A managed IT services agreement typically includes the exact services the provider will deliver, how performance is measured, what security controls are in place, and how pricing, responsibilities, and termination are handled. It is the document that turns “we manage your IT” into enforceable, measurable commitments. If you are evaluating providers, understanding these inclusions helps you compare like for like and reduce operational risk.
Why a managed IT services agreement matters
A managed IT services agreement (sometimes called an MSA with a Statement of Work, or a Master Services Agreement plus schedules) sets expectations for both parties. For organizations with offices in multiple locations, such as New York and New Jersey or London and Dublin, it also standardizes service delivery across sites and time zones. A clear agreement reduces surprise charges, prevents gaps in cybersecurity coverage, and clarifies who does what during incidents.
Core sections included in a managed IT services agreement
1) Parties, definitions, and term
Most agreements begin by identifying the customer entity and the service provider, then define key terms. Definitions often include “covered devices,” “business hours,” “incident,” “severity,” “user,” and “service request.” The term section specifies contract length (month-to-month, 12 months, 36 months), renewal rules, and notice periods. If you have multiple legal entities across regions, ensure the agreement lists which entities and sites are covered, such as a Chicago headquarters and a Phoenix distribution center.
2) Scope of services (what is actually included)
The scope is the heart of a managed IT services agreement. It should spell out exactly which services are included, which are optional add-ons, and which are excluded. A strong scope section also references an inventory baseline, such as number of endpoints, servers, network devices, and cloud tenants. Common inclusions are:
- Help desk and end-user support: ticketing, remote support, and sometimes onsite support for hardware issues or new hire setups.
- Endpoint management: patching, device health monitoring, antivirus or EDR deployment, disk encryption policies, and standard configurations.
- Server and infrastructure management: monitoring, patching, capacity planning, virtualization management, and lifecycle recommendations.
- Network management: firewall management, switch and wireless monitoring, ISP coordination, and VPN administration.
- Cloud services support: Microsoft 365 or Google Workspace administration, identity management, and SaaS app support defined by list.
- Backup and recovery services: backup scheduling, verification, retention rules, and restore assistance.
- Security operations components: alert monitoring, vulnerability scanning, security hardening, and incident response procedures (often with defined boundaries).
Look for language that specifies service limits, such as “unlimited remote support” versus “up to X hours per month,” and whether projects like major migrations are included or billed separately.
3) Service levels (SLAs) and performance targets
SLAs define response time, resolution targets, and availability commitments. These are usually tied to severity levels. For example, a Severity 1 outage might require a 15-minute response during business hours, while a Severity 3 request might allow a 4-hour response. If your business operates across time zones, confirm whether SLAs apply in local time for each site, such as 8 a.m. to 6 p.m. Pacific for West Coast offices and 8 a.m. to 6 p.m. Eastern for East Coast offices, or if the provider offers 24/7 coverage.
SLAs should also state how performance is measured and what happens if the provider misses targets. Some agreements include service credits, but many focus on reporting and remediation plans. Ensure the SLA language distinguishes between provider-controlled issues and dependencies like internet outages or third-party SaaS incidents.
4) Roles and responsibilities (shared accountability)
A managed IT services agreement should include a “customer responsibilities” section. This often requires you to maintain accurate user lists, notify the provider about hires and terminations, approve critical changes, and keep licensing compliant. Providers typically commit to documenting changes, maintaining tools, and escalating security issues promptly. This section is essential in regulated environments such as healthcare in California or financial services in Singapore, where audit trails and access governance are mandatory.
5) Tools, access, and remote management permissions
Most providers use RMM (remote monitoring and management), PSA (ticketing and billing), and security tooling. The agreement should disclose what tools will be installed, what data they collect, and who can access it. It should also define how administrative credentials are handled, whether a privileged access management approach is used, and what happens to tool agents upon termination. Clear rules here prevent disputes about “ownership” of monitoring data and reduce security risks related to unmanaged admin accounts.
6) Cybersecurity and risk management inclusions
Security content varies widely, so confirm what is included in your managed IT services agreement rather than assuming “security is covered.” Common contractual inclusions are:
- Baseline security controls: MFA policies, password standards, encryption, and device compliance checks.
- Endpoint protection: antivirus, EDR, or managed detection components, plus alert handling boundaries.
- Email security: filtering, anti-phishing policies, and domain protections (SPF, DKIM, DMARC) when in scope.
- Vulnerability management: scanning cadence, remediation responsibilities, and patch windows.
- Incident response process: triage, containment, escalation, and communication steps, including when legal or forensics partners are engaged.
If you operate in regions with specific requirements, such as GDPR in the European Union, HIPAA in the United States, or APRA CPS 234 in Australia, the agreement should map security services to those obligations and specify what evidence the provider can supply.
7) Backup, disaster recovery, and business continuity
Backup is often included, but recovery expectations are not always explicit. The managed IT services agreement should define backup scope (servers, Microsoft 365, endpoints), retention, offsite replication, encryption, and testing frequency. It should also clarify recovery responsibilities, such as whether the provider performs restores and how quickly, and what constitutes a billable disaster recovery event. If you have a multi-site footprint, like a Dallas office and an Atlanta warehouse, document recovery priorities for each location.
8) Change management and project work
Agreements commonly separate “managed services” (ongoing operations) from “projects” (one-time changes). A good managed IT services agreement defines what changes are included, such as routine firewall rule updates, and what is considered project work, such as migrating to Azure, network redesign, or replacing an on-prem ERP server. It should specify approval workflows, maintenance windows, and documentation requirements, so changes are controlled and auditable.
9) Compliance, privacy, and data protection terms
Data processing language may appear in a Data Processing Agreement (DPA) or as an addendum. Look for confidentiality terms, data handling, subcontractor use, breach notification timelines, and data residency expectations. For example, a company with operations in Toronto and Montreal may require Canadian data residency for certain datasets. The agreement should also address log retention, who owns the data, and how data is returned or destroyed at the end of the relationship.
10) Pricing, billing, and what triggers extra charges
Pricing in a managed IT services agreement is often per-user, per-device, or a hybrid model. The contract should list included items, unit rates, and billing cadence. Watch for common charge triggers, such as after-hours support, onsite dispatch, third-party vendor coordination beyond a threshold, or major version upgrades. Clarity here helps you forecast IT spend across departments and locations, including satellite offices where onsite visits may incur travel fees.
11) Reporting, reviews, and documentation deliverables
Operational reporting is frequently overlooked. Your managed IT services agreement should specify what reports you receive and how often, such as monthly ticket metrics, patch compliance, backup success rates, vulnerability trends, and asset inventory changes. Many providers also include quarterly business reviews (QBRs) to discuss roadmap, risk, and budget. Require documentation deliverables like network diagrams, admin account inventories, and an up-to-date asset list to prevent knowledge gaps.
12) Termination, offboarding, and transition assistance
Every agreement ends eventually, so the managed IT services agreement should describe offboarding clearly. This includes notice periods, final billing, data return format, credential handover, tool agent removal, and the level of transition assistance included. If you rely on the provider for Microsoft 365 administration, confirm how tenant admin roles will be transferred. Strong offboarding terms reduce downtime during provider changes and help you maintain security posture.
Red flags to watch for when reviewing inclusions
- Vague scope language: phrases like “general IT support” without listing systems, tools, and boundaries.
- No SLA specificity: response times not defined by severity or only described as “best effort.”
- Security assumptions: “we handle security” without naming controls, monitoring scope, or incident response steps.
- Hidden exclusions: critical items like backups, MFA, or patching listed as add-ons.
- Weak offboarding terms: no plan for credentials, documentation, or tool removal.
How to confirm what is included before signing
Request the scope and SLA schedules in writing, and ask for a sample monthly report. Verify the asset baseline, including remote sites and home-office users. If you operate across jurisdictions, confirm privacy and compliance addenda for each region. Finally, insist that all verbal promises are captured in the managed IT services agreement, either in the main body, a Statement of Work, or an attached service catalog.
Conclusion
A well-written managed IT services agreement should leave little room for guesswork: it defines scope, SLAs, security, backup, compliance, pricing, and offboarding in practical terms that match your business operations. Whether you are supporting a single office or multiple locations across the United States, Canada, Europe, or Australia, taking time to validate inclusions protects uptime, strengthens security, and stabilizes IT costs. If you want confidence in execution, treat the agreement as an operational blueprint and ensure every critical service is explicitly documented.
Frequently Asked Questions
Does a managed IT services agreement usually include cybersecurity monitoring?
Many do, but a managed IT services agreement should spell out exactly what security is included: endpoint protection, alert monitoring hours, vulnerability scanning cadence, and incident escalation steps. Ask for a named list of tools and responsibilities, plus what is excluded, such as phishing response, forensics, or 24/7 SOC coverage.
Are cloud services like Microsoft 365 automatically covered in a managed IT services agreement?
Not automatically. A managed IT services agreement should list each cloud tenant and what administration is included, such as user provisioning, MFA enforcement, mailbox support, and security configurations. Confirm whether licensing is included, whether third-party SaaS apps are supported, and how requests are handled for multi-location teams.
What SLAs should I expect in a managed IT services agreement?
A managed IT services agreement should define severity levels and measurable response targets, plus the coverage window, such as 8×5 or 24×7. Expect faster response for outages and slower for standard requests. Make sure the SLA explains measurement method, customer dependencies, and what remediation occurs if targets are missed.
How does pricing typically work in a managed IT services agreement?
A managed IT services agreement commonly uses per-user, per-device, or a hybrid monthly fee, with separate rates for projects and after-hours work. Require an itemized list of included services and charge triggers, such as onsite visits, new site setup, major migrations, or third-party vendor coordination beyond agreed limits.
What should offboarding include in a managed IT services agreement?
A managed IT services agreement should include transition assistance, credential handover, documentation delivery, and a process to remove management agents and return or destroy data. Confirm timelines, final billing, and who retains admin access to cloud tenants. Clear offboarding terms reduce downtime and prevent security gaps during provider changes.





