What documentation do you maintain to manage infrastructure?

What’s the most critical concern for IT and how do you manage it?

Describe your vulnerability identification and patching process.

Describe your change control and roll back process.

What type of incidents have you had and how did you respond? Data breaches? Forensic investigations?

How do you manage passwords and keys?

How can you guarantee the confidentiality of our data?

How should we measure your performance?

When was the last time your company underwent a security audit conducted by a 3rd party?

How many other similar sized companies operating the same kind of systems do you look after and can we have a contact for a reference?

What level of technical accreditation are the staff who would be managing our systems required to obtain?

What kind of staffing can we expect? – Do we get dedicated technicians? What is the average turnover time for your techs? Are they all employees?

Do you have any security specialists? Who is responsible for security?

How many FTEs required for our services?

What is our SLA this wraps in to what is our guaranteed response time for web/email requests/tickets, phone calls, outages, etc.

What are the terms of our contract – How much does it cost, am I locked into this provider if I sign and if so, for how long?
What’s included v chargeable?