Chapter 5: How to Package Your Services

Chapter 5 breaks down multiple ways you can package and bundle your compliance and risk management offering.

The Security and Compliance Journey

  • Step 1: Assess
  • Step 2: Address Gaps
  • Step 3: Audit
  • Step 4: Monitor

5.1 Step 1: Assess

The first step is an initial assessment with your client. The goal is to:

  • Create a baseline for current procedures, policies, and controls,
  • Identify gaps in their internal processes,
  • Prioritize these gaps by how critical the affected process is to operations and how damaging a compromise of it would be,
  • Determine the path forward.

Tools

  • Integrations
  • MSP Portal
  • Frameworks
  • Assessments

Methodologies

  • Risk Assessment
  • Gap analysis between current state and required compliance standards
  • Framework selection based on findings

5.2 Step 2: Address

Now that you have a baseline for your client, you can start closing the gaps in their processes. This takes time, so Step 2 requires you to:

  • Create a roadmap with priorities, milestones, and budgets,
  • Ensure controls are healthy and gaps are remediated in a timely manner
    (see the 18 CIS Controls listed below for an idea of where to start),
  • Address the top priority gaps first,
  • Propose projects to address security needs,
  • Implement projects (e.g. MFA on all systems),
  • Communicate project statuses and overall progress to stakeholders on an ongoing basis.

Tools

  • Policies, Procedures, and Governance Documents
  • Evidence Management
  • Risk & Vulnerabilities Register
  • Asset Management
  • Internal Controls Management
  • People Management
  • Reports
  • SSO Enablement

Methodologies

A systematic approach to:
  • Policy and procedure development
  • Change management
  • Risk mitigation strategies

Start With These 18 CIS Controls

The list below is the CIS Critical Security Controls v8. For smaller clients, start with the Implementation Group 1 (IG1) safeguards, which CIS defines as essential cyber hygiene, and move to IG2 and IG3 safeguards as the client's risk profile and resources grow.

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defences
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defence
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

5.3 Step 3: Audit

Some clients may not need to proceed to Step 3, especially if they are in an industry or sector that does not require adhering to specific compliance frameworks. However, achieving these standards will bolster their risk management processes and increase their credibility in the market. Step 3 requires you to:

  • Identify specific compliance frameworks your client should achieve,
  • Ensure controls meet the required standard(s),
  • Share results with third parties for external audits and due diligence,
    • Some frameworks require independent verification: a SOC 2 report is issued by a licensed CPA firm, and ISO/IEC 27001 certification is granted by an accredited certification body after its own audit.

Tools

  • Vendor Management
  • Trust Portal
  • My Compliance Portal
  • White-labeling

Methodologies

  • Internal Audits
  • Third-Party Audits

5.4 Step 4: Monitor

Your client has addressed the most critical gaps in their processes and has passed its third-party audit — that’s a win! Step 4 keeps them compliant over time and surfaces new gaps before an auditor or an attacker does. The goal is to:

  • Stay current on policies, procedures, and controls over time to remain compliant,
  • Continue to improve compliance and risk management processes as your client scales,
  • Track progress so you can illustrate continuous improvement to key stakeholders.

Tools

  • Continuous Monitoring
  • Reporting

Methodologies

  • Continuous monitoring of control status against each framework
  • Reviewing monitoring analytics for control drift and trends
  • Incident management and response
  • Tracking regulatory updates and managing the resulting changes for clients
  • Using dashboards and reporting to facilitate communication with clients

5.5 Creating Service Bundles

Service bundles are becoming increasingly common in the MSP space. They ensure your clients get everything they need in terms of compliance and risk management services, but also make it easier to deliver a standardized service. Bundles also make it easier for you to sell your full stack at a price that makes sense for your business. Here are some high-level tips for bundling your services:

Add Baseline Security Requirements to Your MSA

By making security a required part of your contracts (rather than a bolt-on or optional service), you reduce the risk your client is exposed to and set clear terms for both parties. Because the baseline is written into the agreement and tied to the practices compliance frameworks already require, both sides have an agreed standard to point to if an incident occurs, which limits disputes about what the MSP was and was not responsible for.

Include Penetration Testing in Your Compliance Bundle

Penetration testing is not a one-off security task — it needs to be repeated on a fixed cadence (ideally every quarter, and at minimum as often as the client's frameworks require; PCI DSS, for example, calls for a penetration test at least annually and after significant changes, alongside quarterly vulnerability scans) so that gaps in technical controls are found and remediated before they are exploited. Each test should have an agreed scope and rules of engagement. By making it a standard offering within your bundle, you ensure tests are performed consistently, which helps mitigate risk.

Toggle Options Based on Specific Client Needs

Every client has their own unique security needs. These options should be a standard part of your offering, but you can personalize your commitment for each client. To create the right balance, consider how many hours per month your team must commit for each of the following categories:

• Assessment & Remediation
• Policy Management

Add Options to Bolt-On Single Projects

There are plenty of services that should be performed annually, but do not necessarily fit into a monthly recurring payment model. These tasks should be available as bolt-on projects performed as necessary. Your service bundles should be flexible enough to incorporate one-off tasks.

For example, initial assessments can be priced as a single project and then rolled into recurring revenue if both parties agree. This is a great way to start the relationship, showcase your value as an MSP, build trust, and upsell to more comprehensive services in a monthly recurring package.

Customize Packages Based on Client Assessments

Client assessments with grade scores are a great way to identify your client’s unique needs and create a custom service bundle. This should include your standard service offering (i.e. baseline security requirements, monthly and quarterly recurring projects) and include flexibility for bolt-on projects performed annually or as necessary.