BISTEC IT Services

Managed Security × Financial Services

Managed security for mid-market financial services.

Senior security operations. Named CREST analysts. CPS 234 §15 audit-ready. Essential Eight ML2 alignment with documented uplift roadmap. CPS 230 critical-operations mapping. Foundation, Defence and Resilience tiers — named, not priced.

After the 2025 pension/super-fund wave, three things changed

The 2025 pension/super-fund wave changed three things about how mid-market FS CISOs and Heads of Risk procure security:

  • Containment time is the new SLA (acknowledge-time alone is not a control — the audit committee asks: when did you contain).
  • Evidence is the deliverable (quarterly board-grade evidence packs that survive a §15 control test — not a dashboard screenshot).
  • Named accountability is non-negotiable (a queue in a different time zone is the problem you are paying to leave).

Pratfall

We don't claim AI in security operations. Humans do this work.

That is the contrarian, honest position — and the one regulators increasingly expect. "The model decided" is not yet, and may never be, an acceptable answer to APRA.

How we work with mid-market FS

  1. Three modular tiers — named, not priced

    • Foundation (business hours, 4-hour acknowledge, quarterly evidence).
    • Defence (24/7/365, 30-min acknowledge / 1-hour containment, monthly evidence, named senior analyst — preferred for most mid-tier banks and pension/super funds).
    • Resilience (24/7 + on-site rotation, 15-min acknowledge / 30-min containment, continuous + board pack, named analyst + dedicated lead).

  2. Senior security operations with named CREST analysts

    Named on your account. CREST credentials. The escalation contact is a person.

  3. Evidence-grade reporting for Risk and Board

    Quarterly pack on Defence and above. CPS 234 §15 control-test mapping. CPS 230 critical-operations alignment. Tolerable-disruption-window narratives in risk language.

  4. CPS 230 paired with CPS 234 throughout

    From 1 July 2025 onward, we pair them by default — critical operations, dependency registers, tolerable-disruption windows.

  5. Mid-market on purpose

    Your named senior analyst does not get reassigned to a Big-4 bank account.

Senior security with named accountability. Engineering depth from Colombo for everything that isn't security.

What's on the contract

  • ISO 27001
  • CPS 234 alignment
  • CPS 230 alignment
  • Essential Eight ML2
  • CREST
  • SOC 2 Type II in flight
  • Microsoft Sentinel partner

Sample evidence pack

Sample CPS 234 Evidence Pack

Redacted from a real engagement. Use it as a procurement reference. RACI, control-test summary, sub-processor register, 72-hour notification playbook, last quarter's tabletop minutes.

Talk to a security lead.

Twenty minutes. Named accountability from the first call. Sample evidence pack on request.