MiBOT Support

Winning Tenders: How Your IT Setup Can Make or Break the Deal

If you've tendered for work in the last two years — especially with a corporate, a government department, or a multinational client — you've probably noticed the questionnaires getting longer. And a lot of those new questions aren't about your service or pricing. They're about your IT.

Do you have a documented information security policy? Where is client data stored? What happens if you're hit by ransomware? Can your IT provider prove they meet international security standards?

For a growing number of South African businesses, the answer to those questions is the difference between winning a tender and being politely thanked for participating. Here's what's changed, and what you can do about it.

Why Tender Requirements Have Shifted

A few years ago, tender documents focused almost entirely on BBBEE status, financials, technical capability, and references. Today, supplier due diligence sections are increasingly weighted towards information security and data handling.

There are a few reasons for this:

  • POPIA accountability. When you handle a client's data, they're still legally responsible for it. So they're pushing that responsibility down the supply chain.
  • Global supply chain attacks. Big breaches like the Transnet incident and the global SolarWinds attack taught corporate procurement teams that the weakest link is often a small supplier.
  • Insurance and audit pressure. Many large companies now have cyber insurance policies that require them to vet suppliers. No vetting, no cover.

The upshot? Your IT posture is now a sales tool. Get it right and you unlock bigger clients. Get it wrong and you're quietly removed from the shortlist.

The Questions Tenders Are Actually Asking

Look through a few recent due diligence questionnaires and you'll see the same themes coming up:

  • Do you have an Information Security Policy and an Acceptable Use Policy?
  • How do you manage user access, especially for staff who leave?
  • What's your backup and disaster recovery strategy, and when was it last tested?
  • Do you use multi-factor authentication on email and cloud systems?
  • How do you train staff to spot phishing?
  • Is your IT provider certified to a recognised security standard (ISO 27001, SOC 2)?
  • How do you handle and report security incidents?
  • Where is data stored geographically?

Notice that most of these aren't "do you have fancy technology" questions. They're "do you have documented, repeatable processes" questions. That's a very different problem to solve.

Where Most SMBs Fall Short

In our experience helping clients respond to these questionnaires, the gaps usually fall into three categories.

1. No documentation. The business might actually be doing reasonable things — backups run, antivirus is installed, passwords are decent — but nothing is written down. When a procurement team asks for a policy document, there isn't one.

2. No evidence. Saying "yes, we do backups" isn't enough anymore. Tenders want screenshots, logs, test reports, or a letter from your IT provider confirming what's in place.

3. No certified supplier. This is the big one. If your IT is handled by a part-time consultant or an MSP without any independent certification, you can't tick the box that says "our IT partner is certified to an internationally recognised standard." That single missing tick has cost businesses real contracts.

A Practical Pre-Tender Checklist

If you're chasing bigger contracts in the next 12 months, work through this list now — not the night before submission.

Get your policies written down. At minimum: an Information Security Policy, an Acceptable Use Policy, a Password Policy, an Incident Response Plan, and a Data Backup Policy. They don't need to be 80 pages. They need to be real, signed, and reviewed annually.

Lock down user access. Make sure every staff member has their own login (no shared accounts), MFA is enabled on Microsoft 365 and other critical systems, and there's a documented process for removing access when someone leaves. Tenders love asking about this.

Test your backups — and keep the evidence. Run a restore test, document what was restored, how long it took, and who signed it off. That one-page report is gold when an auditor asks.

Run phishing simulations. Even a basic quarterly simulation with a short report showing click rates and training completion looks very professional in a tender pack.

Document your suppliers. Procurement teams want to know who has access to your data. List your IT provider, your cloud platforms, your accounting software, and anything that touches client information.

Choose a certified IT partner. This is the shortcut. When your MSP is ISO 27001 certified, you inherit a huge chunk of credibility. You can attach their certificate to your tender response and answer "yes" to a stack of questions in one go.

The ISO 27001 Shortcut

We'll be honest about this one because it's directly relevant. MiBOT Support is ISO 27001 certified, and we get asked for our certificate almost every week — usually by a client who's been sent a due diligence questionnaire and suddenly needs proof that their IT provider takes security seriously.

ISO 27001 is the international standard for information security management. It means an external auditor has checked that we have documented policies, tested controls, trained staff, and a continuous improvement process. Very few South African MSPs hold it, which is exactly why it carries weight in a tender response.

For our clients, it often means the difference between answering "we believe our provider is secure" and attaching a certificate that ends the conversation.

Start Before the Tender Lands

The worst time to fix your IT documentation is the week the tender closes. The best time is now, while you have breathing room to do it properly.

If you're not sure where you stand, pull out the last due diligence questionnaire you received and try to answer every question with evidence attached. The gaps you find are your roadmap.

And if you'd like a hand working through it — or you just want to know what it would look like to have an ISO 27001 certified IT partner backing your next tender response — the team at MiBOT Support is happy to have that conversation. No pressure, no jargon, just a practical look at what's already strong and what needs tightening.
