Selecting a managed service provider is one of the most consequential IT decisions a UK business will make. The relationship typically runs for 3–5 years, the provider touches every aspect of your infrastructure, and switching mid-contract is painful and expensive. Get it right, and your IT becomes a genuine competitive advantage — reliable, secure, and aligned with your growth. Get it wrong, and you face slow response times, security gaps, unpredictable costs, and the misery of a poorly managed exit.
The challenge is that most MSPs say broadly the same things in their marketing material. "Proactive," "responsive," "strategic partner" — these are table stakes claims, not differentiators. The only way to separate the genuinely excellent from the merely adequate is to ask the right questions and insist on verifiable, written answers. Here are the 12 that matter most.
Questions 1–3: Technical Capability
1 What certifications and vendor partnerships do you hold?
Certifications matter because they represent externally verified competence. Microsoft Solutions Partner status (formerly Gold/Silver) is the baseline for any provider managing Microsoft 365 or Azure environments. Fortinet partnerships indicate certified network security capability; Cisco, Juniper and Veeam partnerships signal depth in networking and backup respectively. These designations require engineers to pass technical examinations and maintain ongoing training — they are not purchased. A provider without relevant certifications is relying on self-reported competence with no external validation. Ask to see the certificate. Any serious MSP will have these documents readily available.
2 What monitoring tools and RMM platform do you use?
Remote monitoring and management (RMM) is the technical foundation of managed IT. Professional-grade platforms — NinjaRMM, ConnectWise Automate, Datto RMM, Kaseya VSA — provide real-time visibility across your estate, automated patch deployment, scripting capability and alert management. If your prospective MSP cannot name their RMM platform, or relies on ad hoc monitoring through individual vendor consoles, treat that as a serious concern. Equally important: ask who monitors alerts outside of business hours. Monitoring software that generates alerts that nobody acts on until 9am Monday morning provides very limited protection. Ask for a demonstration of the monitoring dashboard for an existing client (redacted) — a confident MSP will oblige.
3 Is cybersecurity built into your service or an optional extra?
In 2026, cybersecurity is not a feature — it is a foundation. Any MSP that still treats security as an optional bolt-on is operating a model built for a threat landscape that no longer exists. The baseline expectation is that managed antivirus and EDR (endpoint detection and response), email filtering, patch management, and firewall management are part of the core managed service. Advanced capabilities — SIEM, SOC, vulnerability scanning, penetration testing — can reasonably be priced additionally. But basic security hygiene must be embedded. Ask specifically: "If a ransomware incident were to occur, what detection and response capability do you have in place as part of our standard contract?"
Questions 4–6: Support and SLAs
4 What are your actual SLA response times — and what happens if you miss them?
An SLA (service level agreement) without a consequence mechanism is a target, not a commitment. The industry standard for a managed IT SLA is a tiered structure: critical incidents (server down, complete connectivity loss) within 15–30 minutes; high-priority incidents (significant user impact) within 1–2 hours; standard issues within 4 hours. What should accompany these targets is a service credit mechanism — if the MSP misses the SLA, they owe you something. This is what makes an SLA a genuine commitment. If your prospective provider uses language like "we aim to" or "our target is" without any financial consequence for missing that target, the SLA is aspirational rather than contractual. Get the SLA terms in the contract schedule, not just in the sales presentation.
5 Who actually answers the phone at 2am?
This is the question that reveals more than almost any other. Plenty of MSPs advertise "24/7 support" without disclosing that their out-of-hours coverage is handled by an outsourced NOC (network operations centre) in a different country, staffed by engineers reading from standardised runbooks who have never seen your environment. That model has its place for simple alerting triage, but if your file server goes down at midnight, you want someone who knows your infrastructure, not someone asking for a ticket number. Ask specifically: who picks up an out-of-hours critical call? Are they the same engineers who manage your account day-to-day? Are they UK-based? The answer tells you a great deal about the real quality of the 24/7 claim.
6 Can I see your actual ticket resolution metrics for the past 90 days?
Any MSP running a professional operation tracks mean time to respond (MTTR) and mean time to resolve across their client base. These numbers are the reality check on every SLA claim in their brochure. A provider consistently hitting sub-30-minute critical response times with 85%+ first-call resolution will share this data without hesitation. A provider who deflects this request — citing client confidentiality, claiming they don't aggregate the data, or simply changing the subject — is almost certainly hiding performance they know won't survive scrutiny. Requesting 90 days of performance data is a reasonable, standard ask. The response tells you everything about how seriously they take accountability.
Questions 7–9: Commercial Terms
7 What exactly is included in the monthly fee — and what isn't?
The managed IT pricing conversation is where the most misunderstandings occur. "Unlimited support" is a phrase that appears in many proposals; in practice, it is almost never genuinely unlimited. On-site visits, project work, out-of-hours calls beyond a defined threshold, hardware procurement, and software licensing are commonly excluded from the standard fee. Get a fully itemised service schedule — not a one-page summary, but a comprehensive list of every service, the scope of each, and explicit confirmation of what falls outside the monthly fee. Pay particular attention to project work: if you are planning a server migration, an office move, or a significant platform change in the next 12 months, clarify how that work will be scoped and priced before you sign the contract.
8 What's the exit process if we want to leave?
How an MSP handles exit tells you a great deal about the confidence they have in their own service quality. A provider who is genuinely good at what they do is not afraid of you leaving — because they know you won't want to. A provider who embeds lock-in mechanisms — withholding credentials, delaying documentation handover, charging excessive exit fees, or simply being obstructive — is using contractual friction as a substitute for service quality. Before signing, read the exit clauses carefully. You should expect: a defined notice period (typically 30–90 days), an obligation on the MSP to hand over all documentation, credentials and access within a defined timeframe, and no punitive transfer charges. If the exit process is difficult on paper, it will be worse in practice.
9 How do you handle annual price increases?
Managed IT contracts typically run for 12–36 months, and most include provision for annual price increases. CPI-linked increases — tied to the Consumer Price Index — are the standard and fair approach; they reflect the real-world cost pressures the provider faces and are predictable for you as a client. What you want to avoid is uncapped discretionary increases — clauses that allow the provider to increase your fee by any amount with a defined notice period. In an inflationary period, that mechanism can be used very aggressively. Insist that any annual increase mechanism references a published index (CPI, RPI) and includes a cap — typically 5–8% — on the annual rise. Get it in the contract body, not an appendix that can be amended unilaterally.
Questions 10–12: Strategic Fit
10 What does your onboarding process look like and how long does it take?
Onboarding is the most revealing phase of any MSP relationship. A thorough onboarding — discovery, documentation, monitoring deployment, configuration baseline, staff communication — typically takes 2–6 weeks depending on the size and complexity of your environment. Providers who claim they can be fully operational within 48 hours are cutting corners that will show up as knowledge gaps and response failures later. The discovery phase should produce a comprehensive asset register and network diagram. The documentation phase should capture all system credentials, vendor contacts, licensing details and configuration specifics. The monitoring deployment should result in full visibility across all endpoints before the old provider is offboarded. Ask for the onboarding project plan in writing before signing.
11 How do you communicate proactively?
The distinction between a reactive IT provider and a strategic partner is largely defined by the quality of proactive communication. At minimum, you should receive a monthly service report covering ticket volumes, SLA performance, patch status and any incidents. Beyond that, quarterly business reviews (QBRs) should give you a forward-looking IT roadmap: what needs to be replaced in the next 12 months, what upgrades are coming, what the security posture looks like, and where your budget should be directed. The gold standard is genuinely proactive communication: your account manager contacts you to say "we noticed a spike in failed login attempts on your M365 tenant last Tuesday and applied conditional access policies — here is what we did." That level of engagement is the difference between a vendor and a partner.
12 Can I speak to three existing clients similar to my business?
References are non-negotiable. Case studies on a website are curated marketing; a direct conversation with an existing client of similar size and sector is real intelligence. Ask for three references — specifically businesses that have been with the MSP for at least 12 months, in a comparable industry, and of a similar headcount to yours. When you speak to them, ask: how do they handle incidents? Do they respond within the SLA they sold you? Are there any recurring issues? Would you sign the contract again knowing what you know now? A single enthusiastic reference might be cherry-picked; three consistent, candid positive references from comparable businesses is a meaningful signal.
Red Flags to Watch For
Beyond the specific answers to the 12 questions above, certain patterns should prompt serious concern regardless of how well the rest of the conversation goes.
- Vague SLA language — "we aim to respond within" is not an SLA commitment
- Billing exclusively by the hour — no predictable cost control; no incentive for the provider to prevent issues
- Resistance to client references — a confident provider with happy clients will never hesitate
- No infrastructure documentation after 6 months — if they don't know your environment, they can't manage it properly
- Outsourced helpdesk for all out-of-hours coverage — particularly if the outsourced team has no access to your documentation
- Offering a proposal before understanding your business — any MSP who quotes without a proper discovery conversation is guessing
- Complicated, punitive exit clauses — lock-in is a sign they don't trust their own service quality
What Great Actually Looks Like
When you find the right MSP, the experience is qualitatively different from the industry average. Here is what the best providers consistently deliver:
- Written, guaranteed SLAs with financial consequences for missing them
- Named account manager who knows your business, plus a 24/7 helpdesk with access to your documentation
- Quarterly business reviews with a forward-looking IT roadmap and budget planning
- Proactive communication — you hear from them before problems escalate, not after
- Transparent pricing with a fully itemised service schedule and no surprise charges
- Cybersecurity integrated into the core service, not treated as a premium upsell
- Fair, documented exit process with full handover of credentials and documentation
The right MSP should feel like an extension of your business — a team that understands your goals, knows your infrastructure, and is genuinely invested in your IT working well. Anything less than that standard is settling for less than you should.
For further context on the cost side of the MSP decision, see our guide to managed IT services pricing in the UK.
Ready to Evaluate Your Options?
Vertex9 provides managed IT services across the UK with written SLAs, named account managers, and quarterly business reviews. Start with a free IT assessment and see exactly what we'd recommend for your business before any commitment.
Our Managed IT Services Get a Free AssessmentFrequently Asked Questions
Should I choose a local or national MSP?
Both can work well. A local MSP can dispatch an engineer quickly; a national MSP typically has deeper bench strength and more specialist resources. The ideal is a provider with national infrastructure and local engineering capability — so you get both fast on-site response and access to a broad team when complex problems arise.
What size MSP should I look for?
A rough guide: your MSP should have at least five engineers for every 100 end-users they support. Below that ratio, you risk slow response times and engineers stretched across too many clients. Ask prospective providers for their engineer-to-user ratio directly — a confident provider will give you a straight answer.
How do I switch MSPs without disruption?
Ensure your contract mandates that your outgoing MSP hands over full documentation, all credentials and system access within a defined period — typically 30 days. A reputable incoming MSP will project-manage the transition, running parallel monitoring during the changeover period to ensure no gaps in coverage during the handover.
Is a cheaper MSP always worse?
Not always, but prices significantly below the UK market rate usually signal one of three things: an offshore helpdesk, no genuine proactive monitoring, or margins too thin to retain qualified engineers. If a quote appears unusually low, ask specifically what is excluded and whether any element of the service is outsourced outside the UK.
How long does MSP onboarding take?
Typically 2–6 weeks for a thorough onboarding: discovery of your environment, documentation of all assets, deployment of monitoring agents, and configuration of alerting. Be cautious of providers claiming to be fully operational within 48 hours — proper onboarding cannot be rushed without creating knowledge gaps that will surface as incidents later.