Choosing the right managed service provider for your business isn’t just about finding someone to fix your IT problems – it’s about partnering with a company that takes your security, data, and business continuity as seriously as you do. That’s why the UK’s National Cyber Security Centre has developed a comprehensive checklist to help SMEs make informed decisions when selecting an MSP.
With 50% of small-sized businesses experiencing security breaches or cyber-attacks in recent years [1], the stakes have never been higher. The NCSC’s guidance is designed to help businesses like yours identify MSPs that don’t just talk about security – they live and breathe it.
At ERGOS Technologies Limited, we’re proud to say we tick every single box on the NCSC’s checklist. But we don’t want you to just take our word for it. Let’s walk through the checklist together and show you exactly how we meet, and exceed, these critical standards.
Understanding the NCSC’s MSP guidance
The NCSC recognises that SMEs need clear guidance when selecting and working with managed service providers. Their checklist covers everything from security certifications to contract considerations, helping you ask the right questions and make confident decisions about who you trust with your IT infrastructure.
Security certifications: the foundation of trust
The checklist asks: Does the MSP hold recognised security certifications such as Cyber Essentials Plus or ISO 27001? If not, what security standards do they use?
ERGOS Technologies: ✓ Yes
Security certifications aren’t just badges we display on our website – they’re proof that we’ve undergone rigorous, independent audits of our security practices.
Our ISO 27001 certification is particularly significant. This internationally recognised standard demonstrates that we follow best practices in protecting data, managing risks, and responding to security incidents. Achieving this wasn’t a box-ticking exercise; it required us to implement a comprehensive information security management system that governs everything we do.
What does this mean for you? It means that when you work with ERGOS Technologies, you’re partnering with an MSP that has been independently verified to meet international standards for information security. Your data is protected by proven frameworks, not just promises.
We also hold Cyber Essentials Plus certification, the UK government-backed standard that protects against common cyber threats. This dual certification approach ensures we’re not just compliant – we’re exceeding industry expectations.
Proven track record: references that speak volumes
The checklist asks: Can they provide references, testimonials or case studies from other SMEs? Do they have a proven track record of security and service quality? Do they demonstrate transparency about their services and processes?
ERGOS Technologies: ✓ Yes to all
We’ve built our reputation one successful partnership at a time. Our client testimonials and case studies demonstrate not just our technical capabilities, but our commitment to being a true business partner. We believe transparency builds trust, which is why we’re always happy to connect prospective clients with existing customers who can share their experiences.
Our service delivery is backed by clearly defined processes that we’re happy to explain in detail. We don’t hide behind technical jargon – we help you understand exactly what we’re doing, why we’re doing it, and how it benefits your business.
Service level agreements: clear expectations
The checklist asks: Are their service levels including response times and uptime clearly defined in SLAs? Do they fit your needs and budget?
ERGOS Technologies: ✓ Yes
Vague promises about excellent service don’t cut it in today’s business environment. That’s why we provide detailed SLAs that clearly specify our response times, uptime commitments, and escalation procedures. You’ll know exactly what to expect, and we’ll be accountable for delivering it.
We also understand that every business has different needs and budgets. Our service packages are designed to be flexible and scalable, ensuring you get the protection you need at a price point that makes sense for your business.
Essential services for managed IT security
The NCSC checklist identifies several critical services that any MSP should provide. Here’s how ERGOS Technologies delivers on each:
Timely patch management
The checklist requires: Timely patch management for all systems and software
ERGOS Technologies: ✓ Yes
We implement automated patch management systems that ensure your software and systems are always up-to-date with the latest security patches. Cybercriminals exploit known vulnerabilities – we make sure those doors stay firmly closed.
Automated off-site data backups
The checklist requires: Automated, off-site data backups and regular testing of restore processes
ERGOS Technologies: ✓ Yes
Your data is your lifeblood. We provide automated, off-site backups with regular testing of restore processes. It’s not enough to just back up your data – you need to know you can actually recover it when it matters most. We test our backup systems regularly to ensure rapid recovery in any scenario.
Security monitoring and logging
The checklist requires: Security monitoring and logging, with alerts for suspicious activity
ERGOS Technologies: ✓ Yes
Our security monitoring systems work around the clock, watching for suspicious activity and alerting us to potential threats before they become problems. We don’t just collect logs – we actively analyse them to identify patterns and anomalies that could indicate a security issue.
Two-step verification
The checklist requires: Use of 2SV (2 Step Verification) across all access points
ERGOS Technologies: ✓ Yes
We implement two-step verification across all access points, adding an essential extra layer of security. Even if credentials are compromised, your systems remain protected. This simple measure dramatically reduces the risk of unauthorised access.
Clear incident response procedures
The checklist requires: Clear incident response and management procedures
ERGOS Technologies: ✓ Yes
When security incidents occur – and in today’s threat landscape, it’s a matter of when, not if – you need to know exactly what will happen. Our incident response procedures are documented, tested, and designed to minimise impact on your business. We know our role, you know yours, and together we can respond quickly and effectively.
Timely security updates and firmware patches
The checklist requires: Application of timely security updates and firmware patches
ERGOS Technologies: ✓ Yes
From your servers to your network equipment, we ensure that security updates and firmware patches are applied promptly. We balance the need for security with the need for stability, testing updates appropriately whilst ensuring critical patches are deployed without delay.
Contract and agreement considerations: protection in writing
The checklist covers:
- Is there a detailed service level agreement?
- Are roles, responsibilities, and liabilities clearly defined?
- Does the contract specify how and when security incidents are notified?
- Are there provisions for regular reviews and reporting?
- Is the principle of least privilege applied to MSP access?
- Are there clauses for managing obsolete accounts and infrastructure?
- Is there a clear process for contract review, renewal, or termination?
ERGOS Technologies: ✓ Yes to all
Our contracts are designed to protect both parties whilst ensuring clarity and fairness. We believe in:
- Crystal-clear SLAs that leave no room for misunderstanding
- Defined responsibilities so everyone knows who does what
- Rapid incident notification protocols that keep you informed
- Regular reporting that demonstrates our value and highlights areas for improvement
- Least privilege access ensuring we only have the access we need to do our jobs
- Active account management to prevent security risks from dormant credentials
- Flexible terms that allow for growth, change, or transition
Risk and responsibility: addressing the difficult questions
The NCSC’s checklist doesn’t shy away from the difficult questions, and neither do we:
Have you assessed your MSP’s supply chain risks?
We understand that our security is only as strong as our weakest link. That’s why we carefully assess and manage our own supply chain risks, ensuring that our vendors and partners meet the same high standards we apply to ourselves. The NCSC’s supply chain guidance is something we take seriously and apply throughout our operations.
Are accountability and liability for cyber security incidents explicitly documented?
Our contracts explicitly document accountability and liability for cyber security incidents. We don’t hide behind vague terms – we clearly state our responsibilities and ensure you understand yours. This transparency protects both parties and ensures effective collaboration.
Do MSPs have a tested incident response and recovery plan?
We don’t just have plans on paper – we test them regularly. Our incident response and disaster recovery procedures are rehearsed, refined, and ready to deploy when needed. We know they work because we’ve proven they work.
Are backup and disaster recovery procedures outlined and agreed upon?
All our backup and disaster recovery procedures are clearly outlined in our service agreements. You’ll know exactly what’s backed up, how often, and what the recovery process looks like. No surprises, no ambiguity.
Is there a process for regular security training and awareness?
The human element is often the weakest link in security. That’s why we maintain a programme of regular security training and awareness, both for our own team and as a service we can provide to yours. Educated users are your first line of defence against social engineering and phishing attacks.
Why this matters for your business
The NCSC hasn’t created this checklist to make life difficult for MSPs or SMEs. They’ve created it because small businesses are increasingly targeted by cyber criminals, and the consequences of choosing the wrong IT partner can be devastating.
By following this checklist and choosing an MSP like ERGOS Technologies that meets every criterion, you’re:
- Reducing your risk of becoming a cyber-crime statistic
- Protecting your reputation with customers and partners
- Ensuring business continuity in the face of threats
- Meeting regulatory requirements more easily
- Gaining peace of mind knowing your IT is in expert hands
The ERGOS difference
Meeting the NCSC’s checklist is our baseline – not our ceiling. We’re constantly investing in new technologies, training, and processes to stay ahead of evolving threats. Our ISO 27001 certification requires continuous improvement, and we embrace that challenge.
More importantly, we’re not just an IT company – we’re a partner invested in your success. We take the time to understand your business, your challenges, and your goals. Then we build IT solutions that support your ambitions whilst keeping you secure.
Ready to find an MSP you can trust?
If you’re currently evaluating MSPs or reviewing your existing IT support arrangements, we encourage you to use the NCSC’s checklist as your guide. Ask the tough questions. Demand evidence. And don’t settle for providers who can’t tick every box.
At ERGOS Technologies Limited, we’re ready to show you exactly how we meet each criterion. We’re happy to provide:
- Detailed information about our certifications
- References from satisfied clients
- Examples of our SLAs and contracts
- Case studies demonstrating our expertise
- A frank discussion about how we can support your specific needs
Your business deserves an MSP that takes security as seriously as you do. We’re here to prove we’re that partner.
Ready to discuss your IT security needs? Contact ERGOS Technologies Limited today to learn more about how we can help protect and grow your business with IT solutions that meet the highest standards of security and service.
For more information about choosing an MSP, visit the NCSC’s guidance for SMEs and their guide to choosing a managed service provider.
Sources:


