Interconnekt
MSP procurement checklist (15 min review)

The MSP contract review checklist

A practical checklist for reading a managed IT agreement before you sign or renew. Covers SLAs and response-time definitions, what security is included versus extra, data and IP ownership, exit terms, cyber-insurance alignment, escalation, and reporting.

Most managed IT agreements are signed on trust and read properly only when something has gone wrong. By then the clauses that matter, the ones about response times, what is actually included, and how you leave, are fixed. This checklist exists so you can read the agreement properly first, while you still have room to negotiate.

It is written to be used against any provider's contract, including ours. We have a commercial interest in you choosing Interconnekt, and we are not going to pretend otherwise, but this document is deliberately provider-neutral. If it helps you ask a competitor a sharper question, it has done its job. A provider worth signing with will answer every item on this list plainly. A provider who gets evasive on any of them has told you something useful.

Work through it as seven areas. For each, we give the question to ask, what a good answer sounds like, and the red flag that should make you slow down. Take the answers in writing. "We'll sort that out later" is not an answer to a contract question; it is a deferral of a decision you are about to pay for.

1. Service levels and how response time is defined

Ask: what are the service level targets, and precisely how is response time defined and measured? The trap here is the word "response". Many agreements promise a fast response and then define response as an automated ticket acknowledgement, not a human starting work. A 15-minute response that is really an auto-reply is worth nothing at 3am.

A good answer separates response from resolution, defines both against named priority levels (a P1 outage is not a password reset), states the hours of coverage, and says whether the clock runs in business hours or around the clock. It also tells you what happens when a target is missed. Better agreements attach a service credit or a defined remedy to a missed target, which turns the number from marketing into a commitment.

Red flags: a single blended response time with no priority tiers; response defined as acknowledgement rather than active work; service levels described in the sales deck but absent from the contract itself; and no stated consequence for missing them. If the SLA is not written into the agreement you are signing, it is not an SLA; it is a hope.

2. What security is included versus what costs extra

Ask for a line-by-line split of what security controls are inside the monthly fee and what is billed as a project or an add-on. This is the single most common source of a nasty surprise, because "managed IT" and "managed security" are often quietly different products with different price tags, and the boundary is where the unbudgeted invoices live.

A good answer names the baseline explicitly: which controls are standard (typically multi-factor authentication, patching, endpoint protection, backup), and which are extra (often things like managed detection and response, security awareness training, phishing simulation, a formal Essential Eight or CIS Controls uplift, or incident response retainer hours). It should be clear whether the provider will help you reach a defined security baseline as part of the service, or whether every improvement is a fresh quote.

Red flags: the word "comprehensive" doing the work that an itemised list should do; security described as included in conversation but scoped as chargeable in the fine print; and no clarity on whether responding to an actual incident is covered or billed by the hour while your business is on fire. Ask directly: if we are breached on a Tuesday, what does that cost us under this contract?

3. Data and intellectual property ownership

Ask, in writing: who owns the data, the documentation, and the configuration? The answer should be unambiguous, and it should be you. Your business data is obviously yours, but the documentation of your environment, the runbooks, the network diagrams, the asset inventory, and the tenant configuration are just as important, and this is where some agreements go quiet.

A good answer confirms you own your data and your environment documentation, and that you are entitled to a copy in a usable format on request, not only on exit. It is explicit about any tooling the provider uses on your behalf, and whether accounts and licences are registered in your name and your tenant or locked inside the provider's. The test is simple: if you parted ways tomorrow, would the next provider inherit a documented environment or a mystery?

Red flags: documentation described as the provider's proprietary property; monitoring or management accounts owned by the provider rather than sitting in your tenant; and any suggestion that environment knowledge is a retention mechanism. A provider confident in their service does not need to hold your documentation hostage to keep you.

4. Exit and offboarding terms

Ask what leaving actually involves, in detail, before you sign to join. Notice period, offboarding assistance, data return, and cost. A short notice period on paper means little if the practical cost of extracting your data and knowledge is high enough to trap you. The exit clause is the truest statement of how a provider sees the relationship.

A good answer sets a reasonable notice period, commits to a defined offboarding process with a handover of documentation and administrative control, states data will be returned in a standard, usable format, and is clear and modest about any offboarding fee. The best agreements treat a clean exit as a point of pride, because a provider who makes leaving easy is telling you they intend to keep you by being good, not by being sticky.

Red flags: high or vaguely defined data-extraction or offboarding fees; no committed handover process; administrative control that stays with the provider; and auto-renewal clauses with a long notice window that quietly re-lock you each year. Read the auto-renewal terms specifically. Diarise the notice date the day you sign.

5. Cyber-insurance alignment

Ask whether the controls the provider delivers actually satisfy your cyber-insurance requirements, and who is accountable if they do not. Cyber policies increasingly require specific controls (multi-factor authentication everywhere, tested backups, endpoint detection, timely patching), and a claim can be reduced or refused if an attested control was not genuinely in place.

A good answer shows the provider understands this exposure. They will map their service to your insurer's control requirements, be willing to attest to what they operate, and flag any gap between what your policy assumes and what your contract delivers. If you are completing an insurance questionnaire, the provider should be able to help you answer it truthfully rather than optimistically.

Red flags: a provider who has never seen your policy's control schedule and is not curious about it; unwillingness to put in writing which controls they operate; and a gap between the security your policy assumes and the security your agreement includes, which is a gap you would only discover at claim time. Line the policy and the contract up now, on paper, while it costs nothing.

6. Escalation and accountability

Ask what happens when the front line cannot resolve an issue, and who owns the problem end to end. Everyday tickets are the easy part. The measure of a provider is what happens on a hard day: a major outage, a security incident, a vendor pointing at another vendor. You want to know the path before you need it.

A good answer describes a clear escalation ladder with timeframes, names how and when senior technical people get involved, and, importantly, commits to the provider coordinating third parties (internet providers, software vendors, hardware suppliers) rather than leaving you to referee between them. Single-point accountability is worth paying for; the alternative is you becoming the project manager of your own outage.

Red flags: no defined escalation path; no named ownership when an issue crosses vendor boundaries; and a support model that resets context every time you call, so you re-explain your environment to a stranger during every incident. Ask who is accountable when the fix requires three vendors to cooperate. The answer should be the provider, not you.

7. Reporting cadence and transparency

Ask what you will receive on a regular basis, and whether it tells you anything you can act on. Reporting is where a provider either demonstrates the work or hides it. You are looking for evidence of the operational reality (tickets handled and how quickly, patch and backup status, security posture against your chosen framework), not a monthly page of green ticks that says everything is fine because nothing is measured.

A good answer commits to a regular review with a named person, includes service-level performance against the targets in section 1, reports on the security controls in section 2, and creates space for the strategic conversation about where your IT is heading, not only what broke last month. The cadence should match your size: a quarterly business review is typical for an SMB, monthly for larger or more regulated environments.

Red flags: no committed reporting; reports that show activity volume but never performance against a target; no regular human review, only a portal you are told to log into; and no forum for the forward-looking conversation. If you cannot see how you are being served, you cannot tell whether you are being served well.

Using this before you sign or renew

Send these seven areas to any provider you are considering, or to your current one at renewal, and ask for written answers. The exercise is revealing in itself. A provider who answers plainly and puts it in the agreement is showing you how they operate. A provider who is smooth in the meeting but vague on paper has answered a different, more important question.

None of this is adversarial. A good managed IT relationship is a long one, and both sides are better served by an agreement that says clearly what is included, what is not, and how it ends. Clarity up front is not a lack of trust; it is the foundation of it.

We publish our prices, write our agreements so you can leave with your data and documentation without a penalty, and are happy to be measured against every item on this list. That is a deliberate position, and it is the same one we would want if we were the customer.

If you want a second read on a managed IT agreement you have been handed, or you are weighing a renewal and want to pressure-test it, that is exactly the kind of conversation we are glad to have, with no expectation that it ends with you switching to us.

Next step

Want a posture assessment against this baseline?

We run a fixed-fee Essential Eight posture assessment that produces an evidence-grade gap analysis in two weeks. The deliverable is a remediation plan keyed to the eight controls, not a glossy slide deck.
