What is co managed IT?

Co-managed IT is a shared setup. Your business keeps some IT work in-house, and an independent managed IT services provider, often called an MSP, handles the parts you want help with.

An MSP is a company that supports business technology for a monthly fee. In a co-managed arrangement, they do not replace your internal employee or team. They fill gaps, add tools, bring extra hands, or cover specialized work.

For example, your office manager or IT coordinator might handle day-to-day questions, printers, and new employee setup. The outside provider might help with cybersecurity tools, server maintenance, cloud systems, backup reviews, or after-hours support.

This is different from fully outsourced IT, where one provider handles most or all IT support. Co-managed IT is more like partnership and division of labor.

Many small and mid-sized businesses outgrow the "one helpful person handles everything" stage. A single staff member may know your business well, but may not have time for every project, security task, vendor issue, or emergency.

Co-managed IT can give that person backup. It can also reduce the pressure on owners and office managers who end up making IT decisions without much technical background.

This model is common when a company has one internal IT employee, a part-time tech person, or a capable operations lead, but still needs deeper support. It can also help during growth, office moves, software rollouts, or periods when your internal staff is stretched thin.

If you are still learning the basics, our answers section can help you compare common service models in plain language.

The exact split depends on your business, your staff, and the provider. Good co-managed IT starts with a clear list of responsibilities. That helps avoid confusion, duplicate work, and finger-pointing when something breaks.

A provider might take on monitoring, patching, security tools, backups, documentation, or support escalation. Patching means installing approved software and system updates. Monitoring means watching systems for issues. An endpoint is any business device like a laptop, desktop, or phone.

Some providers also use tools called RMM, short for remote monitoring and management, to watch device health and help maintain systems. They may also recommend EDR, which stands for endpoint detection and response. That is software designed to spot suspicious activity on business devices and help respond to it.

Your internal person might still manage employee onboarding, hardware purchases, software permissions, printer issues, and vendor relationships. In some businesses, they stay the main point of contact while the outside provider handles specialized or time-consuming work behind the scenes.

A good co-managed IT setup is clear, respectful, and practical. Your internal person should not feel pushed aside. The outside provider should work as support, not as a source of confusion.

Start with roles. Who handles employee setup and offboarding? Who owns backups? Who responds after hours? Who works with your internet, phone, software, and copier vendors? Who keeps asset lists and network documentation current?

Ask how support requests are handled and how fast the provider typically responds. You may hear the term SLA, which stands for service level agreement. That is the document that explains response targets, priorities, and support scope. It is not a promise that nothing will ever go wrong.

Also ask what security basics they support. For example, MFA means multi-factor authentication, which adds a second step to sign-in. Backup plans may include a 3-2-1 backup approach, which means keeping 3 copies of data, on 2 different types of storage, with 1 copy kept off-site. No honest provider should promise zero downtime, an unhackable network, or perfect recovery in every situation.

Co-managed IT often makes sense when you already have someone internal who knows your systems and people, but that person needs backup. It can also fit businesses that want more structure without giving up control.

It is especially useful if your team is dealing with growth, multiple locations, stricter client requirements, or more cloud software than one person can comfortably manage. Some businesses also choose co-managed support because they want outside guidance for planning and budgeting.

You may hear the term vCIO, which means virtual chief information officer. That is an outside advisor who helps with IT planning, budgeting, roadmaps, and business technology decisions. Not every co-managed arrangement includes this, but some do.

If your business is in healthcare, payments, legal, or another regulated field, ask how the provider works around your requirements. HIPAA means the Health Insurance Portability and Accountability Act, which affects protected health information. PCI usually means the Payment Card Industry Data Security Standard for businesses that handle card payments. SOC 2 is a reporting framework many software vendors use to show how they handle security controls. Requirements vary by industry and state.

Keep the conversation simple. Ask providers to explain what they would do, what your internal person would still do, and how communication would work. If they cannot explain it clearly, that is useful information.

Ask for a sample onboarding plan, a support process, and a plain-language list of what is included each month. You do not need every tool detail at first. You do need clarity about responsibilities, costs, and limits.

Costs vary a lot by headcount, number of devices, locations, security needs, and your area. As a rough range, co-managed IT may run from a few hundred dollars a month for limited support to several thousand dollars a month for broader help, tools, and after-hours coverage. Those ranges are not quotes.

If you want help sorting through options, we help you find an independent managed IT provider that fits your situation. You can also review common services and compare what different support models usually include.