MSP Due Diligence Checklist: What to Verify Before Signing - MSP Guide Australia

Operations · 2026-06-11 · 6 min read · 1271 words

MSP Due Diligence Checklist: What to Verify Before Signing

Signing an MSP contract is a significant commitment. You're entrusting a third party with your technology infrastructure, data security, and business continuity. Rushing into an agreement without proper due diligence is one of the most expensive mistakes businesses make.

This checklist covers every area you need to evaluate before signing. Use it as a structured framework for your evaluation. For current market context, see our MSP pricing comparison 2026. For contract specifics, see our MSP contract checklist.

Phase 1: Initial Research (Before Meeting the MSP)

Company Background

  • [ ] Business registration. Verify the MSP is a registered Australian business (search the ASIC register and confirm the ABN on ABN Lookup). Check for any history of deregistration, insolvency or legal action.
  • [ ] Operating history. How long have they been in business? Longer isn't always better, but less than 2 years is a risk factor.
  • [ ] Ownership structure. Who owns the MSP? Is it privately held, PE-backed, or part of a larger group? PE ownership can affect service priorities and the likelihood of being acquired mid-contract.
  • [ ] Financial health. Can they provide financial statements? Are they profitable? A struggling MSP is a risky partner.
  • [ ] Insurance. Do they have professional indemnity, public liability, and cyber insurance? What are the coverage limits, and does the cyber policy cover incidents that originate in their environment and spread to yours?

Online Presence

  • [ ] Website quality. Is it professional, current, and detailed? Or generic and template-based?
  • [ ] Google reviews. Check the volume and sentiment of reviews. Look for patterns in complaints.
  • [ ] Glassdoor/Indeed reviews. What do their employees say? High turnover = inconsistent service.
  • [ ] LinkedIn. Check the team size, longevity, and professional presence.
  • [ ] News and press. Any recent acquisitions, layoffs, or controversies?

Industry Standing

  • [ ] Vendor partnerships. Are they a Microsoft Partner, AWS Partner, or other relevant vendor? What's their partner tier?
  • [ ] Certifications. Do they hold relevant certifications (ISO 27001, SOC 2, an assessed Essential Eight maturity level)? Ask who performed the assessment and whether it was independent.
  • [ ] Industry memberships. Are they part of industry bodies (AITP, ConnectWise partner communities)?
  • [ ] Awards or recognition. Any relevant industry awards or rankings?

Phase 2: Technical Evaluation

Infrastructure and Tools

  • [ ] RMM platform. What tool do they use? How mature is their deployment? An RMM agent has privileged access to every client endpoint, so ask how access to the RMM console itself is protected.
  • [ ] PSA/ticketing system. What system manages their service delivery?
  • [ ] SOC capabilities. Do they have a Security Operations Centre? In-house or outsourced? What hours does it actually operate?
  • [ ] Backup and DR. What backup solutions do they use? Where is data stored? How often do they test restores, and are backups protected from the same credentials an attacker would gain by compromising production?
  • [ ] Network operations. Do they have a NOC? 24/7 monitoring? What's the escalation process?
  • [ ] Remote access tools. What tools do they use for remote support? Are sessions authenticated per technician (no shared accounts), protected by MFA, logged, and can you review those logs?

Security Posture

  • [ ] Security framework. What framework do they follow? (Essential Eight, ISO 27001, NIST CSF)
  • [ ] MFA implementation. Do they enforce MFA for all their own systems and client environments, including administrative and remote access? Phishing-resistant MFA for privileged access is the bar to look for.
  • [ ] Patch management. What's their patching process and SLA? Do they commit to the Essential Eight timeframes for patching exploited vulnerabilities?
  • [ ] Incident response. Do they have a documented incident response plan? Has it been tested? Who notifies you, and how quickly, if the MSP itself is compromised, given that their tooling reaches every client?
  • [ ] Security training. Do they train their staff on security? Do they offer security awareness training to clients?
  • [ ] Essential Eight maturity. What's their maturity level (0 to 3) against the Essential Eight, for their own environment and for the clients they manage? See our Essential 8 audit guide.

Technical Capabilities

  • [ ] Technology stack. Are they experienced with your specific technologies (M365, Azure, specific line-of-business apps)?
  • [ ] Specialisations. Do they have dedicated specialists or generalists?
  • [ ] Certifications. What certifications do their technicians hold?
  • [ ] Vendor relationships. Can they access vendor support directly?
  • [ ] Lab/testing environment. Do they test changes before deploying to production?

Phase 3: Service Delivery Evaluation

Service Level Agreements

  • [ ] Response times. What are the SLAs for different priority levels?
  • [ ] Resolution times. What are the target resolution times?
  • [ ] SLA reporting. How do they report on SLA performance? How often?
  • [ ] SLA penalties. What happens if they breach SLAs?
  • [ ] Scope clarity. Is the scope of services clearly defined in writing?

See our MSP SLA guide for what to look for.
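SLA reporting is only as good as the data behind it, so it is worth being able to reproduce an attainment figure yourself from a PSA ticket export rather than accepting the MSP's summary. The script below is an added example, not tooling from this guide or from any MSP; the priority targets and the CSV columns (ticket_id, priority, opened, first_response, resolved) are assumptions, and the ticket rows are constructed sample data. It tallies response and resolution attainment per priority, and, importantly, it reports tickets it had to exclude (still open, or carrying a priority that is not in the contract), because a report that silently drops those can overstate performance.

```python
"""Independent SLA attainment check over a PSA ticket export (added example)."""
import csv
import io
from datetime import datetime

# Hypothetical contract targets in wall-clock minutes: (first response, resolution).
# Replace with the figures from the SLA you are evaluating.
SLA_TARGETS = {
    "P1": (15, 240),
    "P2": (60, 480),
    "P3": (240, 1440),
    "P4": (480, 2880),
}

# Constructed sample export, not data from any real MSP.
SAMPLE_EXPORT = """ticket_id,priority,opened,first_response,resolved
1001,P1,2026-03-02T09:00,2026-03-02T09:10,2026-03-02T12:30
1002,P1,2026-03-03T14:00,2026-03-03T14:40,2026-03-03T16:00
1003,P2,2026-03-04T10:00,2026-03-04T10:30,2026-03-05T09:00
1004,P3,2026-03-05T08:00,2026-03-05T11:00,2026-03-05T15:00
1005,P3,2026-03-06T08:00,,
1006,P9,2026-03-06T09:00,2026-03-06T09:05,2026-03-06T09:30
"""

_FMT = "%Y-%m-%dT%H:%M"


def _minutes(start, end):
    """Elapsed wall-clock minutes between two timestamps in the export."""
    return (datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)).total_seconds() / 60


def sla_attainment(export_text, targets=SLA_TARGETS):
    """Tally tickets that met response and resolution targets, per priority.

    Returns {"stats": {prio: {"response": (met, total), "resolution": (met, total)}},
             "anomalies": [description, ...]}.
    Tickets missing a timestamp, or with a priority not in the contract, are
    excluded from the tally and listed, so the exclusions are visible.
    """
    stats = {p: {"response": [0, 0], "resolution": [0, 0]} for p in targets}
    anomalies = []
    for row in csv.DictReader(io.StringIO(export_text)):
        tid, prio = row["ticket_id"], row["priority"]
        if prio not in targets:
            anomalies.append(f"ticket {tid}: priority {prio!r} is not defined in the contract")
            continue
        resp_target, res_target = targets[prio]
        for phase, end_col, target in (("response", "first_response", resp_target),
                                        ("resolution", "resolved", res_target)):
            if not row[end_col]:
                anomalies.append(f"ticket {tid}: no {end_col} timestamp (still open?)")
                continue
            stats[prio][phase][1] += 1
            if _minutes(row["opened"], row[end_col]) <= target:
                stats[prio][phase][0] += 1
    return {
        "stats": {p: {k: tuple(v) for k, v in d.items()} for p, d in stats.items()},
        "anomalies": anomalies,
    }


def attainment_pct(result, phase):
    """Overall attainment percentage for 'response' or 'resolution', or None if no tickets."""
    met = sum(d[phase][0] for d in result["stats"].values())
    total = sum(d[phase][1] for d in result["stats"].values())
    return None if total == 0 else round(100 * met / total, 1)


if __name__ == "__main__":
    result = sla_attainment(SAMPLE_EXPORT)
    for prio, d in result["stats"].items():
        print(prio, "response met/total:", d["response"], "resolution met/total:", d["resolution"])
    print("response attainment %:", attainment_pct(result, "response"))
    print("resolution attainment %:", attainment_pct(result, "resolution"))
    for note in result["anomalies"]:
        print("excluded:", note)
```

Two caveats when you run this against a real export: most contracts measure SLAs in business hours rather than wall-clock time, so adjust the elapsed-time calculation to the contract's hours of coverage; and compare the number of excluded tickets against the MSP's own report, since a large gap between the two usually explains a suspiciously high attainment figure.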

Staffing and Support

  • [ ] Client-to-technician ratio. What's their ratio? Under 30:1 is ideal.
  • [ ] On-call process. How does after-hours support work?
  • [ ] Escalation paths. What's the escalation process for complex issues?
  • [ ] Dedicated vs. shared resources. Will you have a dedicated account manager or technician?
  • [ ] Staff turnover. What's their technician turnover rate? (Ask directly — their answer tells you a lot)

Communication and Reporting

  • [ ] Regular reviews. How often do they conduct service reviews?
  • [ ] Reporting quality. What reports do they provide? How detailed are they?
  • [ ] Communication channels. How do you reach them? (Portal, email, phone, direct)
  • [ ] Ticket visibility. Can you see all tickets, or just open ones?
  • [ ] Escalation to management. Can you escalate directly to management if needed?

Onboarding Process

  • [ ] Onboarding timeline. How long does onboarding take?
  • [ ] Documentation. What documentation do they create during onboarding?
  • [ ] Discovery process. How thorough is their environment audit?
  • [ ] Transition plan. How do they handle the transition from your current provider?
  • [ ] Onboarding cost. Is there an additional onboarding fee?

See our MSP onboarding best practices for what good onboarding looks like.

Phase 4: Contract and Legal Review

Contract Terms

  • [ ] Term length. How long is the initial term? (12 months is standard)
  • [ ] Renewal terms. Does it auto-renew? What's the notice period for non-renewal?
  • [ ] Exit clause. What's the process for terminating the contract?
  • [ ] Exit costs. Are there penalties for early termination?
  • [ ] Data ownership. Who owns your data? Can you get it back on exit?
  • [ ] IP ownership. Who owns any custom scripts, documentation, or configurations?

See our MSP contract checklist for detailed contract evaluation.

Liability and Indemnity

  • [ ] Liability caps. What's their maximum liability?
  • [ ] Indemnification. Who's responsible if something goes wrong?
  • [ ] Data breach liability. What happens if they cause a data breach?
  • [ ] Service credits. Are there financial penalties for SLA breaches?
  • [ ] Insurance requirements. What insurance do they carry?

Compliance

  • [ ] Privacy Act compliance. How do they handle your data under the Privacy Act 1988 (Cth) and the Australian Privacy Principles? Who is responsible for assessment and notification under the Notifiable Data Breaches scheme if they cause a breach?
  • [ ] Industry regulations. Are they familiar with your industry's compliance requirements?
  • [ ] Essential Eight. Can they demonstrate Essential Eight maturity? See our Essential 8 audit guide.
  • [ ] Data sovereignty. Where is your data stored? Is it in Australia, and does that include backups, logs, and any sub-processors or offshore support staff with access?

Phase 5: Reference Checks

Client References

  • [ ] Request 3+ references from clients of similar size and industry
  • [ ] Ask about response times, communication quality, issue resolution, and overall satisfaction
  • [ ] Ask about any problems and how they were handled
  • [ ] Ask about contract terms and any surprises
  • [ ] Contact references directly — don't rely on written testimonials

Employee References

  • [ ] Check Glassdoor for employee sentiment
  • [ ] Look for patterns in complaints (management, work-life balance, compensation)
  • [ ] High turnover is a red flag — it means inconsistent service

Phase 6: Final Decision

Scorecard

Create a simple scorecard. Score each category from 1 to 5, multiply by the weight to get the weighted score, and total the last column for each candidate:

  Category               Weight   Score (1-5)   Weighted score
  Technical capability   25%
  Security posture       25%
  Service delivery       20%
  Pricing and value      15%
  Contract terms         10%
  References              5%
  Total                 100%

Red Flags Summary

If you encounter any of these, proceed with extreme caution:

  • Unwillingness to provide references
  • Vague scope definitions
  • No SLA commitments
  • High staff turnover
  • Pressure to sign quickly
  • No documented processes
  • Unwillingness to negotiate terms
  • No cyber insurance

Frequently Asked Questions

How long does MSP due diligence take?
A thorough due diligence process typically takes 2-4 weeks. This includes initial research, meetings with the MSP, reference checks, contract review, and internal approval. Rushing this process is a common cause of poor MSP relationships.
What's the most important thing to check during MSP due diligence?
Client references and staff stability. Ask for references from clients of similar size and industry. Check employee turnover — high turnover means inconsistent service. A beautiful sales presentation means nothing if the technicians delivering service are constantly changing.
Should I hire an independent consultant for MSP due diligence?
For large contracts ($100K+/year), yes. An independent IT consultant can evaluate the MSP's technical capabilities, contract terms, and pricing objectively. For smaller contracts, use our checklist and do the work yourself.
What red flags should I look for in MSP due diligence?
Key red flags: unwillingness to provide references, vague scope definitions, no SLA commitments, high staff turnover, no documented processes, and pressure to sign quickly. Our MSP red flags guide covers all warning signs in detail.
Can I negotiate MSP contract terms after due diligence?
Yes, and you should. MSP contracts are typically negotiable, especially SLA terms, scope definitions, pricing, and exit clauses. If an MSP won't negotiate, that's a red flag about how they'll handle ongoing relationship management.
