Last reviewed June 2026

How to choose an MSP

The complete UK business guide to finding an IT support partner you can rely on — and avoiding one you’ll regret.

10 min read By the WhatMSP team

Choosing a managed service provider is one of the most consequential decisions a business makes. Get it right and you gain a technology partner that quietly removes friction and keeps you secure. Get it wrong and you inherit downtime, security gaps and a contract that’s painful to leave.

This guide walks you through evaluating an MSP the way we do when we assess one for the register. It maps onto our independent scoring methodology, so by the end you’ll know both what to look for and how to read a WhatMSP score.

1. What an MSP actually does

A managed service provider runs your IT for a predictable monthly fee. That usually means a helpdesk for day-to-day problems, security and patching, backup and disaster recovery, management of cloud platforms such as Microsoft 365 or Azure, and proactive monitoring that catches issues before they become outages.

The distinction worth holding onto is proactive versus reactive. A break-fix supplier waits for the phone to ring. A genuine MSP is paid to stop it ringing — patching systems, hardening security and planning ahead so problems are designed out. When you compare providers, you’re really asking how proactive each one is, and whether they can prove it.

2. Security & compliance

Your MSP will hold administrative access to almost everything you own digitally. Their own security is therefore your security. Start here, and don’t compromise.

What to verify

  • Cyber Essentials — the UK government’s baseline security standard. Treat it as the minimum, not a nice-to-have.
  • Cyber Essentials Plus — the hands-on, independently tested version. It shows they practise what they preach.
  • ISO 27001 — a full information-security management system. Important if you’re in a regulated sector.
  • ICO registration — required if they process personal data on your behalf.
  • Professional indemnity insurance — ask for the certificate and check the level of cover.

Pro tip

Don’t take a logo on a website as proof. Cyber Essentials certificates can be confirmed on the NCSC list of certified organisations, and ISO 27001 can be checked with the issuing UKAS-accredited body. Verifying at source is exactly what we do for every provider on the register.

3. Technical capability

An MSP’s toolset tells you whether they’re running an enterprise-grade operation or improvising with consumer products. You don’t need to understand every acronym — you just need them to answer clearly.

  • Remote monitoring & management (RMM) — the platform they use to monitor and maintain your devices. Ask which one.
  • Endpoint security — modern detection and response, not just consumer antivirus.
  • Backup & disaster recovery — how your data is protected, and their recovery time and recovery point objectives (RTO/RPO).
  • Cloud expertise — verified competence in Microsoft 365, Azure or AWS, with partner status to match.
  • The wider security stack — firewall management, email security and DNS filtering.

Red flag

If a provider can’t or won’t tell you what tools they use, that’s a warning sign in itself. Transparency about their technology is basic. If they’re evasive here, ask yourself what else they’d rather you didn’t see.

4. Reputation & references

Marketing tells you how a provider sees itself. Reputation tells you what it’s actually like to be their client — and it’s far harder to fake.

  • Independent reviews — read Google and Trustpilot for patterns over time, not isolated comments.
  • Client references — ask to speak with two or three current clients, ideally in a business like yours.
  • Case studies — documented outcomes for organisations facing similar challenges.
  • Longevity — how long they’ve traded, confirmed on Companies House.

Pro tip

When you call a reference, ask: “What’s your biggest frustration with them?” Every provider has weaknesses. A reference who genuinely can’t name one probably isn’t giving you the full picture.

5. Service & support

This is where the relationship lives day to day. The detail of how they support you matters more than any sales promise.

  • Response SLAs — guaranteed response times for critical issues, in writing, by severity.
  • Support hours — standard business hours, extended, or genuine 24/7? Match this to how you work.
  • A UK-based helpdesk — where the people answering your tickets are actually located.
  • On-site support — whether visits are available, and whether they’re included or charged extra.
  • A named contact — an account manager who knows your environment.
  • Onboarding — a clear plan for transitioning you from your current setup without disruption.

6. Transparency & pricing

Pricing in this market can be deliberately opaque. The model itself matters less than whether you can see the whole picture before committing.

  • A clear model — per-user, per-device or fixed monthly fee, with no surprise charges.
  • Scope — exactly what’s included and what’s billed as a separate project.
  • Contract terms — minimum term and notice period, stated up front.
  • Visible people — you can see who runs the company and who’ll work on your account.

As a rough UK benchmark, per-user managed support commonly runs from around £30 to £80 per user per month depending on what’s included; per-device models often sit between £15 and £40 per device. Treat these as orientation, not a quote — what you’re really buying is clarity.

Red flag

Be wary of anyone who won’t give even a ballpark without extensive “discovery”. Some scoping is reasonable, but a reputable provider can usually give you a sensible range quickly.

7. Red flags to walk away from

Any one of these should give you pause. Several together is your cue to keep looking.

  • No Cyber Essentials — the bare minimum for any security-conscious MSP.
  • Won’t provide references — ask yourself what they’re protecting.
  • High-pressure sales — good providers don’t need to rush you into signing.
  • Vague about their tools — transparency about technology is non-negotiable.
  • No written SLAs — if it isn’t in writing, it doesn’t exist.
  • Pricing that’s too good to be true — it usually is.
  • Can’t explain their security approach — this is their core job.

8. The decision checklist

Print this, or keep it open while you talk to providers. If you can tick most of it honestly, you’re onto a strong candidate.

  • Holds Cyber Essentials (ideally Plus), verified at source
  • Carries professional indemnity insurance and is ICO-registered if needed
  • Will tell you exactly which RMM, security and backup tools they use
  • Has documented backup and disaster recovery with stated RTO/RPO
  • Provides written SLAs with response times by severity
  • Has a UK-based helpdesk and a named account contact
  • Offers references you can actually speak to
  • Gives a clear pricing model with scope, term and notice in writing
  • Has a credible trading history on Companies House
  • Explains its security approach in plain English

Want us to do the hard work?

We independently score every provider on the register against all five areas — out of 50, verified at source — so you can compare on evidence, not marketing.

Frequently asked questions

What is an MSP?

A Managed Service Provider (MSP) is a company that looks after your IT on an ongoing basis for a regular fee — typically covering helpdesk support, security, backups, cloud services such as Microsoft 365, and proactive monitoring. Instead of fixing things only when they break, a good MSP works to keep them from breaking in the first place.

How do I choose the right MSP for my business?

Assess providers across five areas: security and compliance, technical capability, reputation and references, service and support, and transparency on pricing and contracts. Verify credentials such as Cyber Essentials at source, read independent reviews, speak to current clients, and get every commitment in writing before you sign.

What certifications should an MSP have?

At a minimum, look for Cyber Essentials — the UK government baseline for security. Cyber Essentials Plus (hands-on tested) and ISO 27001 (a full information-security management system) indicate greater maturity. If the MSP handles personal data on your behalf they should also be registered with the ICO, and they should carry professional indemnity insurance.

How much does IT support cost in the UK?

Most MSPs charge per user or per device each month. Per-user pricing commonly falls between £30 and £80 per user per month depending on the services included; per-device models often run from £15 to £40 per device. What matters more than the headline rate is clarity — exactly what is included, what is billed as a project, and what the contract term and notice period are.

What questions should I ask an MSP before signing?

Ask what is included in the monthly fee and what costs extra, what their guaranteed response times are for critical issues, which tools they use for monitoring, security and backup, how they handle a breach or disaster recovery, what their offboarding security process is when staff leave, and whether you can speak to two or three current clients in a similar industry.

How does WhatMSP vet managed service providers?

Every provider on the WhatMSP register is independently scored out of 50 across five categories: security and compliance, capability and technical, trust and reputation, service quality, and reliability and stability. Credentials are verified at source against Companies House, IASME, UKAS and the ICO. Ranking is by score alone — we do not sell rankings.
