NCSC Checklist - Choosing the Right Managed Service Provider for your Cyber Security.

NCSC Checklist for Selecting the Right IT Provider for your Cyber Security


The National Cyber Security Centre (NCSC) has created a checklist that businesses should use when selecting an IT Provider for their Cyber Security needs.


Cyber security tools are only part of the picture

When you work with a Managed Service Provider (MSP), you gain access to specialist cyber security tools and expert support, but how confident are you that your MSP is truly protecting your business?

Not all MSPs deliver the same level of cyber security, transparency, or accountability. To help organisations make informed decisions, the UK’s National Cyber Security Centre (NCSC) has published a practical checklist outlining the key questions every business should ask their IT provider.

In this blog, we walk through the NCSC’s due diligence checklist and explain how Technical Drive meets each requirement. If you’d like to explore the full guidance yourself, you can view the official NCSC resource below.

Covering everything from recognised certifications and service transparency to incident response and supply chain risk, these questions are designed to ensure your MSP follows best practice and takes cyber security seriously.

 

How CyberSafe365+ Supports your Cyber Security

At Technical Drive, we’re proud to confidently answer every one of these questions, and to provide clear evidence to support our approach.

Our CyberSafe365 package offers a straightforward, easy-to-understand suite of security tools, backed by our experienced Cyber Security team, giving our clients peace of mind that their systems and data are well protected.

View the full NCSC checklist here.

 

Key questions to ask your MSP

The NCSC recommends asking your IT provider the following questions to understand whether they are equipped to protect your organisation effectively.

 

1. Do they hold recognised security certifications?

  • TD Answer: Yes. We hold recognised certifications including Cyber Essentials Plus and work in line with ISO 27001 principles. Audit reports and scope statements are available on request.

 

2. Can they provide references, testimonials, or case studies from other SMEs?

  • TD Answer: Absolutely. We can provide verifiable references, testimonials, and case studies from SMEs across a wide range of sectors, including professional services, manufacturing, and charities.

 

3. Do they have a proven track record of security and service quality?

  • TD Answer: Yes. Our documented service KPIs, patch compliance records, incident metrics, and SLA performance demonstrate consistent, reliable service delivery.

 

4. Do they provide transparency around services and processes?

  • TD Answer: We believe transparency is essential. Clients receive access to service catalogues, runbooks, onboarding plans, architecture diagrams, and clear monthly service reports.

 

5. Are service levels such as response times and uptime clearly defined?

  • TD Answer: Yes. Our SLAs clearly define response and restoration targets, availability metrics, change windows, escalation paths, and service-credit mechanisms.

 

6. Do they offer solutions that fit your needs and budget?

  • TD Answer: The CyberSafe365 package is a cyber security package designed to fit the needs and budget of SMEs, providing a suite of security tools backed by our experienced Cyber Security team.

 

Cyber security services your MSP should provide

A capable MSP should deliver more than ad-hoc support. These core services form the foundation of a strong cyber security posture, helping to reduce risk, detect threats early, and ensure your business can recover quickly if something goes wrong.

  • Timely patch management across all systems and software to address known vulnerabilities

  • Automated, off-site backups with regular testing to ensure data can be restored when needed

  • Continuous security monitoring and logging, with alerts for unusual or suspicious activity

  • Use of two-step verification (2SV) across all access points to reduce the risk of unauthorised access

  • Clear, documented incident response and management procedures

  • Prompt application of security updates and firmware patches across infrastructure

Without these fundamentals in place, even well-resourced organisations can be exposed to unnecessary cyber risk.

 

Contract and agreement considerations

Your contract with an MSP should clearly define what you can expect from the service and how cyber security responsibilities are shared. A well-structured agreement helps avoid confusion during day-to-day operations and is especially important during security incidents.

  • A detailed and clearly defined Service Level Agreement (SLA)

  • Clear roles, responsibilities, and liabilities for both parties

  • Defined processes for how and when security incidents are reported

  • Regular service reviews and reporting to maintain transparency

  • Application of the principle of least privilege to MSP system access

  • Clear provisions for managing obsolete accounts and infrastructure

  • A transparent process for contract review, renewal, or termination

These points help ensure accountability and give you confidence that cyber security obligations are understood and enforceable.

 

Risk and responsibility

Cyber security risk doesn’t stop with your MSP. Their suppliers, tools, and partners can all impact your overall security posture, which is why supply chain risk and responsibility must be clearly addressed.

Key areas to explore include:

  • Clearly documented accountability and liability in the event of a cyber security incident

  • A tested incident response and recovery plan that includes realistic scenarios

  • Agreed backup and disaster recovery procedures aligned with your business needs

  • An ongoing programme of cyber security training and user awareness

Understanding how risk is managed, and who is responsible at each stage, is essential for building a resilient cyber security strategy.

 

Take Control of Your Cyber Security

Your MSP should give you confidence, not uncertainty. Knowing your cyber security is managed properly makes all the difference.

The NCSC’s checklist shows what good looks like, and at Technical Drive, we work to that standard.

Through clear processes, recognised security frameworks, and our CyberSafe365 service, we help organisations reduce risk and stay protected.

If you’re reviewing your IT provider or want reassurance about your cyber security, speak to our team today.

Call us on 01527 880088
