Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 helps organizations safeguard customer data. SOC stands for System and Organization Controls — the framework is built on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 compliance is a critical framework for MSPs and their clients.
ISO 27001 is the internationally recognized standard for implementing and managing an Information Security Management System (ISMS). It should not be confused with ISO 27701, ISO 27017, or ISO 27018. The ISO 27001 requirements are the criteria an organization is audited against; passing the audit demonstrates that the business’s security controls are current and actively managed.
The Payment Card Industry Data Security Standard (PCI DSS) is essential for anyone handling credit card information. The standard is designed to protect and secure payment account data throughout the transaction process. Every company that accepts, processes, stores, or transmits credit card data must comply with it. PCI compliance standards are a pillar of e-commerce.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It’s a federal standard specifically for protected health information (PHI). Regulated by the Office for Civil Rights, HIPAA outlines the permissible use and disclosure of PHI in the USA as set forth by HHS guidelines. HIPAA compliance is absolutely crucial for all healthcare businesses and anyone who handles personal health data for customers and clients.
Working in the EU? You need to know about GDPR compliance. With 99 distinct articles, this set of data protection regulations is one of the world’s most comprehensive frameworks. It’s designed to give people full control over information associated with them by limiting how organizations can use personal data.
The CIS Critical Security Controls (CIS Controls) are a globally adopted set of best practices used to strengthen an organization’s cybersecurity. They are updated regularly, and they prioritize and simplify the steps needed for a strong cybersecurity defense. Compliance software should align with the CIS Controls to maintain adequate cybersecurity and compliance.
Updated in 2024, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 is a comprehensive yet flexible set of standards, guidelines, and best practices.
The NIST cybersecurity framework is meant to be implemented alongside existing security processes in any industry.
The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) was introduced to ensure that all defense contractors use security protocols to protect sensitive defense information.
Companies responsible for handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must meet the CMMC requirements to remain compliant. CMMC compliance requirements are non-negotiable — this framework must be followed by MSPs and clients who work in the defense sector.
The FTC Safeguards Rule ensures that entities covered by the Rule maintain safeguards to protect customer information. It applies to financial institutions subject to the FTC’s jurisdiction that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805.