
What Should Be Included in a Fully Managed IT Support Contract for a UK SME

Josh Kirk
  • 25 Mar 2026

Introduction

The phrase “fully managed IT support” is used so often in the industry that it has almost lost its meaning: two providers can use the same words and deliver completely different levels of service. For UK SMEs with fifty to one hundred and fifty users, understanding what is actually included, what sits outside scope, and what you are genuinely paying for can make the difference between a smooth relationship and constant friction.

This guide breaks down the elements most businesses should expect from a managed IT contract, how to compare two providers fairly, and how to align expectations with what the contract really covers.

The short answer

A good fully managed contract clearly sets out scope, SLAs, security responsibilities, governance expectations and which activities count as projects rather than inclusive work. You should always compare delivery against what you have paid for instead of what you assumed was included. Strong contracts provide visibility through reviews, reporting and documented responsibilities. Exclusions should be listed explicitly, such as onboarding, migrations and advanced security tooling.

Start with scope: what did you actually buy?

The three pillars of a managed service

A fully managed contract typically covers support, security and governance but, as we said at the start, “fully managed” as a term has been loosely used to describe a wide range of services. Most problems arise when only support is defined clearly and everything else is left ambiguous. If your contract does not explicitly list what is included in each “pillar”, or at least in the areas you are expecting, you may not get the consistency or coverage you thought you were getting.

Why assumptions create friction

When the contract says “fully managed” but the business assumes this includes strategy, vendor management or advanced security, the gap between expectation and reality becomes painful. Providers are not usually withholding anything; the contract simply never included the areas you thought it did.

How to map stated scope versus expected scope

Before comparing two providers, it helps to map what your team believes they will receive against what is written. Clarify support tasks, security responsibilities, governance cadence, onsite expectations, out of hours support and what will be billed separately. This removes most of the ambiguity that causes tension later.

The thirteen point inclusion checklist

Every contract will be different, but there are recurring themes. These are the areas many SMEs expect to see covered, whether in the “fully managed” element of the contract or simply itemised in the costs on your quote. Remember, this will come down to how each provider lists their services: some may have everything in one bundled cost, others may list support and licensing as very separate things.

Support and operations

A typical contract will include helpdesk access, monitoring and patching, user onboarding and offboarding, and asset or device management. Patching as a whole is something to clarify, as each supplier can define the term differently, particularly when it comes to third-party applications; it often covers devices and Microsoft 365 updates. The variation is usually in how proactive this is and whether recurring issues are removed rather than simply handled.

Microsoft 365 and identity

You should expect clarity on who manages your Microsoft 365 tenant, who owns MFA and conditional access, and who controls administrative rights. Identity is central to modern security, so responsibilities here need to be written clearly.

Cybersecurity baseline

Some baseline level of endpoint protection, email security and backup verification is common. The depth varies significantly so you should understand whether security is actively managed, or simply listed as a tool that exists. This can also be where you see variance in cost.

Governance and improvement

Good providers outline a review cadence, reporting expectations and whether strategic or roadmap conversations are included. If they aren’t included by default, it doesn’t necessarily mean they are a worse provider, but it may mean roadmapping is looked at separately, especially if it is done by a CTO or a highly experienced individual. Some contracts only include operational support, while others include structured improvement planning; knowing which one you have is essential. One thing to keep in mind is that not all accounts will be treated evenly: how regular your reviews are will typically depend on spend or on what is included in the contract. For more information on what should be included in an IT roadmap, read our piece here.

SLA essentials and how to interpret them safely

Response and resolution

An SLA for a first response is not the same as an SLA for resolving an issue, or even an SLA for solving a critical issue. Many SMEs misunderstand this difference; the contract should explain which activities each SLA applies to.

Priority definitions

You should be clear on what constitutes a critical issue, what counts as a major incident and what is treated as a standard request. If you do not understand these definitions, SLAs will feel inconsistent.

What an SME can realistically expect

Most fully managed contracts assume business hours support unless otherwise stated. Extended hours, on call and rapid onsite support typically require a separate agreement.

What is usually not included

Out of hours urgent support, weekend work, major incident handling, on call services and scheduled onsite visits are often outside standard scope unless explicitly purchased. Items that require project work are also usually quoted separately.

Common exclusions that cause misunderstandings

Onboarding and discovery

Many providers treat onboarding as a project because they must document the environment, fix inherited issues and bring the environment up to a manageable standard. This is rarely included in the monthly fee but some suppliers may allow the cost to be spread across months.

Migrations and project work

Upgrades, migrations, hardware rollouts and transformation initiatives almost always sit in project or professional services. They are not included in the baseline contract unless written in.

Vendor management

Some providers will liaise with software vendors for you, others will not. This varies widely and should be clarified to avoid frustration.

Security incidents

Containment, investigation and remediation for security incidents are usually outside the standard scope because they are unpredictable and labour intensive. This becomes a bigger point if you have actively gone against hardware and security upgrade suggestions a supplier has put forward.

Onsite visits

Most fully managed agreements include remote support as the core service; onsite time is often limited or billed separately, but can be included in a contract.




Expectation versus contract: how to align them fairly

The common expectation gap

Businesses often believe strategic planning, vendor liaison or deep security oversight are included because the marketing language implied it, while the contract usually tells a different story. Neither party is truly in the wrong here, but make sure the questions are asked.

How to have a scope alignment conversation

The simplest approach is to sit with your provider and compare contract language to business expectations. If gaps exist, discuss whether the provider can improve delivery or whether the contract needs expanding.

When expanding scope makes sense

If the business wants structured governance, proactive improvement, or vCIO style planning, those services will likely need to be added formally. They require time and expertise, so they rarely sit inside the lowest tiers.

When improvement should be included without additional cost

If the contract includes certain activities but they are not being delivered to the expected standard, this is a delivery issue rather than a scope issue. Providers should address this without increasing fees.

A simple ten-minute contract sanity check

To check whether your contract really covers what you think it does, ask yourself a few questions. Do we know exactly which tasks the provider owns? Are SLAs defined clearly and mapped to real scenarios? Are exclusions transparent? Is governance included? Do we know what will be billed separately? If any of these answers are unclear, there is room to improve alignment.

A brief example scenario

A ninety-user professional services firm believes its contract includes roadmap planning and strategic guidance, as it would like to have a more strategic approach to its technology and IT. In reality, the contract only covers operational support. The provider is not underperforming; they are delivering what was contracted. After reviewing the agreement together, the business decides to add a quarterly governance layer and formalise vCIO time, which not only gives the business what it wants but also gives it access to increased levels of expertise.

FAQs

What does fully managed actually mean?

It depends on the provider. It should always include support, monitoring, patching (at a very basic level) and basic security, but the depth and governance level vary significantly.

Should cybersecurity be included?

A baseline set of controls often is, but the level of management and evidence varies, so always check responsibilities. As an MSP ourselves, we believe strongly in having what we consider a minimum level of cybersecurity, as it has become a necessity for businesses.

How often should we review the contract?

Annually works well, with quarterly service reviews to align expectations and discuss changes. The quarterly reviews will depend on what you have agreed with your provider; some people like frequent reviews and others just like IT to almost be set and forget.

Are projects always charged separately?

Almost always. Migrations, upgrades and transformation work normally sit outside the core agreement, especially when specialists are required and given the time needed to deliver any project.

What is a reasonable review cadence?

Quarterly service reviews are common for SMEs, with an annual contract or scope review, but it really is decided on a business-by-business basis. If you are very happy with your support and reviews don’t feel needed, you may not have them as frequently; it can also depend on the level of support you take.
