Backup & Disaster Recovery

7 Questions to Ask a Managed IT Provider About Security, Backup and Accountibility

Ensure your managed IT provider is actually protecting your business. Learn the 7 questions you must ask about security, backup, and accountability.

Backup & Disaster Recovery

7 Questions to Ask a Managed IT Provider About Security, Backup and Accountibility

Ensure your managed IT provider is actually protecting your business. Learn the 7 questions you must ask about security, backup, and accountability.

Published:

Three coworkers gathered around a computer screen in an office, reviewing work together.

Most MSP comparisons stay too superficial.

Response times get discussed. Pricing gets compared. Tool names get mentioned.

What often gets missed is the operating model underneath it all.

The right questions should reveal whether security, backup and accountability are actually built into the service, or whether they are bolted on later and owned by nobody in particular.

1. What controls are standard by default, and what is optional?

A strong answer explains what is mandatory in the service model and why.

A weak answer sounds endlessly flexible, because that often means the baseline is negotiable.

2. Who owns patching, identity hygiene, backup and monthly review?

A strong answer names owners, responsibilities and cadence.

A weak answer hides behind “the team handles that”.

3. What evidence do you provide that the controls are actually working?

A strong answer points to reports, review outputs, restore-test evidence, compliance visibility or action logs.

A weak answer relies on reassurance.

4. How do you handle backup, restore approval and testing?

A strong answer distinguishes backup coverage from recovery confidence and explains who approves restores and how testing is evidenced.

A weak answer says backups are in place and leaves it there.

5. How do you manage onboarding, offboarding and access changes?

A strong answer shows process, timing and ownership.

A weak answer treats JML as a collection of ad-hoc tickets.

6. What happens when a device, user or workload does not fit the standard?

A strong answer explains how exceptions are approved, recorded and reviewed.

A weak answer implies every exception is handled informally.

7. What does your monthly review actually cover?

A strong answer goes beyond ticket counts and includes estate health, risk, security posture, backup confidence, open actions and upcoming decisions.

A weak answer is mostly a ticket summary with little operational meaning.

What a weak answer sounds like

Weak answers tend to be vague, reactive and person-dependent. They rely on statements such as “we’re proactive” or “we can do whatever you need” without explaining what is standard, what is evidenced or who owns what.

What a strong answer sounds like

Strong answers are more specific. They describe the default model, show where ownership sits, explain review cadence and give examples of the evidence a client would actually see.

That usually signals a more defensible operating model.

How to use the answers

The goal is not to trap providers.

It is to understand whether the service will reduce ambiguity or simply move it around. A provider that cannot explain standards, ownership and evidence clearly is unlikely to make your environment more supportable over time.

Final thought

The best MSP questions are the ones that expose the operating truth.

They show whether security, backup and accountability are built into the service from the start, or whether they only appear when something goes wrong. For an SME, that difference matters far more than polished sales language.

Book a Security Triage Call

Learn about the Security Baseline Review

More resources

Keep reading

Browse the latest practical guides across Managed IT, Cyber Security, Modern Workplace, and Backup

More resources

Keep reading

Browse the latest practical guides across Managed IT, Cyber Security, Modern Workplace, and Backup

More resources

Keep reading

Browse the latest practical guides across Managed IT, Cyber Security, Modern Workplace, and Backup

For 10-15 seat

Owner-managed SMEs in Sussex & Kent

Who want clarity, stability, and a proper security baseline — start with the free Security Triage Call.

For 10-15 seat

Owner-managed SMEs in Sussex & Kent

Who want clarity, stability, and a proper security baseline — start with the free Security Triage Call.

For 10-15 seat

Owner-managed SMEs in Sussex & Kent

Who want clarity, stability, and a proper security baseline — start with the free Security Triage Call.