10 Questions to Ask Before Signing a Managed IT Contract

Managed IT is one of those services where the gap between a good provider and a bad one becomes painfully clear only after you've signed. A bad MSP doesn't just fail to solve problems — it creates new ones. Here are the questions that separate partners from vendors before you're locked into a contract.

1. What's in scope — and what isn't?

Managed IT contracts vary enormously in what they cover. Some providers include everything: helpdesk, endpoint management, security monitoring, backup, vendor management. Others offer a narrow "monitoring only" service and bill everything else as a project. Get a written scope document and ask specifically about the gray areas: printer support, mobile devices, cloud applications, after-hours coverage.

2. What are your response time SLAs by severity?

Every provider will tell you they respond quickly. Ask for it in writing, tiered by severity. A server down that affects the whole business should have a different SLA than a single user who can't print. If the provider can't define their SLAs precisely, that tells you something.

3. How do you handle after-hours emergencies?

IT emergencies don't respect business hours. Ask who answers the phone at 11 PM on a Saturday, what their escalation path looks like, and whether after-hours response is included in your contract or billed as overtime. The answer matters most when your server is down and you need to know now.

4. What security tools and practices are included?

Endpoint detection and response (EDR), multi-factor authentication enforcement, email security, patch management, dark web monitoring — ask what's included versus what requires an add-on. Security should be baked into managed IT, not an upsell.

5. How do you handle backups and can you demonstrate recovery?

Ask for the 3-2-1 breakdown: 3 copies of data, 2 different media types, 1 offsite. Then ask when they last tested recovery and whether they can show you a recovery time for a worst-case scenario. Untested backups are not backups — they're hopes.

6. What's your staff-to-client ratio?

A lean MSP stretched thin across too many clients delivers slow response times and shallow expertise. Ask how many clients each engineer supports. Industry norms are roughly 50–100 endpoints per engineer for fully managed services. Higher ratios mean you're competing for attention during incidents.

7. Do you have experience in my industry?

Healthcare, legal, financial services, and manufacturing all have specific compliance and workflow requirements. An MSP who has never dealt with HIPAA, PCI-DSS, or industrial control systems will learn on your dime — and may create compliance exposures in the process.

8. What does the onboarding process look like?

A structured onboarding — documentation of your environment, asset inventory, security baseline assessment — is a sign of a mature provider. If their onboarding plan is vague, their ongoing management will be too.

9. What are the contract terms and exit provisions?

Multi-year contracts with steep early termination fees are common. Understand your exit path before you sign: how much notice is required, what happens to your data and documentation when you leave, and whether there are "off-boarding" fees.

10. Can I speak with three current clients similar to my business?

Any provider worth engaging will give you references without hesitation. Follow through on the calls — ask specifically about incidents and how the provider responded, not just the day-to-day experience.

Managed IT is a relationship, not a transaction. The best providers are genuinely invested in your business outcomes. Taking the time to ask these questions upfront is the fastest way to find one.