Choosing a Managed Service Provider

The Complete Guide to Selecting, Evaluating, and Working With Your IT Partner

20 min read January 2026

How to find an MSP that protects your business, not just your computers

Published: January 2026

Author: Dead Simple Computing Ltd

Version: 2.0

Based on: NCSC Guidance

Contents

  • Executive Summary
  • Why Getting This Right Matters
  • The 5 Types of MSP — Which Do You Need?
  • Security Certifications Explained
  • The 10 Questions Every MSP Should Answer
  • Contract Essentials — What Good Looks Like
  • Red Flags That Should Make You Walk Away
  • The Complete MSP Evaluation Scorecard
  • Sample RFP Questions — Ready to Use
  • What Should This Cost? Pricing Guide
  • Real-World Scenario: When It Goes Wrong vs Right
  • Working With Your MSP After Signing
  • How DSC Can Help
  • Further Resources

1. Executive Summary

Choosing a Managed Service Provider isn't just a technology decision — it's a business risk decision. Your MSP will have administrator access to your systems, your data, and potentially your customers' information.

The bottom line:

> A good MSP is an extension of your team. A bad MSP is a liability waiting to happen.

This guide gives you everything you need to:

  • ✅ Understand what to look for (and what to avoid)
  • ✅ Ask the right questions before signing
  • ✅ Negotiate a contract that protects you
  • ✅ Evaluate proposals objectively with our scorecard
  • ✅ Build a productive ongoing relationship

Time to read: 15 minutes

Time it could save you: Months of problems with the wrong provider

2. Why Getting This Right Matters

The Access Problem

When you hire an MSP, you're giving them the keys to your kingdom:

| What They Access | Why It's Risky |
|---|---|
| **Domain Admin** | Can access every file, email, and system |
| **Backup Systems** | Can delete or encrypt your backups |
| **Security Tools** | Can disable your defences |
| **Cloud Tenants** | Full control of Microsoft 365, Azure, etc. |
| **Password Managers** | May store your credentials |

This isn't paranoia — it's reality. The NCSC explicitly warns that MSPs are increasingly targeted because compromising one MSP means accessing dozens of clients.

Real Attacks on MSPs

| Year | Attack | Impact |
|---|---|---|
| 2020 | SolarWinds | 18,000+ organisations compromised via MSP software |
| 2021 | Kaseya VSA | 1,500+ businesses hit by ransomware through MSP |
| 2023 | Multiple RMM attacks | Remote monitoring tools weaponised against MSP clients |
| 2024 | Supply chain focus | NCSC warns MSPs now explicitly in scope for regulation |

The Business Case

Getting this wrong costs more than getting it right:

| Scenario | Typical Cost |
|---|---|
| ❌ Ransomware via compromised MSP | £100,000 - £1,000,000+ |
| ❌ Data breach notification and fines | £50,000 - £500,000+ |
| ❌ Business disruption (1 week) | 5-10% annual revenue |
| ✅ Proper MSP due diligence | £2,000 - £5,000 (your time) |

3. The 5 Types of MSP — Which Do You Need?

Not all MSPs are the same. Understanding the categories helps you find the right fit:

Type 1: Break-Fix / Reactive Support

  • Model: You call when something breaks, they fix it
  • Pros: Low monthly cost, pay-per-use
  • Cons: No proactive security, no monitoring
  • Best for: Very small businesses with simple needs
  • Security level: ⚠️ Low

Type 2: Basic Managed Services

  • Model: Monthly fee for monitoring and maintenance
  • Pros: Predictable costs, some proactive work
  • Cons: Limited security focus, basic tools
  • Best for: Small businesses without compliance requirements
  • Security level: ⚠️ Basic

Type 3: Managed IT with Security Focus

  • Model: IT management plus security services
  • Pros: Good security baseline, meets most compliance needs
  • Cons: May not have 24/7 coverage, limited incident response
  • Best for: SMEs with some compliance requirements
  • Security level: ✅ Good

Type 4: MSSP (Managed Security Service Provider)

  • Model: Security-first, often with SOC capabilities
  • Pros: Advanced threat detection, 24/7 monitoring
  • Cons: Higher cost, may not do day-to-day IT
  • Best for: Organisations with significant security requirements
  • Security level: ✅✅ Strong

Type 5: Full-Service MSP/MSSP

  • Model: Complete IT and security under one provider
  • Pros: Single point of accountability, integrated approach
  • Cons: Premium pricing, fewer providers to choose from
  • Best for: Regulated industries, CNI suppliers, defence supply chain
  • Security level: ✅✅✅ Comprehensive

DSC is a Type 5 provider — we handle both your IT operations and security with ISO 27001 and Cyber Essentials Plus certification.

4. Security Certifications Explained

Certifications are the fastest way to filter MSPs. Here's what they actually mean:

Tier 1: Essential (Minimum Standard)

Cyber Essentials Plus

| Aspect | Detail |
|---|---|
| **What it covers** | 5 key security controls tested by external assessor |
| **Validity** | 12 months — must recertify annually |
| **Testing** | Active vulnerability scan + configuration review |
| **Why it matters** | Required for government contracts, proves baseline security |
| **Red flag** | MSP has basic CE but not Plus (no independent verification) |

Tier 2: Comprehensive

ISO 27001

| Aspect | Detail |
|---|---|
| **What it covers** | Complete information security management system |
| **Validity** | 3 years with annual surveillance audits |
| **Testing** | Extensive documentation + implementation audit |
| **Why it matters** | Shows systematic approach to security |
| **Red flag** | "Working towards" ISO 27001 — means they don't have it |

SOC 2 Type II

| Aspect | Detail |
|---|---|
| **What it covers** | Trust principles: Security, Availability, Confidentiality |
| **Validity** | Report covers specific period (usually 12 months) |
| **Testing** | Controls tested over time, not just a snapshot |
| **Why it matters** | Common for cloud/SaaS providers, detailed report available |
| **Red flag** | Only have SOC 2 Type I (point-in-time, not ongoing) |

How to Verify Certifications

| Certification | How to Check |
|---|---|
| Cyber Essentials | NCSC website: ncsc.gov.uk/cyberessentials/search |
| ISO 27001 | Ask for certificate + confirm with certification body |
| SOC 2 | Request the full report (should be provided under NDA) |

5. The 10 Questions Every MSP Should Answer

Don't sign anything until you have clear answers to these questions:

Question 1: What certifications do you hold?

Good answer: "We hold Cyber Essentials Plus (recertified annually) and ISO 27001. Here are the certificates."

Bad answer: "We follow best practices" or "We're working on certification."

Question 2: How quickly do you patch critical vulnerabilities?

Good answer: "Critical patches within 14 days of release. We have automated patching where possible with testing for line-of-business applications."

Bad answer: "We patch during maintenance windows" or "When we get to it."

Why 14 days? This is the NCSC recommendation for critical vulnerabilities.

Question 3: What happens if we get ransomware at 2am on a Saturday?

Good answer: "You call our 24/7 emergency line. We have an incident response process — I can walk you through it. Here's our incident response plan."

Bad answer: "Leave a message and we'll call you Monday" or "That's what insurance is for."

Question 4: Can you show me a backup restore?

Good answer: "Absolutely — we test restores quarterly. Here's our last test report showing recovery time and data integrity verification."

Bad answer: "We've never needed to restore" or "That would take too long."

Critical: If they can't prove they can restore, assume they can't.

Question 5: Who has admin access to our systems?

Good answer: "Only named engineers with individual accounts. We use MFA on all access. When someone leaves, access is revoked immediately. We review access quarterly."

Bad answer: "The team shares an admin account" or "I'd have to check."

Question 6: What security logs do you keep and for how long?

Good answer: "We retain security logs for 12 months minimum in our SIEM. You can access them if needed for investigations or audits."

Bad answer: "We keep logs for 30 days" or "That's included in our advanced package."

Question 7: What happens when we want to leave?

Good answer: "90-day notice period. We provide full documentation, assist with transition, and ensure you have all your data. Here's our exit procedure."

Bad answer: "12-month notice" or "We'd need to discuss that."

Question 8: Do you use sub-contractors?

Good answer: "We handle most work in-house. For specialist areas, we use [named partners] who are vetted to our standards. We're responsible for their work."

Bad answer: "Sometimes we bring in extra help" (vague, no accountability).

Question 9: What's your insurance coverage?

Good answer: "£2M professional indemnity, £5M cyber liability. Here are the certificates."

Bad answer: "We're covered" (no specifics).

Why it matters: If they cause a breach, you need confidence they can pay.

Question 10: Can I speak to a similar client?

Good answer: "Of course — here are three references in your sector."

Bad answer: "Confidentiality prevents that" (unlikely) or long hesitation.

6. Contract Essentials — What Good Looks Like

Your contract is your protection. Here's what to ensure it contains:

Service Levels (SLAs)

| Priority | Definition | Response | Resolution |
|---|---|---|---|
| **P1 Critical** | Complete outage, all users affected | 15 minutes | 4 hours |
| **P2 High** | Major system down, significant impact | 1 hour | 8 hours |
| **P3 Medium** | Partial issue, workaround exists | 4 hours | 24 hours |
| **P4 Low** | Minor issue, single user | 8 hours | 48 hours |

Key clauses:

  • SLA clock starts when YOU report, not when they acknowledge
  • Penalties for repeated SLA breaches
  • SLA reporting included monthly
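The "clock starts when you report" clause is easy to state and easy to lose in a provider's own reporting. The script below is an added example, not part of the original guide or DSC's tooling: it checks a set of tickets against the P1-P4 response and resolution targets in the table above, measuring every interval from the customer's report time, and also computes what the response time would look like if measured from the MSP's acknowledgement instead. The ticket records and timestamps are constructed sample data, and the field names (`reported`, `acknowledged`, `first_response`, `resolved`) are assumptions about how your ticket export is shaped.

```python
from datetime import datetime

# SLA targets from the contract table, in minutes: (response, resolution)
SLA_TARGETS = {
    "P1": (15, 4 * 60),
    "P2": (60, 8 * 60),
    "P3": (4 * 60, 24 * 60),
    "P4": (8 * 60, 48 * 60),
}

# Constructed sample export of one month's tickets (assumed field names).
SAMPLE_TICKETS = [
    {"id": "T1", "priority": "P1", "reported": "2026-01-10T02:00",
     "acknowledged": "2026-01-10T02:20", "first_response": "2026-01-10T02:25",
     "resolved": "2026-01-10T05:30"},
    {"id": "T2", "priority": "P3", "reported": "2026-01-12T09:00",
     "acknowledged": "2026-01-12T09:05", "first_response": "2026-01-12T10:00",
     "resolved": "2026-01-13T08:00"},
    {"id": "T3", "priority": "P2", "reported": "2026-01-14T14:00",
     "acknowledged": "2026-01-14T14:10", "first_response": "2026-01-14T14:30",
     "resolved": "2026-01-15T00:00"},
    {"id": "T4", "priority": "P4", "reported": "2026-01-15T11:00",
     "acknowledged": "2026-01-15T11:00", "first_response": "2026-01-15T12:00",
     "resolved": "2026-01-16T10:00"},
]


def minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def check_ticket(ticket: dict) -> dict:
    """Measure response and resolution from the customer's report time and
    flag breaches against the contract targets for the ticket's priority."""
    response_target, resolution_target = SLA_TARGETS[ticket["priority"]]
    response_min = minutes_between(ticket["reported"], ticket["first_response"])
    resolution_min = minutes_between(ticket["reported"], ticket["resolved"])
    # What a provider would report if it quietly started the clock at
    # acknowledgement: the gap between report and acknowledgement vanishes.
    response_from_ack_min = minutes_between(ticket["acknowledged"],
                                            ticket["first_response"])
    return {
        "id": ticket["id"],
        "priority": ticket["priority"],
        "response_min": response_min,
        "response_from_ack_min": response_from_ack_min,
        "response_breach": response_min > response_target,
        "resolution_min": resolution_min,
        "resolution_breach": resolution_min > resolution_target,
    }


def monthly_report(tickets: list) -> dict:
    """Summarise SLA compliance for the month: a ticket counts as a breach if
    either the response or the resolution target was missed."""
    details = [check_ticket(t) for t in tickets]
    breaches = [d for d in details
                if d["response_breach"] or d["resolution_breach"]]
    total = len(details)
    compliance = 100.0 * (total - len(breaches)) / total if total else 100.0
    return {
        "tickets": total,
        "breaches": len(breaches),
        "breached_ids": [d["id"] for d in breaches],
        "compliance_pct": round(compliance, 1),
        "details": details,
    }


if __name__ == "__main__":
    report = monthly_report(SAMPLE_TICKETS)
    for d in report["details"]:
        print(f'{d["id"]} {d["priority"]}: response {d["response_min"]:.0f} min '
              f'(from ack: {d["response_from_ack_min"]:.0f} min), '
              f'resolution {d["resolution_min"]:.0f} min, '
              f'breach={d["response_breach"] or d["resolution_breach"]}')
    print(f'Compliance: {report["compliance_pct"]}% '
          f'({report["breaches"]} of {report["tickets"]} breached)')
```

On the sample data, ticket T1 is a P1 with a 25-minute response from report but only 5 minutes from acknowledgement, so a provider measuring from acknowledgement would show it as compliant while the contract clause makes it a breach. Running the same script over your own ticket export each month is a cheap way to check the SLA figures the MSP sends you.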

Security Requirements

Your contract should explicitly require:

  • Patching within 14 days of critical release
  • MFA on all administrative access to your systems
  • Background checks on all staff with access
  • Annual penetration test of their infrastructure
  • Incident notification within 24 hours
  • Log retention for minimum 12 months
  • Right to audit their security practices

Reporting

Specify monthly reports covering:

| Report Item | Why It Matters |
|---|---|
| Ticket volume and SLA compliance | Are they meeting commitments? |
| System uptime statistics | Is your infrastructure reliable? |
| Patch compliance percentage | Are systems current? |
| Backup success/failure | Can you actually recover? |
| Security events summary | What threats are you facing? |

Exit Terms

Protect yourself with clear exit provisions:

| Term | Reasonable | Concerning |
|---|---|---|
| Notice period | 30-90 days | 6-12 months |
| Data return | Within 14 days of exit, your format | "After final payment" |
| Documentation | Full handover included | Extra charge for docs |
| Transition support | Reasonable assistance included | Charged at premium rates |

7. Red Flags That Should Make You Walk Away

If you encounter these, find a different provider:

Immediate Walk-Aways 🚫

| Red Flag | Why It's Serious |
|---|---|
| No Cyber Essentials certification | Haven't invested in basic security |
| Shared admin passwords | Fundamental access control failure |
| Won't provide references | Something to hide |
| Pushback on contract specifics | Won't deliver on promises |
| No out-of-hours support option | Attackers don't work 9-5 |
| Can't explain their incident response | Will panic when things go wrong |

Yellow Flags ⚠️ (Investigate Further)

| Yellow Flag | Questions to Ask |
|---|---|
| Very low pricing | What are they not including? |
| Everything is "extra" | What does the base price cover? |
| Reluctance to meet in person | Where are they actually based? |
| Long contract terms (3+ years) | Why lock you in? |
| Very small team | Who's the backup? |
| No website or weak online presence | Are they professional? |

8. The Complete MSP Evaluation Scorecard

Use this scorecard to compare providers objectively. Score each item 0-3:

Scoring:

  • 0 = Not met / Not acceptable
  • 1 = Partially met / Below standard
  • 2 = Met / Acceptable
  • 3 = Exceeded / Best in class

Security & Compliance (Max 21 points)

| Criteria | Score (0-3) |
|---|---|
| Holds Cyber Essentials Plus | |
| Holds ISO 27001 or SOC 2 | |
| Clear patch management commitment (14 days) | |
| 24/7 incident response capability | |
| Backup testing with evidence | |
| MFA enforced on all admin access | |
| Log retention 12+ months | |

Service Delivery (Max 15 points)

| Criteria | Score (0-3) |
|---|---|
| Clear SLAs with defined response times | |
| Out-of-hours support available | |
| Named account manager | |
| Proactive monitoring included | |
| Monthly reporting specified | |

Commercial & Contract (Max 15 points)

| Criteria | Score (0-3) |
|---|---|
| Reasonable notice period (≤90 days) | |
| Clear exit and transition terms | |
| Appropriate insurance coverage | |
| Transparent pricing (no hidden costs) | |
| References provided and verified | |

Technical Capability (Max 12 points)

| Criteria | Score (0-3) |
|---|---|
| Experience in your industry/sector | |
| Expertise in your technology stack | |
| Scalability for your growth plans | |
| UK-based support team | |

Total Score: ___ / 63

| Score | Recommendation |
|---|---|
| 50+ | Strong candidate — proceed to final negotiation |
| 40-49 | Acceptable — negotiate on weak areas |
| 30-39 | Concerns — consider alternatives |
| Below 30 | Not suitable — do not proceed |

9. Sample RFP Questions — Ready to Use

Copy and send these to prospective MSPs:

Company & Credentials

  1. Please provide copies of your current Cyber Essentials Plus and ISO 27001 certificates.
  2. How many staff do you employ? How many are UK-based?
  3. What is your professional indemnity insurance coverage?
  4. What is your cyber liability insurance coverage?
  5. Can you provide three references from organisations similar to ours in size and sector?

Security Practices

  6. What is your policy for patching critical vulnerabilities? What timeframe do you commit to?
  7. How do you secure remote access to client environments?
  8. What background checks do you perform on staff who will access our systems?
  9. Describe your incident response process. What is your notification timeframe?
  10. How long do you retain security logs? Can we access them if required?

Service Delivery

  11. What are your standard SLA response and resolution times by priority?
  12. What hours is your support desk staffed?
  13. Do you provide 24/7 emergency support? Is this included or additional?
  14. What monitoring tools do you use? What is monitored?
  15. What is included in your standard monthly reporting?

Backup & Recovery

  16. What backup solution do you use/recommend?
  17. How frequently are backups performed?
  18. Are backups stored off-site/immutable?
  19. How often do you test backup restores?
  20. What are your Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

Commercial

  21. Please provide detailed pricing including all items (no hidden costs).
  22. What is your minimum contract term?
  23. What is your notice period for termination?
  24. Describe your exit process and what support is provided.
  25. Are there any onboarding or setup fees?

10. What Should This Cost? Pricing Guide

MSP pricing varies significantly. Here's a realistic guide for UK SMEs:

Per-User Pricing (Most Common)

| Service Level | Per User/Month | What's Included |
|---|---|---|
| **Basic** | £30-50 | Monitoring, patching, helpdesk 9-5 |
| **Standard** | £50-80 | Above + security tools, extended hours |
| **Premium** | £80-120 | Above + 24/7 support, advanced security |
| **Comprehensive** | £120-180+ | Above + MDR, vCISO, compliance support |

What Affects Pricing

| Factor | Impact |
|---|---|
| Number of users | Volume discounts typically start at 50+ |
| Complexity of environment | Multiple locations, legacy systems cost more |
| Compliance requirements | Regulated industries need more documentation |
| Service hours | 24/7 vs business hours is significant |
| Security level | Basic AV vs full MDR is major difference |

Hidden Costs to Watch For

| Item | Watch Out For |
|---|---|
| Onboarding | Should be fixed price, not hourly |
| Projects | Any change outside "business as usual" |
| Emergency callout | Out-of-hours incidents |
| Hardware procurement | Markup on devices |
| Software licensing | Markup vs going direct |

What to Expect at Different Company Sizes

| Company Size | Typical Monthly Spend |
|---|---|
| 10 users | £800-1,500 |
| 25 users | £1,800-3,500 |
| 50 users | £3,500-6,500 |
| 100 users | £6,500-12,000 |

Note: These are indicative ranges. Your specific needs may differ.

11. Real-World Scenario: When It Goes Wrong vs Right

Scenario: Friday 5pm Ransomware Attack

Company: 30-user engineering firm, supplies to defence sector

With the Wrong MSP ❌

5:15pm: Staff notice files encrypted. Call MSP — voicemail says "office closed, back Monday."

5:30pm: MD calls MSP owner's mobile. No answer.

6:00pm: Someone finds a generic "cyber incident" number. 45-minute wait. Told "we don't support that client."

Saturday: MSP finally responds. "We'll look at it Monday."

Monday 9am: MSP discovers backups were also encrypted — they weren't tested and used the same network.

Result:

  • 3 weeks to rebuild systems from scratch
  • Lost live projects and client data
  • Defence customer terminates contract
  • ICO fine for data protection failure
  • Business nearly fails

With the Right MSP ✅

5:15pm: Staff notice files encrypted. Call MSP emergency line — answered in 2 minutes.

5:20pm: MSP incident response activated. Affected systems isolated remotely.

5:45pm: MSP confirms immutable backups from 2am are intact and unaffected.

6:30pm: Recovery begins from clean backups.

Saturday 2pm: Core systems restored. Staff can work Monday.

Monday 9am: Full operation. Incident report drafted. ICO notification prepared.

Tuesday: Lessons learned review. Additional controls implemented.

Result:

  • 12 hours disruption (weekend, minimal business impact)
  • No data loss beyond half a day's work
  • Defence customer impressed by response
  • Insurance claim straightforward with documentation
  • Business continues to grow

The £50/month Difference

The price difference between these outcomes? Often just £30-50 per user per month — the difference between a basic MSP and one with proper security.

12. Working With Your MSP After Signing

The relationship doesn't end when you sign. Here's how to get the most from it:

The First 90 Days

| Week | Focus |
|---|---|
| 1-2 | Documentation handover, access provisioning |
| 3-4 | System audit, quick wins identified |
| 5-8 | Security baseline established, monitoring active |
| 9-12 | First monthly review, relationship bedding in |

Ongoing Rhythm

| Frequency | Activity |
|---|---|
| **Weekly** | Check ticket status, any urgent issues |
| **Monthly** | Review reports, discuss any concerns |
| **Quarterly** | Strategic review, upcoming changes, security posture |
| **Annually** | Full relationship review, pricing, contract renewal |

How to Be a Good Client

Yes, this works both ways:

  • Report issues properly — screenshots, error messages, what you were doing
  • Respond to requests — they often need approval to proceed
  • Plan ahead — tell them about projects, new starters, office moves
  • Give feedback — praise good work, raise concerns constructively
  • Pay on time — basic but important for the relationship

Security Partnership

The best MSP relationships are partnerships:

  • Share your risk assessment findings
  • Include them in business continuity planning
  • Conduct annual incident exercises together
  • Review threat intelligence relevant to your sector
  • Attend their security briefings and webinars

13. How DSC Can Help

Dead Simple Computing is a Cyber Essentials Plus and ISO 27001 certified MSP serving UK businesses in regulated industries.

Why Clients Choose Us

| What We Offer | What It Means For You |
|---|---|
| **Cyber Essentials Plus certified** | We meet the baseline you should require |
| **ISO 27001 certified** | Systematic approach to security, not just tools |
| **24/7 UK-based support** | Real help when you need it, not call centres |
| **Patch within 14 days** | Meets NCSC recommended timeframes |
| **Immutable backups** | Ransomware-resistant, tested quarterly |
| **UK SIEM with 12-month retention** | Full audit trail, your data stays in UK |

Services

Managed IT

  • Full IT support and management
  • Microsoft 365 administration
  • Cloud infrastructure management
  • Proactive monitoring and maintenance

Security Services

  • Managed Detection & Response (MDR)
  • Vulnerability management
  • Incident response
  • Penetration testing

Compliance Support

  • Cyber Essentials certification
  • ISO 27001 implementation
  • Supply chain security assessments
  • vCISO and board reporting

Getting Started

Free MSP Health Check

Thinking about changing provider? We offer a free assessment:

  • Review your current MSP contract and services
  • Identify security gaps and risks
  • Provide recommendations (no obligation)
  • Quote for taking over if desired

🌐 deadsimplecomputing.co.uk

14. Further Resources

Standards

  • ISO 27001 — Information security management
  • SOC 2 — Service organisation controls

This guide is based on NCSC guidance, industry best practices, and DSC's experience working with UK organisations. Last updated January 2026.

Quick Reference: MSP Selection Checklist

Print this page and check off as you evaluate:

Before First Meeting

  • Verified Cyber Essentials Plus on NCSC website
  • Checked for ISO 27001 or SOC 2
  • Reviewed their website and online presence
  • Prepared your requirements list

During Evaluation

  • Asked all 10 key questions (Section 5)
  • Completed evaluation scorecard (Section 8)
  • Received and reviewed sample contract
  • Spoken to at least two references
  • Understood full pricing (no hidden costs)

Before Signing

  • Contract includes security requirements
  • SLAs clearly defined with penalties
  • Exit terms acceptable (≤90 days notice)
  • Insurance certificates provided
  • All verbal promises in writing

After Signing

  • Onboarding plan received
  • Emergency contact details confirmed
  • Access handover scheduled
  • First monthly review booked

Good luck with your MSP selection. If you want to talk through your requirements, we're happy to help — even if you don't choose us.