Questions to ask your IT provider about their compliance

Michael Hamer 09-Aug-2021 13:22:27

You rely on IT to run your business; when you can't use your IT systems, you can't service existing clients, you can't process orders, and potential clients could end up taking their business elsewhere.

So you need IT experts to keep you safe and running. But if you're not an IT expert yourself, it can be hard to know what to look for in an IT partner.

You have to place a lot of trust in an IT company. The right choice can mean all the basics 'just work', with an IT provider supporting you in using IT to work smarter and focus on your business. The wrong choice could leave you on the back foot, dealing with unexpected outages and frustrated staff.

An IT company that doesn't consider its own compliance, security and business continuity is a risk to your business and certainly not best placed to advise you on IT. Furthermore, they could be a risk to you directly: IT companies make an attractive target for cybercriminals because they're a gateway to many other businesses – this exact situation was worldwide news in July.

I've spent the last 10 years working in IT with businesses of all different sizes, industries, and stages in their journeys. If I was dropped into any company today and asked to find an IT partner, these are the top questions I would ask. If a company takes their own IT seriously, they are much better placed to look after yours.

There are three main areas I'll break these questions down into:

  • Compliance – what third party standards do you meet?
  • Security – what do you do to protect yourself?
  • Continuity – what do you do to ensure service availability?


What certifications do you hold?

The certification process drives improvement by focusing on best practices. Renewing certifications keeps you up to date – especially important in a fast-changing environment like technology. In the UK, the government-backed Cyber Essentials scheme provides a baseline for IT security. An IT company should, at the very least, have the more rigorous Cyber Essentials Plus certification. In addition, several ISO certifications (20000, 22301, 27001, 27017, 9001) set an even more stringent set of practices for protecting data and cloud services, managing IT services and ensuring business continuity. Make sure you are aware of whether any of your own certifications require that your providers hold these certifications themselves.

Have independent auditors assessed you?

Some certifications, like the base Cyber Essentials, are entirely self-assessed. This alone would not give me confidence in an IT company. Only rely on certifications that require an independent 3rd party audit to be awarded, like the Plus version of Cyber Essentials.

How do you approach compliance?

An IT company that treats compliance as an ongoing effort and bakes it into how they operate will look after you better than one that treats it as a big one-off yearly exercise to tick the boxes ready for audit day.

Embracing Continuous Improvement is beneficial as all areas of IT require ongoing work, maintenance and learning from errors or near misses.

Do you have staff dedicated to security and compliance?

These are key areas to deliver in. An IT company should have someone working on these areas, measuring performance, and pushing improvements. Depending on size, it may not be their full-time job, but a single person should be accountable for the overall effort.

Ultimately, who is responsible for my data? The MSP, a 3rd party or myself?

The answer here is: likely all of them, at different times – especially if any cloud technology is in use, which you can almost expect nowadays.

This question helps gauge how aware a supplier is of the business issues that surround technology. For example, you would expect an IT provider to understand how to use the cloud, but will they consider the potential impacts on compliance?

As an aside, for the cloud, assume a Shared Responsibility Model. For example, consider that you have your files in 'the cloud'. Where do responsibilities lie? If your employee emails sensitive data to the wrong email address – that's still your responsibility (though IT can help you put policies in place to reduce this risk). Is administrative access to your data restricted or controlled? That is the responsibility of your IT company. Can somebody steal a server from a data centre and access your sensitive data? Preventing this is usually entirely the responsibility of the 3rd party data centre.

What methods are used to protect client data? What protections do you have against security breaches or data leaks?

An IT company will typically have access to all your systems and data; they may also hold and manage backup copies of everything. This is a big responsibility. As noted in the introduction, this makes them an attractive target for cybercriminals: a compromised provider can cause a lot of disruption across many clients at once, increasing the likelihood that a victim pays a ransom.

You want to know that an IT company is 1) aware of the scale of their responsibilities and 2) taking action to protect themselves and, by extension, their clients. Some suppliers take security more seriously than others.

There are many ways of answering this question because security comes in many layers. Positive answers or potential prompts are:

  • Multi-factor authentication for all staff
  • Centrally managed antivirus with alerting
  • A next-generation firewall
  • Access is limited to only staff that require access (aka Principle of Least Privilege)
  • Segregated or separated networks
  • Access to systems only allowed from the office (or specific areas)
  • Backup checks and tests
  • Phishing training for staff
  • Security awareness training
  • Internal security audits

It is not necessarily important to understand the technical responses here. Instead, look at how comfortable they are talking about the topic. Although it's a big area, it should be easy to find examples. If they aren't forthcoming with answers, perhaps their security practices are not as mature as they should be.

How is your disaster recovery handled? What do you recommend to clients?

If the question above deals with "how do you reduce the risk of something bad happening?", this one deals with "what do you do when the worst happens?". An IT company that thinks about Backup without thinking about Disaster Recovery is not focused on real-world business needs.

Providing a specific scenario can help get a more useful answer – for example, a building fire, flooding or ransomware.

Good answers may reference high-availability servers or equipment, failover to the cloud or to a data centre, or recovery from off-site backup images. On the communications side, do they know who is responsible during a disaster? Have they thought about how they would communicate with clients?

Cyber Risk Management – Do you maintain an Information Security Risk Register?

This question aims to gauge the maturity of the company's Cyber Security strategy. IT professionals should all be aware of the standard set of security technology. A mature or business goal-orientated supplier will have gone beyond this to review cybersecurity risks.

A provider that has asked these questions will be better placed to have identified gaps or oversights and be more secure than someone who has not carried out this exercise. A better-protected service provider means less risk of disruption to your operations and that they can better advise you on how to apply these principles to your business.

Do you rely on 3rd party software or hosting? How do you ensure they have adequate security?

As described in the introduction, companies that supply other companies are targets for Cyber Criminals. What steps are in place to protect an IT provider and their clients against their suppliers?

I would expect an answer around processes. For example, supplier reviews are common in many industries where Quality Assurance is required. Do they review their suppliers, track their responses and are they aware of potential weaknesses?


Do you have a Business Continuity Plan in place?

We have touched on Backup and Disaster Recovery above. These are of critical importance, but a supplier's Business Continuity Policy is more likely to impact your experience of working with them – a minor disaster should not push them over into Disaster Recovery. Ideally, they are sufficiently prepared that they can continue to serve you following a disaster.

This is equal parts processes and technology. For example, a key line of communication is the telephone system. Will a power outage at the office take their phones offline?

A technical response may be that the phone system is cloud-hosted – so no, there's no noticeable impact on receiving phone calls.

A process-based answer would be that hard copies of contact numbers for key contacts at clients are printed out and stored, and clients are aware of alternative numbers. This may cause a noticeable impact but would still allow a level of service to be maintained.

How would you respond to a specific incident? Building fire? Lockdown? What areas of service would be affected?

Having a policy is the first step. Getting specific will help you understand how deep and considered a review has been carried out. It's a big topic, so I can't say there's a perfect answer. But I do think prompting a conversation around it will give you a clear idea of how prepared a provider is. Try talking around the scenarios of a building fire or another lockdown.

In the first instance, you want to know that the service or help desk will remain in operation – this is typically where you need the quickest response. Which methods of communication would be affected: phones, chat, email? Are all staff on-site, or are a branch office or remote workers able to maintain service whilst head office deals with a fire? How quickly can they source and set up equipment for staff to use?

If staff need to cover other roles to maintain reactive services, how long until maintenance and proactive services dip? What could the impact be on clients? A short-term issue will cause much less impact here, but if this important work is disrupted for too long, you could suffer disruption from the knock-on effects. What if backup alerts are not being actioned? What if updates are not being carried out and key software breaks?

If they can provide good, well thought-through answers about their own IT, then you can look forward to the same principles being applied to your IT.

These questions all seek to probe an IT provider about how seriously they take security and compliance, on the basis that a secure IT provider is less of a risk to your business and better placed to give you the right advice about IT.

I would still encourage you to ask questions about fix times, staffing levels and response times – these are all important – as well as generally finding out whether an IT provider is a good fit for your business in terms of culture and attitude. But I think those are easier for someone not in a technical role to judge than the points above.

It is not critically important to understand the technical detail of the responses (after all, this is what you are looking for in an IT partner). Instead, look to gauge their reaction. An IT provider that offers strategic advice should be working with these concepts day in and day out; they should be comfortable talking around these topics, and they should be practising what they preach and have policies in place.

If these questions give a potential IT Provider food for thought, or they downplay the seriousness of these issues, it could be a sign that they are focused more on fixing computers than supporting businesses. This might not be the fit that you are looking for.

Get in touch to discuss your needs with an IT specialist, today!