Hiring an IT company without knowing what to ask is like hiring a contractor to renovate your house without ever looking at their previous work. You'll end up comparing prices on things you don't fully understand, and choosing whoever sounds the most confident in the sales call.
These seven questions cut through the sales pitch. Ask them in every meeting with a prospective IT provider and listen carefully — not just to the answers, but to how they react to being asked.
1. "Walk me through exactly what happens when I call at 11pm because something critical is down."
Don't ask "do you offer 24/7 support." Every MSP will say yes. Ask them to describe the actual process, step by step. Who answers? Is it a person or a ticket system? What's the escalation path? What's your SLA for a critical issue at that hour?
What a good answer sounds like: A specific process with named escalation levels, defined response time commitments (in writing), and clarity on what "critical" means in their SLA.
Red flag answer: "We're always available" without any specifics on how that works in practice.
2. "Can I see a sample SLA before we move forward?"
A Service Level Agreement is the contract that defines what you're actually buying. Response times, resolution times, uptime guarantees, exclusions — it's all in there. Any reputable MSP will have a standard SLA they can share immediately.
What a good answer sounds like: They produce a document. You look at it. It has specific, measurable commitments.
Red flag answer: Hesitation, vague promises about "getting something together," or an SLA with response time language like "as soon as possible."
An SLA without financial penalties for missed commitments is a wish list, not a contract. Ask what happens if they miss their response time targets.
3. "What's your patch management process, and how often do you patch?"
Most cyberattacks exploit known vulnerabilities for which a patch already exists but has not been applied. Unpatched systems are one of the most common entry points for ransomware and data breaches. A competent MSP takes patching seriously, has a defined schedule, and can tell you exactly how it works.
What a good answer sounds like: A defined patching schedule (typically monthly for routine patches, faster for critical security patches), a testing process, and a change management policy so patches don't break things.
Red flag answer: "We patch when needed" or uncertainty about their own process.
4. "Describe your backup and disaster recovery solution — and when did you last successfully test a restore?"
This question has two parts and both matter. The first reveals whether they have a real backup solution. The second reveals whether they've ever actually tested it. Many "backup solutions" are untested and will fail at the worst possible moment.
What a good answer sounds like: A specific backup solution (not just "we use cloud backup"), a defined backup frequency, retention periods, and a recent restore test they can describe in detail — including what data was restored and how long it took.
Red flag answer: Vague descriptions, inability to name the backup software, or no recent restore test.
5. "Can you give me references from two businesses in my industry?"
Industry-specific experience matters. A healthcare IT environment has different compliance requirements, software ecosystems, and risk profiles than a law firm or a retail business. An MSP that primarily works with general small businesses may not be equipped for your specific needs.
What a good answer sounds like: They can name clients in your industry (with permission to share) and provide contact information for references you can actually call.
Red flag answer: They can't name any clients in your industry, or references are slow to materialize.
6. "What certifications does your team hold, and who specifically would be working on our account?"
This is a two-part question that reveals both technical competence and accountability. Relevant certifications include Microsoft certifications, CompTIA Security+, CISSP, and others depending on your needs. But equally important is understanding whether you'll have a named account manager or get routed to whoever is available.
What a good answer sounds like: Specific certifications named, a team structure explained, and clarity on who your primary contact would be.
Red flag answer: "Our team is very experienced" without specifics, or no assigned account manager.
7. "What happens to our data, accounts, and systems if we decide to leave?"
This question makes bad IT providers visibly uncomfortable. It's the exit clause question, and it's essential. You need to know that if things don't work out, you can leave cleanly — with all your data, all your credentials, and all your documentation.
What a good answer sounds like: Clear offboarding process, commitment to provide all credentials and documentation, reasonable transition timeline, and no punitive lock-in provisions.
Red flag answer: Vagueness, defensiveness, references to multi-year contracts with steep early termination fees, or any suggestion that your data or accounts "live in their systems."
Ready to Get Structured Proposals?
Our free IT RFP Generator creates a professional request for proposal based on your situation — so every vendor quotes against the same scope and you can actually compare apples to apples.
One More Thing: What to Listen For Beyond the Answers
The content of their answers matters, but so does how they respond to the questions themselves. Good IT providers welcome this kind of scrutiny. They've answered these questions before. They're confident in their processes because their processes are real.
Providers who become defensive, vague, or suddenly very focused on getting you to sign something quickly are sending you a signal. Trust that signal.
The IT relationship is a long one. You're going to call these people when something breaks at the worst possible time. You're trusting them with your data, your systems, and your business continuity. Spend the time to get it right before you sign the contract — not after.