A buyer’s checklist and the red flags that should make you walk away.
Choosing an IT partner is one of the most consequential decisions a growing business makes. The right Managed Service Provider becomes an extension of your team: someone who understands your goals, keeps your infrastructure running, and helps you make better technology decisions. The wrong one becomes a source of frustration, wasted budget, and risk you didn’t know you were carrying.
The challenge is that most MSPs look similar on paper. The proposals use the same language. The slide decks follow the same structure. And the sales conversations all promise the same outcomes. The difference only becomes apparent once you’re six months into the contract and something goes wrong.
This checklist is designed to help you see past the marketing and evaluate what actually matters. Use it during your procurement process, bring it to evaluation meetings, and hold every provider to the same standard. The best MSPs will welcome the scrutiny. The ones who don’t are telling you something important.
Technical capability
This is the foundation. An MSP needs the technical depth to support your environment today and the breadth to help it evolve. Certifications, industry experience, escalation processes, and documented procedures all contribute to this picture.
Certifications relevant to your stack
Microsoft Partner status, relevant vendor certifications, Cyber Essentials Plus. These aren't vanity badges. They indicate that the provider has invested in training and met an external standard of competence. Ask which certifications they hold and when they were last renewed.
Experience with your industry
References from similar-sized businesses in your sector matter more than a generic client list. An MSP that supports law firms will understand case management software, regulatory requirements, and data handling obligations in a way that a generalist simply won't.
A clear escalation path
How do complex issues reach senior engineers? If the answer is vague or amounts to 'we'll figure it out', that tells you everything about how they handle pressure. You want a documented process: first-line, second-line, and a named point of contact for critical incidents.
Documented processes
Written procedures, not tribal knowledge. When your primary engineer is on holiday and something breaks, does the backup engineer know what to do? Documentation separates professional operations from improvisation.
Security focus
Your MSP has privileged access to your entire environment. They hold the keys to your data, your systems, and your users’ identities. Security isn’t a nice-to-have in this relationship. It’s the single most important consideration.
They're Cyber Essentials certified themselves
Ideally Cyber Essentials Plus. An MSP that handles your security but can't demonstrate their own baseline is a contradiction. Ask for the certificate and check the expiry date.
Security is included, not an add-on
Basic security should be part of the standard service, not a premium extra. If endpoint protection, patch management, and MFA enforcement are bolt-on costs, the provider is treating security as a revenue stream rather than a responsibility.
Proactive security reviews
Regular assessments, not just responding to incidents. A good MSP should be telling you about vulnerabilities before they're exploited, reviewing your configuration quarterly, and keeping you ahead of emerging threats.
A clear incident response process
What happens if something goes wrong? Who do you call? What's the communication protocol? How quickly will they contain the issue? These aren't hypothetical questions. They're things you need to know before you need them.
“The best MSPs don’t just fix your IT. They understand your business well enough to anticipate what you’ll need next. If your provider only talks to you when something breaks, they’re not managing. They’re reacting.”
Service delivery
Technical skill means nothing if the service itself is poor. How responsive is the provider? How do they communicate? Do they treat your issues with the same urgency you feel? Service delivery is where the day-to-day experience is shaped.
Transparent SLAs
Clear response and resolution time commitments, in writing. Not 'we aim to respond quickly' but 'critical issues receive a response within 15 minutes and a resolution plan within one hour'. Specificity is the difference between a promise and a commitment.
Multiple contact channels
Phone, email, and a ticketing portal at minimum. Some teams prefer Microsoft Teams integration. The point is that you shouldn't have to work around the provider's limitations. They should adapt to how your people actually work.
UK-based support during business hours
Know where your support is coming from. Offshore first-line support can work for large enterprises with dedicated service management, but for most SMEs it creates friction, cultural misalignment, and longer resolution times.
Regular service reviews
Scheduled check-ins to discuss performance, review tickets, plan upcoming changes, and address concerns. Monthly or quarterly, depending on your size. If the only time you hear from your MSP is when you raise a ticket, they're not managing your IT. They're just fixing it.
Commercial terms
The commercial structure of an MSP contract tells you a great deal about how the provider operates. Transparent pricing, clear scope, and reasonable terms are not just commercial niceties. They’re indicators of how the relationship will work in practice.
Predictable pricing
Per-user or per-device pricing means you know your costs. If the proposal is full of variable charges, excess fees, and small print, you'll end up paying more than you budgeted. Every time.
Clear scope of service
What's included? What costs extra? Where does 'support' end and 'project work' begin? These boundaries should be defined before you sign, not discovered when you receive a surprise invoice three months in.
Reasonable contract terms
Twelve-month contracts are standard. Anything longer should come with meaningful benefits: a price lock, additional services, or a break clause. If the provider needs a three-year lock-in to retain clients, ask yourself why.
Clear exit terms
What happens if you want to leave? How is your data handed over? What's the notice period? A provider that makes it difficult to leave is one that expects you to want to. That's not a good sign.
Red flags to watch for
Some problems are only visible once you’re locked into a contract. Others are visible during the sales process if you know where to look. If you encounter any of the following during your evaluation, proceed with caution or walk away entirely.
They can't provide references
Any reputable MSP should have clients willing to vouch for them. Not just logos on a website, but actual conversations with real people who use the service. If they hesitate, or offer only carefully curated contacts, treat it as a warning.
Pricing is suspiciously low
Quality IT support costs money. If one provider is significantly cheaper than the rest, they're cutting corners somewhere: staffing levels, security tooling, response times, or engineer quality. You'll pay the difference eventually, usually at the worst possible moment.
They promise 'unlimited' everything
Nothing is unlimited. Every 'unlimited support' contract has a fair use policy buried in the terms. The honest providers will tell you what's realistic. The ones selling you a fantasy are the ones who'll push back when you actually need help.
Long lock-in contracts with no flexibility
Three-to-five-year contracts benefit the provider, not you. If the service is good, you won't want to leave. If it isn't, you shouldn't have to stay. Question any provider who needs contractual lock-in to retain their client base.
They can't explain their security practices
If an MSP can't clearly articulate how they protect their own systems, how they manage privileged access to your environment, or what certifications they hold, they're not taking security seriously. And they have the keys to your kingdom.
No dedicated account manager
You should have someone who knows your business, your infrastructure, and your goals. Not just a ticket queue. Account management is what turns a transactional relationship into a strategic partnership. Without it, you're just a number.
They push hardware sales heavily
Some MSPs make their real margin on hardware rather than service quality. If the conversation keeps steering toward new equipment purchases rather than optimising what you have, their incentives aren't aligned with yours.
Vague SLAs or no SLAs at all
If they won't commit to response and resolution times in writing, they won't meet them. An SLA is not a formality. It's the foundation of accountability. Without one, you have no recourse when things go wrong.
“The difference between a good MSP and a bad one is rarely visible in the proposal. It becomes obvious the first time something goes seriously wrong and you need someone who actually understands your environment.”
Questions to ask in evaluation meetings
Don’t rely on the provider’s pitch deck. Come prepared with specific questions and compare the answers across every provider you evaluate. The way they respond is often as revealing as the answers themselves.
About their team
- •How many engineers do you have, and what's the ratio of engineers to clients?
- •What's your staff turnover rate over the last two years?
- •Who would be our main point of contact, and what happens when they're unavailable?
- •What certifications does your team hold, and how do you invest in ongoing training?
About their service
- •What's your average response time across all priority levels?
- •How do you handle out-of-hours emergencies, and what does that cost?
- •Can you walk me through exactly what's included versus what's charged separately?
- •How do you distinguish between support work and project work?
About security
- •Are you Cyber Essentials Plus certified, and when does it expire?
- •How do you manage privileged access to our environment?
- •Walk me through your incident response process for a client-side breach.
- •How do you keep your own internal systems and tooling secure?
About transition
- •What does onboarding look like, and how long does it take?
- •What documentation do you need from us, and what will you produce?
- •How long until you're fully operational and able to support us at agreed SLA levels?
- •If we decide to leave, what's the process for data handover and knowledge transfer?
Evaluation scoring
Rate each provider from 1 to 5 on these ten criteria. A total score out of 50 gives you a simple, comparable framework. But don’t rely on the number alone. A provider that scores 4 across the board is almost certainly a better fit than one that scores 5 in some areas and 1 in others.
What a good MSP relationship looks like
When the partnership is working well, you should feel like your IT is handled. Not perfect, because no environment is, but managed with competence, transparency, and genuine accountability. Here’s what to expect.
response time for critical issues, with a named escalation point
service reviews covering performance, upcoming changes, and strategic planning
on invoices. Predictable costs with clear scope boundaries and fair billing
Looking for a new MSP?
We’d be happy to talk through your requirements and see if we’re a good fit. We work with SMEs across the UK, providing managed IT support, cyber security, and strategic technology advice. No lock-in contracts. No hidden costs. Just reliable, well-managed IT.
If you’re in the middle of an evaluation, bring this checklist. We’ll answer every question on it, and we’ll point out a few things you might not have thought to ask.