Most businesses pick an IT provider the same way they pick a contractor — whoever calls back first and sounds confident. That's how you end up locked into a bad contract for three years. This guide walks you through the actual evaluation process, from scoping what you need to the reference questions that expose providers before you sign.
Before you evaluate a single provider, you need to understand what managed IT services actually is — because the MSP industry has done an exceptional job of making it sound like a commodity when it isn't.
When you hire an MSP, you're buying four distinct things at once:
The reason this matters: when you're comparing proposals, you're almost never comparing apples to apples. One proposal might include EDR, backup, and email security. Another might include "endpoint protection" (which might just be antivirus) and "backup monitoring" (which might not include tested restores). Unless you understand what each line item means, you'll optimize for price and get the worst deal.
The baseline minimum in 2026: Any MSP proposal that doesn't include EDR (not just antivirus), tested backup restores (not just backup monitoring), MFA enforcement, and a documented incident response plan is missing the security foundation. Anything below this floor isn't fully managed IT — it's monitoring with a helpdesk.
The most common mistake in MSP evaluation is starting the process by taking sales calls. Sales calls are designed to let the provider scope the conversation. You want to scope it yourself first.
Before you talk to a single vendor, document these six things:
This is where businesses consistently underestimate what they need. If you're in any of these situations, your MSP must understand the specific compliance framework:
Document specifically what's broken or inadequate about your current situation. "Our IT company is slow" is not useful. "Our average ticket resolution time is 3 days and we had two server outages last quarter that lasted 4+ hours each" is useful. Specific pain points let you evaluate whether a new provider would actually solve them.
Know your number before you go in. Market rate for small business fully managed IT is $100–$175 per user per month. Mid-market with compliance requirements runs $150–$250/user/month. If you have 30 users and $1,500/month to spend, that's $50/user — which is below the floor for real managed IT. Know this before you collect proposals so you're not surprised.
Every business has one or two requirements that are non-negotiable. Write yours down before you talk to anyone. Common examples: must be able to sign a BAA, must have a local technician within 30 miles, must support Salesforce, must have CMMC experience. These filter your candidate list before you waste time on proposals from providers who can't actually serve you.
Where you find MSP candidates determines the quality of the pool you're evaluating. Most businesses do one of two things: Google "IT support near me" or ask a peer for a recommendation. Both approaches work — but neither is reliable alone.
The best MSP leads come from business owners in your industry who run a similar-sized operation. Not from your IT person's former employer. Not from your accountant's brother-in-law. From someone who actually uses them, pays them monthly, and has lived through an incident with them.
When you ask for a referral, ask this specifically: "Has your IT provider ever had to respond to a real incident — not a slow computer, but an actual outage or security event? How did they respond?" The answer tells you more than any sales call.
Your industry association likely has a vendor directory or peer community where members share IT provider recommendations. If you're in healthcare, legal, manufacturing, or financial services, there are industry-specific MSPs who live in your world. Find them through your peers, not through Google.
SerenIT matches businesses with vetted MSPs based on industry, size, compliance requirements, and location — not on who pays us the most. Use the matching service here if you want qualified candidates without the cold call inbox flood.
You want 3–5 providers in your evaluation pool. Fewer than three gives you no baseline. More than five becomes unmanageable. Filter your initial list using your deal-breakers: if CMMC compliance is required and a provider says they "do compliance," that's not the same as having completed CMMC assessments with C3PAO partners. Cut anyone who can't be specific.
Red flag before you even start: Any MSP that gives you a proposal without asking detailed questions about your environment, compliance requirements, and current pain points is not evaluating your needs — they're pasting your user count into a pricing template. That's a sign of what the relationship will look like.
You don't need a formal Request for Proposal for a small business MSP evaluation. But you do need to give every provider the same information and ask the same questions — otherwise you're comparing answers to different questions, which tells you nothing.
Ask these questions in writing. Answers to written questions are more considered, and written answers can be compared side-by-side:
The last question is the one that separates real providers from those selling on promises. Get the answer in the proposal and verify it's in the contract.
When proposals come back, normalize them before you compare prices. Price is the last thing you should compare — and only after you understand what each price actually includes.
Convert every proposal to a single number: total monthly cost divided by number of users. Now you have an apples-to-apples base.
For each proposal, mark whether these are included or extra-cost:
| Item | Must Be Included | Provider A | Provider B | Provider C |
|---|---|---|---|---|
| 24/7 remote monitoring | Yes | | | |
| Helpdesk with defined SLA | Yes | | | |
| Automated patch management | Yes | | | |
| EDR (not just antivirus) | Yes | | | |
| Backup monitoring + tested restores | Yes | | | |
| MFA enforcement | Yes | | | |
| Email security / anti-phishing | Strongly recommended | | | |
| After-hours critical support | Depends on your needs | | | |
| Onsite visits | Depends on your location | | | |
| vCIO / strategic advisory | Mid-market: yes | | | |
| BAA signing capability | If regulated industry | | | |
Score each provider 1–5 on each dimension:
Price enters the equation only after you score all eight dimensions. The cheapest provider who scores below 3 on SLA terms and security stack is the most expensive option — you just don't feel it until something goes wrong.
Most businesses either skip references entirely or ask the wrong questions. Providers curate their reference list — you're talking to their happiest clients. The goal is to ask questions that get honest answers from even a curated reference.
Ask for one reference from a client who has been through a major change while working with this MSP. Any company that's been growing has migrated platforms, changed ERPs, or added acquisitions during their MSP relationship. How the provider handles complexity and change tells you more than steady-state performance.
IT contracts are written by the provider's lawyers to protect the provider. That's not a complaint — it's the nature of contracts. Your job is to negotiate the terms that protect you before you're in a bad situation with no leverage to leave.
Have an attorney review any IT contract over $50,000/year. A two-hour legal review costs $400–$800 and can save you from a three-year commitment to a provider who performs below expectations. The cost is trivial relative to the exposure.
The SLA is the most important part of your IT contract and the part most businesses don't read carefully. Here's what it needs to contain to actually protect you.
These are different commitments. Response time is how long until someone acknowledges your ticket. Resolution time is how long until the problem is fixed. Both should be defined separately for each priority level. A provider who only defines response time is giving themselves unlimited time to actually fix things.
| Priority | Definition | Typical Response SLA | Typical Resolution SLA |
|---|---|---|---|
| P1 — Critical | Business operations halted (server down, ransomware, site outage) | 15–30 minutes | 4 hours |
| P2 — High | Significant business impact, workaround exists | 1–2 hours | 8 hours |
| P3 — Medium | Single user affected, workaround available | 4 hours | Next business day |
| P4 — Low | Minor issue, request, or question | 8 hours | 3–5 business days |
This is what makes the SLA real. Without a penalty, missing an SLA has no consequences — the provider apologizes and moves on. Your contract should include at minimum:
Providers who say "we don't include penalty clauses because it's a trust-based relationship" are telling you they don't intend to be held accountable. A confident provider will put their commitments in writing.
The SLA is only useful if you can see how the provider is performing. Your contract should specify monthly reporting that includes ticket volume, response time performance against SLA, resolution time performance against SLA, and any violations. Without this reporting, you'll never know if they're meeting the SLA or just telling you they are.
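The following script is an added example, not part of the original guide: it rebuilds that monthly report from a raw ticket export so the provider's numbers can be checked rather than taken on trust. The target values (the looser bound where the priority table gives a range, and "same time of day N business days later" for P3/P4 resolution) and the ticket records are assumptions constructed for the example.

```python
"""Added example: recompute an MSP's monthly SLA report from a raw ticket export."""
from datetime import datetime, timedelta

# Assumed contract targets, taken from the guide's priority table (looser bound of each range).
RESPONSE_HOURS = {"P1": 0.5, "P2": 2, "P3": 4, "P4": 8}   # acknowledge within (clock hours)
RESOLUTION_HOURS = {"P1": 4, "P2": 8}                    # fix within (clock hours)
RESOLUTION_BUSINESS_DAYS = {"P3": 1, "P4": 5}            # fix within (business days, assumed)


def business_deadline(start, days):
    """Same time of day, `days` business days after `start`, skipping weekends."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


def check_ticket(rec):
    """Evaluate one (id, priority, opened, acknowledged, resolved) record; resolved=None means still open."""
    tid, prio = rec[:2]
    opened, acked, resolved = (datetime.fromisoformat(s) if s else None for s in rec[2:])
    if prio in RESOLUTION_HOURS:
        res_deadline = opened + timedelta(hours=RESOLUTION_HOURS[prio])
    else:
        res_deadline = business_deadline(opened, RESOLUTION_BUSINESS_DAYS[prio])
    return {"id": tid, "priority": prio,
            "response_met": acked <= opened + timedelta(hours=RESPONSE_HOURS[prio]),
            "resolution_met": resolved is not None and resolved <= res_deadline}


def sla_report(tickets):
    """Per-priority volume and SLA attainment, plus the ids of every violating ticket."""
    report, violations = {}, []
    for r in map(check_ticket, tickets):
        s = report.setdefault(r["priority"], {"tickets": 0, "response_met": 0, "resolution_met": 0})
        s["tickets"] += 1
        s["response_met"] += int(r["response_met"])
        s["resolution_met"] += int(r["resolution_met"])
        if not (r["response_met"] and r["resolution_met"]):
            violations.append(r["id"])
    return report, violations


TICKETS = [  # constructed sample export (UTC), not real data; 2026-03-02 is a Monday
    ("T-101", "P1", "2026-03-02T09:00", "2026-03-02T09:20", "2026-03-02T12:30"),  # both targets met
    ("T-102", "P1", "2026-03-03T14:00", "2026-03-03T14:50", "2026-03-03T17:00"),  # acknowledged after 50 min
    ("T-103", "P3", "2026-03-06T16:00", "2026-03-06T17:00", "2026-03-09T15:00"),  # Fri -> Mon, within next business day
    ("T-104", "P4", "2026-03-02T10:00", "2026-03-02T15:00", None),                # never resolved
]

if __name__ == "__main__":
    print(sla_report(TICKETS))
```

Compare the `violations` list with what the provider's own report admits to; a report that shows 100% attainment while the export shows missed tickets is the discrepancy this section is about.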
Onboarding is the period most likely to make you regret a decision. The transition from your old provider to your new one is when everything that wasn't documented becomes a problem. A provider with a rigorous onboarding process is a provider who has done this enough times to know where things go wrong.
Ask every provider: "What is your process for the transition period — specifically the overlap between your onboarding and my previous provider's offboarding?" A provider who has never thought about this question has never managed a difficult transition. A good answer describes a specific handoff protocol and a period where both providers have access to ensure nothing falls through.
Never cancel your current provider before your new one completes environment documentation. The leverage you lose the moment you inform your current provider you're leaving is significant. Wait until your new MSP has documented your environment and you have verified copies of all credentials and configurations.
The honeymoon period in an MSP relationship is about 60 days — long enough for the initial enthusiasm to wear off but not long enough for the account to fall into steady-state management patterns. The first 90 days is when you establish what the relationship will actually look like.
A thorough MSP evaluation takes 4–8 weeks: 1–2 weeks to scope requirements and build an RFP, 2–3 weeks for proposal review and site visits, and 1–2 weeks for contract negotiation. Onboarding after signing typically takes 30–60 days for complete environment documentation and transition. Rushing the evaluation creates the same problems you're trying to solve.
Get at least three proposals. Two gives you no baseline and no negotiation leverage. Five or more becomes unmanageable. Three from providers of comparable size and specialization gives you enough price variance to understand market rate and enough service variation to identify what's standard versus what's being upsold.
The SLA penalty clause: what actually happens when the provider misses their response or resolution time commitment. An SLA without contractual remedies (service credits, right to terminate) is a marketing document, not a commitment. Verify this before signing — providers who resist putting it in writing are telling you they don't expect to meet it.
No. Always maintain your own Microsoft 365 or Google Workspace tenant with a billing account in your company's name. When MSPs bundle your licenses into their billing, they become your account's owner — if you leave the relationship, they can hold your licenses hostage or threaten service disruption during migration.
The three most revealing questions: (1) Describe the worst outage or incident you've had in the past year — how did the MSP respond? (2) What does communication look like when something goes wrong? (3) Knowing what you know now, would you sign the same contract again? References will answer these honestly because they're specific rather than general.