What to ask your MSP after the NCSC's 2025 guidance

The NCSC published its SME guide to choosing and working with managed service providers on 24 November 2025. It is one of the clearest official checklists we have seen for organisations that rely on an MSP but still need better cyber accountability.

8 April 2026 · 3 min read · By Cyber Trust

The National Cyber Security Centre published its guide to choosing and working with a managed service provider on 24 November 2025, and it deserves more attention than it has had. Many mid-sized organisations still assume cyber responsibility transfers neatly to the MSP. The guide makes clear that it does not.

That matters because the real commercial problem is rarely whether an MSP exists. It is whether the customer can explain who patches what, who checks backups, who sees suspicious activity first, and who is responsible for client communications when something serious happens.

The strongest part of the guide

The strongest part of the NCSC document is its focus on contract clarity. It pushes organisations to ask for named responsibilities, incident reporting steps, logging expectations, review reporting, and least-privilege access. That is exactly where many otherwise decent IT relationships become vague and risky.

Questions worth asking your MSP now

  • How quickly are critical and high-risk patches applied, and how is that reported back to us?
  • When were backups last tested for restore, and what would recovery actually look like for our most important systems?
  • Which of the accounts your team uses to access our environment have stronger sign-in protection in place, and how are privileged accounts controlled?
  • What logs are kept, for how long, and how would we get access to them during an incident or an insurance claim?
  • Exactly how and how fast will you notify us if you suffer an incident that could affect our systems or data?

Why this matters for renewals and claims

The guide also makes a point many finance leaders will recognise immediately: insurers may ask for health reports, configuration evidence, and a clearer picture of how the environment is run. If your MSP relationship is light on evidence, renewal forms become guesswork and claims become harder to defend.

What good looks like

  • A written responsibility matrix rather than a general promise to keep things secure.
  • Regular reports that show patching, backups, alerts, and unresolved weaknesses in plain language.
  • An agreed escalation route for suspected incidents, including decision-makers on both sides.
  • A contract that is specific enough to support renewal answers, client due diligence, and post-incident evidence requests.

If you rely on an MSP, the question is not whether they are good people. It is whether your organisation could defend the arrangement under pressure. The NCSC guide is useful because it gives buyers a practical checklist for that conversation, and because it reminds leaders that outsourced IT still needs visible cyber ownership on the customer side.

An MSP can deliver day-to-day capability, but you still need enough clarity and evidence to stand behind your own security answers.

Cyber Trust view on the NCSC MSP guide
