The Seven Questions to Ask Your IT Provider Before They Cost You a Breach

Seven questions. That is the tool. Ask them before your next IT contract renewal, and you will have a clear picture of whether your monthly fee is buying genuine security or a vague collection of assurances that will not hold up under pressure.

This is not about starting a confrontation. It is about applying exactly the same scrutiny to your IT contract that you would apply to a lease, a supplier contract, or an insurance policy. If the provider is doing the job properly, they will welcome the questions. They will already have the evidence. They will send you a patching report and a screenshot of your MFA conditional access policies before you have finished the tea.

If they are not doing the job properly, you will know that within two working days of sending the email. The response patterns are consistent and recognisable. What follows is the exact guide.

Before you ask: frame it correctly

Send the questions in a calm, professional email. The framing matters. This is not a performance review or a legal threat. It is a routine cyber risk review, which is something every competent director or manager should be running at least annually.

A workable opening line: “We are reviewing our cyber risk position and want to confirm that our current controls and documentation are in order. Can you walk us through the following?”

That framing is accurate, non-confrontational, and puts the burden of evidence exactly where it should sit: with the provider.

Question 1: Do you hold Cyber Essentials certification yourselves?

The UK government’s Cyber Essentials scheme covers five basic technical controls: firewalls, secure configuration, access control, malware protection, and patch management. The baseline version can be self-attested. Cyber Essentials Plus involves independent verification.

If an IT provider cannot meet the government’s own baseline for their internal systems, something is wrong with the picture. A provider who holds neither version cannot honestly advise clients on achieving it, and cannot credibly argue that the controls they are delivering on your behalf are adequate.

Green flag: Yes, we hold Cyber Essentials Plus, renewed annually. Here is the current certificate number.

Red flag: We are planning to apply next quarter. We hold it for clients but not internally yet. It is not always applicable to how we work.

Evidence to request: The current certificate number, verifiable at the NCSC certificate lookup.

Question 2: Is MFA enforced across our systems?

Note the exact word: enforced. Not available, not recommended, not offered. Enforced.

Multi-factor authentication should be mandatory on Microsoft 365 or Google Workspace, on any VPN or remote access solution, on any privileged administrative accounts, and on any cloud services with access to business data. The enforcement mechanism is a conditional access policy, or equivalent, that blocks authentication without a second factor rather than prompting users who then dismiss the prompt.

This question is particularly important for cyber insurance. Nearly every modern cyber policy requires MFA enforcement. Missing MFA at the time of a breach is the most commonly cited reason for UK cyber claim denials.

Green flag: Yes, enforced via conditional access policies on all Microsoft 365 accounts. Here are the current policies showing which user groups are in scope. Remote access via VPN requires MFA to authenticate.

Red flag: Yes, we have MFA switched on. We encouraged all staff to set it up. Most have, but it is up to users. We can look at enforcing it for your more senior staff.

Evidence to request: Screenshots of conditional access policies showing the enforcement rule and the user groups in scope. VPN authentication configuration showing MFA as mandatory.
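As an added example (not from the original article), a short script that applies the enforcement test above to an exported list of Conditional Access policies, so a reviewer can tell "switched on" from "enforced" without reading screenshots. It assumes the export follows the JSON shape returned by Microsoft Graph's conditionalAccess/policies endpoint; the two sample policies and their ids are constructed placeholders.

```python
import json

# Constructed sample export (two policies): a report-only pilot covering one
# group, and a properly enforced all-users policy. Ids are placeholders.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "MFA pilot for senior staff",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {
         "users": {"includeUsers": [], "includeGroups": ["<senior-staff-group-id>"],
                   "excludeUsers": [], "excludeGroups": []},
         "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "includeGroups": [],
                   "excludeUsers": ["<break-glass-account-id>"], "excludeGroups": []},
         "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]})


def enforces_mfa(policy):
    """True only if the policy is enabled (not report-only), targets all
    users and all cloud apps, and grants access only with MFA."""
    if policy.get("state") != "enabled":
        return False
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("applications", {})
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # "OR" across several controls lets a user satisfy a non-MFA control
    # instead, so MFA must be the only control or combined with "AND".
    # Policies using authenticationStrength instead of "mfa" need a separate check.
    mfa_only_path = "mfa" in controls and (
        len(controls) == 1 or grant.get("operator") == "AND")
    return ("All" in users.get("includeUsers", [])
            and "All" in apps.get("includeApplications", [])
            and mfa_only_path)


def review(export_json):
    """Return (policy name, excluded users/groups) for each policy that
    enforces MFA; the exclusions are what the reviewer should question."""
    findings = []
    for p in json.loads(export_json)["value"]:
        if enforces_mfa(p):
            users = p["conditions"]["users"]
            excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
            findings.append((p["displayName"], excluded))
    return findings
```

An empty result means no policy actually enforces MFA for everyone; a long exclusion list on the one that does is the next thing to ask about.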

Question 3: What is our patching process and can you show me a recent report?

This is the most revealing question in practice because the evidence either exists or it does not, and if it does not, you have your answer.

A managed patching service means the provider has a defined cadence for pushing critical patches within a set window, a platform that tracks coverage across all endpoints, and a report that shows which devices are compliant and which have outstanding patches. The report takes a few minutes to export from any professional RMM (remote monitoring and management) platform.

Most frameworks expect critical patches to be applied within 14 days; the more rigorous ones expect vendor-defined critical patches within 24 to 72 hours. A provider who cannot show that critical patches land inside those windows is not meeting current best practice.

Green flag: We have a monthly patching cycle and push critical patches within 14 days of release. Here is this month’s report showing coverage percentage, exceptions, and outstanding items.

Red flag: Updates happen automatically. We keep things up to date. I would need to check with the team but I am confident systems are generally current.

Evidence to request: An exported patching compliance report from the RMM, covering all managed endpoints, with patch dates, coverage percentage, and any identified exceptions.
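As an added example (not from the article), a script that turns a patching export into the coverage percentage, exceptions and outstanding-items summary a reviewer should expect to see, using the 14-day window for critical patches quoted above. The CSV columns are an assumption (RMM exports vary) and the rows and patch ids are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export: one row per outstanding or recently installed
# patch, and a single row with empty patch columns for a fully patched host.
SAMPLE_CSV = """\
hostname,patch_id,severity,released,installed,exception
LAPTOP-01,,,,,
LAPTOP-02,KB-CRIT-1,critical,2025-05-01,,
LAPTOP-02,KB-MOD-7,moderate,2025-05-10,,
SERVER-01,KB-CRIT-1,critical,2025-05-01,2025-05-06,
SERVER-02,KB-CRIT-1,critical,2025-05-01,,legacy app awaiting vendor fix
"""

CRITICAL_WINDOW_DAYS = 14  # the benchmark the article quotes for critical patches


def compliance_report(csv_text, as_of_iso):
    """Summarise the export as of a given ISO date: endpoint count, coverage
    percentage, overdue critical patches and documented exceptions."""
    as_of = date.fromisoformat(as_of_iso)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    hosts = {r["hostname"] for r in rows}
    overdue, exceptions = [], []
    for r in rows:
        if not r["patch_id"] or r["installed"]:
            continue  # fully patched host, or patch already applied
        if r["exception"]:
            # Documented exceptions are reported, not silently counted as compliant
            exceptions.append((r["hostname"], r["patch_id"], r["exception"]))
            continue
        if r["severity"] == "critical":
            age = (as_of - date.fromisoformat(r["released"])).days
            if age > CRITICAL_WINDOW_DAYS:
                overdue.append((r["hostname"], r["patch_id"], age))
    noncompliant = {host for host, _, _ in overdue}
    coverage = round(100 * (len(hosts) - len(noncompliant)) / len(hosts), 1)
    return {"endpoints": len(hosts), "coverage_pct": coverage,
            "overdue_critical": overdue, "exceptions": exceptions}


if __name__ == "__main__":
    print(compliance_report(SAMPLE_CSV, "2025-05-30"))
```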

Question 4: Do we use EDR as well as antivirus?

Traditional antivirus works by matching files against a database of known bad signatures. Endpoint detection and response, EDR, works by monitoring process behaviour in real time and flagging activity that looks like an attack regardless of whether the file itself has been seen before. The distinction matters enormously for ransomware, which frequently uses novel or modified payloads specifically to evade signature detection.

A security-first provider uses both. The most effective implementations, sometimes called extended detection and response or XDR, feed endpoint data into a broader security operations platform. Basic antivirus on its own is not adequate protection against current threats.

Green flag: Yes, we use [specific product] for EDR on all managed endpoints. The solution includes behavioural detection and response capabilities, not just signature matching.

Red flag: We use [antivirus product name] which includes advanced protection features. It covers ransomware. Every machine is protected.

Evidence to request: The specific product name and version deployed. Confirmation that it includes behavioural detection. A list of devices under management and their protection status.

Question 5: Do you actively monitor our systems, or only respond when we raise a ticket?

Reactive support means someone picks up the phone when you ring. Proactive monitoring means the provider is watching for anomalies, alerts, and indicators of compromise in real time, raising tickets before the customer notices anything is wrong.

The two are not equivalent, and the difference frequently determines whether a ransomware event is contained in an early stage or discovered after the attacker has been in the environment for days or weeks.

Active monitoring can mean a security operations centre, a SIEM platform with alert rules, an MDR service, or a combination. The key question is not which specific tool is in use, but whether the provider is looking at your environment proactively or waiting to be called.

Green flag: We have active monitoring across all managed endpoints and Microsoft 365 environments. Alerts are triaged by [team or platform]. Here is an example of a recent alert we raised and resolved before you were aware of it.

Red flag: We use [RMM tool] and that raises alerts automatically. If something significant happens, we will know about it. We respond quickly when customers contact us.

Evidence to request: A description of the monitoring process and the specific tool or service delivering it. An example of a recent proactive alert. Clarity on the response time objective for different severity levels.

Question 6: What does our documented incident response plan look like and where do we fit in it?

An incident response plan, for an SMB with an MSP, is a written document that covers at minimum: who within the business is the first point of contact, how the provider escalates internally, what the provider does in the first hour, what the business does in the first hour, who the cyber insurer contact is and what the notification obligation is, and what the recovery sequence looks like.

The absence of a documented plan does not mean nothing will happen in an incident. It means that during the worst hour or day the business has experienced, everyone will be improvising. Improvisation under pressure produces errors, delays, and omissions, and the insurer’s forensic team records all of them.

Green flag: Yes, we have a documented incident response plan that covers your business specifically. Here it is. Last reviewed [date].

Red flag: We have a general incident response process. We would work through it with you at the time. Every incident is different so it is hard to be too specific in advance.

Evidence to request: The actual written plan. If one does not exist for your business specifically, ask the provider to produce a draft within 30 days as a contractual deliverable.

Question 7: Have you read our cyber insurance policy and are we compliant with it?

This is the question almost nobody asks, which is why so many UK cyber claims are being declined.

The IT contract and the insurance policy are operationally coupled. The policy sets the control requirements. The IT contract is what delivers them, or does not. If the provider has never seen the policy, they cannot tell you honestly whether the delivery matches the requirement.

A provider who takes security seriously will ask to see the policy before the question is even raised. They will review the technical requirements and confirm in writing which ones they are meeting, which they are not, and what remediation steps are needed.

Green flag: Yes, we reviewed your policy when we onboarded you. Here is our written confirmation of compliance against the key requirements. There are two items we flagged for your attention.

Red flag: We are confident that any reasonable policy requirements will be met by what we have in place. I am not sure we have seen the specific wording, but I would not anticipate any issues.

Evidence to request: Written confirmation, signed, that the provider has reviewed the policy and that the IT controls in your contract meet the requirements set out in it. If they have not seen it, send it and request a written response within 14 days.

How to score the answers

There is no formal scoring system here. The answers tell you what they tell you.

A provider with genuinely good answers will respond quickly, welcome the questions, produce evidence rather than assurances, and acknowledge any gaps calmly with a remediation plan. That is the right result.

A provider who responds with evasion, defensiveness, or the phrase “you are too small to be targeted” has given you everything you need to know. So has a provider who promises to check with the team and then goes quiet.

If you run this exercise and the answers are poor, do not panic and do not immediately cancel. Gather the documentation you can. Make sure you control your own domains, licences, and data. Then approach two or three security-first providers for a proper like-for-like comparison. Take your time. Do it before the renewal date.

How to Turn This Into a Competitive Advantage

The seven questions give you not only a risk audit but a supplier governance process you can show to clients, customers, and insurers. The ability to say “yes, we have reviewed our IT controls against our insurance policy requirements, and here is the written confirmation from our provider” is increasingly a differentiator in B2B contexts.

If you can produce that evidence on request, you are ahead of most of the market.

How to Sell This to Your Board

The board’s governance obligation for cyber security has been formalised by the Cyber Governance Code of Practice, published in April 2025. It sets out explicit expectations for director-level oversight of technical controls, incident response capability, and insurance adequacy.

These seven questions, run annually and documented, constitute a demonstrable cyber governance exercise. The answers form the basis for informed board decisions about IT spend, insurance requirements, and continuity planning. Without the answers, the board is governing blind.

That argument lands with most directors.

What This Means for Your Business

A simple three-step process.

  1. Email the seven questions this week. Word them as a cyber risk review, not an interrogation. Give the provider five working days to respond fully.
  2. Assess the responses. Evidence and clear answers are the bar. Anything vague, defensive, or lacking documentation is a finding.
  3. Act on what you learn. If the answers are good, document them and set a calendar reminder to repeat the exercise before the next renewal. If the answers are poor, begin a structured market comparison before the contract expires.

Spend the time now. The alternative is spending considerably more time later, under rather worse conditions.

Sources

  • NCSC: Cyber Essentials
  • NCSC: Multi-factor authentication for online services
  • NCSC: Vulnerability and patch management guidance
  • NCSC: Incident management guidance
  • NCSC: Cyber security for boards
  • Cabinet Office: Cyber Governance Code of Practice
  • DSIT: Cyber Security Breaches Survey 2025
  • Association of British Insurers: Nearly £200 million paid in cyber claims to help UK businesses recover
  • Microsoft: Microsoft Entra Conditional Access overview
  • The Small Business Cyber Security Guy: Podcast: Cheap IT, Expensive Breach
