What Should I Look For When Choosing A Managed Service Provider (MSP)?
Choosing a managed service provider means evaluating whether an IT partner can reliably support users, secure systems, recover data, communicate clearly, document responsibilities, and scale with the business. The best MSP is not simply the cheapest provider; it is the provider that proves capability, accountability, transparency, and risk reduction before the contract is signed.
The UK National Cyber Security Centre advises small and medium-sized businesses to scrutinize MSPs because providers often have access to systems, data, and customer information. It recommends asking the right questions before contracting with an MSP to protect data, systems, reputation, and service continuity.
MSP Selection Criteria at a Glance
The most important MSP selection criteria are security maturity, service reliability, relevant experience, clear SLAs, transparent contracts, client references, technical reporting, backup and incident response capability, communication quality, and pricing clarity. A strong provider should support each claim with evidence, not vague assurances.
| Selection Criterion | What to Look For | Evidence to Request |
|---|---|---|
| Security maturity | MFA, least privilege, patching, EDR/MDR, incident response | Security overview, access control process, sample report |
| Relevant experience | Similar business size, sector, systems, and risk profile | References, testimonials, case examples |
| Clear SLA | Defined response times, priorities, escalation, reporting | SLA matrix and contract language |
| Backup and recovery | Tested backups, RTO/RPO, retention, recovery procedures | Backup report and restore test example |
| Communication | Clear escalation, plain-language reporting, regular reviews | Sample meeting agenda and monthly report |
| Transparency | Clear inclusions, exclusions, liability, subcontractors, data handling | Responsibility matrix |
| Pricing and value | Monthly cost tied to scope, risk, and service level | Normalized quote with exclusions |
| Scalability | Ability to support growth, projects, cloud, locations, and new users | Roadmap process and technical team depth |
| Exit terms | Smooth transition of data, credentials, documentation, and tools | Cancellation and offboarding clause |
The selection process should make risk visible. If two MSPs look similar on price, compare how they handle incidents, backups, access control, reporting, and accountability.
Step 1: Define What You Need Before Contacting MSPs
Before contacting MSPs, define your users, devices, locations, cloud platforms, critical applications, security requirements, support hours, compliance obligations, and business continuity needs. Clear requirements prevent vendors from quoting different scopes and make it easier to compare proposals fairly.
Start by documenting your environment. A managed IT proposal is only useful if it reflects the actual business, not a generic support package.
Create a simple inventory:
- Number of users.
- Number of devices.
- Number of servers.
- Business locations.
- Remote or hybrid workers.
- Microsoft 365 or cloud platforms.
- Critical applications.
- Current cybersecurity tools.
- Backup systems.
- Compliance or privacy obligations.
- Known pain points.
- Desired support hours.
The Canadian Centre for Cyber Security recommends that organizations determine which information systems and assets are in scope, including computers, servers, network devices, mobile devices, applications, cloud services, and other systems used to conduct business.
A provider cannot design the right service model without knowing what must be protected, supported, and recovered.
Step 2: Evaluate Security Before Price
Security should be evaluated before price because MSPs often hold privileged access to client systems. A low-cost provider can become expensive if it lacks MFA, patch discipline, backup testing, logging, incident response, least-privilege access, or a clear process for notifying clients during security events.
The NCSC recommends discussing patching, backups, access control, logs, and incident response with MSPs before those services are written into the contract. It also recommends checking whether the MSP protects its access to your systems with two-step verification.
Ask every MSP these security questions:
- How do you secure remote access to client systems?
- Do all administrative accounts use MFA?
- Do you use least-privilege access?
- How do you store and rotate credentials?
- How do you monitor endpoints, servers, and cloud accounts?
- What happens when a high-severity alert is detected?
- How quickly are critical patches applied?
- How are logs retained and accessed?
- What is your incident response process?
- How will you notify us if you or we experience a breach?
A strong MSP should answer plainly. A weak MSP will hide behind tool names without explaining process, ownership, and response actions. Pay particular attention to the remote monitoring and management (RMM) tooling: it holds privileged access to every client at once, so a compromise of the MSP's RMM platform or of a single technician's account can reach all of its customers. Ask how that tooling is protected, who can reach it, and how its use is logged.
Step 3: Check Certifications, Partnerships, and Experience
Certifications, vendor partnerships, awards, and years in business can help validate an MSP, but they should not replace due diligence. Use them as trust signals, then verify whether the provider has relevant client experience, security processes, references, escalation procedures, and support capability for your specific environment.
The NCSC recommends checking recognized security certifications and notes that certifications such as Cyber Essentials Plus, ISO 27001, or SOC 2 can indicate that an organization takes information security seriously. It also recommends asking for testimonials or references from other clients, especially small and medium-sized businesses.
For Netcetera-specific trust signals, consider these credibility markers:
- Netcetera was established in 1999.
- Netcetera is based in North Vancouver, BC.
- Netcetera supports clients across the Lower Mainland and other Canadian regions.
- Netcetera provides break/fix support and managed service models.
- Netcetera received Sophos Partner of the Year for Canada recognition in 2016 and 2020.
- Netcetera and Sophos are described as preferred cybersecurity partners to the Aquilini Group of Companies, including the Vancouver Canucks and Rogers Arena.
These facts are useful credibility markers, but buyers should still ask how the provider will support their own environment, users, risk profile, and budget.
Step 4: Review the SLA in Detail
An MSP SLA should define support hours, priority levels, response targets, escalation steps, reporting cadence, incident notification expectations, exclusions, and responsibilities. Do not accept phrases such as “fast support” or “best effort” when the business needs measurable service commitments.
The NCSC defines response time as the time between logging an issue and the MSP starting to investigate it. It notes that one business day is a standard response time for general service requests or minor issues, while under one hour is standard for urgent issues. It also states that two to three business days can be a good starting point for medium-priority routine resolution or workaround targets.
| SLA Item | What to Confirm |
|---|---|
| Support hours | Business-hours, after-hours, weekends, holidays |
| Priority definitions | P1, P2, P3, P4 based on business impact |
| Response time | When the MSP starts investigating |
| Resolution target | When the issue is resolved or worked around |
| Escalation path | Who gets involved when issues are not resolved |
| Incident notification | How and when security incidents are reported |
| Reporting | Monthly or quarterly service and risk reviews |
| Exclusions | What is outside the monthly fee |
| Client responsibilities | What the business must approve, provide, or maintain |
The SLA should match business impact. A company that loses revenue during downtime needs different commitments than a company where most systems can wait until the next business day.
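The response-time definition above is easy to state but only useful if it is actually measured. The following script, which is an added example and not part of the original article or any MSP's tooling, checks a month of ticket records against per-priority response targets in the way the definition describes: elapsed time runs from when the ticket was logged to when investigation started. The targets (P1 under one hour on the wall clock, P3 one business day, P4 three business days), the 09:00-17:00 Monday-to-Friday business window, and the ticket data are all assumptions made for this example; substitute the values written into your own SLA.

```python
"""SLA response-time check over constructed ticket records.

Added example (not from the original page). Response time is measured the way
the NCSC definition quoted in the text describes: from the moment the ticket is
logged to the moment the MSP starts investigating. Priority targets, the
09:00-17:00 Mon-Fri business window and the sample tickets are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta

BUSINESS_START = 9   # assumption: business hours 09:00-17:00, Monday to Friday
BUSINESS_END = 17
BUSINESS_MINUTES_PER_DAY = (BUSINESS_END - BUSINESS_START) * 60

# Assumed targets. P1 is measured on the wall clock around the clock, because an
# urgent issue logged on Saturday should not wait for Monday; lower priorities
# are measured in business minutes.
TARGETS = {
    "P1": ("clock", 60),                               # under one hour
    "P2": ("business", 4 * 60),                        # four business hours
    "P3": ("business", BUSINESS_MINUTES_PER_DAY),      # one business day
    "P4": ("business", 3 * BUSINESS_MINUTES_PER_DAY),  # three business days
}


@dataclass
class Ticket:
    ticket_id: str
    priority: str
    logged: datetime
    investigation_started: datetime


def business_minutes(start: datetime, end: datetime) -> int:
    """Minutes of the Mon-Fri business window that fall between start and end."""
    if end <= start:
        return 0
    total = timedelta()
    day = start.date()
    while day <= end.date():
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            window_open = datetime.combine(day, time(BUSINESS_START))
            window_close = datetime.combine(day, time(BUSINESS_END))
            overlap = min(end, window_close) - max(start, window_open)
            if overlap > timedelta():
                total += overlap
        day += timedelta(days=1)
    return int(total.total_seconds() // 60)


def elapsed_for_sla(ticket: Ticket) -> int:
    """Elapsed minutes on the basis (clock or business) that the priority uses."""
    basis, _ = TARGETS[ticket.priority]
    if basis == "clock":
        return int((ticket.investigation_started - ticket.logged).total_seconds() // 60)
    return business_minutes(ticket.logged, ticket.investigation_started)


def sla_report(tickets):
    """Per-priority count of tickets that met their response target, plus breached IDs."""
    report = {p: {"met": 0, "total": 0, "breached": []} for p in TARGETS}
    for t in tickets:
        _, target = TARGETS[t.priority]
        entry = report[t.priority]
        entry["total"] += 1
        if elapsed_for_sla(t) <= target:
            entry["met"] += 1
        else:
            entry["breached"].append(t.ticket_id)
    return report


# Constructed sample tickets (not real data). In June 2024 the 1st is a
# Saturday, the 7th a Friday, the 10th a Monday and the 12th a Wednesday.
SAMPLE_TICKETS = [
    Ticket("T-1001", "P1", datetime(2024, 6, 1, 2, 0), datetime(2024, 6, 1, 2, 45)),
    Ticket("T-1002", "P1", datetime(2024, 6, 12, 10, 0), datetime(2024, 6, 12, 11, 30)),
    Ticket("T-1003", "P3", datetime(2024, 6, 7, 16, 30), datetime(2024, 6, 10, 10, 0)),
    Ticket("T-1004", "P3", datetime(2024, 6, 10, 9, 0), datetime(2024, 6, 11, 13, 0)),
    Ticket("T-1005", "P4", datetime(2024, 6, 10, 9, 0), datetime(2024, 6, 13, 9, 0)),
]

if __name__ == "__main__":
    for prio, entry in sla_report(SAMPLE_TICKETS).items():
        print(prio, f"{entry['met']}/{entry['total']} met", "breached:", entry["breached"])
```

Ticket T-1003 is the case worth noticing: logged at 16:30 on a Friday and picked up at 10:00 on Monday, it is 65 clock hours old but only 90 business minutes, so it meets a one-business-day target. Whether that is acceptable for your business is exactly the question the SLA has to answer, which is why the basis of measurement for each priority should be written into the contract rather than assumed.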
Step 5: Compare Pricing by Value, Not Monthly Fee Alone
MSP pricing should be compared by scope, risk reduction, included tools, support coverage, security depth, backup capability, reporting, and exclusions. The cheapest monthly quote may cost more if cybersecurity, disaster recovery, after-hours support, onsite work, or project planning are missing.
Normalize each MSP proposal before comparing. A quote that includes advanced endpoint protection, backup testing, executive reporting, and quarterly planning is not equivalent to a quote that only includes helpdesk support and basic monitoring.
| Pricing Model | How It Works | What to Watch |
|---|---|---|
| Per user | One monthly fee per supported user | Shared devices, contractors, and seasonal users |
| Per device | Fee based on computers, servers, or network devices | User support may be separate |
| Tiered packages | Different service levels such as basic, standard, advanced | Lower tiers may exclude security or backup |
| Custom managed contract | Scope built around the environment | Requires careful review of assumptions and exclusions |
Ask each MSP to identify one-time onboarding costs, project rates, after-hours rates, onsite fees, licensing costs, hardware costs, third-party charges, and cancellation terms.
A higher monthly fee can be a better value if it includes stronger prevention, faster recovery, clearer reporting, and fewer surprise charges.
Step 6: Validate Backup and Recovery Capability
Backup and recovery capability should be validated before signing because backup failure is often discovered too late. A qualified MSP should explain what is backed up, how often backups run, where backups are stored, who can access them, how restores are tested, and what recovery time is realistic.
The NCSC states that backups are essential to response and recovery and recommends checking what backup arrangements are in place, how often they are tested, where data is stored, who has access, and how services and data would recover from ransomware.
Ask for:
- Backup scope.
- Backup schedule.
- Retention periods.
- Cloud storage location.
- Encryption status.
- Restore test frequency.
- RTO by system.
- RPO by system.
- Local recovery options.
- Cloud recovery options.
Do not accept “we back everything up” as a complete answer. A provider should prove that backups can be restored.
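The list above can be turned into a check rather than a conversation. The script below is an added example, not part of the original article or any backup product: it reads an exported backup-job log and, against the asset inventory from Step 1, reports systems that have no backup job at all, systems whose last good backup is older than their agreed RPO, systems whose most recent run failed, and systems that have never had a successful restore test or whose last test is stale. The log line format, the inventory and RPO values, the 30-day restore-test interval and the reference time are all assumptions made for this example.

```python
"""Backup evidence check over constructed backup-job log lines.

Added example (not from the original page). It turns the backup questions in
the text (scope, schedule, RPO, restore-test frequency, success and failure)
into a check a buyer can run over an exported report. The log format, the
inventory, the RPO values, the restore-test interval and AS_OF are assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumption: the asset inventory from Step 1, with the RPO agreed per system.
INVENTORY_RPO_HOURS = {"FS01": 24, "SQL01": 4, "M365": 24, "DC01": 24}
MAX_RESTORE_TEST_AGE = timedelta(days=30)   # assumption: test restores monthly
AS_OF = datetime(2024, 6, 14, 12, 0)        # assumption: when the report was pulled

# Assumed export format: "<ISO timestamp> job=<system> type=<kind> status=<result>"
LOG_LINE = re.compile(
    r"^(\S+) job=(\S+) type=(backup|restore_test) status=(success|failed)$"
)

# Constructed sample export (not real data).
SAMPLE_LOG = """\
2024-06-13T01:00:00 job=FS01 type=backup status=success
2024-06-14T01:00:00 job=FS01 type=backup status=success
2024-05-20T09:00:00 job=FS01 type=restore_test status=success
2024-06-14T00:00:00 job=SQL01 type=backup status=success
2024-06-14T04:00:00 job=SQL01 type=backup status=failed
2024-06-14T08:00:00 job=SQL01 type=backup status=failed
2024-06-12T02:00:00 job=M365 type=backup status=success
2024-06-13T02:00:00 job=M365 type=backup status=success
2024-06-14T02:00:00 job=M365 type=backup status=success
2024-03-01T10:00:00 job=M365 type=restore_test status=success
"""


def parse_log(text):
    """Return (timestamp, job, kind, status) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # real exports carry headers and blank lines
        ts, job, kind, status = m.groups()
        events.append((datetime.fromisoformat(ts), job, kind, status))
    return events


def backup_findings(events, inventory, now):
    """List of (system, finding_code, detail) for every system in the inventory."""
    findings = []
    by_job = {}
    for ts, job, kind, status in events:
        by_job.setdefault(job, []).append((ts, kind, status))

    for system, rpo_hours in inventory.items():
        rows = sorted(by_job.get(system, []))
        if not rows:
            # Coverage gap: the inventory says this system matters, the export
            # has never heard of it. "We back everything up" fails here.
            findings.append((system, "NOT_BACKED_UP", "no backup job found in export"))
            continue

        backups = [(ts, st) for ts, k, st in rows if k == "backup"]
        successes = [ts for ts, st in backups if st == "success"]
        if not successes:
            findings.append((system, "NO_GOOD_BACKUP", "no successful backup in export"))
        else:
            age = now - successes[-1]
            if age > timedelta(hours=rpo_hours):
                findings.append((system, "RPO_EXCEEDED",
                                 f"last good backup {age} ago, agreed RPO {rpo_hours}h"))
        if backups and backups[-1][1] == "failed":
            findings.append((system, "LAST_RUN_FAILED",
                             f"most recent job at {backups[-1][0]:%Y-%m-%d %H:%M} failed"))

        tests = [ts for ts, k, st in rows if k == "restore_test" and st == "success"]
        if not tests:
            findings.append((system, "NEVER_RESTORE_TESTED", "no successful restore test"))
        elif now - tests[-1] > MAX_RESTORE_TEST_AGE:
            findings.append((system, "RESTORE_TEST_STALE",
                             f"last restore test {(now - tests[-1]).days} days ago"))
    return findings


if __name__ == "__main__":
    for system, code, detail in backup_findings(parse_log(SAMPLE_LOG), INVENTORY_RPO_HOURS, AS_OF):
        print(f"{system:6} {code:22} {detail}")
```

In the sample, FS01 is clean, SQL01 has a backup that is technically succeeding sometimes but has drifted past its four-hour RPO with two failed runs on top, M365 has backups but no restore test in over three months, and DC01 is in the inventory but absent from the export. A provider that can hand over an export like this and walk through each finding is demonstrating what the text asks for; one that cannot produce the export is the red flag the next sentence describes.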
Step 7: Assess Communication and Reporting
Communication quality is a major MSP selection factor because IT problems become business problems when expectations are unclear. A strong MSP should provide clear ticket updates, escalation paths, incident notices, monthly reports, risk reviews, and plain-language recommendations for non-technical decision-makers.
The NCSC says a reputable MSP should clearly articulate services, policies, and responsibilities, and that open communication about security incidents and response is critical to maintain trust.
Ask for a sample monthly report. It should include:
- Ticket volume.
- Response performance.
- Recurring issues.
- Patch status.
- Backup success and failures.
- Security alerts.
- Hardware risks.
- Cloud license usage.
- Completed work.
- Recommended next steps.
- Decisions required from leadership.
Communication should be proactive. If you only hear from the MSP when something breaks or an invoice is due, the provider is not acting as a strategic partner.
Step 8: Review Contract Terms and Responsibility Boundaries
An MSP contract should clearly define what the provider manages, what the client remains responsible for, how incidents are reported, how liability is handled, what third parties are involved, what reports are delivered, and what happens when the agreement ends. Ambiguous contracts create operational and legal risk.
The NCSC recommends that MSP contracts clearly specify what is and is not included, define roles and responsibilities, agree on incident reporting procedures, establish liability terms, and include technical reporting. It also recommends a responsibility matrix showing what the MSP does and what remains with the customer.
| Contract Area | What to Check |
|---|---|
| Scope | Covered systems, users, locations, cloud platforms, and services |
| Exclusions | Licensing, equipment, projects, onsite work, after-hours support |
| Responsibilities | MSP responsibilities versus client responsibilities |
| Incident reporting | Who is notified, when, and through which channel |
| Liability | Accountability for vulnerabilities, downtime, data loss, and third parties |
| Data handling | Where data is stored, who can access it, and how it is protected |
| Subcontractors | Whether third parties help deliver service |
| Renewal terms | Auto-renewal, pricing changes, and notice periods |
| Exit clause | Documentation, credentials, data, and transition support |
A contract should make accountability clear before a crisis happens.
Step 9: Ask About Privacy and Compliance Support
An MSP can support privacy and compliance by implementing controls, documenting activity, managing access, monitoring systems, protecting backups, and supporting incident response. However, the business usually remains responsible for legal obligations, so the contract should clarify breach notification, records, reporting, and data-handling responsibilities.
Under PIPEDA, organizations must report breaches of security safeguards involving personal information to the Privacy Commissioner of Canada when it is reasonable to believe the breach creates a real risk of significant harm to an individual. Organizations must also notify affected individuals as soon as feasible and keep records of every breach of security safeguards, whether or not it met the reporting threshold.
Ask MSPs:
- Where is our data stored?
- Where are backups stored?
- Who can access personal information?
- How is privileged access logged?
- How are breach records created?
- Who notifies us during an incident?
- Can you support cyber insurance evidence requests?
- Can you provide audit logs and health reports?
- Do subcontractors access client systems?
- What compliance responsibilities remain with us?
The MSP does not need to be your lawyer, but it should understand how IT operations support privacy, security, and reporting requirements.
MSP Red Flags
MSP red flags include vague SLAs, unclear exclusions, weak cybersecurity answers, no backup testing, no incident response plan, no reporting samples, poor documentation, no references, hidden fees, weak access controls, and reluctance to explain how the provider secures its own systems.
Avoid a provider that:
- Says “everything is included” but will not define scope.
- Cannot explain how administrative access is protected.
- Does not require MFA for privileged accounts.
- Offers backup but cannot show restore testing.
- Has no documented incident response process.
- Cannot provide sample reporting.
- Avoids questions about subcontractors.
- Provides vague pricing with many unknown extras.
- Uses only reactive break/fix support.
- Does not discuss end-of-life systems.
- Cannot provide references.
- Pressures you to sign before reviewing the SLA.
The best MSPs are comfortable with due diligence. They should welcome detailed questions because clear answers protect both sides.
MSP Evaluation Scorecard
An MSP evaluation scorecard helps compare vendors consistently. Score each provider on security, service scope, SLA quality, backup maturity, communication, reporting, references, contract clarity, pricing transparency, and strategic fit. The provider with the highest evidence-based score is usually the safer choice.
Use a 1–5 score for each category.
| Category | Score 1 | Score 5 |
|---|---|---|
| Security maturity | Tool names only, no process | MFA, logging, MDR/EDR, incident response, reporting |
| SLA clarity | Vague response promises | Written priorities, response targets, escalation |
| Backup maturity | Backups exist but untested | Tested restores, RTO/RPO, clear recovery process |
| Communication | Reactive and technical | Proactive, plain-language, business-focused |
| Reporting | No samples | Monthly executive and technical reporting |
| References | None or irrelevant | Similar clients and strong reference calls |
| Contract clarity | Ambiguous scope | Clear inclusions, exclusions, responsibilities |
| Pricing transparency | Hidden extras | Clear monthly fee, project rates, exclusions |
| Strategic fit | Basic support only | Roadmap, lifecycle planning, risk reduction |
| Exit process | Unclear | Data, credentials, documentation, transition support |
Do not rely on the final score alone. A provider with a low security score or unclear contract should not win only because the price is lower.
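The scorecard is more useful when the last rule, that a low security or contract score cannot be outweighed by price, is built into the scoring rather than left to judgement on the day. The script below is an added example, not part of the original article: it applies the 1 to 5 scale from the table, weights the categories, and treats a score below 3 on security maturity or contract clarity as disqualifying regardless of the total. The weights, the knockout thresholds and the three sample providers are assumptions; the point it shows is that the provider with the highest raw total is not always the one that wins.

```python
"""Weighted MSP scorecard with knockout criteria.

Added example (not from the original page). Scores are 1-5 per category as in
the text's scorecard table; weights, knockout thresholds and the sample
providers are assumptions made for this example.
"""

CATEGORIES = [
    "Security maturity", "SLA clarity", "Backup maturity", "Communication",
    "Reporting", "References", "Contract clarity", "Pricing transparency",
    "Strategic fit", "Exit process",
]

# Assumption: security counts triple, the contract and recovery categories double.
WEIGHTS = {c: 1 for c in CATEGORIES}
WEIGHTS.update({"Security maturity": 3, "Backup maturity": 2,
                "SLA clarity": 2, "Contract clarity": 2})

# Assumption: below this score in these categories a provider is out, whatever
# the total. This is the "do not rely on the final score alone" rule.
KNOCKOUTS = {"Security maturity": 3, "Contract clarity": 3}


def score_provider(name, scores):
    """Weighted percentage score plus the knockout categories the provider failed."""
    missing = [c for c in CATEGORIES if c not in scores]
    if missing:
        raise ValueError(f"{name}: unscored categories {missing}")
    bad = {c: v for c, v in scores.items() if not (isinstance(v, int) and 1 <= v <= 5)}
    if bad:
        raise ValueError(f"{name}: scores must be integers 1-5, got {bad}")

    weighted = sum(scores[c] * WEIGHTS[c] for c in CATEGORIES)
    max_possible = 5 * sum(WEIGHTS[c] for c in CATEGORIES)
    failed = [c for c, minimum in KNOCKOUTS.items() if scores[c] < minimum]
    return {
        "name": name,
        "score": round(100 * weighted / max_possible, 1),
        "disqualified": bool(failed),
        "failed_knockouts": failed,
    }


def rank_providers(candidates):
    """Rank with disqualified providers last, then by descending score."""
    results = [score_provider(name, scores) for name, scores in candidates.items()]
    return sorted(results, key=lambda r: (r["disqualified"], -r["score"]))


# Constructed sample scores (not real vendors). Provider A is cheap and polished
# everywhere except security; B is solid across the board; C is merely adequate.
SAMPLE_CANDIDATES = {
    "Provider A": {**{c: 5 for c in CATEGORIES},
                   "Security maturity": 2, "Contract clarity": 3},
    "Provider B": {c: 4 for c in CATEGORIES},
    "Provider C": {c: 3 for c in CATEGORIES},
}

if __name__ == "__main__":
    for r in rank_providers(SAMPLE_CANDIDATES):
        flag = " DISQUALIFIED: " + ", ".join(r["failed_knockouts"]) if r["disqualified"] else ""
        print(f"{r['name']}: {r['score']}%{flag}")
```

Provider A scores 82.7 percent, higher than Provider B's 80.0, but is ranked last because its security maturity score of 2 fails the knockout. Without the gate, a sheet that simply sums the columns would have recommended it.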
Questions to Ask Before Choosing an MSP
The best questions to ask an MSP focus on proof: how the provider secures access, responds to incidents, tests backups, reports performance, handles exclusions, communicates during outages, supports compliance, and transitions clients in or out. Specific questions produce better answers than broad questions about service quality.
Use these questions in vendor interviews:
- What types of clients do you support most often?
- Can you provide references from similar businesses?
- What is included in the monthly fee?
- What is excluded?
- What are your support hours?
- What are your SLA response targets?
- How do you prioritize urgent issues?
- How do you secure admin access?
- Do you require MFA for privileged accounts?
- How do you manage patches?
- How often are backups tested?
- What happens during a ransomware incident?
- Do you provide monthly reporting?
- How do you handle third-party vendors?
- What happens if we cancel?
- How do you onboard a new client?
- How do you document our environment?
- Who owns passwords, documentation, and admin accounts?
- How do you help with cyber insurance requests?
- What would you improve in our first 90 days?
A good MSP should be able to answer these questions clearly, calmly, and specifically.
FAQ: Choosing a Managed Service Provider
What is the most important factor when choosing an MSP?
The most important factor when choosing an MSP is accountability. The provider should clearly define what it manages, how fast it responds, how it protects systems, how it reports performance, how it tests recovery, and what happens during an incident or contract exit.
Price matters, but accountability determines whether the relationship works when systems fail or security risks appear.
How many MSPs should I compare?
Most businesses should compare at least three MSPs using the same scope, questions, and pricing categories. Comparing multiple providers helps reveal differences in cybersecurity maturity, support coverage, backup strategy, reporting quality, exclusions, contract terms, and overall fit.
Do not compare one provider’s basic plan with another provider’s security-focused plan. Normalize scope first.
Should I choose the cheapest MSP?
You should not choose an MSP based only on the cheapest monthly fee. A lower price may exclude cybersecurity, backup testing, after-hours response, onsite support, strategic planning, or project work, which can create higher costs during downtime, breaches, or urgent upgrades.
Choose based on value, risk reduction, and evidence of capability.
What certifications should an MSP have?
Useful MSP certifications may include recognized cybersecurity, cloud, vendor, and service-management credentials. Certifications such as ISO 27001, SOC 2, Cyber Essentials Plus, Microsoft credentials, Sophos partner status, or other vendor certifications can help validate expertise, but they should be confirmed with references and process evidence.
Certifications are trust signals, not a substitute for due diligence.
How do I know if an MSP is secure?
No buyer can verify from the outside that an MSP is secure, but you can judge its security posture by whether it can explain its access controls, MFA requirements, remote management process, logging, patching, endpoint protection, backup testing, incident response, credential handling, and internal security standards, and back each explanation with evidence such as a sample report, a policy, or a certification. The MSP should protect its own systems as carefully as it protects client systems.
Ask how the provider would detect and respond if one of its own tools or accounts were compromised.
What should an MSP contract include?
An MSP contract should include service scope, exclusions, support hours, SLA targets, incident notification, roles and responsibilities, liability terms, reporting requirements, data handling, third-party involvement, renewal language, cancellation terms, and exit support for documentation, credentials, and data.
The contract should reduce ambiguity, not create it.
Should an MSP provide 24/7 support?
An MSP should provide 24/7 monitoring for critical systems when downtime or cyber incidents could harm the business. Full 24/7 live helpdesk support is not always necessary, but after-hours escalation should be defined for security incidents, outages, backup failures, and business-critical systems.
Ask what happens at 2 a.m. if ransomware activity is detected.
What is the difference between an MSP and an MSSP?
An MSP manages broader IT operations such as helpdesk, devices, networks, cloud systems, backup, vendors, and planning. An MSSP focuses on cybersecurity services such as monitoring, threat detection, incident response, vulnerability management, and compliance support. Some providers offer both MSP and security services.
A business with limited internal IT may need both operational support and security monitoring.
How long does MSP onboarding take?
MSP onboarding time depends on the number of users, devices, applications, vendors, locations, security gaps, documentation quality, and backup complexity. A proper onboarding process should include discovery, tool deployment, credential review, documentation, backup validation, monitoring setup, and a first-priority risk review.
Ask for the onboarding plan before signing.
What should I ask MSP references?
Ask MSP references about response quality, communication, billing transparency, outage handling, cybersecurity guidance, backup reliability, project delivery, and whether the provider has improved the environment over time. The best reference questions focus on how the MSP behaves when something goes wrong.
A strong question is: “Tell me about the last serious issue and how the MSP handled it.”
Final Takeaway: How Do You Choose the Right MSP?
Choose the MSP that provides the clearest evidence of security maturity, service reliability, backup readiness, communication quality, contract transparency, and business fit. The right provider should reduce risk, improve visibility, support users effectively, document responsibilities, and help the business make better technology decisions over time.
The best MSP selection process is evidence-based. Define your needs, compare providers against the same criteria, review the SLA, validate security, check references, inspect backup procedures, understand exclusions, and confirm exit terms before signing.