Managed IT Service Evaluation: What to Ask Before You Sign


Your Series A just closed. You have six months to get SOC 2 compliant before your enterprise prospects will even take a meeting. So, you bring in three IT providers for demos. They all have polished decks and say the right things about security. They all promise responsive support and a dedicated team. You go with the one who answered your emails fastest and had the best-looking proposal. 

Twelve weeks later, your CTO asks whether this IT provider has experience working with Drata. Silence on the other end of the line. Turns out their SOC 2 support means they can configure endpoint management and set up accounts. Everything else: the evidence collection, the control mapping, the audit prep, is yours to figure out.

Working in compliance, I hear about this often from prospects coming our way from another provider. The evaluation process was not wrong; the questions simply did not go deep enough.

This post gives you the evaluation questions that surface the difference between a managed IT service provider who looks good in a demo and one who actually holds up under pressure. For the full evaluation framework and a downloadable scoring template, see our Guide to IT Services Vendor Evaluation and Selection. What follows below is the conversation you have once you are in the room.

Why Generic Evaluations Fail Startups

The standard MSP evaluation process goes something like this: gather a few referrals, schedule demos, compare pricing, and choose whoever seemed most capable in the presentation. That works fine if you are a 10-person company that needs help desk support and laptop provisioning. However, it falls apart the moment compliance enters the picture.

A 40-person SaaS company with a SOC 2 audit on the horizon, a remote team spread across time zones, and a stack of 30-plus applications is not a generic small business. The IT provider you choose will have deep access to your infrastructure. Their security posture becomes part of your threat surface. Their compliance expertise, or lack of it, will show up in your audit findings. Their ability to integrate with your tools will determine how much engineering time gets pulled into IT support instead of product work.

According to SecurityScorecard research, at least 36% of data breaches in 2024 originated from third-party compromises. Your IT provider is not a vendor you manage at arm's length. They are a load-bearing partner, and the questions below are designed to evaluate them like one.

Each section covers what to ask and, just as important, what a strong answer sounds like versus a weak one. That second part is where most evaluation guides stop short.

[Image: 5 questions to ask about security]

Security and Compliance: Beyond the Checkbox

Security is the category every MSP claims to prioritize. Separating the ones who mean it from the ones who have a slide about it is where the real evaluation starts. Asking whether a provider holds a SOC 2 certification tells you something. Asking how they support a client who is trying to get one tells you a great deal more.


From a GRC (Governance, Risk, and Compliance) perspective, this is the section I weigh most heavily. A provider who cannot describe your compliance journey in operational terms has not actually done it with a client before.

Questions to ask:

  • Which certifications do you currently hold, such as SOC 2 Type 2, ISO 27001, or HIPAA, and when were they last audited by an independent third party?

  • Have you worked with clients going through their first SOC 2 audit? What does that engagement typically look like on your end?

  • Do you have experience working with compliance automation platforms like Drata? How do you support evidence collection and control mapping?

  • How often do you test backups, and can you share the results of a recent test with a prospective client?

  • Walk me through what happens on your end if one of our endpoints is compromised at 2 am on a Saturday.

What a strong answer looks like

A strong answer names specific certifications, gives the last audit date without hesitation, and describes the compliance workflow in operational terms rather than marketing language. On the SOC 2 question, a provider with real experience will describe the controls they help configure, the evidence they collect on a client's behalf, and how they coordinate with the compliance automation platform. A weak answer is some version of: “We work with a lot of compliance frameworks.”


If the provider is reluctant to share backup test results or does not have a documented incident response procedure for after-hours events, those are signals worth taking seriously. You can check a provider's own security posture before the conversation even starts. Jones IT publishes ours openly through our SafeBase Trust Center. That level of transparency is still rare among MSPs, which itself tells you something about what to expect from providers who do not offer it.

Incident Response: How They Behave When Things Break

Response time SLAs are table stakes. Every MSP will quote you a number, and the number alone tells you almost nothing. What matters is how a provider behaves when something serious goes wrong: whether they communicate proactively or wait for you to chase them, whether they do root cause analysis or just close the ticket, and whether they treat a major incident as something to learn from or something to put behind them as fast as possible.


The thing about incident response is that you cannot assess it from a demo. The only way to get a real read is to ask about a real incident.

Questions to ask:

  • What does your communication cadence look like during an active incident? Who reaches out, how often, and through what channel?

  • After a significant incident is resolved, do you conduct a post-incident review? Can you share an example of one?

  • What was the most significant incident one of your clients experienced in the last 12 months? Walk me through what happened and how you handled it.

  • How do you define and track your time-to-resolution for critical versus non-critical issues?

What a strong answer looks like

The question about their worst recent incident is the most revealing one on this list. A provider who has learned from difficult situations will describe the event clearly, explain what their communication looked like in the moment, and tell you what changed internally afterward. A provider who deflects, gets vague, or cannot recall anything significant is telling you something about how they process failure.


On post-incident reviews: ask to see a real example, even a sanitized one. A provider who runs them will have a template and a process ready to share. A provider who does not will say something like: “We handle it case by case.”

[Image: Data breach origination from third-party statistic]

Stack Compatibility: Will They Work with What You Have

The average Series A company runs 30 to 50 SaaS applications. Some are standard: Google Workspace, Slack, Okta, Zoom. Some are specific to the industry or the team. Your IT provider does not need to be an expert in every tool you use, but they do need a clear and consistent process for handling tools they have not worked with before. The providers who create friction are the ones who treat anything outside their standard toolkit as someone else's problem.


This one matters from a security standpoint, too. Every new tool in your environment is a potential access point, and how a provider assesses and onboards unfamiliar software says a lot about how seriously they take that.

Questions to ask:

  • Which tools in a typical startup stack do you have deep experience with, and how do you define deep?

  • What is your process when a client introduces a new tool you have not worked with before?

  • How do you handle integration support? Is that something your team owns, or does it get handed back to the client or the software vendor?

  • How do you manage SaaS sprawl and shadow IT? What does that look like in practice for a 40-person company?

What a strong answer looks like

A provider with real integration depth will describe a specific intake process for unfamiliar tools, including how they assess security implications before onboarding something new. On shadow IT, a strong answer names the tooling they use to detect unapproved applications and describes how they work with the client to build an actual policy rather than issuing a blanket ban that nobody follows.


A weak answer on the new-tool question: “We can usually figure it out, or we work with whatever the client uses.” That tells you who will be doing the figuring.

Cost Predictability: What the Contract Actually Covers

Hidden costs are where IT provider relationships most often go sideways. The base contract looks reasonable. Then the first project comes along: a new office buildout, an email migration, a network upgrade, and there is suddenly a separate scope of work with its own price tag. This is not inherently dishonest. Projects are a different category from managed services. But if the provider is not upfront about exactly where that line sits, you will keep hitting it in ways that feel like surprises.


I find that the providers who are most transparent about their billing structure are also the ones who are most transparent about everything else. It is a reasonable proxy.

Questions to ask:

  • What is included in the base contract, and what specifically triggers an out-of-scope charge?

  • Can you give me three examples of things clients commonly assume are included that are actually project work?

  • How does billing change as we grow? If we add 10 people and 10 devices in the next six months, walk me through what that looks like on the invoice.

  • Can you walk me through a real invoice for a client of a similar size and complexity to us?

What a strong answer looks like

The real invoice request is the most useful question in this section. A provider with a clean billing model will do it without hesitation, possibly showing a redacted version. The invoice itself reveals more than any contract summary: how granular their tracking is, whether costs are bundled or itemized, and whether there are line items that were not mentioned in the sales conversation.


On the out-of-scope question, a strong answer names specific examples without prompting: email migrations, network infrastructure upgrades, office relocations, and cloud migrations. If the provider is vague about where the boundary is, that boundary will move on you later.

Strategic Fit: Are They Building Toward Where You Are Going

Most IT provider evaluations focus entirely on the present: what do you offer, how fast do you respond, what does it cost? The question almost nobody asks is about the next 18 to 24 months. Where is the provider headed? What is on their roadmap? How are they thinking about the shifts in the technology landscape that will affect your business?


For a startup at Series A or B, this matters more than it might seem. Buying IT support for today is only part of the decision. You are choosing a partner who will be involved when you double your headcount, when you move offices, when you start a SOC 2 or HIPAA program, and increasingly, when your team starts adopting AI tools in ways your security policy has not caught up with yet.


That last one is worth dwelling on. Shadow AI, meaning employees using unapproved AI tools that process company data, is one of the fastest-growing compliance risks I see, and most IT providers do not have a coherent answer for it yet. The ones who do are worth paying attention to.

Questions to ask:

  • Where is your own service roadmap headed over the next 18 to 24 months?

  • How are you currently advising clients on AI governance, specifically around employees adopting AI tools outside of approved channels?

  • What compliance frameworks are you seeing the most demand for from companies at our stage?

  • How do you stay current on changes to the threat landscape and pass that knowledge to clients?

What a strong answer looks like

The AI governance question is the best litmus test in this section right now. Providers who are thinking ahead will have a point of view on shadow AI and will describe the specific guidance they give clients. Providers who are not will offer something vague about staying current with technology trends. The gap between those two answers is wider than it sounds.


On compliance framework demand: a provider working with startups should be seeing significant SOC 2 volume and growing HIPAA demand from health-adjacent companies. If their answer suggests they primarily work with more mature compliance postures, they may not be the right fit for where you are in the journey.

[Image: Responsive vs reactive IT service provider comparison]

Proactive vs. Reactive: The One Exchange That Reveals Everything

Every IT provider will tell you they are proactive, so that claim on its own is not a useful data point. The way to get past it is to ask a question that requires specifics, because you cannot fake specifics the way you can fake a general statement.

The question to ask

Ask this: "Walk me through what a typical month looks like for one of your clients at our size, and tell me specifically what your team initiates versus what the client initiates."

What the two types of answers look like

A reactive provider will describe a support queue. Tickets come in, and the team resolves them. Maybe they mention monitoring alerts. The word that dominates the answer is respond.


A proactive provider will describe a calendar. Scheduled maintenance windows. Monthly or quarterly health reviews. Regular strategic check-ins where they bring recommendations to the client rather than waiting to be asked. They will talk about things they caught before they became problems: a storage capacity issue flagged three weeks before it would have caused an outage, or a software license renewal caught before the deadline passed.


The word that dominates a proactive answer is initiate. If you do not hear it or something close to it, keep that in mind when you score them.

[Image: IT Service Provider Evaluation Scorecard]

How to Score Your IT Provider Evaluation

Running these questions across two or three providers without a consistent way to compare answers makes the exercise harder than it needs to be. Before the first conversation, assign weights to the categories that matter most for your business. For a company with a compliance deadline, security and strategic fit should carry more weight than cost predictability. For a company that has already passed its first audit and is focused on operational efficiency, cost structure and integration depth may move up.

A practical threshold to work from: providers who score above 80 on your weighted criteria are strong candidates for expanded scope or a multi-year agreement. Scores between 60 and 80 warrant a follow-up conversation with specific improvement expectations before signing. But if the score is below 60, keep looking.
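To make the weighting and the 80/60 thresholds concrete, here is a small scorecard calculator. It is an added example written for this post, not the downloadable template from Jones IT. The conventions it assumes are not from the post: each of the five categories is rated 1 to 5 after the conversation, weights are relative numbers normalized to sum to 1, and the weighted mean is scaled to 0 to 100 so the post's tiers apply. The two weight profiles and the three providers' ratings are constructed for illustration.

```python
"""Weighted scorecard for comparing managed IT providers.

Added example for this post, not the Jones IT template. Assumed conventions
(not from the post): categories are rated 1-5, weights are relative and
normalized to sum to 1, and the result is scaled to 0-100 so the post's
"above 80 / 60 to 80 / below 60" thresholds can be applied directly.
"""

CATEGORIES = (
    "security_compliance",
    "incident_response",
    "stack_compatibility",
    "cost_predictability",
    "strategic_fit",
)
MIN_RATING, MAX_RATING = 1, 5

# Illustrative weight profiles (assumed values). A compliance-deadline buyer
# weights security and strategic fit more heavily; a post-audit buyer shifts
# weight toward cost structure and integration depth, as the post suggests.
WEIGHTS_COMPLIANCE_DEADLINE = {
    "security_compliance": 35,
    "incident_response": 20,
    "stack_compatibility": 15,
    "cost_predictability": 10,
    "strategic_fit": 20,
}
WEIGHTS_POST_AUDIT = {
    "security_compliance": 20,
    "incident_response": 20,
    "stack_compatibility": 25,
    "cost_predictability": 25,
    "strategic_fit": 10,
}


def normalize_weights(weights):
    """Check that every category has a positive weight and scale them to sum to 1."""
    if set(weights) != set(CATEGORIES):
        raise ValueError(f"weights must cover exactly {CATEGORIES}")
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def weighted_score(ratings, weights):
    """Return the 0-100 weighted score for one provider's 1-5 category ratings."""
    if set(ratings) != set(CATEGORIES):
        raise ValueError(f"ratings must cover exactly {CATEGORIES}")
    for name, rating in ratings.items():
        if not MIN_RATING <= rating <= MAX_RATING:
            raise ValueError(f"{name}: rating {rating} outside {MIN_RATING}-{MAX_RATING}")
    norm = normalize_weights(weights)
    weighted_mean = sum(norm[name] * ratings[name] for name in CATEGORIES)  # 1..5
    return round(weighted_mean / MAX_RATING * 100, 2)


def classify(score):
    """Map a 0-100 score to the post's three decision tiers."""
    if score > 80:
        return "strong candidate: consider expanded scope or a multi-year agreement"
    if score >= 60:
        return "follow-up conversation with specific improvement expectations"
    return "keep looking"


def rank_providers(providers, weights):
    """Score every provider and return (name, score, tier) tuples, best first."""
    scored = [(name, weighted_score(ratings, weights)) for name, ratings in providers.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, score, classify(score)) for name, score in scored]


# Constructed ratings for three hypothetical providers (not real vendors).
SAMPLE_PROVIDERS = {
    "Provider A": {"security_compliance": 5, "incident_response": 4,
                   "stack_compatibility": 4, "cost_predictability": 3, "strategic_fit": 5},
    "Provider B": {"security_compliance": 3, "incident_response": 3,
                   "stack_compatibility": 5, "cost_predictability": 5, "strategic_fit": 3},
    "Provider C": {"security_compliance": 2, "incident_response": 3,
                   "stack_compatibility": 3, "cost_predictability": 4, "strategic_fit": 2},
}

if __name__ == "__main__":
    profiles = (("compliance deadline", WEIGHTS_COMPLIANCE_DEADLINE),
                ("post-audit", WEIGHTS_POST_AUDIT))
    for label, weights in profiles:
        print(f"\nWeight profile: {label}")
        for name, score, tier in rank_providers(SAMPLE_PROVIDERS, weights):
            print(f"  {name}: {score:5.1f}  {tier}")
```

Running it with both profiles shows why the weights must be chosen before the first conversation: Provider B lands at exactly 80 under the post-audit profile, which is not "above 80" and so still warrants the follow-up conversation, while the same ratings score 70 under the compliance-deadline profile.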

One thing worth doing that most buyers skip is to share the evaluation criteria with each provider before the conversation, not after. A provider who welcomes the scrutiny is demonstrating something real. A provider who tries to redirect away from the framework is also demonstrating something real.

For the full evaluation process and a customizable scoring template, see our Guide to IT Services Vendor Evaluation and Selection. If you are earlier in the process and still working out what to prioritize, our post on how to choose the right IT service provider covers the criteria to define before you bring your due diligence questions into the room. And if you want to understand what strong managed IT support looks like in practice for Bay Area tech companies, our managed IT services page lays out how we approach each of the areas above.

Ask Better Questions, Choose a Better IT Provider

The right IT provider for a fast-growing tech company is not necessarily the one with the biggest client list or the lowest monthly rate. It is the one who can tell you, in specific and unhesitating terms, how they handle the hard moments: a compliance deadline, an after-hours incident, a tool they have not worked with before, a client who needs them to get ahead of problems rather than react to them.

These questions are designed to create those moments in the evaluation conversation, before anything gets signed. Providers who give strong answers to hard questions in a sales context almost always perform the same way when it counts. The reverse is also true.

We are happy to walk you through how Jones IT would answer any of these. Reach out to start the conversation.

About The Author


Anfernee Lai
GRC Engineer at Jones IT

Anfernee Lai works on governance, risk, and compliance for Jones IT and the clients we serve. He holds a Computer Science degree from UC Santa Cruz with a focus on Game Design, and has a knack for finding creative solutions to technical problems.
