How to Evaluate MSP Security Practices

Reviewed by the Fully Compliance editorial team. Updated March 2026.

The short answer: Your MSP has administrative access to your systems, so their security posture is your security posture. Evaluate them on documented security policies, privileged access management with MFA, incident response plans with defined notification timelines, SOC 2 Type II certification, employee background checks, and willingness to put security commitments in writing. Evasive answers are disqualifying.


MSP security is the category where competence stops being optional and becomes non-negotiable. This is where many organizations trip up in the evaluation process because security feels abstract — it's hard to evaluate in a sales call, easy to oversell, and difficult to verify without deep expertise. But here's the reality: your MSP has keys to your kingdom. They have administrative access to your systems, privileged credentials for your applications, and visibility into your data. If their security is weak, your security is compromised regardless of how much you spend on firewalls and encryption. If they get breached, you get breached, and you'll be the one explaining to your board, your customers, and your insurance carrier why you trusted someone without adequately vetting them.

Sophos's 2024 Active Adversary Report found that MSP-targeted attacks increased 78% between 2021 and 2024, precisely because attackers understand the leverage gained from compromising one provider to reach hundreds of client environments simultaneously. The Kaseya VSA attack in 2021 demonstrated this at scale — one compromised MSP tool led to ransomware deployment across an estimated 1,500 downstream organizations. This is not theoretical risk. It's documented, recurring, and accelerating.

The good news is that evaluating real security practices isn't that hard if you know what to look for. You don't need to be a security expert — you need to ask specific questions, listen for concrete answers instead of marketing language, and understand what good security actually looks like.

Documented Security Policies Are the Minimum Bar

Start by asking whether the MSP has documented information security policies. A mature organization has written policies covering data protection, access control, incident response, vendor management, and employee security practices. Ask to see them. If they don't have written policies, that's already a disqualifying sign. Security that exists only in someone's head isn't security — it's luck.

Look for specifics when you review the policies. Vague policies are worthless. You want policies that say things like "All user access to customer systems requires authentication with multi-factor authentication" or "All data is encrypted in transit using TLS 1.3 or higher." If a policy is all general statements like "security is important and we take it seriously," it's not a real policy. It's marketing material with a policy label.

Ask about policy enforcement. How do they verify that staff actually follow policies? Do they conduct security training? How often? Do they test whether employees understand and follow policies, or do they assume compliance? A policy that nobody enforces is fiction. An MSP that can tell you "we conduct annual security training and we audit access controls quarterly to verify compliance" takes policies seriously.

Ask when the policies were last reviewed and updated. If a security policy hasn't been reviewed in three years, it's out of date. The threat environment changes constantly and policies must reflect current realities. An MSP that says "we reviewed our policies last year and updated them to address the new CISA guidance" is keeping pace with the industry. One that says "we've had the same policies for five years" is not.

Access Control Failures Cause More Breaches Than Any Other Factor

This is the most important security question because most data breaches and most unauthorized activities trace back to overly broad access or poor access controls. The 2024 Verizon Data Breach Investigations Report found that compromised credentials were involved in 77% of breaches affecting web applications — and MSPs are credential-rich environments by definition. Ask your MSP directly: How do they manage who has access to customer systems? Do they apply the principle of least privilege? Does everyone have administrative access, or do they grant access based on job requirements?

Ask specifically whether they use a privileged access management system. A PAM solution controls, logs, and audits all administrative access to systems — think of it as a security camera for administrative activities. When someone accesses a critical system, the PAM logs who accessed what, when they accessed it, what they did, and how long they stayed. This is non-negotiable for any professional MSP. If they don't have one, that's a red flag. If they do, ask how it works and whether you can get access to logs of activity in your environment.

Ask whether they enforce multi-factor authentication for all administrative access. MFA means they can't get in with a stolen password alone — they need a second factor like a TOTP app or a hardware security key. It's not perfect, but it's substantially more secure than passwords alone. An MSP that doesn't require MFA for admin access is leaving a massive door open.

Ask specifically: Can you see logs of who accessed my systems and when? This is critical because if you need to investigate a security incident, you need to know what happened. An MSP that can't provide detailed access logs is either not logging properly or is hiding something. Both are bad.

Ask about deprovisioning. When someone leaves the MSP, how quickly do they lose access to your systems? The best MSPs remove access within hours. Mediocre ones take days. Bad ones don't remove access at all unless you follow up. A disgruntled former employee with access to customer systems is a major risk. Ask about third-party access as well — if the MSP uses backup vendors, monitoring vendors, or compliance tools, those vendors have access to your systems. Does the MSP manage that access? Are those third parties vetted for security?
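Two of the questions above (is every admin session protected by MFA, and is access actually removed when someone leaves) can be checked directly against the PAM logs you ask the MSP for. The script below is an added example, not from the article or any vendor; it assumes a hypothetical "timestamp key=value" log export, a constructed departures roster, and a four-hour deprovisioning window, which is an assumption since the article only says "within hours".

```python
# Added example (not from the article): audit a PAM-style access log for two
# questions raised above: was every admin session protected by MFA, and did
# anyone who left the MSP keep using access past the deprovisioning window?
from datetime import datetime, timedelta, timezone

# Assumed deprovisioning window; the article says "within hours", no number.
DEPROVISION_GRACE = timedelta(hours=4)

def parse_event(line):
    """Parse one 'timestamp key=value ...' line (hypothetical PAM export format)."""
    ts_str, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    ev["mfa"] = ev.get("mfa") == "yes"
    return ev

def audit(lines, departures):
    """Return (user, timestamp, finding) tuples for policy violations.

    departures maps username -> UTC datetime the person left the MSP.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev["mfa"]:
            findings.append((ev["user"], ev["ts"], "admin access without MFA"))
        left = departures.get(ev["user"])
        if left is not None and ev["ts"] > left + DEPROVISION_GRACE:
            hours = (ev["ts"] - left).total_seconds() / 3600
            findings.append((ev["user"], ev["ts"], f"access {hours:.1f}h after departure"))
    return findings

# Constructed sample data (not real accounts or hosts).
SAMPLE_LOG = [
    "2026-03-02T09:14:00Z user=jdoe action=ssh_admin target=prod-db-01 mfa=yes",
    "2026-03-02T10:02:00Z user=asmith action=rdp_admin target=fileserver mfa=no",
    "2026-03-01T18:05:00Z user=rlee action=ssh_admin target=backup-01 mfa=yes",
    "2026-03-02T20:30:00Z user=rlee action=ssh_admin target=prod-db-01 mfa=yes",
]
DEPARTURES = {"rlee": datetime(2026, 3, 1, 17, 0, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for user, ts, why in audit(SAMPLE_LOG, DEPARTURES):
        print(f"{ts.isoformat()} {user}: {why}")
```

An access by rlee an hour after departure falls inside the grace window and is not flagged; the session 27.5 hours later is.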

The Incident Response Plan Must Exist, Be Documented, and Be Tested

Ask whether the MSP has a documented incident response plan and ask to see it. An incident response plan defines roles and responsibilities, communication processes, investigation procedures, and notification timelines. It covers both incidents affecting the MSP's infrastructure and incidents affecting customer data. If they don't have a plan, they haven't prepared for what to do when something goes wrong — and something will go wrong eventually.

Ask about breach notification. If they discover they've been compromised in a way that might affect your data, how do they notify you? What's their timeline? Within 24 hours is reasonable and shows they take this seriously. Within 72 hours is what regulations require, but that's slow — a lot can happen in three days. If they don't have a defined timeline, that's concerning.

Ask about past incidents. Have they experienced security incidents affecting customer data? If yes, how many? How did they handle them? If they say they've never had any security issues, they're either lying or they don't have visibility into incidents. Neither is reassuring. No organization operating at scale can credibly claim zero incidents — the question is whether they detect them and handle them well.

Ask whether they'll help you respond to incidents in your environment. If you suffer a breach or notice suspicious activity, will the MSP help investigate? Can they provide forensics? A good MSP is a partner in incident response. A bad one points fingers and defends their infrastructure while your systems are being compromised.

Background Checks on All Staff with System Access Are Non-Negotiable

Ask whether the MSP does background checks on all staff with access to customer systems. What level of background check? At minimum, expect criminal background checks. For sensitive industries like healthcare or finance, expect more thorough checks including credit checks for people with financial access.

Ask specifically who's vetted. Does this apply to all employees or just some? There's no reason to exclude anyone with system access from background checks. If they exclude contractors, part-time staff, or offshore personnel, that's a vulnerability they're comfortable with, and you shouldn't be.

Ask about vetting beyond background checks — reference checks, verification that claimed certifications are real, ongoing security training. The more thorough the process, the more seriously they take personnel security. The insider threat remains one of the most difficult risks to mitigate, and rigorous vetting is the first line of defense.

SOC 2 Type II Is the Baseline Organizational Certification

SOC 2 certification is the most important thing to look for at the organizational level. It's not a personal certification — it's a statement from a third-party auditor that the organization has implemented appropriate information security controls. The auditor specifically examines whether the organization's controls address risks to customer data and system availability.

Ask: Do you have SOC 2 certification? Most professional MSPs do. If they don't, ask why. Are they too small? That's potentially acceptable, but then ask when they plan to get it. Are they skeptical of the value? That's a disqualifying sign — it means they don't see security assurance as important to their customers.

Ask whether they have SOC 2 Type I or Type II. Type I means an auditor reviewed their controls at a point in time and confirmed they exist and appear to work. Type II means an auditor verified over six to twelve months that the controls actually operated effectively throughout that period. Type II is more meaningful because it shows controls work day-to-day, not just on the day of the audit.

Ask when their most recent audit occurred. Recent audits are more meaningful than old ones. If the most recent SOC 2 audit was three years ago, a lot has changed. Ask whether they have other certifications like ISO 27001 or HIPAA compliance attestation. ISO 27001 is more comprehensive than SOC 2 and is recognized globally. HIPAA attestation is important if you're in healthcare. These certifications show increasing levels of commitment to security.

Active Threat Monitoring Separates Serious Providers from Checkbox Vendors

Ask whether the MSP actively monitors for threats against their infrastructure. How? What tools do they use? Do they hunt for threats or just react to alerts? A good MSP actively looks for problems rather than just responding to alerts. They have security analysts watching for suspicious activity.

Ask about vulnerability management. Do they scan their systems for vulnerabilities? How often? Do they have a process for remediating vulnerabilities? How quickly? If an emergency vulnerability is disclosed, how fast can they patch? An MSP that tells you "we scan weekly, we have processes for emergency patching, and critical vulnerabilities are patched within 48 hours" is managing risk. One that patches sporadically or doesn't scan is flying blind. The 2024 Mandiant M-Trends report found that the median time from vulnerability disclosure to exploitation has dropped to 5 days — down from 32 days in 2021 — making patching speed a direct measure of security maturity.

Ask about patching processes specifically. Do they patch proactively or wait for customers to request patches? How do they test patches before deploying? If a patch causes problems, what's the rollback process?
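The "critical vulnerabilities patched within 48 hours" commitment is only meaningful if you can measure it, so ask for scan and patch records and check them. The script below is an added example, not the article's or any vendor's code; it assumes constructed scan records with placeholder VULN-* ids, and the SLA figures for non-critical severities are assumptions, since the article only gives the 48-hour critical figure.

```python
# Added example (not from the article): measure an MSP's remediation speed
# against the SLA described above (critical vulnerabilities patched within
# 48 hours) using constructed scan records.  The non-critical SLA values are
# assumptions for illustration, not figures from the article.
from datetime import datetime, timezone
from statistics import median

SLA_HOURS = {"critical": 48, "high": 168, "medium": 720}  # 48h from text; rest assumed

def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2026-03-01T00:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def remediation_report(records, now):
    """Evaluate each scan record against the SLA for its severity.

    records: dicts with "id", "severity", "disclosed", "patched" (None if open).
    Returns (violations, median_hours): violations lists (id, hours_open) that
    exceeded SLA, open findings measured up to `now`; median_hours is the
    median time-to-patch across closed findings.
    """
    violations, closed_hours = [], []
    for r in records:
        start = _ts(r["disclosed"])
        end = _ts(r["patched"]) if r["patched"] else now
        hours = (end - start).total_seconds() / 3600
        if r["patched"]:
            closed_hours.append(hours)
        if hours > SLA_HOURS[r["severity"]]:
            violations.append((r["id"], round(hours, 1)))
    return violations, (median(closed_hours) if closed_hours else None)

# Constructed sample scan data; VULN-* ids are placeholders, not real advisories.
SAMPLE = [
    {"id": "VULN-0001", "severity": "critical",
     "disclosed": "2026-03-01T00:00:00Z", "patched": "2026-03-02T06:00:00Z"},
    {"id": "VULN-0002", "severity": "critical",
     "disclosed": "2026-03-01T00:00:00Z", "patched": "2026-03-04T12:00:00Z"},
    {"id": "VULN-0003", "severity": "high",
     "disclosed": "2026-02-20T00:00:00Z", "patched": "2026-02-24T00:00:00Z"},
    {"id": "VULN-0004", "severity": "critical",
     "disclosed": "2026-03-05T00:00:00Z", "patched": None},
]
NOW = datetime(2026, 3, 8, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    late, med = remediation_report(SAMPLE, NOW)
    print("SLA violations:", late)
    print("median hours to patch (closed findings):", med)
```

Still-open findings count against the SLA from the moment they pass it, so an unpatched critical item surfaces as a violation even before it is closed.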

Willingness to Document Security Commitments Is a Critical Signal

A critical signal is whether the MSP is willing to document security commitments. If you ask for documentation of security practices and they provide it thoughtfully and completely, that's positive. If they're cagey, evasive, or incomplete, that's a warning sign.

Ask: Will you sign a data security addendum? A DSA commits the MSP to specific security practices in writing. It's particularly important if you're in regulated industries like healthcare or finance. An MSP that will sign a DSA has thought through security commitments and is confident they can meet them. One that refuses is concerning.

Ask for specific commitments in writing: "We will maintain SOC 2 Type II certification at all times." "We will enforce multi-factor authentication for all administrative access." "We will notify you of security incidents affecting your data within 24 hours." If they won't commit to these basics in writing, the answer will tell you something important about whether they actually maintain these practices.

If you're in healthcare, ask whether the MSP understands HIPAA and what they do to support your compliance. If you're in finance, ask about PCI DSS and SOC compliance requirements. A good MSP is already familiar with your industry's compliance framework and can discuss what they do to support your compliance efforts. If they're unfamiliar with your industry's requirements, they're not positioned to serve you. They should have experience with organizations like yours and be able to provide references.

Security is where MSP quality becomes non-negotiable. A mediocre MSP might be tolerable for basic IT support if you'll work around their limitations. A mediocre MSP handling your security is unacceptable — you're trusting them with the crown jewels. The MSP that answers thoughtfully, provides documentation, and acknowledges where they're not perfect is more trustworthy than one that claims everything is fine. The one that gets defensive or evasive when pressed on security is one you should cross off your list.


Frequently Asked Questions

Why does my MSP's security matter if I have my own security tools?
Because your MSP has administrative access to your systems. They can bypass your firewalls, access your data, and make changes to your infrastructure. If an attacker compromises the MSP, they inherit those same privileges across every client environment the MSP manages. Your security tools protect you from external threats, but they don't protect you from a compromised trusted partner with admin credentials.

What is the minimum security certification an MSP should have?
SOC 2 Type II is the baseline for any MSP handling customer data or managing customer infrastructure. It means a third-party auditor verified that the MSP's security controls operated effectively over a sustained period. If the MSP doesn't have SOC 2 and can't articulate a credible timeline for obtaining it, that should factor heavily against them in your evaluation.

How do I verify an MSP's security claims?
Ask for their SOC 2 report (they may require an NDA). Review their documented security policies. Ask for specifics about access controls, MFA enforcement, and incident response procedures. Check whether they'll sign a data security addendum committing to specific practices. Cross-reference their claims by asking the same questions of their references. An MSP that provides consistent, detailed answers across all of these channels is likely telling the truth.

What should an MSP's incident response plan cover?
At minimum: roles and responsibilities during an incident, communication procedures between the MSP and affected clients, investigation and containment procedures, notification timelines (24 hours or less for incidents affecting customer data), post-incident review processes, and evidence preservation procedures. The plan should have been tested — an untested plan is an untested hypothesis.

How quickly should an MSP notify me of a security breach?
Within 24 hours of discovering a breach that may affect your data. Regulatory requirements like HIPAA allow up to 72 hours, but that's the legal floor, not a service standard. A lot can happen in three days — continued data exfiltration, lateral movement, evidence destruction. An MSP that commits to 24-hour notification takes your security seriously. One that defaults to the regulatory maximum is doing the minimum.

Should I worry about the MSP's subcontractors and third-party vendors?
Yes. If the MSP uses third-party tools or subcontractors that access your environment, those parties represent additional attack surface. Ask the MSP how they vet their vendors, whether third parties have direct access to customer systems, and whether the MSP contractually requires its vendors to maintain specific security standards. Access you don't know about is risk you can't manage.