platform 365 logo with strap line
Book now

The Questions Every Business Should Be Asking Their MSP

The UK’s cyber risk landscape is changing, and expectations on managed service providers are rising fast.

That’s why Platform 365 is in the process of achieving Assurix certification, an independent assurance platform aligned with the National Cyber Security Centre (NCSC) MSP due diligence framework.

Assurix recently published a guide designed to help SMEs understand what good looks like when working with an MSP. What stood out to us wasn’t just the checklist, but how rarely businesses are encouraged to ask these questions of their existing provider.

So we’ve flipped it around.

If you work with an MSP today, here are five questions worth asking, and why they matter.

1. Can you provide evidence how access to our systems is controlled and monitored?

It’s not enough to say “we use best practice”. Businesses should expect clear controls around privileged access, MFA, and audit trails  and proof that they’re enforced.

2. How do you detect and respond to security incidents, and how quickly would we be informed?

A strong MSP can explain their monitoring, escalation paths, and response times in plain English. Vague answers usually mean reactive processes.

3. What security responsibilities sit with you, and which sit with us?

One of the biggest gaps Assurix highlights is unclear accountability. If responsibilities aren’t defined, risks fall between the cracks.

4. Can you demonstrate that patching, backups, and recovery processes are consistently tested?

Security controls only work if they’re maintained and verified. Evidence matters more than reassurance.

5. What independent assurance or certification backs up your security claims?

Third-party validation removes guesswork. It shows that processes are assessed against recognised standards — not just internal opinions.

Why This Matters

The NCSC guidance (and platforms like Assurix) exist because cyber risk increasingly sits outside the business, within supply chains and service providers.

Certification isn’t about badges. It’s about:

  • Transparency

  • Accountability

  • Repeatable, auditable security processes

That’s exactly why Platform 365 is pursuing Assurix certification, to give clients confidence not just in what we say, but in what can be independently verified.

If you’re not sure how your current MSP would answer these questions, that uncertainty itself is a signal worth paying attention to.