This blog post outlines a crawl, walk, run framework that helps MSPs structure their compliance services in a way that grows with both demand and delivery capacity.
We’ll discuss:
- How to start with a focused scope and goal
- Expanding that scope and delivery
- Scaling once you have a solid foundation
More MSPs are starting to explore compliance as a serious service offering. Clients are asking tougher questions, frameworks are becoming more common across industries, and being able to guide a client through their compliance journey has real value.
But delivering compliance services isn’t like selling endpoint protection or managing backups. It’s complex, ongoing, and often hard to scope.
Trying to build a full compliance offering all at once is unrealistic for most MSPs. What works better is a phased approach, starting with focused services, refining your internal processes, and then expanding into more advanced support over time.
MSPs can ramp up to full speed with a three-phase approach. We’ll dive into starting with the crawl phase, scaling up into a walk phase, then moving with compliance at top speed with the run phase.
Crawl: Start small with one framework and a narrow scope
The crawl phase is about showing that you can deliver a structured, repeatable compliance experience, even if it’s just for one client and one framework. At this stage, you’re not building a full program. You’re running a clear assessment, identifying gaps, and giving clients something they can act on.
This is often the easiest way to begin offering Compliance as a Service. A client may ask about SOC 2 or HIPAA, and you respond by conducting a baseline assessment. You review their current controls, compare them against framework requirements, and present a simple report outlining the big gaps.
No need to manage evidence, coordinate audits, or overhaul their documentation. The goal is to structure what’s usually a vague conversation and build trust in your process.
Starting here also helps your team learn how to scope and deliver compliance projects without being overwhelmed. You can get feedback, build internal templates, and see how clients respond to early outputs. It’s low-risk and informative.
Walk: Expand by building consistency into your delivery
The walk phase begins once you’ve completed a few basic assessments. This is where you start delivering more complete services and introducing consistency into your operations.
You might:
- Begin offering service packages that include:
- Policy drafting
- Vendor risk reviews
- Ongoing risk assessments
- Support multiple frameworks relevant to your client base
- Use standardized tools and documentation to streamline delivery
You may also involve other team members in the process and assign them roles such as project coordination, policy management, or client updates.
Pricing also evolves here. Many MSPs stick with hourly rates, which can work well if you know how to estimate delivery effort. For example, you might scope one client at five hours a month for light support, while another might require 10–15 hours for more involved needs. You can start offering service tiers based on this delivery model. It gives clients clarity and allows you to manage time more effectively.
Run: Scale when you have reliable processes and client demand
At the run phase, you’re managing compliance across several clients and frameworks. Your services likely include full documentation support, evidence tracking, leveraging integrations for automated evidence collection and monitoring, reporting automations, internal audit prep, and external auditor coordination if needed.
At this stage:
- Your team works from a defined internal system
- Templates and documentation are standardized
- Clients understand what to expect and how your service is delivered
This is where you can think about automation, not to reduce quality, but to reduce the burden of repetitive tasks like gathering evidence or formatting reports.
You can also look at expanding contracts. With established processes and client trust, you can offer longer-term agreements that bundle recurring services, framework updates, and audit support into a predictable package.
You don’t have to figure everything out to get started
Compliance is a long-term investment for your clients and should be one for your MSP too. That doesn’t mean launching a massive new offering overnight. You can start with a small, specific engagement, build your process as you go, and scale only when you’re confident in your team and tools. You can start now for FREE with ControlMap Free Edition.
Want to see how to support every stage of your compliance journey with less manual effort?
of ControlMap with one of our product experts today. The live demo can show you exactly how to use ControlMap to build your compliance program.
