Written by: Charles Weaver, co-founder of MSPAlliance

There are more standards, laws, regulations, and frameworks impacting MSPs today than at any previous time in our history. Around the globe, governments, regulators, and industry groups are paying more attention to data privacy and security, including the role that outsourced IT providers (MSPs) play.

More MSPs are beginning to chase the compliance tail, and it needs to stop. Here are some effective techniques for dealing with the compliance headaches facing MSPs today, and for avoiding being over-audited.

Know Your Controls

Anyone who has been through an MSP Verify, SOC 2, or similar audit project understands what controls are. Controls govern how an MSP organization operates. The first step in not being over-audited is having a good handle on your MSP organization’s controls. That means knowing what they are, having them documented, and, most importantly, reviewing them regularly to ensure they are current and effective in supporting your company’s goals.

Understand Your Client Control Frameworks

Any worthy MSP understands how their clients operate their businesses, especially when it comes to regulatory requirements. For example, MSPs working within the healthcare sector in the United States know what HIPAA is and how important it is to clients.

Similarly, MSPs need to understand how those frameworks affect the controls the MSP is responsible for. If a client regulated by HIPAA has to demonstrate compliance related to patient and other medical information, the MSP is implicated in those controls as well and must be able to demonstrate its own compliance with them.

Avoid “Check the box” Relationships

This is, perhaps, the most crucial guidance we can offer when it comes to avoiding over-auditing. Clients will often attempt a “check the box” compliance model: a cursory review of an MSP performed only so the client can tick a box for a compliance or control framework that matters to them.

Often, clients who are not familiar with, or expert in, control frameworks will ask vague questions such as “are you HIPAA compliant?” This is a tricky question, as HIPAA is a US federal regulation and not a control framework. Moreover, there is no HIPAA certification; you are either compliant with that law, or you are not.

MSPs need to determine what the client is actually looking for and respond quickly. Sometimes the response will be, “no, we are not certified here, but we do meet those controls that you said matter most to you.” Certification in a particular area does not always guarantee compliance, and the reverse is equally true.

PCI is another area where MSPs are dragged into debates about whether they need a full-blown PCI audit even when the MSP does not handle any credit card information. In many cases, merely completing the PCI self-assessment questionnaire is sufficient to demonstrate compliance with the particular family of controls in question.

As these control frameworks continue to expand, MSPs need to be responsive to their clients’ compliance requests, but should not indulge wild and ultimately costly audit projects that subject the MSP to needless examination.
