IT Support
IT Support Provider Checklist: 50-Point UK Scorecard
7 July 2026

Reviewed by Blake Smith, Head of Service at LBT, who is responsible for service delivery, SLA performance, and support escalation across every managed IT client — and is accountable for every SLA figure quoted in this article. Last updated July 2026.
Choosing the wrong IT support provider doesn't just cost you money. It costs you time, data, reputation, and — in the worst cases — the business itself. Yet most UK companies still pick an IT provider the way they pick a plumber: a recommendation, a quick call, a gut feeling, a signature.
If you haven't yet settled on managed IT support as the right model for your business, our guide to choosing managed IT support is the place to start before running this checklist. That's not good enough anymore. 43% of UK businesses reported a cyber security breach or attack in the last 12 months, and the average self-reported cost of the most disruptive breach rises to £3,550 once you exclude businesses that reported zero cost — usually because they weren't measuring it properly, not because there wasn't one (GOV.UK Cyber Security Breaches Survey 2025). Your IT provider is the single biggest control you have over whether your business ends up in those statistics or stays out of them.
This article is not another "how to choose an MSP" think-piece. It's a working checklist — 50 due diligence points across five categories, plus a free downloadable one-page scorecard version at the end — that you run through before you shortlist, interview, or sign with any IT support provider in the UK. Print it, tick it, hold every provider to it. By the end, you'll know exactly what "good" looks like and exactly what to walk away from.
Here's what we're covering:
- Certifications and accreditations
- Service levels, response times, and escalation
- Security, data handling, and compliance
- Onboarding, references, and ways of working
- Pricing, contracts, and commercial transparency
Let's get into it.
1. Certifications, Verification and Accreditations Checklist
Before you judge any provider — including us — by a wall of badges, it's worth understanding what a certification actually proves and what it doesn't. Some in the industry call this the "proof gap": the IT industry isn't regulated the way accountancy, law, or financial advice are, and the certifications that do exist are typically self-assessed and describe a single point in time — closer to a food hygiene rating or last year's MOT than an ongoing guarantee. Two providers holding the identical certificate can be delivering wildly different levels of real-world security, because the provider being assessed is the one filling in the paperwork.
That doesn't make certifications worthless — it means they're a starting point, not the finish line. Here's what to actually check:
- Cyber Essentials (the realistic baseline) — a government-backed minimum covering five technical controls; ask for the certificate number and verify it yourself on the NCSC or IASME register rather than taking a logo on a website at face value
- When it was last renewed — requirements tighten periodically (the next major update lands April 2026, extending mandatory MFA to all users and raising the minimum password length to 12 characters), so a certificate from two cycles ago may not reflect current practice
- Cyber Essentials Plus or an equivalent independent audit — a stronger signal than self-assessment, though plenty of solid providers operate well without it; treat it as a bonus, not a dealbreaker
- Sector-relevant accreditations, weighed by relevance — ISO 27001 matters more if you're in a regulated sector, SOC 2 matters if you handle US client data, Microsoft Partner status matters if you're deep in the Microsoft stack. Ask which apply to your business rather than expecting every provider to hold every badge going
- Professional indemnity and cyber liability insurance, with cover levels appropriate to your business size
- Evidence of ongoing, independent verification — not just a certificate renewed once a year. Ask directly: is anything about your security or service delivery checked by someone other than yourselves, on a rolling basis, rather than an annual tick-box exercise?
- Whether they hold themselves to the same standard they sell you — do their own admin accounts, backups, and access controls meet the bar they're recommending for your business?
- Membership of a recognised industry body, where relevant to your sector — useful context, not a substitute for the points above
- Willingness to be checked, not just to assert compliance — a provider confident in its own delivery should welcome scrutiny of the claims above, not deflect it
- What happened the last time something slipped — ask about a real incident or near-miss and how it was handled; that answer tells you more than any certificate
The fix for the proof gap isn't another certificate or a glossier logo wall — it's independent, ongoing verification instead of a once-a-year, self-authored claim. It's exactly why LBT's Technology Resilience Score™ assessment is consultant-verified rather than self-marked, and why we'd rather be judged on that than on how many badges we can fit on a website footer.
see how your current provider's controls score against the Technology Resilience Score™
2. Service Levels, Response Times, and Escalation Checklist
This is where most IT contracts fall apart in practice. A provider can promise the world in a sales meeting, but if the SLA document doesn't back it up in writing, it's not worth the paper it's printed on. Interrogate the detail here — not the headline number.
- Written SLA document, not just a verbal promise or a line in a proposal
- Response time by priority level — critical, high, medium, low — clearly defined with example scenarios
- Resolution time targets, not just response/acknowledgement time (these are very different things)
- What counts as "critical" — get this defined in writing so there's no argument during an actual outage
- 24/7 vs business-hours support — and what "24/7" actually covers (monitoring only, or a live engineer?)
- Named escalation path — who do you call when the helpdesk isn't cutting it, and how fast?
- Escalation to senior/second-line engineers — timeframes and triggers
- SLA penalties or service credits if targets are missed — does the contract have teeth?
- Reporting on SLA performance — do you get monthly/quarterly data on actual vs target response times?
- Multiple contact channels — phone, portal, email — and which gets the fastest response
- Out-of-hours and emergency contact process, tested and documented
An SLA is only worth the paper it's printed on if the provider actually hits it. Here's what a genuinely tiered SLA looks like in practice — this is LBT's own published commitment to clients, shown so you have a real benchmark to hold prospective providers against, not a hypothetical one:
| Priority | Affected service | Target response | Target resolution |
|---|---|---|---|
| P1 | Service not available — all users and functions unavailable | 1 business hour | 8 business hours |
| P2 | Significant degradation — large number of users or business-critical functions affected | 2 business hours | 16 business hours |
| P3 | Limited degradation — limited users/functions affected, business can continue | 4 business hours | 32 business hours |
| P4 | Service requests — e.g. new equipment, starter or leaver | 8 business hours | Quoted per request |
On top of the priority table, every user request should be triaged fast — LBT triages all requests within 15 minutes or less during business hours — and security alerts deserve their own, tighter standard: at LBT, every security alert is triaged within 15 minutes, 24/7, with immediate restrictive action taken where required, not queued behind routine tickets. If a provider's proposed SLA is vaguer or slower than this across the board, ask why. Ask for three months of actual SLA performance data, anonymised if needed to protect client confidentiality, too — a provider confident in hitting its numbers will find a way to show you, not wave the request away.
download the checklist as a printable scorecard
3. Security, Data Handling, and Compliance Checklist
This is the section that protects you legally and operationally, and it's the one businesses skip fastest because it feels like small print. Don't skip it. Your provider will have privileged access to your systems, your data, and often your customers' data too.
- Signed Data Processing Agreement (DPA) compliant with UK GDPR
- Clear data residency commitments — where is your data stored, backed up, and processed?
- Backup strategy detail — frequency, retention, and proof of regular restore testing (not just "we back up daily")
- Documented incident response plan — what happens in the first hour of a breach, and who leads it?
- Breach notification commitment — will they tell you within 72 hours to meet your own ICO obligations?
- Multi-factor authentication enforced on their own access to your systems, not just recommended to you
- Least-privilege access model — do their engineers have blanket admin rights, or scoped, logged access?
- Staff vetting and background checks for engineers with access to your environment
- Sub-processor transparency — do they use third parties (offshore helpdesks, tooling vendors), and are they disclosed?
- Cyber insurance certificate with a sum insured that reflects real exposure, not a token policy
- Right-to-audit clause in the contract, so you can verify controls, not just take their word for it
If you're weighing up outsourcing in the first place rather than just vetting a shortlist, our outsourced IT support FAQ covers the data-handling and access questions business owners ask most before signing anything.
Phishing remains the most common and most disruptive attack vector, hitting 38% of UK businesses in the last year (GOV.UK Cyber Security Breaches Survey 2025). A provider worth hiring should be able to show you, unprompted, what they do to stop phishing becoming a breach — not just what they'll do to clean up after one.
4. Onboarding, References, and Ways of Working Checklist
The sales pitch tells you what a provider says they'll do. The onboarding process and their existing clients tell you what they'll actually do. This is the section most businesses under-invest time in — and regret it within the first 90 days of a new contract.
- Documented onboarding plan with milestones, not a vague "we'll get you set up"
- Full network and asset audit as a mandatory first step, not an optional extra
- Realistic onboarding timeline — be suspicious of anyone promising a same-week full migration for a business of any size
- Named account manager and technical lead, not a rotating cast of strangers
- At least three verifiable client references, ideally in your sector or of similar size
- Willingness to let you speak to references directly without a scripted call
- Client retention/churn data — ask directly how many clients they've lost in the last 12 months, and why
- Evidence of proactive account management — quarterly business reviews, roadmap discussions, not just tickets
- Clear offboarding/exit process documented before you even sign (data handover, access revocation, timelines)
- Cultural fit — do they talk your language, or drown you in jargon and acronyms?
- Genuine understanding of your business goals, not just your ticket queue
A provider that's confident in its own delivery will hand over references without hesitation. One that hedges, delays, or offers only "written testimonials" instead of a phone call is telling you something important.
see how LBT structures onboarding and account management for managed IT clients
5. Pricing, Contracts, and Commercial Transparency Checklist
Cost is rarely where IT relationships fail first — but unclear pricing structures are where trust erodes fastest. Get everything itemised before you sign, not after the first invoice with surprise line items on it.
- Fully itemised pricing — per-user, per-device, or fixed-fee, clearly broken down
- No hidden charges for "emergency" or out-of-hours work — or clear, pre-agreed rates if they exist
- Contract length and break clauses — avoid being locked into multi-year terms with no exit
- Notice period for cancellation, clearly stated and reasonable (30–90 days is standard; anything longer needs justification)
- Price review/increase terms — how and when can they raise fees, and by how much?
- What's included vs chargeable as project work — clarity on where "support" ends and "billable project" begins
- Transparent third-party/licensing pass-through costs — no unexplained markups on Microsoft or vendor licensing
- Scalability of pricing as you add or remove users/devices
- No penalty for right-sizing your contract as the business changes
- A written, plain-English contract — if you need a solicitor to understand the SLA, that's a problem in itself
Given that IT support pricing models vary hugely across the UK market, the number on the quote means nothing without the detail behind it. The cheapest provider on paper is often the most expensive once you account for exclusions, chargeable "emergencies," and slow escalation paths.
How to Use This Checklist
Don't just read it — run it. Score each prospective provider against all five sections, out of ten items apiece, for a total out of 50. Anyone scoring below 35/50, or refusing to answer a question directly, shouldn't make your shortlist.
Get the Printable Scorecard
This checklist is designed to be used live, in a meeting, not just read once. We've turned it into a one-page PDF scorecard — same 50 points, same five categories, laid out so you can score a provider on the spot and compare them side by side against a shortlist.
download the free IT support provider scorecard (PDF)
If your current provider can't help you answer these questions confidently, that's not just a risk sitting on your books — it's a clear opportunity to benchmark them properly and move to a partner who can lift your score. LBT builds exactly this kind of structured, evidence-based review into every Technology Resilience Score™ assessment, measuring an organisation's — and, by extension, its supplier's — ability to prevent, withstand, and recover from technology and cyber risks, scored from 1.0 to 5.0.
see how your provider's score would compare
FAQ
How long should it take to switch IT support providers?
A well-run onboarding for a business of 20–100 users typically takes 4–8 weeks from signed contract to full transition, including a full asset audit, documentation handover from your outgoing provider, and staged cutover. Be wary of anyone promising it in days — thoroughness here prevents problems later.
Is Cyber Essentials enough, or do I need Cyber Essentials Plus?
Cyber Essentials is a strong minimum baseline and is self-assessed. Cyber Essentials Plus adds independent, hands-on technical verification of those same controls — it's the stronger signal of genuine capability, and increasingly expected by insurers, public sector clients, and supply chains.
What's a reasonable response time SLA for critical issues?
Separate triage from formal response. Genuinely good providers triage every incoming request within 15 minutes during business hours, and treat security alerts even more urgently — 15-minute triage, 24/7, with immediate restrictive action where needed. Formal response against a defined priority level (as opposed to initial triage) typically scales from around 1 business hour for a full service-down (P1) issue up to 8 business hours for routine service requests. Anything vaguer than a written, tiered table like this isn't a real SLA.
Should I choose a local UK provider or does location not matter?
Location matters less for remote support delivery, but UK data residency, UK GDPR compliance, and time-zone-aligned support matter a great deal. Confirm exactly where your data sits and where support staff are based — don't assume.
How do I know if my current provider is actually any good?
Benchmark them. Independently assess your organisation's technology resilience rather than relying on their own reporting of their own performance — a consultant-verified score gives you a number you can hold them to, and something concrete to compare against if you ever need to test the market.
Conclusion: Use the Checklist, Then Verify
A checklist is only as good as the honesty of the answers you're given. Run every prospective provider through all 50 points above, score them properly, and don't be talked out of the sections that feel awkward to ask about — those are usually the ones that matter most.
Then go a step further than paperwork. Get an independent, consultant-verified baseline of your own technology resilience with LBT's Technology Resilience Score™ assessment, so you're comparing providers against a real number, not a sales pitch.
One more thing worth checking before you run this checklist: make sure you're actually shopping in the right part of the market. Our guide to right-sized IT support for small business covers how to judge fit by size, not just by ticking boxes.
Is your business's technology environment resilient?
Find out how prepared you really are to keep operating and recover quickly if disruption hits — with a free Technology Resilience Score™.