Choosing the wrong IT partner costs you more than money—think downtime, data risk, and frustrated teams. Use these seven questions to separate real partners from “break/fix” providers and pick support that actually moves the needle.
1) What does your SLA guarantee—in writing?
Why it matters: Fast, predictable response keeps incidents small and staff productive.
Ask for:
- Response & resolution targets by priority (P1, P2, P3)
- Hours covered (8×5, 24×7, bank holidays)
- Escalation path and service credits if they miss targets
Red flags: “We respond ASAP”, vague “priority” definitions, no penalties.
Good looks like: P1 response in 15–30 mins, clear resolution windows, 24×7 option, documented major-incident management.
2) How will you keep us secure and prove it?
Why it matters: UK SMBs face phishing, ransomware, and supply-chain risk.
Ask for:
- Cyber Essentials (or Plus) certification, documented patching cadence
- MFA everywhere, email security (DKIM/DMARC), endpoint protection, backups with immutable copies
- Regular security reporting and user awareness training
Red flags: “We install antivirus”, with nothing said about backups or MFA.
Good looks like: Quarterly security reviews, phishing simulations, tested restores, CIS controls, SIEM/EDR where appropriate.
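A buyer can check part of this list without taking the provider's word for it. The following added example (not from the article or any provider) evaluates DMARC records against the baseline above: an enforcing policy, applied to all mail, with aggregate reports going somewhere. The records are constructed strings of the kind a TXT lookup on `_dmarc.<domain>` returns; the domains are assumed placeholders and no DNS query is made, so it runs offline.

```python
"""Assess DMARC records against a minimum email-security baseline.

Added example; the sample records and domain names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records keyed by (placeholder) domain.
SAMPLE_RECORDS = {
    "good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "broken.example": "v=spf1 include:_spf.example -all",
}

ENFORCING_POLICIES = ("quarantine", "reject")


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when no baseline check failed."""
        return not self.findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record into a dict.

    Tolerates stray whitespace, a trailing ';' and missing '=' fragments.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: str) -> DmarcAssessment:
    """Apply the baseline checks to one record and collect findings."""
    tags = parse_dmarc(record)
    policy = tags.get("p")
    result = DmarcAssessment(domain, policy)

    # A record that is not DMARC at all (e.g. SPF published under _dmarc) fails outright.
    if tags.get("v", "").upper() != "DMARC1":
        result.findings.append("not a DMARC record (missing v=DMARC1)")
        return result

    # p=none only monitors; the baseline wants quarantine or reject.
    if policy not in ENFORCING_POLICIES:
        result.findings.append(
            f"policy p={policy or 'missing'} does not enforce; expect quarantine or reject"
        )

    # pct defaults to 100; anything lower leaves part of the mail flow unprotected.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        result.findings.append(f"pct={pct} applies the policy to only part of the mail flow")

    # Without rua= there are no aggregate reports, i.e. no evidence to review.
    if "rua" not in tags:
        result.findings.append("no rua= address, so aggregate reports go nowhere")

    return result


def assess_all(records: Dict[str, str] = SAMPLE_RECORDS) -> Dict[str, DmarcAssessment]:
    """Assess every record and return the results keyed by domain."""
    return {domain: assess_dmarc(domain, rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for a in assess_all().values():
        status = "OK" if a.enforcing else "CHECK"
        print(f"{a.domain:<18} p={a.policy!s:<10} {status}")
        for f in a.findings:
            print(f"    - {f}")
```

The checks are deliberately narrow: they confirm the published policy matches what a provider claims, not that DKIM signing or SPF alignment is actually working, which the aggregate reports delivered to the `rua=` address are there to show.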
3) What’s your onboarding plan for the first 60–90 days?
Why it matters: A structured start avoids months of fire-fighting.
Ask for:
- Asset & access discovery (devices, SaaS, admin accounts)
- Baseline health check (patching, backups, security gaps)
- Runbook creation (how your environment works, who to call, change freeze rules)
- “Quick wins” list with dates
Red flags: “We’ll see when we start.”
Good looks like: A week-by-week plan, named roles, and a first-month improvement report.
4) How do you prevent issues, not just fix them?
Why it matters: Prevention = fewer tickets, lower cost, happier staff.
Ask for:
- Proactive monitoring & patching, hardware lifecycle, capacity planning
- Standard images/builds, Autopilot/Intune or similar device management
- Change control and maintenance windows
Red flags: All energy on helpdesk, nothing on maintenance.
Good looks like: Monthly maintenance calendar and trend reports showing ticket reduction over time.
5) Can you support our hybrid work & cloud stack?
Why it matters: Most UK teams mix Microsoft 365, VPNs, line-of-business apps, and remote devices.
Ask for:
- Microsoft 365/Entra ID expertise, OneDrive/SharePoint governance
- Secure remote access (Zero Trust/ZTNA or modern VPN with MFA)
- Experience with your key apps (Sage, Xero, industry tools, VoIP)
Red flags: “We mainly do on-prem servers.”
Good looks like: Clear reference projects migrating, securing, and supporting hybrid environments.
6) What do you measure and share with us every month?
Why it matters: You can’t improve what you don’t measure.
Ask for:
- Ticket volumes by type, MTTR, first-contact resolution, device compliance, patch success, backup status, security incidents blocked
- Executive summary + technical appendix, actions for next month
Red flags: No data at all, or only vanity metrics.
Good looks like: A concise dashboard plus a 30-minute monthly review focused on outcomes (fewer incidents, faster onboarding, better uptime).
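The metrics in this section and the SLA targets from question 1 can be recomputed from a ticket export, which is the simplest way to tell a real report from a vanity one. The following added example (not from the article or any MSP) does that over a constructed month of tickets: volume by category, mean time to resolve, first-contact resolution rate, and SLA compliance by priority. The SLA targets are assumptions chosen to match the "good looks like" figures above; real data would come from the provider's ticketing tool.

```python
"""Recompute monthly service metrics from a ticket export.

Added example; the tickets and SLA targets below are constructed/assumed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Tuple

# Assumed SLA targets per priority: (response target, resolution target).
SLA_TARGETS = {
    "P1": (timedelta(minutes=30), timedelta(hours=4)),
    "P2": (timedelta(hours=2), timedelta(hours=8)),
    "P3": (timedelta(hours=8), timedelta(days=3)),
}


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    priority: str
    category: str
    opened: datetime
    first_response: datetime
    resolved: datetime
    touches: int  # agent interactions before resolution; 1 == first-contact resolution


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample export for one month (not real tickets).
SAMPLE_TICKETS: List[Ticket] = [
    Ticket("T1", "P1", "outage", _t("2024-03-04T09:00"), _t("2024-03-04T09:10"), _t("2024-03-04T11:30"), 3),
    Ticket("T2", "P1", "outage", _t("2024-03-12T02:00"), _t("2024-03-12T02:50"), _t("2024-03-12T05:00"), 4),
    Ticket("T3", "P2", "email",  _t("2024-03-05T10:00"), _t("2024-03-05T10:30"), _t("2024-03-05T12:00"), 1),
    Ticket("T4", "P3", "access", _t("2024-03-06T14:00"), _t("2024-03-06T14:30"), _t("2024-03-06T15:00"), 1),
    Ticket("T5", "P3", "access", _t("2024-03-07T09:00"), _t("2024-03-07T18:00"), _t("2024-03-08T11:30"), 2),
    Ticket("T6", "P2", "email",  _t("2024-03-20T08:00"), _t("2024-03-20T08:15"), _t("2024-03-20T09:00"), 1),
]


def sla_compliance(tickets: List[Ticket]) -> Tuple[Dict[str, Dict[str, int]], List[str]]:
    """Count, per priority, how many tickets met the response and resolution targets.

    Returns the per-priority table and the ids of tickets that missed either target.
    """
    per: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"total": 0, "response_met": 0, "resolution_met": 0}
    )
    breaches: List[str] = []
    for t in tickets:
        if t.priority not in SLA_TARGETS:
            raise ValueError(f"{t.ticket_id}: unknown priority {t.priority!r}")
        resp_target, res_target = SLA_TARGETS[t.priority]
        row = per[t.priority]
        row["total"] += 1
        resp_ok = (t.first_response - t.opened) <= resp_target
        res_ok = (t.resolved - t.opened) <= res_target
        row["response_met"] += int(resp_ok)
        row["resolution_met"] += int(res_ok)
        if not (resp_ok and res_ok):
            breaches.append(t.ticket_id)
    return dict(per), breaches


def monthly_report(tickets: List[Ticket]) -> dict:
    """Build the headline numbers a monthly review should be able to back up."""
    if not tickets:
        raise ValueError("no tickets in export")
    sla, breaches = sla_compliance(tickets)
    resolve_hours = [(t.resolved - t.opened).total_seconds() / 3600 for t in tickets]
    return {
        "volume_by_category": dict(Counter(t.category for t in tickets)),
        "mttr_hours": mean(resolve_hours),
        "fcr_rate": sum(1 for t in tickets if t.touches == 1) / len(tickets),
        "sla": sla,
        "breaches": breaches,
    }


if __name__ == "__main__":
    report = monthly_report(SAMPLE_TICKETS)
    print(f"Volume by category : {report['volume_by_category']}")
    print(f"MTTR (hours)       : {report['mttr_hours']:.1f}")
    print(f"First-contact fix  : {report['fcr_rate']:.0%}")
    for prio, row in sorted(report["sla"].items()):
        print(f"{prio}: {row['response_met']}/{row['total']} response, "
              f"{row['resolution_met']}/{row['total']} resolution within target")
    print(f"SLA breaches       : {report['breaches']}")
```

MTTR is a mean, so a single long-running P3 (T5 here) pulls it up; when a provider's report shows only MTTR, ask for the per-priority SLA table as well, since that is where the credits in question 1 are decided.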
7) What’s your pricing model and what’s included?
Why it matters: Clarity avoids surprise bills.
Ask for:
- Per-user vs per-device pricing, add-ons (after-hours, projects), minimums, onboarding fees
- What’s included: support hours, patching, M365 admin, security stack, backup storage, vCIO/strategic time
Red flags: Rock-bottom price with lots of exclusions, or a charge for every minor change.
Good looks like: Transparent per-user plan with a defined security baseline and clear project rates.
Nice-to-have (but powerful) extras
- vCIO / IT Roadmap: Quarterly planning tied to business goals and budget
- Compliance help: ISO 27001 support, data retention, subject access requests (UK GDPR)
- User training: Bite-size videos, phishing drills, new-starter onboarding packs
- Vendor management: One throat to choke for internet/VoIP/software renewals
RFP/shortlist checklist (copy/paste)
- Written SLA with response/resolution times and credits
- Cyber Essentials (or Plus), backups tested, MFA enforced
- 90-day onboarding plan with quick wins
- Proactive maintenance schedule & reports
- Proven Microsoft 365/hybrid experience (ask for references)
- Monthly metrics + review meeting
- Clear pricing with inclusions/exclusions
- vCIO/roadmap and user training options
Sample interview questions (use verbatim)
- “Show us last month’s client report (anonymised). What did you improve?”
- “Walk through your 90-day onboarding for a 50-user firm on Microsoft 365.”
- “How do you verify backups and prove restores work?”
- “What’s your P1 process at 2am on a bank holiday?”
- “Which controls map to Cyber Essentials, and which are outside scope?”
- “How do you standardise and secure new devices?”
- “Give two references of UK clients similar to us.”
Red flags to walk away from
- No written SLA or penalties
- Can’t explain Cyber Essentials or backup testing
- Only reactive support, no roadmap or reporting
- Unclear pricing or heavy reliance on long contracts
- Poor communication, slow presales responses
Example pricing patterns (so quotes make sense)
- Per user, all-inclusive: £60–£120+/user/month depending on hours, security stack, and 24×7 cover
- Co-managed IT: Lower per-user fee, internal IT keeps projects; partner handles monitoring, patching, escalations
- Project fees: Fixed or T&M for migrations, rollouts, audits (expect day-rates for senior engineers/architects)
(These are ballparks; London and 24×7 support trend higher.)
Conclusion
Pick the partner who can prove fast response, real security, a clean onboarding plan, and steady improvement—not just “we’re friendly”. Ask the seven questions, insist on evidence, and you’ll avoid the classic MSP regrets.