5 Questions to Ask Any IT Firm About Their Own Security Before You Hand Over Access

Questions to Ask an IT Firm About Their Own Security: 5 You Must Ask Before You Hand Over Access

Most business owners evaluate IT firms on response times, toolsets, and client references. All useful — but incomplete. The questions to ask an IT firm about their own security matter just as much. The firm you hire gets privileged access to your network, your data, and often your credentials. If their house isn’t in order, yours is at risk the moment you sign. Here are five specific questions — and what to listen for in the answers — so you can vet any vendor before handing over the keys.

Table of Contents

  1. Why Your IT Firm’s Security Is Your Problem Too
  2. Question 1: Are You Audited Against a Recognized Security Framework?
  3. Question 2: What Is Your Own Breach History?
  4. Question 3: How Do You Control Privileged Access to Client Environments?
  5. Question 4: How Do You Vet and Monitor Your Own Vendors?
  6. Question 5: What Happens to My Data If We Part Ways?
  7. Red Flags That Should End the Conversation
  8. What Good Looks Like
  9. How to Make the Call

Why These Questions to Ask an IT Firm About Their Own Security Actually Matter

Supply chain attacks are now one of the most common and damaging categories of cyber incident. The adversary doesn’t target you directly — they target a vendor with access to you, and use that trusted relationship as the entry point. Your IT firm is, by definition, one of your highest-trust vendors.

This isn’t theoretical. The Cybersecurity and Infrastructure Security Agency (CISA) has published extensive guidance on exactly this threat vector, noting that attackers increasingly target IT service providers as a gateway to their client base.

When you hire an IT firm, you’re not just buying a service. You’re extending your own attack surface to include theirs. Every gap in their security is a potential gap in yours. That’s why the questions to ask an IT firm about their own security deserve as much rigor as any other part of your vendor evaluation.

Question 1 to Ask an IT Firm About Their Own Security: Are You Audited Against a Recognized Framework?

Anyone can claim they take security seriously. An external audit against a recognized framework is evidence. Ask directly: “Are you audited by a third party, and against what standard?”

Frameworks worth knowing:

  • CIS Critical Security Controls — a practical, prioritized set of actions developed by the Center for Internet Security, widely used by IT service providers
  • ISO 27001 — an internationally recognized information security management standard
  • NIST Cybersecurity Framework — a voluntary framework from the National Institute of Standards and Technology, used heavily in government-adjacent industries
  • SOC 2 Type II — a formal audit of security, availability, and confidentiality controls measured over time

The follow-up questions matter as much as the initial answer. Who performs the audit? An internal self-assessment is not the same as an independent third-party review. How recently was it completed? Frameworks only mean something when they’re actively maintained. What did the last audit find, and how were those findings addressed?

A vendor who can’t answer these questions clearly — or who gets defensive when you ask — is telling you something important.

For context: Xact IT Solutions holds the GTIA Cybersecurity Trustmark, audited annually since 2021 by Versprite, a CREST-accredited assessor, against CIS Critical Security Controls at the IG2 level with supplementary ISO 27001 controls. That’s an active, external, annual audit — not a one-time certification collected and forgotten.

Question 2 to Ask an IT Firm About Their Own Security: What Is Your Breach History?

This is the question most vendors hope you won’t ask. Ask it anyway.

“Have any of your clients ever experienced a breach while under your management? And has your own company ever experienced a security incident?”

These are two distinct questions. A breach affecting a client environment is different from a breach of the vendor’s own systems — though both matter. Listen for specifics. A vendor who says “we’ve never had a breach” with no supporting context is giving you a marketing line. A vendor who says “zero client breaches across our entire history since 2004, and here’s why that holds” is giving you something real to evaluate.

Xact IT has maintained zero client breaches since founding in 2004. That’s not a claim we make lightly — it’s a record we can defend, and one we’re willing to discuss in detail on a cybersecurity strategy call. It’s also genuinely rare in this industry, which is exactly why these are the right questions to ask an IT firm about their own security.

If a vendor has experienced incidents, denial isn’t the right answer. Honest description of what happened, what they did about it, and what changed afterward is. A vendor who learned from a real incident and rebuilt their posture may be more trustworthy than one who has never been tested and has no idea how they’d respond.

Question 3 to Ask an IT Firm About Their Own Security: How Do You Control Privileged Access?

Your IT firm’s technicians will have elevated access to your systems — in many cases, more access than your own employees. The question is how that access is controlled, logged, and revoked.

Specific things to ask:

  • How do you authenticate technicians before they can access client systems — do you require multi-factor authentication on all administrative accounts?
  • Is access to client environments logged? Can you produce those logs if I ask for them?
  • Do technicians have standing access to all client systems at all times, or is access granted only when needed for a specific task?
  • What happens to access credentials and permissions when a technician leaves your company?
  • How quickly are departing employees’ access rights revoked?

The principle you’re probing for is called least-privilege access — the idea that any person or system should have access only to what they need, only when they need it. A firm that can’t explain how they implement this is operating with unnecessary exposure, and that exposure extends directly to you.

This is also a test of operational maturity. A well-run IT firm has written policies covering all of the above. “We trust our team” is not a policy — it’s a hope.
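The access questions above ask for evidence: MFA on every administrative account, task-scoped rather than standing access, logs that can be produced on request, and prompt revocation when a technician leaves. The following is an added example, not code from the original post or from Xact IT Solutions, showing how a buyer who receives such an export could check it mechanically. The CSV layout, the field names (`user`, `client`, `granted`, `expires`, `revoked`, `mfa`, `departed`), the 24-hour revocation window and all sample rows are constructed assumptions for illustration, not the format of any real tool.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample exports (not real data). A firm that logs technician
# access should be able to hand over something equivalent when asked.
ROSTER_CSV = """user,departed
alice,
bob,2024-03-01T17:00
carol,
"""

GRANTS_CSV = """user,client,granted,expires,revoked,mfa
alice,acme,2024-02-10T09:00,2024-02-10T13:00,2024-02-10T12:30,true
alice,globex,2024-01-05T08:00,,,true
bob,acme,2024-02-20T10:00,,2024-03-05T09:00,false
bob,globex,2024-02-25T10:00,2024-02-25T14:00,2024-02-25T14:00,true
carol,acme,2024-03-10T09:00,2024-03-10T12:00,,true
dave,acme,2024-03-11T09:00,2024-03-11T12:00,,true
"""


def _ts(value: str) -> Optional[datetime]:
    """Parse an ISO timestamp; an empty cell means 'not set'."""
    return datetime.fromisoformat(value) if value else None


@dataclass
class Grant:
    user: str
    client: str
    granted: datetime
    expires: Optional[datetime]   # None means standing (never-expiring) access
    revoked: Optional[datetime]   # None means never explicitly revoked
    mfa: bool

    def active(self, now: datetime) -> bool:
        not_expired = self.expires is None or self.expires > now
        not_revoked = self.revoked is None or self.revoked > now
        return not_expired and not_revoked


def parse_roster(text: str) -> Dict[str, Optional[datetime]]:
    """Map each technician to their departure time (None while employed)."""
    return {r["user"]: _ts(r["departed"]) for r in csv.DictReader(io.StringIO(text))}


def parse_grants(text: str) -> List[Grant]:
    return [Grant(r["user"], r["client"], _ts(r["granted"]), _ts(r["expires"]),
                  _ts(r["revoked"]), r["mfa"].strip().lower() == "true")
            for r in csv.DictReader(io.StringIO(text))]


def find_violations(roster: Dict[str, Optional[datetime]], grants: List[Grant],
                    now: datetime, revoke_sla: timedelta = timedelta(hours=24)
                    ) -> List[Tuple[str, str, str]]:
    """Flag grants that contradict least-privilege expectations as of `now`.

    Rules: administrative grants without MFA, standing grants still active,
    grants to users who are not on the roster at all, and grants that stayed
    usable for longer than `revoke_sla` after the technician departed.
    """
    findings = []
    for g in grants:
        if not g.mfa:
            findings.append(("no_mfa", g.user, g.client))
        if g.expires is None and g.active(now):
            findings.append(("standing_access", g.user, g.client))
        if g.user not in roster:
            findings.append(("unknown_user", g.user, g.client))
            continue
        departed = roster[g.user]
        if departed is not None:
            deadline = departed + revoke_sla
            # The grant stopped being usable at expiry or revocation, whichever
            # came first; if neither has happened it is still usable now.
            ends = [t for t in (g.expires, g.revoked) if t is not None]
            effective_end = min(ends) if ends else now
            if effective_end > deadline:
                findings.append(("late_revocation", g.user, g.client))
    return findings


def audit(revoke_sla_hours: int = 24) -> List[Tuple[str, str, str]]:
    """Run the checks over the constructed sample as of 2024-03-12."""
    return find_violations(parse_roster(ROSTER_CSV), parse_grants(GRANTS_CSV),
                           datetime(2024, 3, 12),
                           timedelta(hours=revoke_sla_hours))


if __name__ == "__main__":
    for rule, user, client in audit():
        print(f"{rule:16} {user:8} {client}")
```

On the sample, the check surfaces exactly the situations the questions are meant to expose: one standing grant that never expires, one administrative grant issued without MFA, one former employee whose access outlived the revocation window, and one grant to a user the roster does not know about. The same logic runs over a real export; what changes is only the parsing of whatever format the firm can actually produce, and a firm that cannot produce such an export has already answered the logging question.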

Question 4 to Ask an IT Firm About Their Own Security: How Do You Vet Your Own Vendors?

An IT firm doesn’t operate in isolation. They use software tools, cloud platforms, and subcontractors to deliver their service. Each of those relationships is a potential entry point into your environment.

Ask: “What vendors have access to the tools you use to manage my environment, and how do you evaluate and monitor those vendors’ security?”

This matters because some of the most damaging supply chain attacks in recent years moved through software that IT providers use to manage client networks. The adversary compromises the software provider, and from there gains access to every client of every IT firm using that software.

A responsible IT firm maintains a documented list of vendors with access to client-touching systems, reviews those vendors’ security posture before onboarding them, and monitors for security advisories on an ongoing basis. They also have a plan for what happens if one of those vendors is compromised.

If the vendor looks at you blankly when you ask this question, that’s a real risk signal. It means their own supply chain exposure is something they’ve never thought through — which is precisely the kind of blind spot attackers exploit.

Question 5 to Ask an IT Firm About Their Own Security: What Happens to My Data If We Part Ways?

This question has a business continuity dimension, but the security implications are significant enough to include here.

When your relationship with an IT firm ends — for any reason — what happens to the data they hold about your environment? Configuration details, network documentation, stored credentials, backup data, system access — all of it needs to be cleanly transferred or destroyed. A vague answer suggests they haven’t thought through offboarding, which in turn suggests their access controls are informal throughout the relationship as well.

Ask for a written description of their offboarding process. Ask specifically:

  • How are your access credentials to my systems revoked at termination?
  • What documentation about my environment do you retain after the relationship ends?
  • How is any retained data protected, and for how long is it kept?
  • Will you provide a full handover package to my next IT firm or internal team?

A firm that handles offboarding poorly handles onboarding and access management loosely throughout the engagement too. The two go together. Our managed IT services team maintains documented offboarding procedures for exactly this reason — and we’re happy to walk any prospective client through them.

Red Flags That Should End the Conversation

Some answers to the questions above are workable even if imperfect — a vendor who acknowledges a gap and has a plan to close it is being honest. Other answers should be disqualifying. Watch for these:

  • Defensiveness or irritation when you ask about their own security — a firm with nothing to hide welcomes the question
  • No external audit and no plan to pursue one
  • Inability to name the framework they work against
  • Vague or evasive answers about breach history (“we’ve been very lucky”)
  • No written policies covering access control, offboarding, or vendor management
  • Security claims with no documentation to back them up
  • Dismissing supply chain risk as “not really a concern for a company our size”

That last one deserves specific attention. Size doesn’t protect you from supply chain exposure. Small IT firms can manage environments for dozens or hundreds of clients, making them an attractive target precisely because compromising one opens access to many. The CISA supply chain risk guidance makes this point explicitly.

What Good Looks Like When You Ask an IT Firm About Their Own Security

A vendor who handles these questions well will do a few things consistently. They’ll answer directly, without hedging. They’ll have documentation to back up their answers — audit reports, written policies, evidence of framework compliance. They’ll distinguish between what they do for clients and what they do for themselves, and speak to both with equal clarity.

They’ll also be curious about your environment in return. A firm that asks good questions about your own security posture during the evaluation is demonstrating the same mindset they bring to client work. That’s a good sign.

The NIST Cybersecurity Framework provides a useful reference point for what a mature security posture looks like across five functions: Identify, Protect, Detect, Respond, and Recover. When working through the questions to ask an IT firm about their own security, you can use those five categories as a loose checklist — asking about each area surfaces gaps quickly.

A firm that has worked through all five functions for their own environment — not just for clients — is demonstrating the kind of operational discipline that extends to everything they do. Learn more about how we approach this on our cybersecurity services page.

How to Make the Call After Asking an IT Firm About Their Own Security

At the end of this process, you’re making a judgment about trust. These questions give you a structured way to gather evidence — but the decision comes down to whether this firm has the discipline, the culture, and the controls to be a safe steward of your environment.

A useful mental test: if an attacker were trying to reach your business through your IT vendor, what would they find? A firm with external audits, a zero-breach history, strict access controls, and documented offboarding gives them very few options. A firm that has never thought about any of these questions is essentially an open door.

You don’t need to be a cybersecurity expert to run this evaluation. You need to ask the right questions, listen carefully to the answers, and ask for documentation when the answers sound good. The firms worth hiring will welcome that process. The ones worth avoiding won’t.

At Xact IT Solutions, these are the exact standards we hold ourselves to — and the same ones we’d encourage any business to apply to any IT vendor they evaluate, including us. If you want to put these questions to ask an IT firm about their own security directly to our team, we welcome it. Book a Free Cybersecurity Strategy Call and ask us anything.

[Image: vendor vetting checklist. Use this checklist when evaluating any IT firm’s own security posture before granting them access to your environment.]
