Questions to Ask Potential MSPs

This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. Your specific situation may vary, and you should evaluate any service provider relationship based on your organization's unique requirements.


You're interviewing managed service providers, and you sense you might be in for a long conversation. Good. The MSPs that breeze through sales calls with confident smiles and quick answers aren't necessarily the ones you should hire—they're the ones who've perfected their pitch. What separates a competent vendor from one that will nickel-and-dime you for years is whether they'll actually answer your hard questions and whether their answers reveal honest self-awareness about what they can and can't deliver.

The best MSPs know this. They expect to be interrogated. They've already been through these conversations with other clients and with their insurance carriers. They have answers ready because they take evaluation seriously. The ones that get defensive or treat your questions as an imposition are already telling you something about how they'll handle escalations and problems—which is usually dismissively.

Starting with Service Level Agreements

Service level agreements matter, but most companies treat them like window dressing. An SLA is only valuable if it's specific, measurable, and actually enforced. When you're talking to an MSP, don't ask about SLAs in abstract terms. Ask about what they actually commit to when things go wrong.

Start with response time. Ask what their typical response time is for critical issues versus high-priority issues versus routine requests. "Typical" is more important than "maximum"—best-case response times don't tell you much, but average response time tells you how they actually operate. Push for numbers: "Two hours for critical issues, four hours for high priority, same business day for medium, next business day for routine" is a reasonable framework. If they hedge on this, they're uncomfortable committing to specific timelines, which means they don't reliably meet them.

Then ask about resolution time, not just response time. Responding to your ticket at 2 AM does you no good if the issue doesn't get fixed for three days. Resolution time commitments are rarer because they're harder to guarantee—sometimes the fix is simple, sometimes it requires coordination with vendors or third parties. But a mature MSP will tell you they aim to resolve critical issues within four to eight hours, high-priority within one business day, and everything else within a defined timeline. If they're vague about resolution, understand that you're buying responsiveness, not necessarily rapid fixes.

Ask them for data. Have they actually been meeting these SLAs? Can they provide statistics on their compliance? An MSP that can tell you "we met our critical response SLA 98% of the time last quarter" is already more credible than one that just asserts they're responsive. Ask them to show you, not just tell you. And then ask what happens when they miss. Do customers get credit automatically, or do you have to fight for it? The answer reveals their actual commitment level. An MSP that automatically credits customers when they miss SLAs has built that into their business model and takes these promises seriously. One that makes you request credits is betting you won't bother asking.

Finally, ask what's not covered by the SLA. Every MSP has exclusions—vendor outages, user error, network problems caused by the customer, issues with systems the customer misconfigured. These exclusions can be reasonable, but they can also be a loophole that swallows the rule. An MSP might claim 99% SLA compliance while excluding half the scenarios where you actually need support. Ask them to walk you through what they cover and what they explicitly don't, and press on the gray areas where it's unclear.

Security Practices and the Certifications Behind Them

Your MSP has privileged access to your systems, your data, and your infrastructure. If they get breached, you get breached. If their security is weak, your security is weak, regardless of what you spend on your own security tools. This is non-negotiable territory, and you need to ask questions that reveal whether they take it seriously or just talk about it.

Start with certifications. SOC 2 is the baseline for any IT service provider that handles customer data. If an MSP doesn't have SOC 2 certification, that's a red flag. Don't let them off the hook with "we're very secure, we just haven't done the certification." They've had plenty of time to get it, and most reputable MSPs have. If they're resisting, ask why. Are they too small? Fine, but then they should have a credible roadmap to getting it. Are they skeptical of the value? That's a bad sign—it suggests they don't see security assurance as important to customers. Ask when they plan to get certified. "This year" is reasonable. "We're thinking about it" is not.

Once you understand their certification status, ask to see their SOC 2 report. If they have it, they should provide it (possibly under NDA, but they should be willing). If they won't show it, that's strange and worth exploring. A report is proof that a third-party auditor verified their controls. It's not a guarantee, but it's evidence. If they can't or won't produce it, something's off.

Then ask about specifics that matter for your security. How do they manage administrative access to customer systems? This is the most important question because most breaches trace back to overly permissive access or stolen credentials. You want to hear that they use multi-factor authentication for all admin access, that they use a privileged access management tool to control and log who accesses what, and that they have audit trails showing exactly who made changes in your environment. If their answer is "we have strong password policies," that's not good enough. Passwords alone don't cut it anymore.

Ask about employee vetting. Do they do background checks on all staff with access to customer systems? Which staff? At minimum, everyone with any access to your data should be vetted. If they exclude contractors or part-time staff, that's a vulnerability they're comfortable with, and you shouldn't be. Ask what else they do beyond background checks—reference checks, security training, ongoing monitoring. The more thorough they are, the more seriously they take security.

Ask about incident response. Do they have a documented incident response plan? Have they tested it? If they haven't, they don't really have one—they have an untested hypothesis. Ask what happens if they discover they've been compromised in a way that might affect your data. What's their timeline for notifying you? 24 hours is reasonable. 72 hours is what regulations require, but that's too slow for most scenarios. If they can't articulate a specific timeline, they haven't thought it through.

Staffing Quality and Specialization

MSP quality is fundamentally a people problem. You're not hiring a company; you're hiring the people at that company to understand and manage your environment. High turnover, lack of specialization, and overwork all degrade service quality in ways that are hard to measure until you're already locked into a contract.

Ask about staff tenure and stability. What's the average tenure of their technical team? If the answer is "we have some people who've been here five years and some who are new," that's normal. If the answer is "most of our staff have been here under two years," you're constantly retraining them on your environment, and there's minimal institutional knowledge. Every time a familiar face leaves, you're starting over. Ask specifically about your account. Who would be the primary contact? How long have they been with the company? What's the second-level escalation—who handles the work when your primary contact is busy?

Ask about expertise gaps. What certifications does their team hold? What specializations do they have? If your environment is primarily Microsoft, do they have Azure certifications? If you run a lot of Linux, do they have relevant experience? If your infrastructure is heterogeneous, you need people who can work across platforms. An MSP full of Microsoft specialists is great for a Windows-centric organization but might create blind spots elsewhere.

Ask about the ratio of engineers to customers. This is a subtle signal, but it matters enormously. An MSP with 20 engineers and 200 customers can probably serve you well. The same MSP with 20 engineers and 500 customers is stretched thin. There's a breaking point where you can't deliver quality because people are just putting out fires instead of improving your environment. They might not want to tell you this number—it reveals their capacity limits. But if they're reluctant to discuss how they staff for service delivery, that's itself informative.

Ask whether problems always flow through junior staff or whether you have access to senior expertise when it matters. Every MSP has junior technicians doing first-level support—that's efficient and appropriate. But when a problem gets complicated, does it escalate to someone with deep expertise, or does it get bounced between junior people who are all learning? A mature MSP has senior engineers actively involved in complex work and available for escalation.

Understanding Remote Support and On-Site Availability

How the MSP supports you matters—not every issue can be resolved remotely, and vague commitments around on-site support create expectation gaps.

Ask about the support tools they use. Do they have monitoring agents running on your systems continuously, or do they connect remotely on an as-needed basis? Continuous monitoring is better because it gives them real-time visibility and they can detect problems before they become emergencies. Ask how they secure remote access. If they rely on manual screen-sharing sessions where someone clicks a link and gets access, that's weaker than having permanent agents with secured, logged access. Ask about authentication requirements—do they need your credentials to remote in, or do they use their own authentication? They should use their own.

Now ask about on-site support. Some issues genuinely require hands-on work—hardware failures, network problems that can't be diagnosed remotely, security incidents requiring forensic investigation. Can the MSP provide on-site support? How quickly? Is it included in the base price or billed separately? Do they have technicians distributed geographically who can reach you, or would they have to travel hours to get to your location? This varies by geography and company size—a small MSP in a rural area might not have on-site availability, and that might be acceptable for your needs. But you need to know what you're not getting.

Response time is crucial. Ask them to walk you through what happens when you call with an emergency at 3 AM on a Saturday. Who gets the page? How long before a human responds? What's the chain of escalation if the first person can't solve it? If the answer involves "next business day," you're not getting 24/7 support regardless of what they market. If you need true around-the-clock monitoring and response, make sure you're paying for it and that they can deliver it. Many MSPs don't offer it, and that's fine if you don't need it—but understand what you're actually buying.

Escalation Paths and How They Handle Problems

This is where the MSP's real quality becomes visible. When something goes wrong, how do they respond? Do they investigate, or do they deflect? Do they take responsibility, or do they blame the customer? These patterns start to emerge in how they describe their escalation process.

Ask about their escalation procedure. When you report a problem, who gets notified? How does it move up the chain if initial troubleshooting doesn't resolve it? Is there a clear escalation path, or does it depend on whoever happens to be available? You want clarity—something like "critical issues escalate to the on-call senior engineer within 30 minutes if not resolved at first level."

Ask what happens if the MSP makes a mistake that causes downtime. Do they investigate the root cause? Do they provide a post-incident review explaining what went wrong and how they'll prevent it? Do they compensate you for downtime caused by their errors? An MSP that does post-incident reviews and provides root cause analyses is learning from mistakes. One that just moves on to the next ticket is destined to repeat the same mistakes. Ask whether they track recurring issues and whether they proactively fix root causes or just reactively respond each time the problem surfaces. The difference is enormous.

Ask about accountability specifically. If a known issue keeps happening—say, your backup fails for the same reason once a month—how does the MSP handle that? Do they say "we'll be more careful next time," or do they diagnose the underlying cause and fix it? A reactive MSP keeps responding to symptoms. A mature MSP addresses problems at the root.

Reference Checks and Customer Longevity

Talk to their existing customers, and not only the ones they hand-pick. Ask for references, and make sure they're current customers who've been with the MSP through thick and thin, not just new success stories.

Ask the MSP for references from similar-sized companies in similar industries who've been customers for at least two to three years. Recent customers are useful but might not see the issues that emerge over time. Long-term customers can tell you whether the MSP improves things or just maintains them, whether they're responsive during crises or whether service degrades.

Ask the MSP what percentage of their customers renew their contracts. If it's 80% or higher, that suggests customers are satisfied enough to stay. If it's lower than 60%, something's wrong. Ask what their average customer lifetime is. If it's less than two years, you should understand why. Are they firing bad customers, or are customers leaving because they're unhappy?

When you call references, ask about real experience, not just satisfaction. How responsive is the MSP when they have a problem? Have they ever had a critical issue that required immediate help? How did the MSP handle it? Ask whether the main contact has changed. If you're being told the account manager changed three times in two years, that's a red flag. Institutional knowledge about your environment is important, and constant turnover disrupts it.

Contract Terms and Off-Ramps

Read the contract carefully before you sign, and ask specific questions about the terms that protect you, not the ones that protect them.

Ask about termination. What notice do you have to provide to leave? 30 days is reasonable. 90 days is standard. Six months or longer should trigger skepticism. Is there an early termination fee if you decide to leave before the contract ends? If yes, how much? Some MSPs charge the full remaining contract value, which can be expensive. Others charge a percentage or a flat fee. Understanding this matters because it affects how much it costs to escape if the relationship isn't working.

Ask about contract renewals. Some MSPs use auto-renewal with narrow cancellation windows. You might have to provide written notice 60 or 90 days before renewal, and if you miss that window, you're locked in for another year or three. Ask whether there's an auto-renewal clause and what the notification window is. This isn't a dealbreaker, but you need to know so you don't accidentally renew.

Ask what happens to your data, documentation, and configurations if you leave. Can you export everything? Will they hand over access? Will they help you transition to a new provider? A good MSP makes offboarding relatively clean because they know a good breakup protects their reputation. An MSP that makes this difficult is betting on lock-in instead of retention through service quality.

Finally, ask about scope creep. The contract should specify what's included in the base price and what's billable separately. New user setups, after-hours support, hardware procurement, compliance-related projects—know whether these are included or whether they'll generate extra invoices. If the scope is vague and the MSP interprets it broadly, your bill can grow quickly.

Listening to How They Answer

The questions you ask matter, but how they answer matters more. A good MSP answers directly, acknowledges where they're not the best fit, and provides specifics. If you ask "what's your response time," they'll say "typically four hours for high-priority issues" rather than "we're very responsive." If you ask about certifications, they'll tell you exactly which ones they hold, when they were last audited, and they'll offer to show you the report.

A mediocre MSP uses marketing language. "We focus on customer success." "We follow industry best practices." "We take security very seriously." These phrases mean nothing without specifics behind them. An MSP that won't answer directly, that deflects hard questions, or that gets defensive is revealing something about how they'll operate once you're locked in. The ones that are helpful, honest about limitations, and willing to engage with your concerns are the ones worth trusting.


Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general guidance about evaluating managed service providers. Individual MSP relationships vary—evaluate any provider based on your organization's specific needs and risk profile.