Co-Managed IT: Making the Partnership Work
Note: This is general information and not legal advice.
On this page
Executive Summary
What Co-Managed IT Actually Looks Like
Co-managed IT is not outsourcing. It is not replacing your team. It is a partnership model where responsibilities are deliberately divided. Your internal staff keeps institutional knowledge, business relationships, and strategic decision-making. The MSP partner fills gaps - after-hours coverage, security operations, infrastructure monitoring, and specialized project work.
Typically handles
- → Business application ownership and strategy
- → User relationships and day-to-day support
- → Strategic technology decisions and roadmap
- → Vendor selection and budget approval
- → Institutional knowledge and business context
Typically handles
- → Security operations and monitoring (24/7)
- → After-hours coverage and on-call response
- → Infrastructure monitoring and alerting
- → Specialized projects and implementations
- → Patch management and routine maintenance
Your team keeps strategic control. The MSP extends your capacity. This is not about replacing internal staff - it is about giving them room to focus on strategic work instead of being consumed by operational noise.
Communication: The Thing That Makes or Breaks It
Co-managed IT fails when communication breaks down. Regular touchpoints, shared ticketing, shared documentation, and clear escalation paths are non-negotiable. Both teams need to know what is happening and what changed. Without communication, one team's fix becomes another team's outage.
- → Weekly operational sync - ticket review, incidents, ongoing work
- → Monthly strategic meeting - projects, roadmap alignment, vendor decisions
- → Quarterly business review - metrics, satisfaction, responsibility adjustments
- → Shared ticketing system - both teams see all work, not just their own
- → Shared documentation - runbooks, passwords, network diagrams, change logs
- → Documented escalation paths - who gets called, when, for what
Shared Ticketing
Both teams log all work in the same system. No side channels. No private email threads. Everything visible.
Shared Documentation
Runbooks, network diagrams, password vaults, configuration baselines - both teams contribute and both teams use the same sources.
Escalation Paths
Clear documentation of who handles what, when to escalate, and who has final authority on decisions.
Regular Cadence
Weekly, monthly, quarterly - scheduled touchpoints that happen regardless of whether there is a crisis.
Map Every Responsibility
Use a RACI matrix (Responsible, Accountable, Consulted, Informed) or similar tool. Who handles what? Who gets called at 2am? Who approves changes? Who owns backups? Who manages the identity provider (IdP)? If it is not written down, it will fall through the cracks.
| Function | Internal IT | MSP Partner | Shared |
|---|---|---|---|
| After-hours on-call | Escalation contact | Primary responder | - |
| Security monitoring | Review alerts | 24/7 monitoring | Incident response |
| Patch management | Approval policy | Deployment | Testing |
| Backup management | RPO/RTO definition | Operations | Restore testing |
| Identity management (IdP) | Access approvals | Configuration | Offboarding |
| Change control | Approval authority | Documentation | Implementation |
| Strategic roadmap | Ownership | Input | - |
| Vendor management | Selection, contracts | Technical review | - |
Who gets called at 2am when the server goes down? If you cannot answer that for every critical system, you have a gap. Write it down. Make sure both teams know the answer. Test it.
Change Control: Two Teams, One Environment
When two groups can make changes to the same environment, you need a process. Document changes. Approve changes. Test changes. Communicate changes. Without change control, one team's quick fix becomes another team's outage.
Internal IT deploys a new application. MSP patches the underlying server without knowing about the app. The patch breaks the app. Nobody knows what changed. Both teams spend hours troubleshooting what a five-minute change log entry would have prevented. This happens constantly without change control.
Request
Any change starts with a documented request - what, why, when, and impact assessment.
Approve
Defined approval authority reviews and approves based on risk and business impact.
Test
Test in non-production when possible. Document results. Get sign-off before production.
Implement
Deploy during approved maintenance window. Both teams notified. Change log updated.
Verify
Confirm the change worked. Check monitoring. Verify no unexpected side effects.
Document
Update runbooks, configuration baselines, and asset inventory. Close the loop.
Change control does not need to be bureaucratic. It needs to be consistent. A simple change log in your ticketing system works if everyone uses it. The goal is not paperwork - it is preventing the avoidable outages that happen when two teams are working in the same environment without visibility.
Making the Partnership Work Long-Term
Co-managed IT is not a set-it-and-forget-it arrangement. Your needs will change. Your team will change. The technology will change. Regular reviews, adjusting the responsibility split as needs evolve, shared goals and metrics, and trust building over time are essential.
Regular Reviews
Quarterly business reviews at minimum. Discuss what is working, what is not, and what needs to change. Adjust the responsibility matrix as needed.
Shared Metrics
Both teams should be measured on the same outcomes - uptime, ticket resolution time, user satisfaction. Aligned metrics prevent blame games.
Trust Building
Trust comes from consistent follow-through. Do what you said you would do. Document what you changed. Communicate early when things go wrong.
Adjustment Flexibility
The initial responsibility split will not be perfect. That is okay. Adjust as you learn what works. The matrix is a living document.
Knowledge Transfer
Both teams should be learning from each other. Internal staff gains security expertise. MSP gains business context. Cross-training reduces single points of failure.
Escalation Clarity
When disagreements happen, who has final authority? Define escalation paths before conflicts arise. Strategic decisions stay with internal leadership.
Successful co-managed partnerships take time to mature. The first few months involve learning each other's patterns and fixing gaps in the responsibility matrix. Stick with the process. Communicate openly. Adjust as needed. It gets easier.
Explore Deeper
Co-managed IT touches many topics. Each guide goes deeper into the specifics.
Common Questions
How do we decide which responsibilities stay internal vs go to the MSP?
Start with capacity, expertise, and risk. Keep strategic decisions internal - technology roadmap, vendor selection, budget approval. Delegate operational burden - after-hours coverage, security monitoring, patch management, specialized projects. Your team keeps institutional knowledge and control. The MSP fills gaps.
What if our internal IT team resists working with an MSP?
This is common. Frame it as extending capacity, not replacing. The MSP handles the noise - after-hours tickets, security alerts, routine maintenance - so internal staff can focus on strategic work. When positioned as relief rather than replacement, resistance usually fades.
How often should we meet with our co-managed IT partner?
Weekly operational sync for ticket review and incidents. Monthly strategic meeting for projects and roadmap alignment. Quarterly business review at minimum - metrics, satisfaction, and adjustment of the responsibility split. The cadence keeps both teams aligned.
Do we need a shared ticketing system?
Yes, strongly recommended. Both teams need visibility into all work - not just their own tickets. When internal staff can see what the MSP is handling (and vice versa), you avoid duplicated effort, catch gaps early, and maintain a single source of truth for IT activity.
What happens during off-hours in a co-managed arrangement?
This should be explicitly defined in your responsibility matrix. Who is on call? What gets escalated vs what waits until morning? What is the escalation path? If you cannot answer that for every system, you have a gap that will surface during an incident.
How does N2CON approach co-managed IT?
We work alongside internal IT teams regularly. We bring security operations, after-hours coverage, and specialized project capacity while your team keeps strategic control. It works when communication, responsibilities, and change control are clear. We help establish those fundamentals.
Related resources
Sources & References
Considering a co-managed IT arrangement?
We work alongside internal IT teams every day - bringing after-hours coverage, security operations, and specialized expertise while your team keeps strategic control.
Contact N2CON