Key Takeaways

A service provider that takes 4 hours to respond to a demo request and 48 hours to respond to a critical incident: read the contract before signing.
Technical expertise alone isn't enough. A good service provider understands your business challenges, not just your infrastructure.
Be wary of plans without a defined SLA. If it's not in writing, it doesn't exist.
Ask for verifiable references in your industry—not just the logos on the sales brochure.
The end of the contract mirrors the beginning: Who holds the access rights? Do you own the documentation?

Switching IT service providers takes time and costs more than expected. Migration, staff training, and a period of uncertainty during the transition: most small and medium-sized businesses underestimate these costs when making their initial choice. These 8 criteria are designed to help you avoid having to make this decision all over again 18 months later.

The 8 criteria at a glance

This summary table is designed to serve as an evaluation rubric during your interviews with potential service providers.

#	Criterion	Key question to ask	Quality indicator
1	True Responsiveness	Who is on call at 10 p.m. on a Sunday?	P1/P2/P3 service level agreements (SLAs) specified in the contract
2	Skill Coverage	What do you outsource?	Certifications that can be verified online
3	Industry Knowledge	Please list two clients in my area that I can call.	Verifiable references + knowledge of industry-specific software
4	Pricing Transparency	What happens when I go over my data plan? How much does it cost?	Line-by-line fare schedule, hourly fare provided
5	Scalability	Who is your largest current client?	Portfolio of clients of various sizes, migration experience
6	Security & Compliance	Show me your incident response plan.	Documented PRI, security audit proposed as part of the scoping process
7	Posture Tips	Do you conduct quarterly reviews with written feedback?	QBR with Proactive Recommendations
8	Termination of Contract	Who will have admin access if we cancel tomorrow?	Reversibility clause, customer-owned documentation

Criterion 1: Actual responsiveness, not the contractual response time

A 4-hour response time in a contract is standard. What varies is how the on-call system is organized behind that number. Is it a dedicated rotating team, or a single technician handling emergencies from home on weekends?

Request the standard contract and carefully read the definition of “criticality.” This term often covers much less than one might think. A production server going down on a Friday night: for some service providers, this does not qualify as a P1 incident if no data is formally lost.

Level	Standard Definition	Expected response time
P1 - Review	Production server down, access unavailable	< 1 heure, 24/7
P2 - Major	Reduced service, significant impact on business operations	< 4 heures, heures ouvrées étendues
P3 - Standard	Incident with no immediate impact on production	< 24 heures, heures ouvrées
P4 - Minor	Request, question, development	< 72 heures

IT Systèmes offers contractually defined P1/P2/P3 SLAs, with 24/7 on-call support and real-time customer access to the ticketing system. Each incident level has a written definition and a guaranteed response time. Learn more about IT Systèmes' MSP offering →

✅ Good sign	🚩 Warning
P1/P2/P3 service level agreements (SLAs) specified in the contract	A single timeframe for all types of incidents
Documented on-call duty with a written escalation procedure	"We are committed to doing our very best."
Accessible customer ticketing tool with timestamps	No written definition of service levels

Criterion 2: Actual coverage of competencies

A general-purpose service provider manages the computer fleet, email, and backups. For a security audit, an Azure migration, or an ERP integration, you need to know whether these tasks are handled in-house or outsourced.

Subcontracting isn't a problem, as long as it's transparent and the primary contractor remains clearly responsible. The problem arises when a contractor agrees to everything without mentioning their limitations, then improvises after the contract is signed.

Field	What a General Practitioner Covers	This requires a specialist
Infrastructure	Computer fleet, local area network, backups	Hybrid cloud architecture, high availability
Security	Antivirus, updates, basic firewall	Penetration testing, ANSSI audit, advanced incident response
Application	Email, M365, Office tools	Custom Development, ERP/CRM Integration
Compliance	GDPR Basics (Register, DPO)	NIS2, HDS, SecNumCloud certification

‍

IT Systèmes provides services in infrastructure, cloud, security, and development with Microsoft-certified teams. Each area is handled by a designated specialist. Any work that is outsourced is transparent, documented, and under the contractual responsibility of IT Systèmes. Learn more about IT Systèmes’ MSP offerings →

✅ Good sign	🚩 Warning
Team with specialists identified by field	A single technical point of contact for all matters
Transparency regarding what is outsourced and to whom	Vague response regarding certifications or partners
Certifications that can be verified online (Microsoft Partner, ANSSI, etc.)	A very extensive catalog for a team of three people

Criterion 3: Knowledge of Your Industry

A law firm does not face the same constraints as a small or medium-sized industrial company. The former works with confidential data on mobile devices that are often outside the network’s coverage area. The latter manages industrial control systems, production lines, and sometimes OT systems that are isolated from the internet.

A service provider who is familiar with your industry will ask the right questions right from the scoping phase. They are familiar with your business software, the associated regulatory requirements, and recurring issues. Put them to the test during your first meeting: ask them a specific question about your environment. The quality of their answer will tell you a lot.

‍

Sector	Common Business Software	Key Regulatory Requirement	Specific IT Risk
Lawyers / Legal	Kleos, Clio, Jarvis Legal	Enhanced Confidentiality, RPVA	Highly sensitive customer data, mobile workstations
Chartered accountant	ACD, Cegid, Pennylane	IGS, GDPR, professional confidentiality	Multiple-client access, firm synchronization
Industry	SAP/Sage ERP, CMMS	NIS2, OT/IT Security	Legacy systems that cannot be patched, business continuity
Education / Training	Yparéo, OpenERP, Moodle	GDPR and Minors, Student Data	Diverse user base, high turnover in access
Health / Medical and Social Services	Osiris, NetSoins, Medimust	HDS, PGSSI-S	Health data, critical service continuity

‍

IT Systèmes has been supporting small and medium-sized businesses in the legal, accounting, industrial, and healthcare sectors for over 15 years. We have in-depth knowledge of industry-specific software, regulatory requirements, and IT risks unique to each sector. Verifiable references are available upon request. Learn more about IT Systèmes’ MSP services →

✅ Good sign	🚩 Warning
References in your industry, verifiable by phone	Generic references where contactless is possible
Knowledge of the business software you use	Getting to Know Your Business Software During the First Meeting
Relevant questions about your constraints right from the first meeting	Standard speech, not tailored to your business

Criterion 4: Pricing Transparency

Flat-rate plans make budgeting easier, provided you know exactly what they cover. What is included in “IT infrastructure management”? Replacing a hard drive? Setting up a new workstation? Recovering from a ransomware attack?

Ask for a line-by-line breakdown of what is included and the hourly rate outside the package. This figure reveals a lot about the service provider's business policy.

‍

Type of Service	Included in the package?	Questions to Ask
Hardware Replacement (Failure)	Often not: labor, yes; parts, no	Who's placing the order? Who's paying? What's the deadline?
Onboarding a New Employee	Varies depending on the contract	Included in the package for up to N positions?
Security Incident Response	Rarely in the case of major incidents	What is covered? To what extent?
Migration to New Software	Generally not included in the package	What is the production rate? Who approves the cost estimate?
Annual audit or security report	Often billed as an extra charge	Is this included? How often?

‍

The MSP IT Systèmes offering includes a detailed, line-by-line pricing schedule, an hourly rate provided before signing the contract, and prior client approval for any work outside the scope of the agreement. No billing surprises. Learn more about the MSP IT Systèmes offering →

✅ Good sign	🚩 Warning
Scope of the flat-rate plan, itemized line by line	"All-inclusive" package without a list of contents
Hourly rate (excluding package rates) disclosed prior to signing	Total estimate without a breakdown
Client approval required before any work outside the scope	Evasive response regarding additional costs

Criterion 5: The ability to grow with you

Your organization currently has 40 employees. In two years, there may be 80, with an additional office and cloud needs that don't yet exist. Can the service provider keep up, or is it designed to handle only clients of your current size?

The direct question to ask: Who is your biggest client right now? If your current size is already at the upper end of their range, you’ll likely be too complex for them in 18 months. It’s better to know that now.

✅ Good sign	🚩 Warning
A portfolio of clients of various sizes	Portfolio consisting solely of very small businesses if you are a medium-sized company
Experience with migrations and scaling	Hesitation Regarding Transformation Projects
Flexible packages with the option to add services	No experience with cloud or distributed architecture

Criterion 6: Security and Compliance

SMEs now account for the majority of ransomware victims in France (source: ANSSI, 2024 Cyber Threat Overview). The IT service provider is often the first link in the security chain. Its security posture directly determines your level of risk.

Three specific questions to ask: How do you secure my IT system on a daily basis? What happens if I fall victim to a ransomware attack at 3 a.m.? How do you help me comply with my regulatory obligations?

Security Maturity Level	What the service provider offers	Indicators
Basic	Antivirus, updates, firewall	No active monitoring, no PRI
Intermediate	EDR, 24/7 monitoring, tested backups	Outsourced SOC or MDR, quarterly restoration tests
Advanced	Annual penetration test, ANSSI audit, vulnerability management	Certifications, NIS2 support, PSSI documentation

The IT Systèmes MSP offering includes 24/7 monitoring, managed EDR, tested immutable backups, and a documented incident response plan. A security audit is offered during the scoping phase. NIS2 and GDPR support is available depending on the industry. Learn more about the IT Systèmes MSP offering →

✅ Good sign	🚩 Warning
Documented Incident Response Plan (IRP)	Security mentioned solely as an upsell
Proposed security audit during the scoping phase	No formal procedure in the event of an incident
NIS2 and GDPR support included or offered	No mention of the regulatory requirements for your industry

Criterion 7: The advisory approach

A service provider that handles support tickets without ever questioning the underlying architecture may be convenient in the short term. When a technology becomes obsolete or a migration becomes necessary, you find out too late—often at the last minute—and therefore at a high cost.

A service provider with a consultative approach alerts you before problems arise, suggests improvements without you having to ask for them, and understands your business well enough to anticipate your needs. You can tell right from the first meeting: does the provider ask questions about your business, or only about your servers?

✅ Good sign	🚩 Warning
Quarterly Business Reviews (QBRs) with summaries and recommendations	Only reactive, never proactive
Questions About Your Business Projects From the Very First Contact	No questions about your business during the presentation
Proactive alerts regarding technologies reaching the end of their life cycle or end of support	No formal review or IT roadmap has been proposed

Criterion 8: Contract Termination Management

This is the detail that almost no one checks before signing, and that everyone regrets not having checked when they first signed up. Ask the question directly: If we switch providers in 18 months, how does that work?

Who has administrator access? Do you own the documentation for your IT system? Is there a clause that complicates the transfer to a competitor? A reputable service provider has no reason to avoid this topic.

Point of vigilance	Good practice	Question to Include in the Request for Proposals
Administrator Access	Held jointly starting on Day 1	Can you show me how access is managed?
IT Documentation	Provided and updated by the customer; owned by the customer	Do I have a contractual right to the documentation?
Data and Backups	Returns within 30 days, standard size	In what format and within what timeframe will you return my data to me?
Non-Solicitation Clause	Reasonable duration (6–12 months max)	Is there a clause that limits my future choice of service provider?
Transition Period	Support for the Designated Successor	Do you support the incoming service provider during the transition?

IT Systèmes contracts include an explicit reversibility clause, contractual ownership of the IT system documentation, and the transfer of administrator access within 5 business days. The documentation is hosted at the client’s site and updated after each service call. Learn more about IT Systèmes’ MSP offering →

✅ Good sign	🚩 Warning
Maintenance of the IS documentation, which is the client's contractual property	Documentation missing or "in progress"
Joint administrator access from the start	Critical access held solely by the service provider
A clear reversibility clause and a defined return deadline	Missing or excessively restrictive exit clause

How to Use This Grid in Practice

No service provider will perfectly meet all of these criteria. The goal is to find one who is honest about what they do well, clear about their limitations, and who answers your questions without dodging them.

A service provider that acknowledges outsourcing security to a certified specialist inspires more confidence than one that claims to handle everything in-house with a team of five people.

One final tip: Reach out to two or three current clients on your own, not through the references provided by the service provider. Whether on LinkedIn or through your network, a few ten-minute calls will give you real-world feedback that no brochure can replace.

Frequently asked questions

Should we choose a local IT service provider, or can we work remotely?

Routine support and cloud projects work very well remotely. For on-site work (hardware, cabling, rack installation), a local or regional presence is still necessary. Ideally, a service provider capable of handling both as needed.

What budget should you set aside for an IT outsourcing provider?

For an SME with 20 to 50 workstations, a comprehensive IT outsourcing contract generally costs between €80 and €200 per workstation per month, depending on the service level. It’s worth comparing this to the cost of a full-time in-house technician, based on the actual figures.

How long does it take to switch IT service providers?

Between 4 and 12 weeks, depending on the complexity of the IT system. The critical phase involves taking over documentation and transferring access rights. If the outgoing service provider has not maintained documentation, this phase may take longer. It is good practice to allow for a 4-week overlap period between the two service providers.

Can an IT service provider also handle the development of business software?

Some do. Managed services providers focus on operations. Those that also cover development and automation can manage the entire IT system, from infrastructure to applications. IT Systèmes covers both areas, which eliminates the need to deal with multiple technical contacts on topics that often overlap.

Are you evaluating IT service providers for your small business?

IT Systèmes answers all these questions with complete transparency.

Request an initial exchange →