You’re comparing three MSPs. Their proposals look similar. Everyone claims 24/7 support, a dedicated account manager, and “proactive monitoring.” The pricing is within a few hundred dollars a month of each other. And you still have no idea which one will actually show up when something breaks at 2 a.m.
This post gives you a concrete evaluation framework — what to examine, what to ask, and what should send you straight to the exit — before you sign a managed services agreement.
The right MSP isn’t the one with the best slide deck. It’s the one who can prove their response times, show you their SLA in plain language, and answer hard questions without getting defensive. Here’s how to tell the difference before you’re locked into a contract.
MSP evaluation is the structured process of assessing a managed service provider’s technical capabilities, service delivery model, security posture, contractual terms, and cultural fit before entering a managed services agreement. A thorough evaluation covers proposals, technical interviews, reference checks, and SLA analysis — not just price comparison.
What Should an MSP’s Service Scope Actually Cover?
Most MSP proposals look comprehensive on the surface. But scope is where the gaps hide — and gaps become your problem the moment something outside them breaks. Before you evaluate anything else, get clarity on exactly what’s included and what triggers an out-of-scope charge.
A capable MSP serving a mid-market business should cover, at minimum: endpoint management and patching, network monitoring, helpdesk and end-user support, backup and disaster recovery oversight, vendor management (Microsoft 365, ISPs, line-of-business apps), and a security baseline (managed antivirus and MFA enforcement at the least). If any of those are optional add-ons, understand that cost before comparing per-seat numbers.
Some MSPs separate “managed IT” from “managed security.” If your provider doesn’t include security monitoring as a baseline, ask specifically what happens when a security incident occurs — and who’s responsible for the response.
The right question isn’t “what do you offer?” — it’s “what’s explicitly excluded from my agreement, and what does it cost to add?” Get that in writing during the proposal stage.
How to Assess an MSP’s Security Capabilities
Cybersecurity is no longer a premium add-on — it’s a baseline expectation. For businesses handling personal data under PIPEDA or health information under PHIPA, your MSP’s security posture is directly tied to your own compliance exposure.
When evaluating security capabilities, look beyond the marketing language. Ask whether they operate a Security Operations Centre (SOC), what their Managed Detection and Response (MDR) capabilities look like, and whether they hold security-specific certifications. An MSP that can’t answer concretely about threat detection and incident response isn’t equipped to be your security partner.
From a security operations standpoint, the distinction between an MSP and an MSSP (Managed Security Service Provider) matters. A pure MSP manages your infrastructure and keeps the lights on. An MSSP actively monitors for threats and responds to incidents. Many providers market themselves as both — push them to prove it by asking about their SOC staffing model, shift coverage hours, and mean time to detect and respond (MTTD/MTTR) metrics.
Ask any MSP candidate to walk you through how they handled a real security incident in the last 12 months — what happened, what they did, and what the outcome was. A vague answer tells you everything. As a Fortinet Authorized Partner, we use this question ourselves in every competitive evaluation we participate in.
What to Look for in an MSP’s SLA
The SLA (Service Level Agreement) is the document that actually defines your relationship — not the sales presentation. If it’s vague, full of carve-outs, or measured in metrics that don’t match your business needs, no amount of goodwill makes up for it when something goes wrong.
Focus on four areas when reviewing any MSP’s SLA:
Response time vs. resolution time: Response SLAs (“we’ll acknowledge your ticket in 1 hour”) are nearly meaningless on their own. What matters is resolution time — how long before your issue is actually fixed? Ask for both metrics, broken out by severity level.
Uptime guarantees and how they’re measured: What counts as “downtime” in their SLA? Is scheduled maintenance excluded? What’s the compensation if they miss their uptime target — and is it meaningful or a token credit?
Exclusions and carve-outs: Every SLA has them. Common exclusions include third-party vendor outages, user error, and hardware failures outside a certain age. Know where your coverage ends before you need it to kick in.
Escalation paths: Who do you call when the standard helpdesk isn’t cutting it? A well-structured SLA defines a clear escalation chain — L1 to L2 to L3 to management — with contact information and time-bound escalation triggers at each stage.
If an MSP’s SLA doesn’t include financial penalties for missing response or resolution targets, their commitments are unenforceable. “We take this very seriously” is not a service guarantee.
Red Flags That Should Stop You Cold
Most MSP sales processes are polished. The red flags don’t show up in the proposal — they show up in how a provider handles scrutiny. Here’s what to watch for during your evaluation:
- They can’t provide a reference in a similar industry. Any reputable MSP serving mid-market clients should connect you with a current customer willing to take a call. Reluctance here is a signal worth heeding.
- All-inclusive pricing with zero detail. A flat per-seat price with no scope breakdown makes it impossible to know what you’re buying — or where you’ll get charged extra later.
- They don’t know your compliance requirements. If you mention PIPEDA, PHIPA, or SOC 2 and get a blank stare, they’re not the right partner for a regulated industry.
- Long auto-renewal terms with short cancellation windows. A three-year auto-renewing contract with a 90-day cancellation notice window — buried in the fine print — is a trap, not a partnership.
- No documented onboarding process. The first 90 days are the highest-risk period of any MSP relationship. If they can’t describe their onboarding methodology, expect a rocky start.
Questions to Ask an MSP Before Signing Anything
The questions you ask during an MSP evaluation reveal as much about the provider as their answers do. A confident, capable MSP will welcome detailed questions — and their responses will be specific, not generic. Use this as your pre-signing interview guide.
| Question | What a Strong Answer Looks Like | What to Watch For |
|---|---|---|
| What’s your average response time for P1 issues? | Specific minutes or hours, tracked and reportable | Vague language or no SLA data available |
| How many clients per technician do you support? | A specific ratio with rationale (typically under 50:1) | Refusal to answer or “it depends” |
| Who owns our data if we leave? | Clear data portability policy with a defined offboarding window | Evasive language (“we’ll need to discuss that”) |
| How do you handle after-hours incidents? | Named on-call staff model with defined escalation | “Our team is always available” with no specifics |
| What does your onboarding look like? | Documented 30/60/90-day plan with milestones | Generic response with no timeline or deliverables |
| Can you provide SOC 2 or equivalent attestation? | Yes, with documentation available on request | Confusion about what SOC 2 means |
How to Score and Compare MSPs Side by Side
Once you’ve gone through discovery with two or three MSP candidates, you need a structured way to compare them — not just gut feel. A simple weighted scoring model removes the subjectivity and gives you a defensible decision you can present to leadership.
| Criteria | Suggested Weight | Notes |
|---|---|---|
| Security capabilities and posture | 30% | Hardest deficiency to fix mid-contract |
| SLA terms and enforceability | 25% | Must include financial penalties to be meaningful |
| Service scope coverage | 20% | Compare included vs. add-on carefully |
| References and track record | 15% | Industry-matched references preferred |
| Pricing transparency and contract terms | 10% | Auto-renewal clauses, cancellation windows |
Score each MSP 1–5 on every criterion, multiply by the weight, and sum the totals. If two candidates land within 5% of each other, let security capabilities and reference quality be the tiebreaker — those are the areas where deficiencies cause the most damage after you’ve signed.
In our work with GTA mid-market firms, the evaluation criterion that gets skipped most often is data portability and offboarding terms. Always ask: “If we leave in 18 months, what does that process look like and what do we get back?” The answer reveals how much the MSP values the relationship versus just the contract.
Evaluating an MSP isn’t about finding the cheapest option or the most impressive-sounding proposal. It’s about finding a provider whose capabilities, SLA terms, and security posture match your risk profile — and who can prove it before you sign. Run every candidate through the same framework, and let the evidence decide.
If you’re currently evaluating managed IT options in the GTA, we’re happy to answer the same hard questions outlined here — and put our SLA terms in front of you in plain language. Learn more about Balanced+ Managed IT or reach out to start a conversation with no commitment required.
Frequently Asked Questions
What is the average cost of managed IT services in Canada?
Managed IT services in Canada typically range from $100 to $250 CAD per user per month for a fully managed model, depending on service scope, user count, and security inclusions. Businesses with higher compliance requirements (healthcare, finance) or complex environments generally fall toward the higher end. Pricing below $100/user is common but often excludes security services or after-hours coverage, or comes with higher technician-to-client ratios that affect response quality.
What is the difference between an MSP and an MSSP?
An MSP (Managed Service Provider) manages your IT infrastructure — endpoints, networks, helpdesk, backups — and keeps systems operational. An MSSP (Managed Security Service Provider) focuses specifically on security: threat monitoring, incident detection and response, vulnerability management, and compliance support. Some providers offer both under one agreement; others require separate engagements. For businesses handling sensitive data, a provider that covers both is strongly preferable to managing two separate vendor relationships.
How long should an MSP contract be?
Most MSP agreements run one to three years. One-year terms offer more flexibility but may come with higher monthly pricing. Three-year terms often unlock better rates but carry more risk if the relationship doesn’t work out. Whatever the term length, pay close attention to auto-renewal clauses and the required cancellation notice period — commonly 60 to 90 days — meaning you need to act well before your contract anniversary to avoid rolling into another full term.
What should I check before signing an MSP contract?
Before signing, verify four things: the SLA includes enforceable response and resolution time commitments with financial penalties (not just “best effort” language), the scope section explicitly lists what’s excluded, data ownership and offboarding terms are clearly defined, and you’ve spoken directly with at least one reference client in a similar industry. If any of these are missing or vague, negotiate them in before the signature — not after.



