Choosing a Managed IT Services Provider: The 12 Questions You Must Ask Before Signing

2/10/2026 · 7 min read


Your current IT situation is probably one of these scenarios:

Scenario A: You have an internal IT person who's overwhelmed and can't keep up with cybersecurity, cloud migrations, and constant user support requests.

Scenario B: You're paying a break-fix IT company by the hour, and every problem costs you hundreds or thousands in unexpected bills.

Scenario C: You have no IT support whatsoever and employees are solving problems with Google searches and hope.

Any of these sound familiar? You're not alone. Most businesses with 50-900 employees eventually realize they need professional IT management but don't have the budget or need for a full IT department.

That's where Managed Service Providers (MSPs) come in. For a predictable monthly fee, an MSP becomes your outsourced IT department—handling everything from help desk support to cybersecurity to strategic planning.

But here's the problem: the MSP industry is enormously varied in quality. Some MSPs are sophisticated operations with specialized expertise. Others are one-person shops running outdated tools who will create more problems than they solve.

After helping hundreds of businesses evaluate and select MSPs, I've learned that the difference between a good MSP and a mediocre one can literally determine whether your business thrives or suffers a catastrophic security breach.

Here are the 12 critical questions you must ask—and the red flags to watch for.

Before We Start: What is a Managed Service Provider?

An MSP is a company that proactively manages your IT infrastructure and end-user systems for a flat monthly fee.

Typical MSP services include:

  • Help desk support for employees

  • Server and network monitoring

  • Patch management and updates

  • Cybersecurity (antivirus, firewall, email security)

  • Backup and disaster recovery

  • Cloud services management

  • Strategic IT planning

  • Vendor management

Key difference from break-fix IT: You pay a predictable monthly fee instead of hourly rates when things break. This incentivizes the MSP to keep things running smoothly (fewer problems = less work for them at the same revenue).

The 12 Critical Questions

1. "What's your average client size and retention rate?"

Why this matters: MSPs that serve 5-person companies operate very differently from those serving 500-person companies. You want an MSP whose sweet spot matches your size.

What to look for:

  • Average client size of 50-500 employees (if you have 200 employees)

  • Client retention rate above 90%

  • At least 10-20 clients similar to your size

Red flags:

  • "We work with everyone from 1 to 10,000 employees" (too generalized)

  • Client retention under 80% (people are leaving for a reason)

  • You'd be their largest or smallest client by far

  • Vague answers about client count

Follow-up question: "Can I speak with 2-3 current clients in my industry and size range?"

2. "Do you have experience in our industry?"

Why this matters: Different industries have different IT needs and compliance requirements.

Healthcare needs: HIPAA compliance, EHR integrations, telehealth platforms

Financial services needs: PCI-DSS, SOC 2, SEC regulations

Legal needs: Document management, e-discovery, confidentiality

Manufacturing needs: OT/IT convergence, CAD/CAM software, supply chain systems

What to look for:

  • At least 3-5 clients in your specific industry

  • Understanding of your industry's compliance requirements

  • Familiarity with industry-specific software

Red flags:

  • "We've never worked with healthcare before, but we're quick learners"

  • Can't articulate industry-specific challenges

  • Generic answers that could apply to any business

3. "What's included in your base service, and what costs extra?"

Why this matters: "All-inclusive" often isn't. Many MSPs advertise low monthly fees but charge extra for everything meaningful.

Standard inclusions should be:

  • Help desk support (unlimited tickets)

  • Monitoring and patch management

  • Basic cybersecurity (antivirus, firewall management)

  • Monthly reporting

  • Strategic planning meetings

Common extra charges (verify if included or not):

  • Backup and disaster recovery

  • Email security

  • After-hours support

  • On-site visits

  • Projects (migrations, new employee setups)

  • Advanced cybersecurity (EDR, SIEM)

  • Cloud management

Red flags:

  • "Everything's included" (it never is—push for specifics)

  • No clear service catalog

  • "We bill projects separately" (can lead to surprise invoices)

  • Extra charges for common requests

Good answer: Detailed service catalog showing exactly what's included, what's add-on, and what's project-based.

4. "What's your response time and resolution SLA?"

Why this matters: "We'll get to it when we can" isn't acceptable for business-critical systems.

What to look for:

  • Critical issues (server down, complete outage): 15-30 minute response, 2-4 hour resolution target

  • High priority (department affected): 1-hour response, same-day resolution target

  • Medium priority (individual user issue): 2-4 hour response, next-day resolution target

  • Low priority (requests, questions): 4-8 hour response

Red flags:

  • No written SLAs

  • Vague commitments ("We respond quickly")

  • SLAs only cover response, not resolution

  • No consequences for missing SLAs

Follow-up question: "What happens if you miss your SLA? Is there a service credit?"

5. "How is your help desk staffed, and what are your support hours?"

Why this matters: You need to know who's answering the phone at 7 AM when your accounting system is down.

What to look for:

  • Dedicated help desk team (not just "whoever's available")

  • Coverage during your business hours

  • Clear escalation path

  • Ticketing system for tracking

  • Remote and on-site capabilities

Red flags:

  • "You'll always work with the same tech" (what happens when they're sick/on vacation?)

  • After-hours goes to voicemail

  • Offshore support only (if you need local support)

  • No ticketing system (they're using email)

Follow-up questions:

  • "What's your average help desk team experience level?"

  • "How do you handle after-hours emergencies?"

  • "Can I call your help desk right now to test response time?"

6. "What's your approach to cybersecurity?"

Why this matters: Security is the #1 reason to hire an MSP. A security breach can destroy your business.

Minimum security stack should include:

  • Next-gen antivirus/EDR on all devices

  • Email security (anti-phishing)

  • Firewall management

  • Patch management

  • Security awareness training

  • Multi-factor authentication enforcement

  • Regular security assessments

  • Backup and disaster recovery

Advanced capabilities to look for:

  • SIEM or security monitoring

  • Vulnerability scanning

  • Penetration testing

  • Incident response plan

  • Cyber insurance assistance

  • Compliance expertise (HIPAA, PCI, etc.)

Red flags:

  • "We install antivirus and call it good"

  • No mention of security training for employees

  • No disaster recovery testing

  • Can't articulate a response plan for ransomware

  • Don't require MFA

Critical question: "When was the last time one of your clients got hit with ransomware, and how did you respond?"

7. "How do you handle vendor relationships and purchasing?"

Why this matters: You need to know if they're recommending solutions based on what's best for you or what pays them the highest commission.

What to look for:

  • Transparent about vendor relationships and commissions

  • Multiple vendor partnerships (not locked into one)

  • Will recommend keeping solutions you already own rather than forcing changes

  • Competitive pricing on hardware/software

Red flags:

  • Push specific vendors aggressively

  • Won't work with technology you already have

  • Mark up hardware 40%+ above retail

  • Require you to purchase everything through them

  • Commission-driven recommendations

Good answer: "We have partnerships with multiple vendors. When you need new solutions, we'll evaluate 2-3 options and explain the pros/cons of each. Yes, we earn commissions, but we disclose those and they're already built into vendor pricing."

8. "Who owns our data and systems?"

Why this matters: Some MSPs make it difficult or expensive to leave.

What to look for:

  • You own all data, systems, and accounts

  • Clear documentation of all systems

  • No proprietary tools that lock you in

  • 30-60 day transition assistance if you leave

  • Clear offboarding process

Red flags:

  • "We build everything in our domain/accounts"

  • Proprietary systems that can't transfer

  • "You can leave anytime, but you'll lose access to everything"

  • No documentation provided

  • Charges to return your own data

Critical question: "If we decide to bring IT in-house or switch MSPs, what's that process and what do we retain?"

9. "What's your disaster recovery and business continuity plan—for YOU?"

Why this matters: If your MSP goes out of business or suffers their own disaster, you're stuck.

What to look for:

  • MSP has their own backup systems

  • Business continuity plan for their operations

  • Documentation accessible to you

  • Cyber insurance coverage

  • Multiple team members trained on your environment

Red flags:

  • "We've never had a problem" (not a plan)

  • Single person knows everything about your systems

  • No documentation

  • Can't articulate their own backup plan

Follow-up: "How many employees can support our account if our primary tech leaves?"

10. "What tools and technology do you use?"

Why this matters: Modern MSPs use professional RMM (Remote Monitoring and Management) tools. Outdated MSPs use consumer-grade tools.

Professional tools to look for:

  • RMM platform (ConnectWise, Datto, Kaseya, NinjaOne)

  • PSA/ticketing system (ConnectWise, Autotask, HaloPSA)

  • Documentation platform (IT Glue, Hudu)

  • Security stack (CrowdStrike, SentinelOne, etc.)

Red flags:

  • Using consumer tools (TeamViewer Free, basic antivirus)

  • No RMM platform

  • "We built our own tools"

  • Can't name their stack

11. "How do you handle strategic IT planning?"

Why this matters: Reactive break-fix is just one part. You need proactive guidance on technology strategy.

What to look for:

  • Quarterly business reviews

  • Technology roadmap aligned with business goals

  • Budget planning assistance

  • Proactive recommendations

  • Lifecycle management (replacing hardware before it fails)

Red flags:

  • "We'll fix whatever breaks"

  • No regular planning meetings

  • Reactive-only approach

  • Can't articulate a strategic planning process

Good answer: "We conduct quarterly technology reviews where we discuss your business goals, upcoming needs, budget planning, and lifecycle management. We provide a 3-year technology roadmap and update it regularly."

12. "Can you provide references from clients you've LOST?"

Why this matters: Current clients will say nice things. Former clients tell the real story.

What to look for:

  • Willingness to provide references (shows confidence)

  • Former clients who left for legitimate reasons (outgrew them, brought IT in-house, relocated)

  • Not a long list of former clients who left angry

Red flags:

  • Refuses to provide any former client references

  • Every former client relationship ended badly

  • Can't explain why clients left

Pricing: What Should You Expect to Pay?

Typical MSP pricing for businesses with 50-900 employees:

Per-user model: $80-200/user/month

  • Includes: monitoring, help desk, basic security, patch management

  • Doesn't include: advanced security, backup, cloud services (usually)

Per-device model: $50-150/device/month

  • Counts servers, computers, network equipment

Hybrid model: Base fee + per-user/device

  • Example: $2,000/month base + $75/user

What affects pricing:

  • Your complexity (simple office vs. multi-location with servers)

  • Support level needed (9-5 vs. 24/7)

  • Security requirements

  • Industry compliance needs

  • Your current state (how much cleanup is needed)

For a 100-person company, expect: $8,000-15,000/month for comprehensive managed services.

Red flags:

  • Drastically cheaper than market rate (you get what you pay for)

  • Price too good to be true (probably is)

  • Won't provide written quote

  • Prices vary wildly when you ask multiple times

The Contract: What to Watch For

Reasonable contract terms:

  • 1-3 year agreement

  • 30-60 day termination notice

  • Clear scope of work

  • Written SLAs

  • Price lock or cap on increases

Red flags:

  • 5+ year contracts

  • Auto-renewal with no easy out

  • Vague scope of work

  • No SLAs in writing

  • Can raise prices without limit

Making Your Decision

After asking these 12 questions to 3-4 MSPs, you'll have a clear picture of who's professional and who's not.

Warning signs to walk away:

  • Vague, evasive answers

  • High-pressure sales tactics

  • Won't provide references

  • Can't articulate their security approach

  • No written SLAs or contract terms

Green lights to move forward:

  • Detailed, specific answers

  • Industry experience

  • Happy client references

  • Professional tools and processes

  • Transparent pricing and contracts

Don't Navigate This Alone

Choosing an MSP is one of the most important technology decisions your business will make. The right partner helps you grow. The wrong one creates nightmares.

At Sigma Technology Consulting, we help businesses evaluate MSPs objectively. We're not an MSP ourselves, so we have no stake in who you choose—we just want you to make an informed decision.

We can help you:

  • Define your IT requirements

  • Develop RFP/evaluation criteria

  • Pre-qualify MSPs based on your needs

  • Attend finalist presentations

  • Review contracts

  • Manage transition if you're switching

Schedule a free IT strategy consultation. We'll help you understand what you actually need and how to find the right MSP partner.