Questions to Ask Your IT Provider About Their Compliance

Your IT system is urgently required to run your business. When the network goes down, your company can’t function, and you’re not able to help customers, process orders, and more. For these reasons, it’s essential to find IT experts who can keep your business up and running. But what should you look for in an IT partner? 

There’s no question that it’s crucial to find an IT partner you can trust. When you choose the right partners, you can count on everything working as it should. They ensure your systems run smoothly and you’re able to stay productive. On the other hand, choosing the wrong IT partner ensures you’ll have trouble the entire time you work with that MSP. 

However, do IT companies themselves need to comply with security standards?

When searching for an IT partner, it's important to ask them what qualifications they hold. Gaining a certification forces a provider to improve its practices against a recognised set of best practices, and renewing it regularly keeps those practices up to date. In the UK, the government backs the Cyber Essentials scheme, which provides a baseline for IT security.

The right IT company should hold the more rigorous Cyber Essentials Plus certification. In addition, several ISO certifications (20000, 22301, 27001, 27017, 9001) set out even stronger practices for protecting data and cloud services, managing IT services, and ensuring business continuity.

Also check whether any certifications your own business holds require your providers to hold these same certifications.

Have Independent Auditors Assessed You? 

Some certifications, such as the base Cyber Essentials, are self-assessed. However, a self-assessment isn't enough to ensure the IT company is fully protected and compliant. So, it's necessary to rely on certifications that can only be awarded after an independent third-party assessment, such as the Plus version of Cyber Essentials.

How Do You Approach Compliance?  

An IT company that takes compliance seriously as an ongoing effort will serve you better than one that treats compliance as a yearly exercise only.

Continuous improvement is crucial and beneficial to all areas of IT. Each of these areas needs ongoing work, maintenance, and learning from errors and near misses.

Do You Have Staff Dedicated to Security & Compliance? 

Security and compliance are serious issues, and an IT company needs someone working on these issues, measuring performance, and making improvements. 

While some IT companies may be pretty small, they should still have at least one employee who focuses on security & compliance, even if it’s not their full-time job. 

Who is Responsible for My Data, the MSP, a Third Party, or Myself? 

The answer is that all three are responsible for your data; however, this may happen at different times, especially if cloud tech is in place. 

The question helps you gauge how aware the provider is of the issues surrounding the technology. For instance, it's possible to find an IT provider who knows how to use the cloud. However, do they also understand how cloud services affect compliance?

When it comes to the cloud, there's something called the Shared Responsibility Model. It means that responsibility for compliance is split between you, your MSP and the cloud or data-centre provider, depending on the layer in question. For instance, if an employee emails sensitive files to the wrong email address, your company is at fault.

Is administrative access to your data restricted or controlled? If so, this is the responsibility of your MSP. 

Can anyone steal a server from a data centre and gain access to your company’s data? The one responsible for this level of compliance is the third-party data centre. 

What Methods Are Used to Protect Client Data? What protections are in place against security breaches and data leaks? 

An IT company usually has access to all your systems and data; they may also hold managed backup copies of everything. That's a huge responsibility. Unfortunately, it also makes the IT company a target for cybercriminals. If the IT company is hit by a cyber attack, your business could experience disruption, have to pay a ransom, and more.

So, before choosing an IT company, find out if: 

  • They're aware of the scale of their responsibilities
  • They're taking action to protect themselves and their clients

The right IT company will offer the following positive answers: 

  • Multi-factor authentication for all staff
  • Centrally managed antivirus with alerting
  • A next-generation firewall
  • Access limited to only the staff who require it
  • Segregated or separated networks
  • Access to systems only allowed from the office 
  • Backup checks & tests
  • Phishing training for staff
  • Security awareness training
  • Internal security audits

You don’t have to understand all the technical answers; however, consider whether the IT company is comfortable discussing the topic. If the IT company doesn’t come up with an answer, this may be a red flag that their security practices are not as secure as they should be. 

How is Your Disaster Recovery Handled? What Do You Recommend for Clients? 

These questions are asked to learn how the IT company copes when the worst happens. Even if the IT company has a great backup plan, without a disaster recovery plan they aren't ready for when the worst happens. And it will happen eventually. 

Here, you may want to give them a specific scenario, such as a fire, a flood, or a ransomware attack. 

The right answers may include references to high-availability servers, equipment, failovers to the cloud or data centre, recovery from off-site backup images, and more. But remember that disaster recovery plans also include communications. Does the company know who’s responsible during a disaster? Have they thought about how to communicate with clients and what that communication looks like? 

Cyber Risk Management—Do You Maintain an Information Security Risk Register? 

This question is used to determine the maturity of the IT company’s Cyber Security strategy. IT professionals should be aware of the standard set of security technologies. However, a mature IT company will go beyond this to review cybersecurity risks. 

An IT company that has worked through these questions is sure to have identified problem areas or oversights. They will be more secure than a company that hasn't gone through this thought process. The more protected a service provider is, the less risk of disruption you can expect to your own company's operations. You can also tell the company is in a better position to offer advice on how to apply these principles to your business. 

Summing It Up

These questions are all meant to seek out whether an IT provider is serious about security and compliance issues. Consider that a secure IT provider is less risky to your business and is better able to provide you with the right IT advice and guidance.