Most guidance on how to evaluate an MSP was written by an MSP. That is not a knock. It is just the reality of the market, and it means most evaluation frameworks are optimized to help the MSP look good rather than help the buyer make a sound decision. This article is written from the other side of the table. The 15 points below cover what actually separates a capable partner from a costly one.

Here is what independent evaluation actually looks like.

What MSP evaluation means for mid-market buyers

MSP evaluation is the structured process of assessing a managed services provider's technical capabilities, operational practices, financial terms, and cultural alignment before signing a contract.

At most mid-market companies, the buyer is a CFO or COO, not a dedicated technology procurement lead. That matters, because the sales process for an MSP is typically run by account executives who are very good at selling. They control the demo environment. They choose which references you hear from. They set the pace of the conversation.

A formal evaluation process changes that dynamic. It puts the buyer in control of what gets assessed, in what order, and against what standard. Without a framework, most buyers end up comparing slide decks rather than capabilities. They evaluate what the MSP wants to show them, not what actually matters once the contract is signed.

The 15-point framework below is designed for companies in the $25 million to $300 million revenue range, where technology decisions carry real consequences but where the buyer rarely has a background in managed services procurement. It works equally well for a first-time MSP selection and for a renewal where you are deciding whether to stay, renegotiate, or move on.

If your company is at the point where technology decisions are affecting growth or carrying real risk, Seven Roots publishes vendor-neutral guidance for exactly that stage, and is always glad to compare notes.

The 15-point MSP evaluation framework

Score each MSP on every criterion below on a scale of one to three. A 3 is a clear, verifiable answer backed by documentation or specific operational detail. A 2 is adequate but vague. A 1 is deflection, a follow-up promise, or an answer that raises more questions than it resolves. The total score gives you rank order. The pattern of 1s tells you where the risk is.

MSP evaluation: 15-point framework
| # | Criterion | What to assess | Verification question |
|---|-----------|----------------|-----------------------|
| 1 | Technical certifications | Depth and relevance of vendor certifications (Microsoft, Cisco, security) | "How many certified engineers are on shift when my ticket comes in at 2 p.m.?" |
| 2 | Help desk coverage model | Hours, escalation tiers, staffing ratios per client | "What is your average resolution time for a priority-2 issue?" |
| 3 | Security posture | SOC 2 Type II status, EDR deployment, vulnerability management cadence | "Can you share your most recent SOC 2 report and name the EDR platform you deploy?" |
| 4 | Incident response process | Documented IR plan, tabletop exercise history, cyber insurance | "Walk me through the last significant incident you handled. Who did what, in what order?" |
| 5 | Onboarding methodology | Documented onboarding timeline, named project lead, milestone tracking | "Show me an onboarding project plan from a client you brought on in the past year." |
| 6 | Communication cadence | Scheduled review frequency, escalation path, executive access | "Who is my named point of contact, and when do I get to talk to someone senior?" |
| 7 | Pricing transparency | All-in vs. per-seat pricing, what is and is not included in the base fee | "What would last month look like if we had a ransomware event? Walk me through the invoice." |
| 8 | Contract and exit terms | Notice period, data return provisions, transition assistance obligations | "What happens to our data and systems if we leave at month six?" |
| 9 | Reference quality and tenure | How long clients stay, whether the MSP controls reference selection | "Can you provide a client you lost in the past 18 months?" |
| 10 | Technology stack alignment | Compatibility with your existing tools; costs to deviate from their standard stack | "What tools do you standardize on, and what are the fees if we want to use something else?" |
| 11 | Compliance expertise | HIPAA, PCI, CMMC, or sector-specific experience relevant to your industry | "How many clients in our compliance category do you currently serve?" |
| 12 | Business continuity and DR | Backup coverage scope, RTO and RPO commitments, recovery test cadence | "When did you last run a documented recovery test for a client at our scale?" |
| 13 | Proactive vs. reactive model | Monitoring tooling maturity, patch management process, change management discipline | "Share a quarterly business review from a current client." |
| 14 | Account ownership and cultural fit | Dedicated account manager, client-to-staff ratio, stability of delivery team | "What is your current client-to-account-manager ratio?" |
| 15 | SLA terms and enforcement | Specific response and resolution time targets, penalty structure, measurement method | "How many SLA breaches have you had in the past 12 months, and what happened?" |

The three criteria most buyers consistently underweight

Most buyers spend too much evaluation time on price and not enough on the three criteria that tend to determine whether a relationship succeeds: security posture, communication cadence, and cultural fit.

Security posture gets underweighted because it is hard to assess without a technology background. Buyers ask about certifications, get a satisfying-sounding answer, and move on. The real question is whether the MSP runs a disciplined vulnerability management program, deploys endpoint detection and response tools across every managed endpoint, and has an incident response plan they have actually practiced. Ask for the SOC 2 Type II report. If they do not have one, or if the last one is more than 18 months old, treat that as a material gap.

Communication cadence gets skipped because buyers assume it will work itself out. It rarely does. Get specific during the evaluation: how often will you receive a formal review, who attends it, and what does it cover? What is the escalation path at 9 p.m. on a Friday? Vague answers here predict operational friction later.

Cultural fit is the hardest to quantify and the easiest to dismiss. But you are entering a relationship where this firm will hold administrative access to your most sensitive systems. The account team you meet during sales is often not the team you will work with day to day. Ask to meet the actual delivery team before you sign. If the MSP resists that request, take note.

How to structure the evaluation from start to finish

A structured evaluation has five stages. Run them in sequence. Skipping stages or collapsing them saves time in the short term and typically costs more when you are six months into a contract that is not working.

Stage 1: Shortlist. Identify three to five candidates using peer referrals, your industry network, and geographic fit if on-site coverage matters. Do not open the RFP to every firm you can find. That rewards firms that are good at responding to RFPs, not necessarily at running managed services.

Stage 2: Structured information request. Send a written questionnaire to shortlisted firms covering the 15 criteria. A useful questionnaire asks for specifics, not promises. Include the verification questions and require documentation where applicable: the SOC 2 report, sample SLA language, and a reference list.

Stage 3: Demos. Allocate 90 minutes per firm. Ask each to walk you through a real incident from a current client. This is harder to script than a standard product demo and tends to reveal actual operational capability.

Stage 4: Reference calls. Allow two hours per firm. Speak with at least one client who has been with the MSP for more than two years, and ask specifically for a reference who has been through a significant incident.

Stage 5: Decision. Total the scorecard, map the pattern of 1s, and make the call. The full process should take six to eight weeks from shortlist to signed contract.

Making the final call: scorecard, references, and the contract

When the evaluation is complete, you will have a score and a pattern. The score tells you rank order. The pattern tells you where the risk is.

If the top-scoring firm has three 1s, in security posture, incident response, and SLA enforcement, reconsider the score. Those are the criteria that will matter most when something goes wrong, and something will go wrong eventually. A firm that scores higher on pricing transparency than on operational depth is not a firm that will serve you well under pressure.

References should be the final lens. A good MSP will provide strong references. What separates a useful reference call from a formality is the questions you ask. Go beyond asking whether the reference is satisfied. Ask what went wrong in the first year and how the MSP responded. Ask whether the account team they were sold by is the same team they work with today. Ask whether they would sign the same contract again knowing what they know now.

Once you have made the selection, protect the decision with a contract that includes specific SLA terms and penalties for breach, a clear data return provision, and a 30-day termination clause without cause for the first 90 days of the engagement.

If you want to pressure-test your scorecard before signing, Heartwood can help you walk through your scoring, identify the questions you have not thought to ask yet, and flag contract language worth reviewing.