How UK Mid-Market IT Directors Should Vet an MSP's Security Posture Before Signing a Managed Services Deal


Gives UK mid-market IT directors a structured approach to vetting managed service providers on security. Covers the differences between Cyber Essentials Plus, ISO 27001, and SOC 2 Type II. Explains the NCSC MSP guidance published in late 2025, NIS Regulations obligations for MSPs, incident reporting requirements, and the specific due diligence questions that separate competent providers from those trading on trust.

Written by Thomas Burke

If you are an IT director at a UK mid-market organisation and you are about to sign a managed services contract, the security posture of your MSP is not a procurement checkbox — it is an operational risk decision. Your MSP will have privileged access to your network, your endpoints, your identity systems, and your data. If they are compromised, you are compromised. The NCSC published specific guidance on choosing MSPs in late 2025, the Cyber Security and Resilience Bill is moving through Parliament, and NIS Regulations already classify larger MSPs as regulated entities. This is a technical checklist for evaluating whether your prospective MSP can actually protect you, not just tell you they can.

Why MSP Security Posture Matters More Than It Used To

The threat model has changed. MSPs are high-value targets precisely because they hold privileged access to dozens or hundreds of client environments. A single MSP compromise cascades across every client they manage. The Kaseya VSA attack in 2021 demonstrated this at scale — a vulnerability in one remote monitoring tool led to ransomware deployment across over 1,500 downstream businesses.

The NCSC recognised this concentration risk and published dedicated guidance on choosing managed service providers in late 2025. The guidance is not advisory in the traditional sense — it is rapidly becoming the baseline that procurement teams reference when evaluating MSPs for mid-market and public sector contracts.

Under the NIS Regulations, MSPs classified as "Relevant Managed Service Providers" must register with the ICO, report incidents within 24 hours of awareness (with a detailed report within 72 hours), and demonstrate appropriate risk management measures. The Cyber Security and Resilience Bill, currently progressing through Parliament with second reading scheduled in early 2026, will extend these obligations further — bringing data centres, MSPs, and critical supply chain providers under direct regulatory oversight.

For an IT director signing a three-year managed services contract, this is not background noise. Your MSP's regulatory posture today determines your own risk exposure for the duration of the engagement.

The Certification Picture: What Each Standard Actually Tells You

[Chart: UK MSP Security Certifications Compared: Depth and Scope. How Cyber Essentials Plus, ISO 27001, and SOC 2 Type II compare on key evaluation criteria, scored 1 to 5 where 5 indicates the deepest coverage. Source: CTC editorial assessment based on NCSC and certification body documentation, February 2026.]

Three security certifications dominate MSP marketing in the UK: Cyber Essentials Plus, ISO 27001, and SOC 2 Type II. They are not interchangeable. Each tests a different thing at a different depth.

Cyber Essentials Plus is the UK government-backed scheme assessed through IASME. It covers five technical controls: boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management. The "Plus" designation means an independent assessor has verified these controls through hands-on technical testing — not just a self-assessment questionnaire. Certification renews annually.

Cyber Essentials Plus is a minimum. It confirms that an MSP has the basics in place, but it does not assess broader security management, incident response capability, or supply chain controls. It is the entry ticket, not the destination.

ISO 27001 is an international standard for an Information Security Management System. It requires the MSP to identify information security risks, select and apply controls proportionate to those risks, and maintain an ongoing cycle of assessment and improvement. Certification involves an external audit by a UKAS-accredited body (in the UK) and remains valid for three years with annual surveillance audits.

ISO 27001 tells you that the MSP has a structured approach to security governance. It covers policies, procedures, people, and technology across the entire organisation. The standard is risk-based and flexible — the MSP chooses which controls to apply based on their risk assessment, so two ISO 27001-certified MSPs may have very different control sets. Ask to see their Statement of Applicability to understand which controls they have applied and which they have excluded.

SOC 2 Type II is an American Institute of Certified Public Accountants standard that evaluates controls over a period of time (typically 6 to 12 months) against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type II report is more valuable than Type I because it tests whether controls operated effectively over time, not just whether they existed at a point in time.

SOC 2 is common among MSPs with US-headquartered clients or those operating cloud platforms. It is less prevalent in UK-only MSPs but increasingly requested by mid-market organisations with international operations. If your MSP holds SOC 2 Type II, ask for the full report — not a summary. The management assertions and auditor exceptions tell you what actually happened, not what the marketing team wants you to know.

The NCSC MSP Guidance: What to Look For

The NCSC guidance on choosing an MSP published in late 2025 covers five areas that your evaluation should address.

Security credentials and certifications: The NCSC recommends that MSPs hold Cyber Essentials Plus at minimum and ideally ISO 27001. Beyond certification, the NCSC advises checking whether the MSP's own staff receive regular security training, whether they conduct penetration testing of their own infrastructure (not just their clients'), and whether they have a formal vulnerability management programme.

Incident response capability: Ask for a copy of the MSP's incident response plan. It should define escalation paths, communication protocols, and recovery time objectives. Ask when they last tested the plan — a tabletop exercise or simulated incident within the past 12 months is the minimum you should expect. If the plan has never been tested, it is a document, not a capability.

Supply chain transparency: Your MSP uses tools from other vendors — RMM platforms, PSA tools, backup solutions, security products. Each of these vendors is part of your supply chain. The NCSC advises asking your MSP to identify all sub-processors and fourth parties that have access to your data or systems. If they cannot produce this list, they have not mapped their own supply chain.

Monitoring and detection: The MSP should be able to describe how they monitor their own infrastructure for threats — not just how they monitor yours. What SIEM or detection capability do they run internally? Do they have a 24/7 security operations function, or is monitoring limited to business hours? If their own house is not monitored around the clock, their response to a breach affecting your environment will be delayed.

Contractual commitments: Security commitments should be in the contract, not in a slide deck. SLAs for incident notification (the NCSC recommends MSPs notify affected clients within 24 hours of a confirmed breach), data handling obligations, and the right to audit should be specified in writing.

The Questions Your Procurement Team Should Ask

[Chart: MSP Security Evaluation: Minimum Evidence Checklist. Percentage of UK mid-market organisations that request each type of security evidence from MSPs during procurement, versus the percentage that should. Source: CTC editorial assessment based on NCSC guidance and UK channel feedback, February 2026.]

These are specific questions, not general enquiries. The answers should be factual and verifiable.

1. Can you provide your current Cyber Essentials Plus certificate and ISO 27001 Statement of Applicability?
2. When was your last external penetration test of your own infrastructure, and can we see the executive summary?
3. What RMM, PSA, and security tooling do you use internally, and which vendors have access to client data?
4. Describe your incident response process: who is the named incident manager, what are the escalation thresholds, and when did you last run a test?
5. What is your staff vetting process, and do all engineers with access to client systems hold current DBS checks?
6. Do you carry Professional Indemnity insurance and Cyber Liability insurance, and what are the coverage limits?
7. If a breach affects our environment through your systems, what is your contractual notification timeline?
8. Can you provide references from two current clients of comparable size and complexity?

If the MSP cannot answer all eight within a week, they are either disorganised or they do not have the answers. Neither is acceptable for a mid-market managed services engagement.

Consider scoring each answer on a three-point scale: verified (documentary evidence provided and current), stated (claimed but not yet evidenced), and absent (no answer or deflection). An MSP that scores "verified" on six or more of the eight is worth progressing to contract negotiation. An MSP with three or more "absent" scores should be disqualified regardless of price. This is not bureaucracy — it is a structured way to compare providers when your shortlist has three or four names on it and the sales presentations all sounded equally polished.

Document the responses in a due diligence register that records the date each piece of evidence was requested, received, and verified. This register becomes your audit trail if a regulator or insurer asks how you selected your MSP after an incident. The ICO has made clear in enforcement actions that "we trusted our provider" is not a defence under UK GDPR Article 28 processor obligations.
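As an added illustration of the scoring scale and due diligence register described above (example code written for this article, not a tool the page describes): each row records when an item was requested and answered and the date on the evidence supplied, evidence counts as current only inside the validity windows the article gives (12 months for a Cyber Essentials Plus certificate, a pen test and an incident response plan test), and the six-verified / three-absent thresholds decide the outcome. The fictional MSP's register, the "hold" outcome for the undefined middle case and the seven-day overdue flag are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Time-limited evidence per the article: CE+ certificates are valid for 12 months;
# a pen test and an incident-response plan test should be within the past 12 months.
VALIDITY_DAYS = {"ce_plus_cert": 365, "pen_test": 365, "ir_plan_test": 365}

@dataclass
class Entry:
    """One row of the due diligence register."""
    question: str                          # one of the eight procurement questions
    requested: date                        # date the question was put to the MSP
    answered: Optional[date] = None        # date the MSP responded (None = no answer)
    evidence_dated: Optional[date] = None  # date printed on the document supplied
    evidence_type: Optional[str] = None    # key of VALIDITY_DAYS if time-limited
    deflected: bool = False                # response was a deflection, not an answer

def is_current(entry: Entry, today: date) -> bool:
    """Documentary evidence only counts if it is inside its validity window."""
    if entry.evidence_dated is None:
        return False
    limit = VALIDITY_DAYS.get(entry.evidence_type)
    return limit is None or (today - entry.evidence_dated).days <= limit

def score(entry: Entry, today: date) -> str:
    """Article's three-point scale: verified / stated / absent."""
    if entry.deflected or entry.answered is None:
        return "absent"
    return "verified" if is_current(entry, today) else "stated"

def decide(register: list, today: date) -> dict:
    """Apply the article's thresholds across the eight questions."""
    scores = [score(e, today) for e in register]
    counts = {k: scores.count(k) for k in ("verified", "stated", "absent")}
    if counts["absent"] >= 3:
        outcome = "disqualify"      # three or more absent: out regardless of price
    elif counts["verified"] >= 6:
        outcome = "progress"        # six or more verified: on to contract negotiation
    else:
        outcome = "hold"            # assumed middle case: chase outstanding evidence
    overdue = [e.question for e in register          # unanswered after a week (assumed flag)
               if e.answered is None and (today - e.requested).days > 7]
    return {"scores": counts, "outcome": outcome, "overdue": overdue}

# Constructed register for a fictional MSP; dates and answers are made up.
TODAY = date(2026, 2, 20)
SAMPLE = [
    Entry("CE+ certificate and ISO 27001 SoA", date(2026, 2, 2), date(2026, 2, 5), date(2025, 6, 1), "ce_plus_cert"),
    Entry("Own-infrastructure pen test", date(2026, 2, 2), date(2026, 2, 6), date(2024, 9, 1), "pen_test"),
    Entry("Internal tooling and vendor access", date(2026, 2, 2), date(2026, 2, 6), date(2026, 2, 6)),
    Entry("IR process and last test", date(2026, 2, 2), date(2026, 2, 9), date(2025, 8, 15), "ir_plan_test"),
    Entry("Staff vetting / DBS", date(2026, 2, 2), date(2026, 2, 9)),
    Entry("PI and cyber insurance limits", date(2026, 2, 2), date(2026, 2, 9), date(2026, 1, 3)),
    Entry("Breach notification timeline", date(2026, 2, 2), deflected=True),
    Entry("Two comparable client references", date(2026, 2, 2), date(2026, 2, 10), date(2026, 2, 10)),
]

if __name__ == "__main__":
    print(decide(SAMPLE, TODAY))
```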

Red Flags in the Evaluation Process

Some warning signs appear during the sales process itself. If the MSP's pre-sales team cannot discuss security without deferring to a "technical resource" who is never available, security is not embedded in their culture. If they resist providing documentation — certificates, pen test summaries, insurance details — before contract signature, they will resist providing it after.

Watch for MSPs that cite Cyber Essentials (without Plus) as their primary security credential. The self-assessed version of Cyber Essentials requires no external verification and is a lower bar than the independently tested Plus certification. It is better than nothing, but it is not sufficient for an MSP managing mid-market environments.

Be cautious of MSPs that cannot articulate the difference between their own internal security controls and the security services they sell to clients. A well-run MSP practises what it sells. If they offer SOC-as-a-service to clients but do not run their own SIEM internally, the service is a revenue line, not a capability.

Another warning sign is an MSP that holds Cyber Essentials Plus but cannot name the assessor who conducted the test or the date of the last assessment. Certificates are only valid for 12 months, and an MSP operating on a lapsed certificate has no current external validation of their basic controls. Ask to see the certificate itself — it includes the assessment date and the certifying body. If it expired three months ago and they have not renewed, that tells you how seriously they take the process.

Pay attention to how the MSP handles your security questions during procurement. If they treat your due diligence as an inconvenience rather than a normal part of business, they will treat your security requirements the same way after contract signature. The best MSPs welcome detailed security scrutiny because they know their answers are strong. The worst deflect, delay, and hope you will sign before asking awkward questions.

Building Security Into the Contract

Your managed services contract should contain specific security clauses beyond the standard terms:

- Required notification of any security incident affecting your data or systems within 24 hours.
- The right to conduct or commission an annual security audit of the MSP's controls relevant to your environment.
- A data processing addendum compliant with UK GDPR specifying data locations, sub-processors, and retention periods.
- A commitment to maintain current Cyber Essentials Plus and ISO 27001 certification throughout the contract term, with notification if certification lapses.
- A named security contact within the MSP for escalation outside normal support channels.
- Business continuity and disaster recovery commitments with defined RTOs and RPOs for your environment.

Include a transition clause that requires the MSP to cooperate with any successor provider for a minimum of 30 days after contract termination. This cooperation should cover the transfer of documentation, configurations, credentials, and knowledge about your environment. Without a transition clause, your MSP holds operational power at the point when you are least able to negotiate — when you have already decided to leave.

Require an annual security review meeting where the MSP presents their current certification status, any incidents that affected your environment or their infrastructure, changes to their sub-processor list, and updates to their security posture. This should not be a sales meeting dressed up as a review. It should be a structured assessment with documented outcomes and action items.

These are not unusual requests. Any MSP competing for mid-market business in 2026 should expect them. If they push back on contractual security commitments, they are telling you where security sits in their priorities.

The First 90 Days After Signing

Vetting does not end when the contract is signed. The first 90 days of a managed services engagement are when you validate whether the MSP delivers what they promised during procurement.

In the first week, confirm that all admin credentials for your environment are documented in a shared, secure location — not held exclusively by the MSP. Verify that backup jobs are running and that a test restore has been completed successfully. Confirm that your endpoint protection, patching schedule, and monitoring are active and reporting as specified.

By day 30, request the first monthly security summary. This should include patch compliance rates, open vulnerabilities, any security incidents or alerts, and confirmation that your systems are being monitored to the agreed SLA. If the MSP cannot produce this report within 30 days of go-live, their operational maturity is lower than their sales team suggested.

By day 90, conduct your first formal review against the contractual SLAs. Compare promised response and resolution times against actual performance. Check whether the sub-processor list has changed since contract signature. If the MSP has substituted a security tool or changed a backup provider without notifying you, raise it immediately — this is a contractual matter, not a minor operational detail.

Frequently Asked Questions

What is the minimum security certification an MSP should hold?

Cyber Essentials Plus is the minimum for any MSP managing UK mid-market environments. It confirms that five basic technical controls have been independently verified. ISO 27001 demonstrates broader security governance and risk management. Ideally, your MSP holds both.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessed questionnaire covering five technical controls. Cyber Essentials Plus adds independent technical testing by a certified assessor who verifies the controls are working in practice. For MSP evaluation, only the Plus designation provides external assurance.

Should I ask for my MSP's penetration test results?

Yes. Ask for the executive summary of their latest external penetration test of their own infrastructure. This tests the MSP's defences, not a client environment. A reputable MSP will have had an external pen test within the past 12 months and will share the summary under NDA.

What is a SOC 2 Type II report and do UK MSPs need one?

SOC 2 Type II is an American standard that evaluates security controls over a period of time. It is not mandatory in the UK, but it is increasingly requested by mid-market organisations with international operations. If your MSP holds one, ask for the full report including auditor exceptions.

What should the contract say about security incidents?

The contract should require notification of any security incident affecting your data or systems within 24 hours. It should define what constitutes a reportable incident, specify the communication channel, and include the right to receive a post-incident report with root cause analysis and remediation steps.

How do NIS Regulations affect my MSP?

Under NIS Regulations, MSPs providing services to organisations in essential services sectors must register with the ICO, implement risk management measures, and report incidents. The Cyber Security and Resilience Bill will extend these obligations further. Ask your MSP whether they are classified as a Relevant Managed Service Provider and what compliance measures they have in place.

About the Author

Thomas Burke

With a background in Film Studies, I bring a cinematic approach to corporate communications. I don't believe in simply pointing a camera; I believe in a full 360° support system. This means I work closely with marketing teams and IT leaders on: Pre-production strategy to clarify the message. Media training to ensure executives are comfortable and authoritative. End-to-end production that is cost-effective and seamless. My work is defined by absolute professionalism and high standards; a commitment that has led to successful projects for the world’s largest IT companies and the British Royal Family.