TL;DR. Pick an IT support company on four things: written SLA with specific response times, transparent per-user pricing, a clean data-exit clause, and evidence they already deliver Cyber Essentials. Everything else — logos, accreditations, years trading — is a tiebreaker. Below are the eleven questions to ask at first meeting, and what good answers look like.

Start with the contract, not the pitch deck

Every MSP pitch sounds the same. The difference lives in the paperwork. Ask for a draft contract before the second meeting and read the SLA, termination and pricing schedules carefully. If they won't send one until you've signed a letter of intent, that's your answer.

The 11 questions

1. What is your response time SLA, in writing, by priority?

Good answer: "30 minutes for priority 1 (business-down), 2 hours for priority 2 (user can't work), 4 hours for priority 3 (workaround exists)." Bad answer: "We respond very quickly" or "as soon as we can".

2. How do you price?

Per-user-per-month is the cleanest model for most small businesses. Expect £40–£80 per user at the managed tier. Be suspicious of a very cheap price (£25) — there's almost no engineering time in that number — and of "contact us for a quote" when no figure appears anywhere on the site.

3. Will I have a named engineer and account manager?

You want both. An engineer who learns your setup, and a non-engineer contact for commercial questions. If the answer is "the team handles everything", you're buying a ticket queue.

4. What's your engineer-to-user ratio?

60–90 users per engineer is healthy for a proactive managed service. 150+ is a volume shop running on autopilot. Ask the number.

5. Are you local enough to be on-site today if needed?

For West Sussex businesses, "same-day" usually means an engineer driving from somewhere within an hour. Ask where the engineers physically sit. Remote-only MSPs are fine for cloud-native teams but painful when a switch fails.

6. Do you deliver Cyber Essentials or just tick the box?

Cyber Essentials v3.3 Danzell (in force 27 April 2026) auto-fails any tenant where MFA is available on a cloud service but switched off. A serious provider will build your tenant to pass on day one. Read the NCSC Cyber Essentials overview so you can judge their answer.

7. What's your backup and restore test cadence?

Expect monthly test-restores of Microsoft 365 data and quarterly test-restores of servers, with a written report. "We do backups" is not an answer.

8. How do you handle out-of-hours and emergencies?

On-call rota with a published number, or a genuine 24/7 desk. Some providers charge extra per incident out of hours — check the rate card before you sign.

9. What does your onboarding look like in the first 30 days?

A credible plan: week 1 discovery + credential handover, week 2 fix the urgent risks (missing MFA, unpatched devices, expired backups), weeks 3–4 standardise Microsoft 365, deploy endpoint protection, document the environment. Anything vaguer than this is worrying.

10. How does the contract end?

The data-exit clause is the single most important paragraph in the contract. It should say: on 30 days' notice, admin access is transferred back, documentation is delivered, and the provider's accounts are removed — at no additional cost. If it says "reasonable fees apply", negotiate that out.

11. Who owns the Microsoft 365 tenant?

You do. Always. The provider should hold Global Admin for the duration of the contract, under your tenant, with accounts they remove on exit. If they've set the tenant up under their own reseller umbrella and you can't get it out, you've been licensed, not served.

Red flags that end the conversation

  • No pricing on the website anywhere
  • 36-month contracts as the "standard" option
  • Testimonials with only first names
  • No photos of real staff on the about page
  • Refuses to send the contract before a signature
  • Can't produce a Cyber Essentials certificate of their own
  • "We partner with everyone" — translation: they're a reseller, not engineers

Scoring the shortlist

Score each provider 1–5 on the 11 questions. Weight SLA, pricing transparency, Cyber Essentials capability and data-exit most heavily — they predict how the relationship ends, not how it starts. Two references from existing clients, chosen by you from their client list rather than hand-picked, are worth more than a glossy brochure.

At Syntek we publish our IT support pricing and contract shape openly. Ask for a copy and compare against whoever else you're considering — that's the job.

FAQ

Should I pick a local or national IT company?

For a small business under 100 users, local usually wins. You get on-site response, a named engineer, and someone who knows the area. National providers are stronger for multi-site operations above 100 users.

Do I need a long contract?

No. A good UK MSP will offer 30-day rolling terms. If they insist on 36 months to get a sensible price, they are pricing for churn — walk away.

How many clients should a good IT company have per engineer?

A healthy ratio is around 60 to 90 users per engineer. Much higher and SLAs start slipping. Ask the question and expect a specific number.

What accreditations actually matter?

Cyber Essentials Plus (for the provider themselves), Microsoft Solutions Partner for Modern Work, and — for larger clients — ISO 27001. CompTIA certifications are a reasonable engineer-level signal.