Published:

Most MSP comparisons stay too superficial.
Response times get discussed. Pricing gets compared. Tool names get mentioned.
What often gets missed is the operating model underneath it all.
The right questions should reveal whether security, backup and accountability are actually built into the service, or whether they are bolted on later and owned by nobody in particular.
1. What controls are standard by default, and what is optional?
A strong answer explains what is mandatory in the service model and why.
A weak answer sounds endlessly flexible, because that often means the baseline is negotiable.
2. Who owns patching, identity hygiene, backup and monthly review?
A strong answer names owners, responsibilities and cadence.
A weak answer hides behind “the team handles that”.
3. What evidence do you provide that the controls are actually working?
A strong answer points to reports, review outputs, restore-test evidence, compliance visibility or action logs.
A weak answer relies on reassurance.
4. How do you handle backup, restore approval and testing?
A strong answer distinguishes backup coverage from recovery confidence and explains who approves restores and how testing is evidenced.
A weak answer says backups are in place and leaves it there.
5. How do you manage onboarding, offboarding and access changes?
A strong answer shows process, timing and ownership.
A weak answer treats JML as a collection of ad-hoc tickets.
6. What happens when a device, user or workload does not fit the standard?
A strong answer explains how exceptions are approved, recorded and reviewed.
A weak answer implies every exception is handled informally.
7. What does your monthly review actually cover?
A strong answer goes beyond ticket counts and includes estate health, risk, security posture, backup confidence, open actions and upcoming decisions.
A weak answer is mostly a ticket summary with little operational meaning.
What a weak answer sounds like
Weak answers tend to be vague, reactive and person-dependent. They rely on statements such as “we’re proactive” or “we can do whatever you need” without explaining what is standard, what is evidenced or who owns what.
What a strong answer sounds like
Strong answers are more specific. They describe the default model, show where ownership sits, explain review cadence and give examples of the evidence a client would actually see.
That usually signals a more defensible operating model.
How to use the answers
The goal is not to trap providers.
It is to understand whether the service will reduce ambiguity or simply move it around. A provider that cannot explain standards, ownership and evidence clearly is unlikely to make your environment more supportable over time.
Final thought
The best MSP questions are the ones that expose the operating truth.
They show whether security, backup and accountability are built into the service from the start, or whether they only appear when something goes wrong. For an SME, that difference matters far more than polished sales language.

Managed IT Services
Joiner, Mover, Leaver Automation: A Guide for SMEs

Modern Workplace
What Defensible IT Looks Like for a Microsoft 365 SME

Managed IT Services
What a Monthly IT Review Should Include for a 10-25 User SME

Backup & Disaster Recovery
7 Questions to Ask a Managed IT Provider About Security, Backup and Accountibility

Cyber Security