Top 10 frameworks MSPs use to generate recurring revenue 

Published March 26, 2024
Avatar photo
Evan Pappas

One of the biggest trends in the MSP industry is offering compliance services.  Of course, MSPs are trying to develop the service while still being profitable and driving revenue growth. Cybersecurity compliance services can be a big win in this regard, but MSPs need to develop the right approach. So where should they start?

Before jumping into compliance, MSPs need to understand the most relevant cybersecurity frameworks.  These frameworks are the guidelines used to ensure data security is meeting the standards. 

By using these frameworks to measure a business’ data security, the regulators can determine if a company is compliant with the law. They need to make sure the business can protect  sensitive data. For example, in healthcare the HIPAA framework is critical. For organizations that support the U.S. Department of Defense (DoD), CMMC 2.0 is essential. 

There are many cybersecurity compliance standards implemented by MSPs (and requested by clients). Let’s go over the top 10 frameworks MSPs use to generate revenue.

CIS Controls

The Center for Internet Security (CIS) Controls offers a\ set of best practices for securing an organization’s IT systems and data. It’s a practical framework designed to mitigate the most common cyber threats effectively.


National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) provides a framework of standards, guidelines, and best practices to manage cybersecurity risk across various sectors and industries. It’s a flexible approach to assessing and improving cybersecurity posture based on business needs. Note: In 2024, NIST CSF 2.0 was released, broadening the scope of the framework and adding a “Govern” core function.


Cybersecurity Maturity Model Certification (CMMC) assesses the cybersecurity of defense contractors and suppliers. There are five maturity levels with specific requirements to ensure  protection of Controlled Unclassified Information (CUI).

SOC 2 

Developed by the American Institute of CPAs (AICPA), Service Organization Controls 2 (SOC 2) defines criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. It’s particularly relevant for service providers handling customer data in the cloud.

NIST 800-171

Specifically tailored for government contractors and subcontractors, NIST 800-171 outlines requirements for protecting controlled unclassified information (CUI) in non-federal systems and organizations. Compliance is crucial for organizations handling government contracts.


Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data in the healthcare industry. It mandates safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) handled by covered entities and business associates.

ISO 27001

ISO 27001 is an international standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It provides a comprehensive approach to managing and protecting sensitive information.

FTC Safeguards

The Federal Trade Commission (FTC) Safeguards Rule requires financial institutions under its jurisdiction to develop and implement comprehensive information security programs to protect customer data. It’s essential for MSPs serving clients in the financial sector.


General Data Protection Regulation (GDPR) is a European Union regulation designed to protect the personal data and privacy of EU citizens. It imposes strict requirements on how organizations collect, process, and store personal data, with significant penalties for non-compliance.

UK Cyber Essentials

UK Cyber Essentials is a government-backed certification scheme aimed at helping organizations protect against common cyber threats. It outlines basic cybersecurity measures across five key areas: boundary firewalls, secure configuration, access control, malware protection, and patch management. Compliance demonstrates a commitment to cybersecurity best practices.

Get started on your compliance journey

By working with your clients and asking them about their needs and business, your MSP will be able to make an informed decision on what framework is right for them and begin the process towards compliance for their business. 

MSPs play a crucial role in safeguarding their clients’ data and infrastructure, so offering compliance as a service is a natural step towards increasing revenue and building trust with clients.

Want to learn more about the tools MSPs are using to achieve compliance with these frameworks? Enter ControlMap, ScalePad’s premier compliance tool that MSPs are using to guide their clients through the compliance process. Want to learn more? You can watch the demo right here.