Industry · Other
Your industry isn't on our list. That's not a deal-breaker.
We publish landing pages for the verticals where we have the most clients and the deepest experience. We work with plenty of businesses outside those. The criteria for becoming a CCP client are about your size, your security posture, and how you want to run IT, not the sector you operate in.
What being outside the named industries changes
What you lose is sector-specific marketing. What you keep is everything else.
The named industries on our other pages exist because we have enough clients in each one to recognise the patterns: the regulators, the practice-management software, the buyer-driven security questionnaires, the failure modes specific to that sector. The pages talk to those patterns directly. If you are outside those eight, what you lose is sector-specific marketing copy. What you keep is the same managed-IT engagement.
Most of what we do for a client does not depend on the industry they operate in. The security baseline runs the same way. New starters get drop-shipped devices that configure themselves the same way. Backups get tested on the same schedule. The Microsoft 365 stack we standardise on works the same way for a warehousing operator as it does for a law firm. Where the industry matters is in the overlay (a specific compliance framework, a particular line-of-business application, a contract clause with a Tier 1 customer), and we scope that part per engagement rather than per plan tier.
What we will not do is pretend to be a specialist when we are not. If a question comes up during scoping where a deeper sector-specific MSP would genuinely serve you better, we will say so and recommend one. Most of the time the answer is that you do not need a sector specialist. You need a provider who will do the basics properly, who will ask questions before selling you anything, and who will be honest when something sits outside their scope.
Frameworks that turn up in the room
The obligations and frameworks that apply regardless of your sector.
- ASD Essential Eight
- The Australian Signals Directorate's eight mitigation strategies. Increasingly the baseline cyber insurers, large corporate clients, and government-adjacent contracts score every supplier against, regardless of sector. We move clients through the maturity model and produce the evidence at each level.
- Privacy Act 1988 and the Australian Privacy Principles
- Every Australian business holding personal information sits inside the APPs to some degree, with formal obligations once you cross the small-business threshold (and Tranche 2 is widely expected to remove that exemption for ~100,000 more businesses). Access, correction, breach notification and retention all have a technical machinery underneath them.
- Notifiable Data Breaches scheme
- Mandatory notification to the OAIC and affected individuals when a breach is likely to result in serious harm. The trigger is technical (did the data leave, what did it contain), but the deadline is regulatory. Without logs and retention, you cannot answer either side credibly.
- Cyber insurance questionnaires
- Insurer questionnaires now read like audit checklists regardless of the policy size. MFA coverage, backup testing, patching cadence, offboarding discipline, EDR deployment. The questions are roughly the same across insurers and across industries; the difference is whether your stack can answer them with evidence.
- Customer-driven and contract-driven security obligations
- Tier 1 customers, government-adjacent clients, head contractors and landlords increasingly attach security clauses to commercial contracts. A 30-seat firm with a single large customer can end up with the same evidence demands as a 300-seat firm. The work to satisfy those clauses is largely the same regardless of which industry you operate in.
Common questions
The things first-time visitors from unlisted industries ask.
- Do you have a list of industries you will not work with?
- We do not actively pitch government departments or government agencies. The procurement rhythm, panel arrangements and security-clearance overhead are not a fit for how we work, and you would be better served by specialists who do that work daily. Outside of government, we do not have a published 'no' list. We will decline an engagement during scoping if we cannot do it well, and we will tell you why.
- What size of business do you typically work with?
- Our sweet spot is 20 to 250 staff, with most of our clients sitting around 50. The minimum we will take on a managed-IT engagement is ten seats. Below ten seats the per-seat economics do not work for either side, and you are usually better served by a smaller-scale arrangement we are happy to recommend you to.
- We're in retail, manufacturing, logistics, or warehousing. Does that count as 'other'?
- Yes, and we have clients in all of those. The named verticals on our other pages reflect where we have enough clients to recognise sector-specific patterns, not the full set of sectors we work in. The shape of a managed-IT engagement does not change much across those industries. The line-of-business apps differ, but the security baseline, identity, devices, M365, backups and patching cadence are the same.
- Our industry has very specific line-of-business software. Can you support it?
- We manage the environment the software runs on (the M365 tenant, the devices, the network, the identity, the backups), and we know where the boundary sits between our work and the vendor's. Where the vendor provides a cloud-hosted version, we integrate it into your security and identity stack. Where it is on-premises, we host or manage the server it runs on. Application-level workflow questions stay with the software vendor; everything around the application is ours.
- We're between 10 and 20 staff. Are we too small for a proper engagement?
- No. Ten seats is the floor. The economics work, and a business of that size usually benefits the most from a real engagement because the failure modes (one person on holiday and nothing gets patched, the office manager wearing too many hats, the backup that has never been tested) are the most acute. Most of our long-tenure clients started smaller than they are now.
- Our setup is unusual. How long does onboarding take?
- Three months, included in the engagement at no extra charge. Unusual setups extend specific work-streams (a more complicated identity migration, a deeper documentation gap on the inbound side), but the overall window holds. We would rather spend the extra time during onboarding than discover the gap two years in.
The qualifier
Let's see if we're a fit.
Seven questions, one moment of your time. We'd rather tell you now than three months in.