Chapter 5: How to Package Your Services

How to Package Compliance and Risk Management Services: A Step-by-Step Guide for MSPs

Chapter 5

As digital infrastructures grow more complex and regulatory requirements become more demanding, Managed Service Providers (MSPs) are increasingly expected to deliver more than just technical support. Businesses now rely on their MSPs to help navigate the intricacies of compliance and risk management, ensuring that systems, data, and processes remain secure and audit-ready.

This step-by-step guide provides a clear, structured approach to packaging compliance and risk management services. From conducting a foundational assessment to implementing controls, preparing for audits, and enabling continuous monitoring, MSPs can leverage this framework to create scalable, value-driven service bundles tailored to client needs.

By formalizing and productizing your compliance offerings, you not only meet client expectations but also create new opportunities for growth, recurring revenue, and differentiation in a competitive market.

The Security and Compliance Journey

STEP 1:
ASSESS
STEP 2:
ADDRESS GAPS
STEP 3:
AUDIT
STEP 4:
MONITOR
5.1

Step 1: Assess

The first step is an initial assessment with your client. The goal is to:

  • Create a baseline for current procedures, policies, and controls,
  • Identify gaps in their internal processes,
  • Prioritize these gaps based on which are most critical to operational success and which would have the most detrimental impact if compromised,
  • Determine the path forward.

Tools

  • Integrations
  • MSP Portal
  • Frameworks
  • Assessments

Methodologies

  • Risk Assessment
  • Gap analysis between current state and required compliance standards
  • Framework selection based on findings
5.2

Step 2: Address

Now that you have a baseline for your client, you can address gaps in their processes. But this takes time! Step 2 requires you to:

  • Create a roadmap with priorities, milestones, and budgets,
  • Ensure controls are healthy and gaps are remediated in a timely manner
    (see the “18 CIS Controls” graphic below for an idea of where to start),
  • Address the top priority gaps first,
  • Propose projects to address security needs,
  • Implement projects (e.g. MFA on all systems),
  • Communicate project statuses and overall progress to stakeholders on an ongoing basis.

Tools

  • Policies, Procedures, and Governance Documents
  • Evidence Management
  • Risk & Vulnerabilities Register
  • Asset Management
  • Internal Controls Management
  • People Management
  • Reports
  • SSO Enablement

Methodologies

A systematic approach to:
  • Policy and procedure development
  • Change management
  • Risk mitigation strategies

Start With These 18 CIS Controls

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defences
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defence
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing
5.3

Step 3: Audit

Some clients may not need to proceed to Step 3, especially if they are in an industry or sector that does not require adhering to specific compliance frameworks. However, achieving these standards will bolster their risk management processes and increase their credibility in the market. Step 3 requires you to:

  • Identify specific compliance frameworks your client should achieve,
  • Ensure controls meet the required standard(s),
  • Share results with third parties for external audits and due diligence,
    • Some frameworks require third-party verification (e.g. SOC2, ISO)

Tools

  • Vendor Management
  • Trust Portal
  • My Compliance Portal
  • White-labeling

Methodologies

  • Internal Audits
  • Third-Party Audits
5.4

Step 4: Monitor

Your client has addressed the most critical gaps in their processes and is approved by third-party auditors — that’s a win! Step 4 ensures they adhere to these regulations and proactively address gaps. The goal is to:

  • Stay current on policies, procedures, and controls over time to remain compliant,
  • Continue to improve compliance and risk management processes as your client scales,
  • Track progress so you can illustrate continuous improvement to key stakeholders.

Tools

  • Continuous Monitoring
  • Reporting

Methodologies

  • Continuous monitoring of frameworks
  • Monitor analytics
  • Incident management and response
  • Regulatory updates and change management for clients
  • Using dashboard and reporting to facilitate communication with clients
5.5

Creating Service Bundles

Service bundles are becoming increasingly common in the MSP space. They ensure your clients get everything they need in terms of compliance and risk management services, but also make it easier to deliver a standardized service. Bundles also make it easier for you to sell your full stack at a price that makes sense for your business. Here are some high-level tips for bundling your services:

Add Baseline Security Requirements to Your MSA

By making security a required part of your contracts (rather than a bolt-on or optional service), you can mitigate the risk your client is exposed to and ensure clear terms for both parties. This also shifts liability away from your MSP and onto the security best practices required by compliance frameworks.

Include Penetration Testing in Your Compliance Bundle

Penetration testing is not a one-off security task — it needs to be done consistently (ideally every quarter) to identify and remedy gaps in security processes. By making it a standard offering within your bundle, you can ensure tests are performed consistently, which helps mitigate risk.

Toggle Options Based on Specific Client Needs

Every client has their own unique security needs. These options should be a standard part of your offering, but you can personalize your commitment for each client. To create the right balance, consider how many hours per month your team must commit for each of the following categories:

• Assessment & Remediation
• Policy Management

Add Options to Bolt-On Single Projects

There are plenty of services that should be performed annually, but do not necessarily fit into a monthly recurring payment model. These tasks should be available as bolt-on projects performed as necessary. Your service bundles should be flexible enough to incorporate one-off tasks.

For example, initial assessments can be priced as a single project and then rolled into recurring revenue if both parties agree. This is great way to start the relationship, showcase your value as an MSP, build trust, and upsell to more comprehensive services in a monthly recurring package.

Customize Packages Based on Client Assessments

Client assessments with grade scores are a great way to identify your client’s unique needs and create a custom service bundle. This should include your standard service offering (i.e. baseline security requirements, monthly and quarterly recurring projects) and include flexibility for bolt-on projects performed annually or as necessary.

You know what to include in your CaaS package — but how much should you charge for your services?

Explore pricing models (and our Interactive Pricing Calculator) in Chapter 6.

© 2025 ScalePad Inc. All rights reserved.
DPAPrivacy PolicyTerms of Service
chevron-down