How we rate MSPs.
Every provider on the register is scored out of 50 across five areas that genuinely matter to the businesses they serve. Credentials are verified at source — we don’t sell rankings; the metal is earned, never bought.
One number, fifty points, five categories.
The WhatMSP score is a single figure out of 50. It is the sum of five weighted categories, each assessed against verifiable evidence gathered during an independent audit. There is no opinion column and no “editor’s choice”. A provider either has the certification, the reviews, the cover and the track record — or it doesn’t.
Because the score is built from evidence, two assessors looking at the same provider reach the same number. That repeatability is the whole point: it is what lets buyers compare one MSP against another on a level footing.
Worked example · a Gold provider
A score of 38 clears the Gold threshold of 32 but sits below Platinum’s 40. The gauge shows exactly where a provider lands against every tier line — no rounding, no spin.
The five categories · 50 points
Cyber Essentials & CE Plus, IASME Cyber Assurance, ISO 27001 and ISO 9001, Crown Commercial Service / G-Cloud, IASME certification-body status and ICO registration. Can they protect themselves — and you?
Microsoft Solutions Partner status, verified individual certifications on staff (CISSP, Microsoft, CompTIA), cloud expertise, RMM tooling, 24/7 cover, documented processes and a managed security stack. Can they actually do the job?
Independent reviews across Google and other platforms, an evidenced Net Promoter Score, verified client references, case studies and trading history. Do the claims hold up?
Written SLAs, UK-based support (not outsourced), dedicated account management, structured onboarding, on-site capability and a client portal. What is it like to work with them?
Professional indemnity insurance graded by cover level, cyber insurance, business continuity / disaster recovery, financial health, transparent pricing and visible leadership. Will they still be here in three years?
Every criterion, on the table.
Nothing hidden. This is the exact checklist our engine scores — the points each criterion is worth, and where we verify it. Published straight from the live scoring model.
Security & Compliance
max 12-
Cyber Essentials IASME / NCSC register+2
-
Cyber Essentials Plus IASME / NCSC register+2
-
ISO 27001 or IASME Cyber Assurance (ISMS) UKAS / IASME register+2
-
ICO Registered ICO register+1
-
ISO 9001 (Quality Management) UKAS / accreditation register+1
-
Crown Commercial Service / G-Cloud CCS supplier list+1
-
Cyber Essentials / CE Plus Certification Body IASME+1
-
CREST accredited CREST register+1
-
SOC 2 Certification+1
Capability & Technical
max 12-
Microsoft / AWS / Google Cloud partner Vendor partner programmes+2
-
Cloud expertise Services / Declaration+2
-
RMM / monitoring tooling Products / Declaration+1
-
Verified individual certifications on staff Certification+3
-
24/7 or extended-hours support Self-declaration+2
-
Documented processes / ITIL Self-declaration+1
-
Security stack (EDR / SIEM / SOC) Products / Declaration+1
Trust & Reputation
max 10-
Google reviews (4+ stars) Google Places+3
-
Trustpilot / other platforms Platform cache+1
-
Case studies / testimonials Self-declaration+1
-
Evidenced Net Promoter Score Verified attribute+2
-
Verified client references Verified attribute+2
-
Trading history (5+ years) Companies House+1
Service Quality
max 8-
Written SLAs Self-declaration+2
-
UK-based support (not outsourced) Verified attribute+2
-
On-site support capability Self-declaration+1
-
Client portal / ticketing Self-declaration+1
-
Dedicated account management Self-declaration+1
-
Structured onboarding Self-declaration+1
Reliability & Stability
max 8-
Professional indemnity insurance Verified attribute+2
-
Transparent pricing Website / Declaration+1
-
Team / leadership visible Website / Declaration+1
-
Cyber insurance Verified attribute+1
-
Business continuity / disaster recovery Verified attribute+1
-
Financial health (turnover / accounts) Companies House+1
-
Proactive communication & contract terms Self-declaration+1
Total available: 50 points. Your tier is whichever band the score lands in — Silver 25, Gold 32, Platinum 40. Audit depth changes how thoroughly we look; it never caps the number.
Silver, Gold and Platinum.
A provider’s tier is set purely by its score — nothing else moves the line. Audit depth changes how thoroughly we look (interviews, reference checks, on-site visits), but it never caps or inflates the score. Any provider that meets the criteria can reach Platinum.
A solid, credible provider. Meets the baseline on security, holds professional cover and has the reviews and trading history to back it up.
A strong all-rounder. Demonstrates depth across capability and service, with verified references and transparent commercial terms.
The top of the register. Comprehensive certification, an exemplary track record and evidence of proactive, mature operations across the board.
Below 25/50, no badge is issued. Providers that don’t meet the baseline aren’t ranked — and they aren’t charged for a badge they didn’t earn.
Checked at source, not taken on trust.
A claim on a website isn’t evidence. Where an independent register or issuing body exists, we check against it directly. These are the records that underpin a WhatMSP score.
Legal entity, incorporation date, company status and named directors — confirmed against the official UK register.
Cyber Essentials, CE Plus and IASME Cyber Assurance, verified against the IASME-issued certificate and the NCSC list of certified organisations.
Information-security and quality-management certifications confirmed through the UKAS-accredited certification body, not just a logo on a footer.
Public-sector supplier status checked against the CCS supplier list and the G-Cloud / Digital Marketplace.
Professional certifications held by named staff — CISSP and (ISC)², Microsoft, CompTIA — checked against the issuing body.
Registration as a data controller or processor, checked on the Information Commissioner’s public register.
Evidence of current professional indemnity cover (graded by level) and dedicated cyber insurance.
Ratings and review counts from Google and other public platforms, plus an evidenced Net Promoter Score where provided.
The metal is earned, never bought.
Providers pay for the audit and, if they choose, for a premium listing. Neither buys a better score and neither changes the ranking. A provider that fails the baseline is told so — and is not charged for a badge. The leaderboard you see is ordered by score alone, and it always will be.