How to Evaluate MSP Security Practices
This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. Your specific situation may vary, and you should evaluate any service provider relationship based on your organization's specific needs and risk profile.
MSP security is the category where competence stops being optional and becomes non-negotiable. This is where many organizations trip up in the evaluation process because security feels abstract—it's hard to evaluate in a sales call, easy to oversell, and difficult to verify without deep expertise. But here's the reality: your MSP has keys to your kingdom. They have administrative access to your systems, privileged credentials for your applications, and visibility into your data. If their security is weak, your security is compromised regardless of how much you spend on firewalls and encryption. If they get breached, you get breached, and you'll be the one explaining to your board, your customers, and your insurance carrier why you trusted someone without adequately vetting them.
The good news is that evaluating real security practices isn't that hard if you know what to look for. You don't need to be a security expert—you just need to ask specific questions, listen for concrete answers instead of marketing language, and understand what good security actually looks like.
Information Security Policies and Procedures
Start by asking whether the MSP has documented information security policies. A mature organization has written policies covering data protection, access control, incident response, vendor management, and employee security practices. Ask to see them. If they don't have written policies, that's already a concerning sign. Security that exists only in someone's head isn't security—it's luck.
Look for specifics when you review the policies. Vague policies are nearly worthless. You want policies that say things like "All user access to customer systems requires authentication with multi-factor authentication" or "All data is encrypted in transit using TLS 1.3 or higher." If a policy is all general statements like "security is important and we take it seriously," it's not a real policy. It's marketing material that's been labeled as a policy.
Ask about policy enforcement. How do they verify that staff actually follow policies? Do they conduct security training? How often? Do they test whether employees understand and follow policies, or do they assume compliance? A policy that nobody enforces isn't a policy—it's fiction. An MSP that can tell you "we conduct annual security training and we audit access controls quarterly to verify compliance" is one that takes policies seriously.
Ask when the policies were last reviewed and updated. If a security policy hasn't been reviewed in three years, it's probably out of date. The threat environment changes constantly and policies should reflect current realities. An MSP that says "we reviewed our policies last year and updated them to address the new CISA guidance" is keeping pace with the industry. One that says "we've had the same policies for five years" is not.
Access Control and Privileged Access Management
This is the most important security question because most data breaches and most unauthorized activities trace back to overly broad access or poor access controls. Access control failures aren't technical failures—they're failures of process and discipline. Ask your MSP directly: How do they manage who has access to customer systems? Do they follow the principle of least privilege? Does everyone have administrative access, or do they grant access based on job requirements?
Ask specifically whether they use a privileged access management system. A PAM solution is software that controls, logs, and audits all administrative access to systems. Think of it as a security camera for your administrative activities. When someone accesses a critical system, the PAM logs who accessed what, when they accessed it, what they did, and how long they stayed. This is non-negotiable for any professional MSP. If they don't have one, that's a red flag. If they do, ask to understand how it works and ask whether you can get access to logs of activity in your environment.
Ask whether they enforce multi-factor authentication for all administrative access. MFA means they can't get in with a stolen password—they need a second factor like a TOTP app on their phone or a hardware security key. It's not perfect, but it's substantially more secure than passwords alone. An MSP that doesn't require MFA for admin access is leaving a massive door open.
Ask specifically: Can you see logs of who accessed my systems and when? This is critical because if you need to investigate a security incident, you need to know what happened. An MSP that can't provide detailed access logs is either not logging properly or is hiding something. Both are bad.
Ask about deprovisioning. When someone leaves the MSP and needs to lose access to your systems, how quickly does that happen? The best MSPs remove access within hours. Mediocre ones might take days. Bad ones might not remove access at all unless you follow up. A disgruntled employee with access to customer systems is a major risk.
Ask about third-party access. If the MSP uses a backup vendor, a monitoring vendor, or a compliance tool, those vendors have access to your systems. Does the MSP manage that access? Are those third parties vetted for security? Does the contract require them to maintain security standards? Access you don't know about is a risk you don't understand.
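As an added example (not from the article or any MSP's own tooling), here is the kind of check you can run once an MSP hands you its PAM export: it flags administrative sessions that skipped MFA and sessions by accounts that should already have been deprovisioned, reporting how many hours late the removal was. The record format, field names, users, hosts and the offboarding roster are all constructed assumptions.

```python
"""Audit constructed PAM-style access records for two checks: admin sessions
without MFA, and access by accounts after their scheduled deprovisioning."""
import json
from datetime import datetime, timezone

# Constructed sample: one JSON record per line, as a PAM export might look.
PAM_LOG = """\
{"ts":"2024-05-01T09:12:00Z","user":"alice","target":"cust-db-01","role":"admin","mfa":true}
{"ts":"2024-05-01T10:30:00Z","user":"bob","target":"cust-fw-02","role":"admin","mfa":false}
{"ts":"2024-05-03T14:05:00Z","user":"carol","target":"cust-app-01","role":"admin","mfa":true}
{"ts":"2024-05-02T08:00:00Z","user":"dave","target":"cust-db-01","role":"readonly","mfa":false}
"""

# Constructed offboarding roster: user -> time by which access should be gone.
OFFBOARDED = {"carol": "2024-05-02T17:00:00Z"}


def parse_ts(s):
    """Parse the UTC timestamp format used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(log_text, offboarded):
    """Return admin sessions without MFA and sessions that occurred after the
    user's scheduled removal, with the lag in hours (rounded to one decimal)."""
    no_mfa, stale_access = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = parse_ts(rec["ts"])
        # Check 1: every administrative session must carry a second factor.
        if rec["role"] == "admin" and not rec["mfa"]:
            no_mfa.append((rec["user"], rec["target"], rec["ts"]))
        # Check 2: no session may postdate the user's deprovisioning deadline.
        if rec["user"] in offboarded:
            removal_due = parse_ts(offboarded[rec["user"]])
            if ts > removal_due:
                lag_h = (ts - removal_due).total_seconds() / 3600
                stale_access.append((rec["user"], rec["target"], round(lag_h, 1)))
    return {"admin_without_mfa": no_mfa, "access_after_offboarding": stale_access}


if __name__ == "__main__":
    for finding, rows in audit(PAM_LOG, OFFBOARDED).items():
        print(finding, rows)
```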
Incident Response and Breach Notification
Ask whether the MSP has a documented incident response plan. Can they provide it? An incident response plan should define roles and responsibilities, communication processes, investigation procedures, and notification timelines. It should cover both incidents that affect the MSP's infrastructure and incidents that affect customer data. If they don't have a plan, they haven't prepared for what to do when something goes wrong—and something will go wrong eventually.
Ask about breach notification. If they discover they've been compromised in a way that might affect your data, how do they notify you? What's their timeline? Within 24 hours is reasonable and shows they take this seriously. Within 72 hours is what regulations require, but that's slow—a lot can happen in three days. If they don't have a defined timeline, that's concerning. They should have thought about this.
Ask about past incidents. Have they experienced security incidents affecting customer data? If yes, how many? How did they handle them? Can they provide examples of incidents that didn't affect customer data but were handled well? If they say they've never had any security issues, they're either lying or they don't have visibility into incidents. Neither is reassuring. No organization can claim zero incidents—the question is whether they detect them and handle them well.
Ask whether they'll help you respond to incidents. If you suffer a breach or notice suspicious activity in your environment, will the MSP help investigate? Can they provide forensics? Can they help with notification and remediation? A good MSP is a partner in incident response. A bad one is someone pointing fingers and defending their infrastructure while your systems are being compromised.
Employee Background Checks and Vetting
Ask whether the MSP does background checks on all staff with access to customer systems. What level of background check? At minimum, you should expect criminal background checks. For sensitive industries like healthcare or finance, you should expect more thorough checks including credit checks for people with financial access.
Ask specifically who's vetted. Does this apply to all employees or just some? There's no reason to exclude anyone with system access from background checks. If they exclude contractors, part-time staff, or offshore contractors, that's a vulnerability they're comfortable with, and you shouldn't be.
Ask about vetting beyond background checks. Do they do reference checks? Drug screening? Verification that claimed certifications are real? Credit checks for staff with financial access? The more thorough, the better. This signals they take personnel security seriously.
Certifications and Third-Party Audits
SOC 2 certification is the most important thing to look for at the organizational level. It's not a personal certification—it's a statement from a third-party auditor that the organization has implemented appropriate information security controls. The auditor specifically examines whether the organization's controls address risks to customer data and system availability.
Ask: Do you have SOC 2 certification? Most professional MSPs do. If they don't, ask why. Are they too small? That's potentially acceptable, but then ask when they plan to get it. Are they skeptical of the value? That's a bad sign.
Ask whether they have SOC 2 Type I or Type II. Type I means an auditor reviewed their controls at a point in time and confirmed they exist and appear to work. Type II means an auditor verified over a period of six to twelve months that the controls actually operated effectively throughout that time. Type II is more meaningful because it shows the controls work day-to-day, not just on the day of the audit.
Ask when their most recent audit occurred. Recent audits are more meaningful than old ones. If the most recent SOC 2 audit was three years ago, a lot could have changed. The threat environment changes rapidly.
Ask whether they have other certifications, such as ISO 27001 or a HIPAA compliance attestation. ISO 27001 is more comprehensive than SOC 2 and it's recognized globally. HIPAA attestation is important if you're in healthcare. These certifications show increasing levels of commitment to security.
Threat Monitoring and Vulnerability Management
Ask whether the MSP actively monitors for threats against their infrastructure. How? What tools do they use? Do they hunt for threats or just react to alerts? A good MSP actively looks for problems rather than only responding to alerts. They have security analysts watching for suspicious activity.
Ask about vulnerability management. Do they scan their systems for vulnerabilities? How often? Do they have a process for remediating vulnerabilities? How quickly? If an emergency vulnerability is disclosed, how fast can they patch? An MSP that can tell you "we scan weekly, we have processes for emergency patching, and critical vulnerabilities are patched within 48 hours" is managing risk. One that patches sporadically or doesn't scan is flying blind.
Ask about patching processes specifically. Do they patch proactively or do they wait for customers to request patches? How do they test patches before deploying? If a patch causes problems, what's the rollback process? Testing is critical because a bad patch can cause as much damage as a vulnerability.
Security Transparency and Willingness to Document
A critical signal is whether the MSP is willing to document security commitments. If you ask for documentation of security practices and they provide it thoughtfully and completely, that's positive. If they're cagey, evasive, or incomplete, that's a warning sign.
Ask: Will you sign a data security addendum? A DSA is a contract document that commits the MSP to specific security practices. It's particularly important if you're in regulated industries like healthcare or finance. An MSP that will sign a DSA has thought through security commitments and is confident they can meet them. One that refuses is concerning.
Ask for specific commitments in writing. Something like "We will maintain SOC 2 Type II certification at all times" or "We will enforce multi-factor authentication for all administrative access" or "We will notify you of security incidents affecting your data within 24 hours." If they won't commit to these basics in writing, understand why. The answer will tell you something important about whether they actually maintain these practices.
Compliance Framework Knowledge
If you're in healthcare, ask whether the MSP understands HIPAA and what they do to support your compliance. If you're in finance, ask about PCI DSS and SOC compliance requirements. If you handle data in the EU, ask about GDPR compliance and data handling practices.
A good MSP will already be familiar with your industry's compliance framework. They'll be able to discuss what they do to support your compliance efforts. If they're unfamiliar with your industry's requirements, that's a red flag. They should have experience with organizations like yours.
Ask specifically: Do you have experience with organizations in my industry? Can you provide references? How do you support compliance audits? Do you provide documentation? Do you participate in our assessments? An MSP that's familiar with your industry and can provide references is better positioned to support your compliance than one that's generic.
The Overall Picture
Security is where MSP quality becomes non-negotiable. A mediocre MSP might be tolerable for basic IT support if you'll work around their limitations. A mediocre MSP handling your security is unacceptable—you're trusting them with the crown jewels. Use these questions to separate vendors that take security seriously from ones that are hoping you don't ask detailed questions. The MSP that answers thoughtfully, provides documentation, and acknowledges where they're not perfect is more trustworthy than one that claims everything is fine. The one that gets defensive or evasive when pressed on security is one you should cross off your list.
Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general guidance about evaluating managed service providers. Individual MSP relationships vary—evaluate any provider based on your organization's specific needs and risk profile.