If your organisation is considering engaging (or already engages) an IT managed services provider to manage user devices, servers and Microsoft 365 or Google Workspace environments, the provider will share responsibility for protecting your organisation and the information it holds from cyber security threats.
Here are some questions to ask the provider, to open a discussion and help clarify their approach to cyber security.
- Do you hold ISO 27001 or any other comparable certifications?
- How are you securely administering your systems and services?
- How do you securely store and share passwords?
- How are you monitoring activity on your systems and services?
- How are you regularly assessing your systems and services?
- Are you prepared for, and able to respond to, cyber security incidents? Do you have an incident response plan?
- Are you implementing better practice cyber security for your customers? For example, how will you support compliance with the Essential Eight standards to Maturity Level 1?
- What activities will you monitor on our servers/services and user devices? What reporting do you provide?
- Can you provide 2-3 customers we could talk to about your service?
If you are considering engaging a managed service provider, it’s a good idea to also ask other not-for-profits to see if anyone else uses or recommends them, or would recommend another provider.