Ever wondered if your current MSP cuts the mustard?
Here’s how to find out!
Selecting the right partners (or the wrong ones!) can have a serious impact on your organisation’s performance, efficiency and security, not to mention your fundamental capability to provide the services you offer and your long-term success.
No business can be an expert in all the professional services functions it needs to stay solvent, secure, successful and performing at its peak – legal advice, accounting and financial services, IT and cybersecurity, amongst many others – which is why many leading organisations choose to partner with expert providers in these fields.
Poorly managed and unsecured technology exposes your business to new and emerging risks in the face of unrelenting cyber attacks levelled at individuals and organisations of all sizes and sectors. Perhaps more so than for any other professional service, partnering with the right Managed IT Services Provider (MSP) is a mission-critical choice.
Drawing on close to 30 years of experience in the IT industry, we have prepared a checklist of items to consider when selecting a new MSP, to assist you in making the safest, most secure and compliant technology provider choice for your organisation.
How and When to Ask the Right Questions?
Your MSP’s commitment to providing the highest level of service, quality and security for their clients is key to your business continuity and success. You should feel free to ask these questions of your provider at any time, and you should expect to receive a prompt and informed response.
A proactive, progressive and professional MSP should have no issues providing these details openly or upon request. And if they can’t, don’t or won’t…well it might be time to reconsider your options!
Professional Indemnity Insurance
- What is it? – This insurance protects professionals who provide advice or services to clients. It covers financial losses that may arise if a client claims that the professional’s advice or service was negligent or inadequate.
- Why is it important? – This insurance is crucial as it covers the provider against claims of negligence or inadequate work. It assures clients that they can seek appropriate compensation if the products or services delivered by the MSP adversely affect their business.
- How can it be verified? – Clients can request a Certificate of Currency from the prospective MSP that verifies that their Professional Indemnity Insurance Policy is current, and that it has a coverage amount of a minimum of AUD$5M.
Cyber Insurance
- What is it? – This is a type of insurance that helps businesses mitigate the financial risks associated with cyber threats such as data breaches and cyberattacks. It may cover costs related to damaged computer systems, lost revenue, legal expenses, and other cyberattack remediation costs. To become insurable, MSPs must meet the requirements of their policy. These requirements are extensive, often spanning over 20 pages and requiring proof of incident response, management, backup and disaster recovery capabilities.
- Why is it important? – In today’s digital age, cyber threats are a significant concern. A provider with cyber insurance demonstrates that they take cybersecurity seriously and have means and measures in place to address the legal, reputational, recovery and financial costs that may arise from a cyber incident.
- How can it be verified? – Clients can request a “Certificate of Currency” from the prospective MSP that verifies that their Cyber Insurance Policy is current, and verify the types of coverage and amounts.
Public and Product Liability Insurance
- What is it? – This is a type of insurance that protects your business if someone is injured or their property is damaged because of your business activities. It covers legal costs, compensation, and other people’s property in your control.
- Why is it important? – This insurance shows that the provider is prepared for any accidents, errors or defects that might occur during their operations. It gives clients peace of mind knowing that any potential damages or injuries will be covered.
- How can it be verified? – Clients can request a Certificate of Currency from the prospective MSP that verifies that their Public & Product Liability Insurance is current, and verify the coverage amount. Typically, this should be AUD$20M or higher.
Quality Management System (QMS)
- What is it? – A Quality Management System or QMS (such as ISO9001) is a formalised system that documents processes, procedures, and responsibilities for achieving quality policies and objectives. It helps coordinate and direct an organisation’s activities to meet customer and regulatory requirements, to improve its effectiveness and efficiency, and ultimately deliver high quality outcomes for clients with a focus on continuous improvement.
- Why is it important? – A documented, active and regularly audited QMS shows that the MSP is committed to delivering high-quality products and services – the first time. It indicates that they have structured processes in place to meet customer requirements and regulatory standards.
- How can it be verified? – Customers can request the Certificate ID of the MSP’s Quality Management System Certification. In Australia, organisations that have been independently certified as complying with the ISO9001 Quality Management System Standard are listed on the JAS-ANZ website register.
Information Security Management System (ISMS)
- What is it? – An Information Security Management System or ISMS (such as ISO27001) is a structured framework designed to safeguard an organisation’s valuable information assets, ensuring their confidentiality, integrity, and availability. It involves coordinating processes, technology, and resources to effectively identify and manage the risks associated with information security.
- Why is it important? – Most MSPs will have full access to your business’s critical data and business information, including Personally Identifiable Information of your staff and clients, as well as financial, account or billing information, and possibly other proprietary information. Having a documented, active and regularly audited ISMS is a clear indication of the MSP’s commitment to securing the valuable information assets within their systems. It shows that they have robust policies and controls to manage information security risks.
- How can it be verified? – Customers can request the Certificate ID of the MSP’s Information Security Management System Certification, as well as their Statement of Applicability. In Australia, organisations that have been independently certified as complying with the ISO27001 Information Security Management System Standard are listed on the JAS-ANZ website register.
Change Management System
- What is it? – Change Management is the process of tracking and managing a change throughout its entire life cycle, from start to closure, with the aim of minimising risk to a business. It involves a structured approach that includes steps for identifying, assessing, approving, implementing, and reviewing changes.
- Why is it important? – Change Management is crucial for the scalability of managed services and is becoming increasingly vital to cyber security. It helps maintain control over IT systems, reduce risks associated with unapproved changes, and ensure that changes align with business objectives. Effective change management can increase employee engagement, reduce frustration with operational and technology changes, and optimise project management.
- How can it be verified? – An MSP can provide a documented Change Management Policy and show evidence of effective Change Management through a well-structured change tracking system that includes both Internal Change Tracking and Customer Change Tracking. This process should typically involve policy-driven compliance requirements as well as consistent mechanisms for formal change request, review, approval, and meticulous documentation steps, overseen by an established Change Advisory Board (CAB) that meets frequently and regularly.
Australian Signals Directorate Essential Eight Maturity Model
- What is it? – The Essential Eight is a set of strategies recommended by the Australian Signals Directorate to help organisations protect themselves against various cyber threats and make it much harder for adversaries to compromise systems. The Essential Eight Maturity Model provides tiered and targeted security benchmarks organisations should work towards attaining to secure their environments, ranging from Level 0 to Level 3.
- Why is it important? – Implementing the Essential Eight and demonstrating Essential Eight Maturity Model level attainment shows that the MSP follows recommended strategies to mitigate cyber threats. It is a strong indicator of their commitment to maintaining a secure IT environment for their own operations, and of their ability to advise clients on working towards an Essential Eight Maturity Level commensurate with their own business requirements.
- How can it be verified? – There are many external / third party organisations that independently review and assess an MSP’s level of implementation of the Essential Eight mitigation strategies. Customers should seek out an MSP that has been independently verified to have implemented Essential Eight Maturity Level 3.
Microsoft Partner Status
- What is it? – This refers to the status level of an MSP’s formal partnership with Microsoft. There is a difference between being an entry level Microsoft Partner, and having been recognised by Microsoft as having the required skills and expertise in a Microsoft solutions area to be designated a Microsoft Solutions Partner. You may previously have heard about Microsoft Silver / Gold Partner statuses; these have now been retired, requiring MSPs to recertify against more stringent requirements in the new Microsoft AI Cloud Partner program.
- Why is it important? – This status shows that the MSP has a strong relationship with Microsoft, one of the leading technology companies. It indicates that their staff have the required level of technical training (as specified by Microsoft) and have access to the latest Microsoft resources and technologies. Engaging an MSP that has verified Microsoft Solutions Partner status ensures the best quality outcomes when configuring, deploying, supporting and maintaining various Microsoft systems, as well as getting the most out of your Microsoft License Subscriptions. At a minimum, customers who use the Microsoft 365 products (e.g. Outlook, Teams, Office Suite, OneDrive, etc.) should seek to engage an MSP with a Modern Work Solutions Partner designation.
- How can it be verified? – An MSP’s Microsoft Partner Status can be verified by searching the Microsoft Partner Register, and MSPs will usually show their partner status badges and details on their websites. Your MSP should also be able to provide you with Microsoft documentation upon request that displays their Microsoft Partner ID and partner status details.
Customer Satisfaction Metrics
- What is it? – Customer Satisfaction in the context of an MSP refers to the degree to which the end-users of the services provided by the MSP are pleased with those services. It evaluates the effectiveness of programs and services from the users’ viewpoint, emphasising individual users over technologies and applications. Mature MSPs will use the industry-recognised Net Promoter Score (NPS) methodology for measuring Customer Satisfaction.
- Why is it important? – For you as a customer, a consistently high NPS score for your MSP is a testament to the quality, reliability, and value of the services provided. It instils confidence in them as a quality provider of a positive user experience.
- How can it be verified? – The MSP should be able to provide detailed trends of their customer NPS score over time (years), so as to demonstrate consistent performance. An MSP delivering high quality services should be achieving an NPS score of 85 or greater.
How to Use this Information
Ultimately, the decisions you make about who to partner with should come down to your organisation’s risk appetite. You will need to determine if verbal assurances (e.g. “we take the security of access to your systems seriously”, “we have great customer service” or “you won’t be at risk, and everything will be fine if our systems are breached by a cyberattack”, “we’re working towards…”) are sufficient, or if you require more concrete evidence and assurance in order to make this very important decision.
To get you started on reviewing your current or prospective MSP arrangements, we have consolidated these questions into a checklist to guide you when selecting a new MSP.
Using this checklist will go a long way towards helping you consider your risk appetite and make the safest, most secure, and compliant technology provider choice for your organisation.