Chapter 2 breaks down your client's compliance needs based on their industry and location. You don't have to read all of these — just click on your client's industry or location to reveal the relevant frameworks.
2.1
Compliance Needs Based on Industry & Location
Click on the region and industry your client operates in to identify which frameworks are relevant to their business.
Most Popular
Get familiar with the most common cybersecurity compliance standards. These frameworks are the most used regardless of industry and region.
SOC 2 Type I & II The five Trust Services criteria: Developed by The American Institute of Certified Public Accountants (AICPA), SOC 2 helps organizations safeguard customer data. SOC stands for System and Organization Controls — it includes five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 compliance is a critical framework for MSPs and clients.
ISO 27001 (2022) Implement and maintain an ISMS: ISO/IEC 27001 is the internationally recognized standard for implementing and managing an Information Security Management System (ISMS). It should not be confused with ISO 27701, ISO 27017, or ISO 27018, which extend it for privacy and cloud services. ISO 27001 defines the requirements an accredited auditor certifies against; certification shows that a business operates a documented, risk-based security management process, not that any specific control is guaranteed to be effective.
PCI DSS Secure credit card data: The Payment Card Industry Data Security Standard (PCI DSS) is essential for anyone handling credit card information. These standards are designed to protect and secure payment accounts throughout the transaction process. All companies that accept, process, store, or transmit credit card data should be sure to abide by these standards. PCI compliance standards are a pillar in e-commerce.
HIPAA Securing personal health info: HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It’s a federal standard specifically for protected health information (PHI). Regulated by the Office for Civil Rights, HIPAA outlines the permissible use and disclosure of PHI in the USA as set forth by HHS guidelines. HIPAA compliance is absolutely crucial for all healthcare businesses and anyone who handles personal health data for customers and clients.
GDPR The European mega-mandate: Working in the EU? You need to know about GDPR compliance. With 99 distinct articles, this set of data protection regulations is one of the world's most comprehensive frameworks. It is designed to give individuals greater control over information associated with them by restricting the purposes for which, and the legal bases on which, organizations can process personal data.
18 CIS Security Controls (see Chapter 5.2) Cybersecurity best practices: The CIS Critical Security Controls (CIS Controls) are a globally implemented set of best practices used to boost an organization’s cybersecurity. They’re continually updated as these controls prioritize and simplify the steps needed for a strong cybersecurity defense. Compliance software should adhere to these CIS controls to maintain adequate cybersecurity and compliance.
NIST CSF 2.0 The flexible add on: Updated in February 2024, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 is a comprehensive yet flexible set of outcomes, guidelines, and best practices organized into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. The NIST cybersecurity framework is meant to be implemented alongside existing security processes in any industry.
CMMC 2.0 For defense contractors: The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) was introduced to ensure that all defense contractors use security protocols to protect sensitive defense information.
Companies responsible for handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must meet the CMMC requirements to remain compliant. CMMC compliance requirements are non-negotiable — this framework must be followed for MSPs and clients who work in the defense sector.
FTC Safeguards Rule Rules for financial institutions: The FTC Safeguards Rule ensures that entities covered by the Rule maintain safeguards to protect customer information. It applies to financial institutions subject to the FTC’s jurisdiction that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805.
Regional Frameworks:
Discover which compliance frameworks your clients must comply with based on their location.
Asia-Pacific (APAC)
AESCSF - AEMO Energy sector security: The Australian Energy Sector Cyber Security Framework (AESCSF) is the result of a collaborative effort between several government and industry stakeholders. This framework is designed to ensure the highest level of security, making it a standard for IT risk management in the energy sector.
Essential Eight (ACSC) A baseline for all organizations: Australian organizations of all sizes must defend themselves against malicious cyber threats. To assist organizations with this, the Australian Cyber Security Centre (ACSC) created the Essential Eight. These eight best practices ensure a baseline of key mitigation strategies defined by ACSC's Strategies to Mitigate Cyber Security Incidents, making it a must-have offering for MSPs with clients in Australia.
Prudential Standard CPS 234 For APRA-regulated organizations: This Prudential Standard is designed to ensure that APRA-regulated entities can safeguard themselves against information security incidents (including cyberattacks). Regulated entities, and MSPs that manage their information assets, must maintain an information security capability commensurate with the size and extent of the threats to those assets, and must notify APRA of material incidents.
PSPF Guidance for Australian government organizations: The Protective Security Policy Framework (PSPF) outlines the Australian Government's protective security policy. It provides guidance on how to effectively implement the policy in four key areas: personnel, physical, governance, and information security. With the PSPF, government organizations can ensure effective security measures aided by compliance monitoring software.
Canada
Baseline Cyber Security Controls for Small and Medium Organizations V1.2 Best for getting the basics: Created for small and medium organizations seeking to improve their cybersecurity resiliency, this framework is designed to provide a baseline, not a comprehensive (and complicated) plan. That’s why it’s a great starting point for MSPs providing IT services for Canadian clients. Its goal is to provide 80% of the benefit from 20% of the effort, making it easily accessible to smaller businesses.
CyberSecure Canada Canada’s cybersecurity best practices: This multi-faceted, government-led program aims to enhance cybersecurity measures across the country. Launched by the Canadian Centre for Cyber Security in 2018, the certification is divided into five Organizational Controls and 13 Baseline Controls to address various components of cybersecurity best practices — all of which can be aided by compliance management tools.
Europe
DORA For the EU financial sector: The Digital Operational Resilience Act (DORA) is an EU regulation, applicable from 17 January 2025, aimed at strengthening the cybersecurity and operational resilience of the financial sector within the European Union. It is critical for financial institutions because it mandates comprehensive management of ICT risk, ICT incident reporting, resilience testing, and oversight of third-party ICT providers (including MSPs), ensuring consistent security practices across the sector.
GDPR Europe’s comprehensive data protection law: This regulation standardizes data protection laws across all EU member states. GDPR includes provisions such as data breach notifications, the right to access, the right to be forgotten, and data protection by design and default. Its wide scope impacts any organization handling EU residents' data, regardless of the organization's location, which makes it crucial that you provide clients with a GDPR compliance tool.
IASME Cyber Assurance Framework Compliance assurance for MSPs and their clients: IASME Cyber Assurance is designed for small and medium-sized organizations. It is a cost-effective standard that helps MSPs and their clients demonstrate the steps they take to protect sensitive information, covering governance, risk, and incident management beyond basic technical controls. Organizations must first hold a Cyber Essentials (or, outside the UK, IASME Cyber Baseline) certification before pursuing Cyber Assurance.
IASME Cyber Baseline Framework Compliance for small and medium enterprises (SMEs): The IASME Cyber Baseline provides a structured, Cyber Essentials-style set of technical controls for small and medium-sized organizations, including MSPs, that are based outside the UK and therefore cannot certify under the UK scheme. This framework helps SMEs establish a strong foundation for cybersecurity compliance. IASME is the UK government's delivery partner for Cyber Essentials, which underpins the credibility of its own Cyber Baseline scheme.
TISAX Automotive supply chain assurance: TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's standard method for assessing and exchanging information security results, based on the VDA ISA catalogue. Manufacturers and suppliers use TISAX to avoid repeated audits: a supplier is assessed once and shares the result with all participating customers, which also determines how sensitive customer and prototype information must be handled.
UK Cyber Essentials Two levels of proactive risk safeguards: UK Cyber Essentials is a government-supported program that provides organizations of any size with an effective way to guard against common cyber attacks. With two levels, Cyber Essentials and Cyber Essentials Plus, MSPs can proactively protect themselves and their clients from security risks using compliance and risk management software.
UK ICO Privacy management essentials: This Information Commissioner's Office framework provides the essential elements of a successful privacy management program. It is not comprehensive and is not a substitute for compliance with the UK GDPR and the Data Protection Act 2018. Consider your specific needs and consult the GDPR itself when necessary.
USA
CJIS Protects criminal justice system information: The FBI's Criminal Justice Information Services (CJIS) Security Policy is a set of security standards for handling criminal justice information (CJI). This policy is mandatory for law enforcement agencies, courts, correctional facilities, and any third-party entities, including MSPs, that access, store, or transmit this type of data. MSPs supporting clients in these sectors must be able to evidence compliance with it.
FedRAMP Government data in cloud storage: FedRAMP® was launched in 2011 to provide a cost-effective and risk-focused model for the federal government's use of cloud technology. This program is essential for government operations as it ensures that cloud technologies are implemented securely and efficiently using cybersecurity compliance automation software.
NIST AI RMF Mitigate the risks associated with using AI: The NIST AI Risk Management Framework (AI RMF) is designed to manage risks associated with using artificial intelligence and improve trustworthiness in AI systems' design, development, and deployment. IT risk management around AI is vital for organizations as it offers structured guidance on integrating trustworthiness into AI operations, supporting broad AI risk management efforts through a collaborative and consensus-driven approach.
NIST CSF 2.0 The flexible add-on to supplement security: Updated in February 2024, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 is a comprehensive yet flexible set of outcomes, guidelines, and best practices. It is meant to be implemented alongside existing security processes and compliance management tools in any industry.
NIST Privacy Framework v1.0 Voluntary privacy framework: NIST created the Privacy Framework as a voluntary framework designed to help organizations protect individuals' privacy while creating innovative products and services. This gives organizations the compliance tools they need to better identify and manage potential privacy-related risks.
SOC 1 Type I & II Financial data control: Developed by The American Institute of Certified Public Accountants (AICPA), SOC 1 reports address a service organization's controls that are relevant to its customers' internal control over financial reporting. Type I is a snapshot of control design at a specific point in time, while Type II reports on operating effectiveness over a defined period. The service organization defines its own control objectives, which auditors typically evaluate against the five COSO internal-control components: control environment, risk assessment, control activities, information and communication, and monitoring.
SOC 2 Type I & II The five Trust Services criteria: SOC 2 compliance helps organizations safeguard customer data. Unlike SOC 1, which is scoped to financial reporting, SOC 2 reports on controls against the five Trust Services Criteria: security (mandatory), availability, processing integrity, confidentiality, and privacy.
International
COBIT 2019 Support for enterprise IT: COBIT 2019 (Control Objectives for Information and Related Technologies) is the most recent evolution of ISACA’s globally recognized and utilized COBIT framework. This comprehensive framework was developed to support understanding, designing, and implementing the management and governance of enterprise IT. MSPs should equip clients with compliance software to support this framework.
CSA-CCM v4.03 Cloud computing industry standards: The Cloud Controls Matrix (CCM) and its companion Consensus Assessment Initiative Questionnaire (CAIQ) are comprehensive sets of security controls and self-assessment questions published by the Cloud Security Alliance. Based on CSA best practices, the CCM provides an industry-standard set of cloud security controls mapped to other frameworks such as ISO 27001 and NIST, which lets a cloud provider or customer demonstrate coverage once and reuse it across compliance regimes.
ISO/IEC 27017:2015 Security standards for cloud computing: ISO/IEC 27017:2015 offers guidance on information security controls for cloud services. It is a code of practice that builds on ISO/IEC 27002 (and therefore on an ISO/IEC 27001 ISMS), adding cloud-specific implementation guidance and additional controls for both cloud service providers and cloud customers, based on the services being used.
ISO/IEC 27018:2019 PII and cloud computing foundations: Part of the larger ISO/IEC 27000 family, ISO/IEC 27018 is a vital first step for cloud service providers in assessing risk and implementing appropriate security measures for PII. This industry-driven initiative creates a secure foundation for cloud computing services to protect Personally Identifiable Information (PII) using compliance management software.
ISO/IEC 27701 The data privacy framework: ISO/IEC 27701 extends ISO/IEC 27001 and 27002 with requirements for a Privacy Information Management System (PIMS), standardizing how organizations handle Personally Identifiable Information (PII) as controllers and processors. Implementing it positions an organization to comply with other data privacy regulations such as the GDPR, making it a valuable compliance management tool for promoting data privacy within organizations.
Microsoft DPR For SSPA program participants: Microsoft Data Protection Regulations (DPR) are annual requirements that Microsoft suppliers enrolled in the Supplier Security and Privacy Assurance (SSPA) program must abide by. These regulations ensure Personal and Confidential Data are properly processed. All Microsoft suppliers must adhere to these regulations, which can be achieved by implementing a compliance monitoring tool.
Motion Picture Association The film industry framework: The MPA manages security assessments at entertainment vendor facilities for its member studios. This set of Content Security Best Practices outlines standard controls to help secure content, production, post-production, marketing, and distribution. This framework is essential for compliance MSPs who support clients in the film industry.
PCI DSS Secure credit card data: The Payment Card Industry Data Security Standard (PCI DSS) is essential for anyone handling credit card information. These standards are designed to protect and secure payment accounts throughout the transaction process. All companies that accept, process, store, or transmit credit card data should be sure to abide by these standards, making it another essential MSP IT service.
SCF v2022.2 and v2023.2 Maximizing cybersecurity at all levels: Secure Controls Framework (SCF) provides organizations with a comprehensive approach to cybersecurity and privacy compliance across all operational levels. This framework offers the guidance needed to implement risk and compliance tools and maintain internal controls aligned with business objectives.
Industry Frameworks:
Explore industry-specific compliance frameworks.
Finance
SOC 1 Type I & II Financial data control: Developed by The American Institute of Certified Public Accountants (AICPA), SOC 1 reports address a service organization's controls that are relevant to its customers' internal control over financial reporting. Type I is a snapshot of control design at a specific point in time, while Type II reports on operating effectiveness over a defined period. The service organization defines its own control objectives, which auditors typically evaluate against the five COSO internal-control components: control environment, risk assessment, control activities, information and communication, and monitoring.
SOC 2 Type I & II The five Trust Services criteria: Developed by The American Institute of Certified Public Accountants (AICPA), SOC 2 helps organizations safeguard customer data. SOC stands for System and Organization Controls — it includes five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 compliance is a critical framework for MSPs and clients.
FTC Safeguards Rule Rules for financial institutions: The FTC Safeguards Rule ensures that entities covered by the Rule maintain safeguards to protect customer information. It applies to financial institutions subject to the FTC’s jurisdiction that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805.
DORA For the EU financial sector: The Digital Operational Resilience Act (DORA) is a regulatory framework aimed at strengthening the cybersecurity and operational resilience of the financial sector within the European Union. It is critical for financial institutions as it mandates comprehensive management of ICT risks, ensuring consistent and robust security practices across the sector to prevent and mitigate cyber incidents.
FFIEC Cybersecurity Assessment Assessment for financial institutions: The Cybersecurity Assessment Tool (CAT) helps financial institutions recognize potential risks and determine their cybersecurity preparedness. Developed by the Federal Financial Institutions Examination Council from the FFIEC Information Technology Examination Handbook, the NIST Cybersecurity Framework, and industry-established best practices, it has been a staple MSP IT service in the financial sector. Note that the FFIEC announced in 2024 that the CAT will be sunset on August 31, 2025, and has pointed institutions to alternatives such as NIST CSF 2.0 and the CISA Cybersecurity Performance Goals.
NYDFS Cybersecurity Regulation New York’s cybersecurity regulation for financial institutions: The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a comprehensive set of requirements for financial institutions operating under the New York State Department of Financial Services (NYDFS) jurisdiction. It covers organizations such as banks, insurance companies, credit unions, and their third-party service providers, aiming to safeguard sensitive financial data. MSP IT Services must reflect the local requirements for financial institutions in New York.
Healthcare
HIPAA Securing personal health info: HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It’s a federal standard for protected health information (PHI). Regulated by the Office for Civil Rights, HIPAA outlines the permissible use and disclosure of PHI in the USA as set forth by HHS guidelines.
MARS-E For health, identification, and tax information: The Minimum Acceptable Risk Standards for Exchanges (MARS-E) are designed to ensure the availability, confidentiality, and integrity of protected health information (PHI), personally identifiable information (PII), and federal tax information (FTI) handled by health insurance exchanges and their partners. The Centers for Medicare and Medicaid Services developed the standards based on the National Institute of Standards and Technology (NIST) Special Publication 800-53.
Retail / eCommerce
PCI DSS Secure credit card data: The Payment Card Industry Data Security Standard (PCI DSS) is essential for anyone handling credit card information. These standards are designed to protect and secure payment accounts throughout the transaction process. All companies that accept, process, store, or transmit credit card data should be sure to abide by these standards, making it another essential MSP IT service.
Defense / Government Contracting
CMMC 2.0 For defense contractors: The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) was introduced to ensure that all defense contractors use security protocols to protect sensitive defense information. Companies responsible for handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must meet the CMMC compliance requirements.
NIST 800-171 Federal standard for DoD contractors: NIST Special Publication 800-171 (NIST 800-171) defines the security requirements for protecting Controlled Unclassified Information (CUI) on nonfederal systems, such as those of defense contractors and subcontractors. CUI includes personal data, equipment specs, logistical plans, and other defense-related information. CMMC 2.0 is the DoD's mechanism for verifying that contractors actually implement it: CMMC Level 2 assesses against the 110 security requirements of NIST SP 800-171 Rev. 2.
CJIS Protects criminal justice system information: The FBI's Criminal Justice Information Services (CJIS) Security Policy is a set of security standards for handling criminal justice information (CJI). This policy is mandatory for law enforcement agencies, courts, correctional facilities, and any third-party entities, including MSPs, that access, store, or transmit this type of data. MSPs supporting clients in these sectors must be able to evidence compliance with it.
FedRAMP Government data in cloud storage: FedRAMP® was launched in 2011 to provide a cost-effective and risk-focused model for the federal government's use of cloud technology. This program is essential for government operations as it ensures that cloud technologies are implemented securely and efficiently using cybersecurity compliance automation software.
Film
Motion Picture Association The film industry framework: The MPA manages security assessments at entertainment vendor facilities for its member studios. This set of Content Security Best Practices outlines standard controls to help secure content, production, post-production, marketing, and distribution. This framework is essential for compliance MSPs who support clients in the film industry.
Case Studies:
Scripps Health
Healthcare, California, USA
Incident
In 2021, Scripps Health was the victim of a significant ransomware attack, causing widespread disruption to its IT systems, including electronic patient records and appointment scheduling. Data exposed included patient health information, Social Security numbers, and driver's license numbers.
Compliance Issues
Scripps faced scrutiny over its compliance with the HIPAA Security Rule's requirements for safeguarding patient data. Scripps' internal computer systems were down for weeks, and the attackers obtained patient health information and personal data before encrypting systems. Beyond the regulatory exposure, the theft put roughly 1.2 million patients at risk of identity theft.
Implications
Scripps reported roughly $113M in financial losses from operational downtime and recovery efforts, plus a $3.5M class action settlement covering the 1.2M affected patients. The settlement resolved claims that Scripps failed to take appropriate measures to safeguard protected health information.
Capital One
Financial Services, Canada & USA
Incident
In 2019, Capital One suffered a data breach when a former employee of its cloud provider exploited a misconfigured web application firewall. Using a server-side request forgery (SSRF) vulnerability, the attacker obtained temporary cloud credentials from the instance metadata service and used them to read customer data from cloud storage. The breach affected approximately 106M Capital One customers and small business clients across Canada and the USA and was, at the time, one of the largest data breaches in history.
Compliance Issues
The breach was the result of lapses in cloud security and financial data protection, including over-privileged cloud roles and an unmonitored path from the WAF to internal storage holding personally identifiable information (PII). It also raised concerns about third-party contractor and vendor access to sensitive internal systems. And since Capital One operates in states such as New York, it was required to follow NYDFS regulations (23 NYCRR 500).
Implications
Capital One paid an $80M civil money penalty to the Office of the Comptroller of the Currency for inadequate risk management of its cloud migration, in addition to a $190M class action settlement and its own remediation costs. While Capital One is not a small business, the incident affected countless small business clients who were part of its ecosystem, showing how compliance failures have a widespread trickle-down impact.
Target
Retail, Canada & USA
Incident
In 2013, Target was hit by a significant malware attack that compromised credit card and debit card information for approximately 40M customers, and an additional 70M customers had personal information exposed.
Compliance Issues
This case is one of the premier examples of failure to comply with the Payment Card Industry Data Security Standard (PCI DSS). In terms of network security and monitoring, Target had a $1.6M malware detection tool in place, but it missed or did not act on the tool's alerts for over three weeks while memory-scraping malware harvested card data from point-of-sale systems. The attackers entered the network using credentials stolen from a third-party HVAC vendor, which also shows the need to ensure vendors are compliant and that vendor access is segmented from payment systems.
Implications
The resulting data theft cost Target ~$18.5M in a multistate settlement and roughly $202M in total breach-related expenses, including legal fees. The true cost is likely significantly larger due to loss of brand reputation and trust among customers who were concerned about the retailer's financial security and privacy practices. This example also illustrates an attack chain that has since become common against small businesses: compromise a vendor or remote-access credential, move laterally to payment systems, and exfiltrate card data. Techniques proven against large companies work their way down to small businesses, which are typically less prepared to detect them.
2.2
Cyber Insurance Requirements
How are cyber insurance policies shaping compliance requirements?
Documentation and Reporting:
MSPs and clients must maintain rigorous compliance documentation and reporting to qualify for cyber insurance and reduce premiums. Each must keep records of its security practices and of individual security incidents (a strong reason to implement compliance management software). Insurers will likely require evidence of regular security audits, risk assessments, and employee training programs, and increasingly require specific controls such as multi-factor authentication on remote access and email, endpoint detection and response, and tested offline or immutable backups. This documentation supports insurance claims and helps prove your MSP is up to industry standards; misstating a control on an application can give the insurer grounds to deny a claim.
Vendor Management:
Cyber insurance policies often require compliance from not just MSPs and clients but also third-party vendors and partners who are integral to business operations. Insurance providers recognize that vulnerabilities in a provider’s ecosystem can impact overall security, so MSPs and clients must also ensure their vendors adhere to security standards.
Incident Response Protocols:
Insurers will likely require MSPs and their clients to have a documented Incident Response Plan, supported by compliance monitoring tools. The plan covers the process for detecting, reporting, and responding to cyber incidents, including who notifies the insurer and within what timeframe. MSPs can build this into their offering or SLAs to ensure clients have a response procedure rather than relying on the client to figure it out independently.
How do you assess each client’s risk level?
Fill out our interactive Client Assessment in Chapter 3.