
How to choose IT support for a 10–50 person business: the questions most MSPs hope you won't ask

Twelve questions to ask before you sign anything, what a good answer sounds like, and the five red flags that should make you walk away. Written from the inside, by an MSP that would rather lose deals than win the wrong ones.


Most buyer's guides on the internet are written by MSPs trying to sell you something. So is this one — there's no point pretending otherwise. But the questions below are genuinely the ones we'd want to be asked, and the honest answers we'd give. If a competitor would struggle with these questions, they probably aren't the right fit for a 10-50 staff business anyway.

Read it as a working checklist. The headers are the questions; the body is what a good answer sounds like and where the gotchas usually live.

1. What's your engineer-to-user ratio?

This is the single most predictive number for service quality, and almost nobody asks it. The ratio tells you how stretched the engineers are likely to be when something goes wrong at 4:30pm on a Friday.

  • Healthy: one engineer per 40-80 supported users. Tickets get attention, the team has time for proactive work.
  • Stretched: 1:120 to 1:200. Reactive only. Patching and proactive work fall behind.
  • Warning sign: 1:250 or more. Triage by ticket priority, with everything below P1 waiting days.

Some MSPs will count their NOC and offshore tier-one staff to inflate the ratio. Ask specifically: "How many UK-based engineers will be working on our tickets, and how many users do they cover in total?" The honest answer to that is unflattering surprisingly often.

2. Where are your engineers based?

There's nothing inherently wrong with offshore support — well-run offshore teams do excellent first-line work. But you need to know what you're buying. A "Manchester MSP" whose tier-one is in Manila isn't necessarily worse, but the response patterns and the call experience will be different from one with a four-person engineering team in Denton.

Specifically ask whether the engineer who answers your phone is the same one who'll work on the ticket, or whether you're being routed through to a coordinator who logs the call and assigns it to someone else.

3. What's actually in the lowest tier?

This is where most MSP price comparisons fall apart. A £55 tier from one provider can include twice as much as a £75 tier from another. Get the inclusion list in writing and check specifically for:

  • Microsoft 365 administration (or just monitoring?)
  • Endpoint Detection and Response, not just legacy antivirus
  • Patch management for both OS and third-party apps
  • Identity hardening — MFA enforcement, conditional access
  • Backup verification (especially for M365 — Microsoft doesn't back up your data, contrary to what most users assume)
  • Quarterly business review — or just a monthly report?

If we're being specific about ourselves: we wrote a separate post on what £55/user buys at Inology, line by line. Ask any other MSP for the equivalent.

4. Are Microsoft 365 licences passed through at cost, or marked up?

Mark-up is fine if it's disclosed — some MSPs add 5-15% on M365 licences to fund their licensing admin and CSP relationship costs. Pass-through is also fine. What's not fine is finding out after the fact that you're paying £24/user for a Business Premium licence that costs £18.10. We pass through at cost; some don't; the answer should be straightforward.

5. Are there setup or onboarding fees on the lowest tier?

Many MSPs charge between £500 and £2,000 for "first 30 days" or "platform onboarding". That's legitimate if it covers actual onboarding work — building documentation, deploying agents, setting baselines. It's less legitimate if it's just there to recover discounting on the monthly rate.

Get the breakdown of what the setup fee covers. If they can't itemise it, it's marketing.

6. What does "critical response" actually mean?

Every MSP website says something like "rapid response" or "15-minute response". Ask what's actually being measured:

  • Acknowledgement: auto-reply email arrives within X minutes (basically meaningless).
  • First human touch: a human reads your ticket within X minutes (better).
  • Resolution start: an engineer starts working on it within X minutes (best).

"15-minute critical response" should mean a real human is engaged on it within 15 minutes during business hours. If they can't tell you which of those three the SLA is measuring, it's the first one.

7. Can I see your Cyber Essentials certificate?

If your IT provider isn't Cyber Essentials certified themselves, why would you trust them to get you certified? Cyber Essentials is the floor — not the ceiling. For sensitive data (legal, healthcare, financial) you also want to see ISO 27001 or, at minimum, a serious answer about why they don't have it yet.

Don't just accept "we're working on it" or "we use the same controls" — ask for the certificate number and check it on the IASME registry. It takes 30 seconds.

8. What happens when something breaks at 7pm on a Tuesday?

Specifically: who picks up the phone?

Many MSPs that include "24/7 cover" at their cheapest tier mean a third-party answering service (often offshore) that takes a message and emails the duty engineer, who reads it in the morning. That's not 24/7 support, that's an after-hours voicemail.

If you genuinely need 24/7 cover (regulated environment, retail with evening trading, manufacturing with shift work), make sure the contract specifies named on-call engineers and a target response time for out-of-hours P1 tickets. If 24/7 isn't necessary for your business, don't pay for it.

9. Who owns the documentation if we leave?

The single most painful thing about changing MSP is recovering your environment documentation — passwords, network diagrams, vendor contacts, custom scripts, runbooks. The contract should be explicit about exit:

  • You own all documentation produced about your environment.
  • You get a complete handover pack within X days of contract end.
  • Admin credentials, recovery keys, MFA recovery codes are transferred to you, not just "made available".
  • No "exit fee" beyond reasonable handover time.

If a contract is silent on exit, that's intentional. Walk.

10. What's the contract term and notice period?

The market has converged on 12 months minimum with 90 days' notice. Anything longer than 24 months locked-in for an SMB is a red flag — it usually means either heavy upfront discounting (you're financing their losses), or a relationship the provider needs to lock in because they'd struggle to retain you on merit.

Watch out for auto-renewal clauses. They're legal, but the notice period to break out of them should be reasonable (30-90 days, not "one calendar year before the renewal date").

11. Can you give three references from 10-50 staff businesses in our sector?

Generic references aren't enough. You want to talk to three actual buyers similar to you. If they can't or won't put you in touch with three live customers in your size range and sector, that's data.

When you do speak to references, the most useful question is: "What's the most annoying thing about working with them, and how have they handled it?" Every relationship has friction. The shape of the friction tells you whether you can live with it.

12. What's the worst incident you've handled in the last 12 months — and what changed afterwards?

This is the most revealing question on the list. Every MSP that handles real businesses has had a bad week in the last year. The ones worth working with will tell you about it openly — what happened, what they did, what they changed in their process so it doesn't happen again.

The ones not worth working with will say something like "we haven't had any major incidents". That's either a lie or it means they don't have enough customers to have learned anything.

The five red flags

Any one of these isn't fatal. Two together means walk.

  1. Pricing only available "after a discovery call" for a basic SMB requirement (10-50 users, M365, no specialist compliance). If a price isn't published, the price is whatever they think they can get away with.
  2. No published Cyber Essentials or ISO 27001 status for an IT firm in 2026. There's no excuse.
  3. References they won't put you in touch with. Logos on a website mean nothing. Names, numbers, and warm intros are the proof.
  4. "Unlimited" anything without a clear definition. "Unlimited support" usually means "as long as you don't actually use it much". Get the fair-use boundary in writing.
  5. A contract longer than 12 months without a clear performance break clause. Two- and three-year lock-ins for SMBs are about lifetime value, not service quality.

One more thing — trust your instinct on the meeting

Process and certifications matter. So does whether the people you'd be talking to most weeks feel like people you'd want to talk to most weeks. IT support is fundamentally a service business; if the discovery call feels like a sales script, the day-to-day relationship will feel like one too.

If you'd like a no-obligation discovery call where we run through this list against your current setup, we're happy to do that — even if you decide we're not the right fit. Drop us a line.
