The MSP Guide to SOC Compliance  

As an MSP, you probably have a laundry list of vendors for your customers’ tech stack. In our experience, we’ve seen MSPs have nearly and upwards of 40 vendors make up their clients’ tech stack. That’s not to mention all the other third parties that support your internal business operations, from finance to HR. Objectively, that’s a lot of vendors, and a lot of potential risk as a result.

So, what should an MSP do about it? One effective approach is to gain greater visibility into the security and compliance posture of your partners. These partners provide you with hardware sourced from their own supply chains, software that might be deployed across your endpoints, and access to their portals and UIs for tracking and monitoring. This access can expose your staff’s sensitive personal data to unnecessary risks in a third-party environment. While these actions are meant to serve your customers, how well do you truly know your vendors? How can you baseline and quantify this knowledge?

SOC Compliance is actually here to help with such baselining and vetting needs. Yes, though compliance doesn’t exactly have a reputation for enabling business operations, when leveraged effectively, it actually does just that.

SOC compliance helps you as an MSP to:

• Vet your vendors and partners in business in a standardized way, so they can transition from being your partner to your trusted and verified partner.
• Build trust with your customers and prospects by showcasing an orderly and well-managed operation, known in SOC terms as an “effective control environment.” Many organizations begin in a “wild west phase,” prioritizing product or service development over other business processes. Achieving SOC certification signals that your organization is a trustworthy and verified partner, capable of meeting the needs of customers, prospects, and vendors without compromising their risk tolerance.
• Compete and win by meeting your customers’ and prospects’ compliance requirements. If they need SOC compliance, their vendors likely will too. Achieving and maintaining SOC compliance gives you a competitive edge, making you a trusted and verified partner. Attract and retain customers by demonstrating your commitment to high standards and security.

There are three kinds of SOC compliance:

SOC 1 focuses on processes and controls for financial information and reporting, typically managed by your Finance and Accounting team. MSPs can use SOC 1 attestations to build trust with customers and demonstrate financial integrity. Additionally, MSPs should assess their own vendors through this financial risk management lens.

SOC 2 focuses on security, operations, and compliance controls across five trust criteria: security, availability, confidentiality, privacy, and integrity. It provides insight into business operations, including management practices, HR processes, data security, privacy, resiliency, and key stakeholder roles and responsibilities.

SOC 3 is a more generalized, marketing-focused certification. It covers similar processes and controls as SOC 2 but in less depth. Unlike SOC 1 and SOC 2, which reveal detailed information about an organization’s control environment, SOC 3 offers a high-level executive summary.

Not all SOCs are created equal. When you’re evaluating a SOC2, keep a sharp eye on these five report components:

1. Period of observation. For how long was the organization under the microscope, and how long ago was it? Are you looking at a Type I or a Type II audit? Are there reasons to think organizational policies and processes may have changed since?
2. Trust services criteria. What are the trust services criteria against which the organization was evaluated? Are any criteria missing that are critical to your business, your industry, or your own compliance requirements?
3. Scope of the audit. What business functions were observed and tested? Was the scope limited to the organizations’ product or services environment, or did it extend to the entirety of the organization? If the former, are these the products or services you are considering procuring? Are there other SOC reports available for the other product lines?
4. Auditor’s opinion. This sounds intuitive but is surprisingly frequently overlooked. We would assume the availability of a SOC report means the auditors issued a favorable opinion, but that’s not always the case, and it’s up to you to confirm this. That is the objective and external third-party assessment of an “effective control environment” that you should be looking for.
5. Testing methodology and results. You’ll usually find this will be the last major section of the SOC2 report, but don’t make the mistake of overlooking it. This section is the meat of the report, and it is why audits last months – for both the audit team, and the organization under getting audited. Take a look at how the audit team tested for, or observed the presence of, certain controls, and how the organization fared. If it is not an annual SOC2 audit, keep an eye out for instances of “non occurrences,” not just “exceptions.” Remember to always ask yourself this “is this control critical for product/services delivery to me as the customer?” If so, weigh it accordingly against the others in your own assessment of the SOC2.

With these considerations in mind, you can arm yourself to vet your vendors, screen your partners, and even build out on your own vendor risk management program, one SOC2 review at a time. If you don’t have one yet and/or are interested in obtaining your SOC2 Type I or Type II, take a look at our latest report in our Trust Profile. Our Compliance Team works with our MSP Partners to enable effective governance, risk, and compliance programs.