council anticipates commencement around the 10th of April 2026 to be agreed with Council.

e. Access and Discovery – Yes immediately upon Notice of Tender award, network diagrams, device inventories, admin credentials, and vendor lists, if available, to complete Week 1 discovery will be part of Supplier's responsibility to work with the incumbent provider to work with incumbent third-party provider to ensure seamless Transition-in process following “ITIL v4 framework best practice”.

f. Tooling – Yes, it is the Supplier's responsibility to inform itself of current infrastructure during transition-in planning and propose standard tooling with data residency in Australia as required by Essential 8 guidelines.

g. Change windows – weekends and as approved/ agreed with nominated responsible Council delegate as agreed in an Account/ Contract Management Plan

h. Success Criteria – notice of completion is signed off by nominated responsible Council delegate as agreed in the Account/ Contract Management Plan

i. Dependencies – current Council third-party providers will be disclosed to the successful Tenderer on Notice of Award
16/Jan/2026 10:27 AM
Question:
Good Morning!

Are there mobile devices (iPads, iPhones, Android tablets etc.) to be included in the support? If so, how many please?

Kind regards, Leah

Answered on 19/Jan/2026 09:56 AM:


Hi Leah,

No. Phones are generally set up and managed by Council.

Sincerely,

Joneil
20/Jan/2026 03:00 PM
Question:
Please see below clarification questions:

1. Part B - 5. Cyber Security Services Specification - understanding your existing condition

a. Is there an existing or recent risk assessment done?

b. Has an Essential 8 Audit been done?

2. Part B - 5. Cyber Security Services Specification - understanding your appetite

Is there an appetite to develop a custom framework that aligns with ISO27001, Privacy Act, E8, NIST, and Peak services and business context, which enables Peak Services to respond rapidly to changing threat landscape and regulatory obligations?

3. Part B - 5. Cyber Security Services Specification - understanding the depth of the work that you require from us

a. Can you please clarify that all advisory work and any developed artefacts (e.g., policies, procedures, audit report) performed by the vendor would be Peak branded and not vendor branded?

b. Can you please clarify if you would expect QA process for each deliverable from the vendor, or would the vendor draft and finalise together with Peak team under Peak team's supervision? (The latter means that vendor is not responsible for QA - this can reduce the amount of effort required from the vendor.)

4. Part B - 5. Cyber Security Services Specification - 5.3.2. Performance Measurement: Effective management of incidents and breaches.

Part B - 5. Cyber Security Services Specification - 5.3.2. Performance Measurement: Stakeholder satisfaction and alignment with organisational objectives

a. Can you please clarify further on how you measure "effectiveness" in the “effective management”?

b. Can you please clarify who are the list of the stakeholders that will provide comments and approvals on the deliverables?

5. Part B - 5. Cyber Security Services Specification

Can you please provide information on which artefacts Peak already has for the following, and when they were last updated? If Peak does not have any, please indicate. This would help us better understand the current condition of these deliverables and the expected effort.

a. Cybersecurity governance framework.

b. Information security risk register

c. Cybersecurity policies, procedures, and standards related to vulnerability management, patch management, endpoint protection, IAM, network security, cloud security controls.

d. Cybersecurity strategy and program.

e. Incident response plan and escalation procedures.

f. Business continuity plan and disaster recovery plan.

g. Vendor and third-party risk management.

Answered on 23/Jan/2026 01:09 PM:


Refer to Addendum 1
21/Jan/2026 11:07 AM
Question:
Good Afternoon, seeking further clarification from Council on the questions outlined below.

1. Server, VM & M365 Backup

Please confirm the current backup solution(s) in place for physical servers and virtual machines, including:

• Backup vendor/product for physical servers, on-premises VMs & Azure VMs

• Backup frequency and retention

• Whether backups are stored offsite and data residency location

• Current RPO/RTO targets for physical servers & on-premises VMs

• Services covered for M365 (Exchange, OneDrive, SharePoint, Teams)

2. Azure & CSP billing

• If Azure billing may transition to the successful Tenderer, can Council provide:

• A summary of Azure resources currently in use

• Approximate monthly Azure consumption/spend

3. To support accurate pricing and response assumptions, please advise if Council can provide:

• Approximate number of P1 incidents over the past 12–24 months

• Whether P1 incidents are typically resolved remotely or onsite

• How many P1 incidents required onsite attendance

4. Outside of emergency P1 incidents, does Council expect:

• Any regular scheduled onsite visits, or

• Onsite support to be ad-hoc and reactive only?

Answered on 23/Jan/2026 01:10 PM:


Refer to Part 2 Attachment 1 and Addendum 1
23/Jan/2026 10:28 AM
Question:
Good Morning, can we please get an update on our questions that were asked on the 21st Jan?

Answered on 23/Jan/2026 01:10 PM:


Refer to Part 2 Attachment 1 and Addendum 1
28/Jan/2026 09:06 AM
Question:
Please provide server specifications, particularly GB volumes that are required to be backed up.

- As per, Document: Part_2_Specification Section 2.7 whether AWS operating systems exist in Croydon's environment. We've been unable to locate any services being hosted in AWS.

- As per, Document: Part_2_Specification Section 2.8 whether this is in scope of the tender. We note reference to an on-prem PBX server without any details of a Teams Voice environment as well as no section in the pricing spreadsheet. If a transition to Teams Voice is required, we will provide call plan/licencing pricing and need to scope the implementation once the tender has been awarded.

Answered on 30/Jan/2026 07:34 PM:


Q1. Please provide server specifications, particularly GB volumes that are required to be backed up.

Q1 Resp. Current MSP supports multiple servers and specifications vary across controllers, mail, apps etc.

All data is being backed up on the servers across on-prem servers, Cloud apps, and cloud infrastructure. About ~18TB in total storage footprint.

Q2. Whether AWS operating systems exist in Croydon's environment. We've been unable to locate any services being hosted in AWS.

Q2 Resp. No AWS hosting. Only MSFT Azure.

Q3. We note reference to an on-prem PBX server without any details of a Teams Voice environment as well as no section in the pricing spreadsheet.

Q3 Resp. Current MSP does not support Council telephony environment. Tenderers are encouraged to provide costing for 25 to 40 users and include it in the pricing spreadsheet.
29/Jan/2026 12:05 PM
Question:
Would you be open to upgrading your on-prem CCTV system to a cloud based solution?

Answered on 29/Jan/2026 12:08 PM:


Yes according to the appointed ICT MSP recommendation and business case all ICT platforms are subjected to performance and quality improvement to manage obsolescence. This is a long term contractual arrangement.
29/Jan/2026 12:15 PM
Question:
Is the Teams Voice solution currently a direct routing setup or native via Operator Connect? How many users + numbers, DID etc?

Answered on 30/Jan/2026 07:37 PM:


This is currently not supported through the MSP, provide an estimate for managing the Telephony environment for 25 up to 40 users.
30/Jan/2026 02:44 PM
Question:
Thank you for the response to our previous questions.

Please see below additional Q&A from the team:

Cybersecurity Governance Framework

- What framework and maturity level are you targeting (basic uplift, full alignment to ISO 27001, Essential Eight Maturity Level 2–3)?

- Are there existing policies, framework and standards to update, or must all be developed from scratch?

Risk Register & Assessments

- Is a current information security risk register available, and what format is it in?

- How often do you expect risk assessments and risk register updates? (e.g., monthly, quarterly)

Security Program and Operations Oversight

- Do you require business case development for investments, as part of the strategy deliverable?

- Do you require onsite presence of cyber resources on a weekly basis, or is that flexible, based on prior notifications?

Incident Response (IR) and Business Continuity

- Do you already have an IR plan or runbooks?

- What level of involvement do you expect during incidents (advisory only, hands on, 24/7 escalation)?

- Do you want the cyber service provider to audit backup/restore tests, and provide review reports?

- Do you want the cyber service provider to coordinate full DR exercises?

Security Training & Awareness

- How frequently should training/ phishing simulations occur?

Audit and Compliance Reports

- Based on your prior audit calendars, how many hours and FTE resources do you estimate to support internal and external audits, and provide documentation evidencing compliance?

- Is there a preliminary estimation on the hours/days required to collaborate with the IT MSP to ensure remediation of E8 activities are planned, tracked, and verified as part of ongoing security improvement initiatives? OR should we quote only on the initial planning session to arrive at the final efforts, and provide it for your sign-off for further investment?

Penetration Testing

- We understand that the testing scope is comprehensive. For the purpose of quoting a budget, which quote options would you prefer:

o Time-boxed to a few hours/days, which can be used based on scope finalisation

o Sampled assets from the scope in Part_2_Attachment_1_-_Additional_Specifications?

o Comprehensive to cover all assets in the Part_2_Attachment_1_-_Additional_Specifications?

Oversight of MSP Security Operations

- What level of access will be granted to security tools for oversight (read only, advisory-level dashboards)?

- How do you expect triage to be split between MSP and Cyber provider? Will this be led by the cybersecurity services provider (Incident Response specialist) ?

- What are the expected responsiveness SLAs for advisory escalation by the Cyber provider?

- With ~525 tickets/yr across incidents/requests, what subset of security relevant tickets do you expect Cyber service provider to review/resolve?

Third-party and Vendor Risk Management

- How many third party vendors need to be assessed annually?

- Do you require security questionnaires, onsite audits, or only desktop review?

- Are you open to use offshore resources to reduce costing on supplier screenings?

Answered on 30/Jan/2026 07:54 PM:


A report was produced based on the recent Cyber-Security Controls Review 2025.

Please provide your response according to "best practice ITSM" reasonably and realistically applied to a small organisation with approximately 25 FTE that is resource constrained, preferably no offshore resources even if remotely delivered frequently as required.

All IT service improvement activities mentioned can be discussed 2 weeks prior to contract commencement or during the 8-year term with the successful Tenderer.
02/Feb/2026 11:38 AM
Question:
Please see below additional questions.

Security Training & Awareness

• How frequently should training/ phishing simulations occur?

• Is there currently any cyber security training in place?

• Are you looking for eLearning training modules, live virtual sessions, in person workshops or a blend?

• Are you after a communications plan, for example campaign branding and messaging, email copy, posters, or leadership toolkits?

• Are you looking for role-based scenarios or streams of training?

• How frequently do you want ongoing communications or threat updates? (Monthly, Bi-monthly, ad hoc)

• What Learning Management System or internal platforms do you currently use?

• Do you currently have a learning or training platform for cyber security?

• Is incident response or crisis management training in scope for this project?

• Are you currently running any phishing campaigns?

Answered on 02/Feb/2026 02:35 PM:


Please see below responses to additional questions.

Security Training & Awareness

• How frequently should training/ phishing simulations occur? Map it to ISO 27001 / NIST / Essential Eight:

- Annual awareness training
- Monthly phishing simulations
- Immediate training for new starters
- Extra focus on high-risk role

• Is there currently any cyber security training in place? Yes. However, is open to "Best Practice" to cater for 25 to 40 staff.

• Are you looking for eLearning training modules, live virtual sessions, in person workshops or a blend? Yes, a blend according to "Best Practice" to cater for 25 to 40 staff.

• Are you after a communications plan, for example campaign branding and messaging, email copy, posters, or leadership toolkits? Yes, a blend according to "Best Practice" to cater for 25 to 40 staff.

• Are you looking for role-based scenarios or streams of training? Yes, a blend according to "Best Practice" to cater for 25 to 40 staff.

• How frequently do you want ongoing communications or threat updates? (Monthly, Bi-monthly, ad hoc) Monthly. Yes, according to "Best Practice" to cater for 25 to 40 staff.

• What Learning Management System or internal platforms do you currently use?

• Do you currently have a learning or training platform for cyber security? No

• Is incident response or crisis management training in scope for this project? Yes

• Are you currently running any phishing campaigns? Anti-Phishing educational campaigns? No. Please include "Best Practice" to cater for 25 to 40 staff.
02/Feb/2026 03:35 PM
Question:
Essential Eight & Security Uplift

What is Council’s current Essential Eight maturity level?

Is there a defined target maturity level for the contract term?

Should Essential Eight uplift activities be limited to technical controls only, or include:

Governance

Documentation

Staff awareness and process maturity?

Will Essential Eight reporting be required on a monthly or quarterly basis?

Answered on 04/Feb/2026 09:59 AM:


Dear David,

Based on the ACSC E8 audit and compliance requirements, Council's current maturity level is 0, however many individual criteria of the various maturity control items are met.

Council requires compliance to regulatory and legal requirements including reporting as outlined in the E8 "best practice guidelines" to Local government in Australia.

Your response should detail your approach and methodology to addressing ACSC E8 and demonstrate your understanding of the E8 framework including reporting requirements on a monthly or quarterly basis according to "best practice" standards for local government outlined in your offer.

Please refer to Addendum 1 Part 2 – Specification Attachment 2 Key Controls.
02/Feb/2026 03:39 PM
Question:
What is the current mail protection/filtering solution in place?

Answered on 04/Feb/2026 10:00 AM:


The current solution is provided by the incumbent provider. Respondents are required to implement their recommended solution and price accordingly.
02/Feb/2026 03:40 PM
Question:
What is the email signature solution?

Answered on 04/Feb/2026 10:01 AM:


The current solution is provided by the incumbent provider. Respondents are required to implement their recommended solution and price accordingly.
Updates made to this Request
23/Jan/2026 01:12 PM
Please note: The following addendum has been recently added.

1. Added: (Addendum) Addendum 1 Part 2 Specification Attachment 2.pdf

Please consider this addendum when responding.