Plain-English summary
Plain-English questions to help owners discuss sensitive information handling with IT providers. This page is for orientation only. Always verify the official source, contract language, solicitation instructions, and qualified professional advice before making commitments.
Start with scope
Before asking about tools, ask about scope. Which systems, mailboxes, folders, devices, cloud services, backups, and user accounts might hold sensitive contractor information? Which ones are managed by the IT provider? Which ones are not? If nobody can answer those questions, the business is not ready for a confident security questionnaire response.
Ask about access and identity
Useful questions include: Do all users have named accounts? Are shared administrator accounts avoided? Is multifactor authentication enabled for email, cloud storage, remote access, and administrator accounts? How are new users approved? How are departing users removed? Who reviews permissions? These questions connect directly to how information is actually protected.
Ask about records and response
Ask which logs exist, how long they are kept, what alerts are reviewed, who investigates suspicious events, and what happens after a lost device or compromised account. Ask whether backups are protected so that ordinary user accounts cannot modify or delete them. Ask what the provider needs from you to support incident response and customer notification decisions.
Ask about what they will not promise
A good IT provider should be clear about boundaries. They may manage systems, but they may not provide legal advice, official assessment, CMMC certification, contract interpretation, Canadian program submissions, or SPRS scoring. Be wary of anyone who casually promises that a tool or template makes the business compliant without reviewing the actual scope and requirements.
Key takeaways
- Scope comes before tool selection.
- Access, logs, backups, and response need specific answers.
- Provider responsibilities should be written clearly.
- Do not let vendors make unsupported compliance promises.
Official sources to verify
Use these official sources for current requirements. This page is educational and may not reflect every contract-specific detail.