MSP Business Build Guide
How to start, package, price, and sell a CaaS practice — the people and certifications to invest in, the service catalog and Good/Better/Best tiers, and the delivery and sales motion that turns compliance from a scramble into durable monthly revenue.
Start Here
Compliance as a Service is the productized operation of a client's compliance program: assess, remediate, document, evidence, and report — continuously, for a monthly fee. Demand isn't coming from clients waking up security-conscious; it's coming from forces they can't ignore. You already operate most of the controls every framework demands, and you already hold the trust relationship. Someone will run these programs for your clients — the only question is whether it's you.
Four Forces Pushing SMBs Into Formal Compliance
Regulation with teeth: HIPAA, PCI DSS, CMMC, FTC Safeguards, and state privacy laws now carry audits, public breach lists, and contract-eligibility consequences.
Renewal questionnaires demand MFA, EDR, backups, training, and documented programs — and misstatements void claims. Every renewal is a CaaS lead.
Enterprises, primes, and platforms push security questionnaires and contract clauses down to the smallest vendor. SMBs lose deals they can't paper.
SMBs can't hire compliance officers, and big consultancies won't touch their budgets. The trusted IT provider is the only candidate in the room.
The business case: +20–50% new MRR on the IT contract at 60–70%+ gross margin with platform leverage, near-lock-in churn — you hold the program — and compliance MRR that prices like software. The honest gap this guide closes: most MSPs who stall don't lack tooling — they lack an operating model: who runs it, what goes in the package, what to charge, and how to sell it. This guide answers those questions in order: people, offer, motion.
The Operating Model
CaaS sits between your managed security stack and a client's legal obligations: you operate the program — assessments, controls, documents, evidence, reporting — while the client keeps accountability, signatures, and final risk decisions. You are not a law firm, an auditor, or a certification body; you're the team that makes the client ready for all three.
The Boundary
Program operation: scoping and gap assessments, control implementation and monitoring, policies and attestations, risk register upkeep, vendor risk management, evidence collection, audit and assessor readiness, and reporting with QBRs. The outcome: audit-ready, insurance-ready, contract-ready — continuously.
Legal advice or coverage determinations (counsel's job), the audit or certification itself (auditor, C3PAO, or QSA territory — selling both sides is a conflict), guaranteed compliance, or signatures on attestations — SAQ, SPRS, and QI reports are signed by client officers, prepared by you.
Run your MSP through the same program first — CIS Controls is the natural backbone. It trains your team on real workflows, produces the security package that answers every client and insurer questionnaire, and gives sales a story no slide deck can fake: here's our risk register.
Margin lives in repeatability: one platform, one master client template, one policy library, one QBR format — cloned per client, then tailored 20%. Bespoke-everything CaaS is consulting with worse economics.
The monthly fee buys program operation. Remediation work the assessment uncovers — MFA rollouts, segmentation, migrations — is quoted project work. Bundling unknown remediation into a flat fee is how CaaS practices lose money in year one.
Golden rule: position CaaS as risk and revenue protection the client can show someone — an insurer, a prime, a regulator, a customer — not as fear-ware. The deliverable that sells renewals is the artifact in their hands at the QBR: the score, the report, the portal. Design every service to produce one.
01 · Practice Foundation
CaaS is a people-and-process business riding on a platform. You don't need a bench of CISOs to start — you need four functions covered, however many hats that takes, plus a deliberate training plan that grows your own talent. Most successful practices start with one champion and fractional everything else.
The Four Functions Every CaaS Practice Must Cover
Owns methodology and judgment: framework interpretation, risk decisions, client-facing reviews, and the QI/vCISO seat where contracted. Day one this is your most senior security-minded person — often the owner or service director — at roughly 25–50% allocation.
The engine room: runs assessments, drafts policies from templates, chases evidence, maintains risk and vendor registers, and preps QBR decks. The first dedicated hire — and a natural growth path for a detail-oriented service-desk tech who likes documentation.
Your existing engineers — they already run MFA, EDR, and patching. New muscle to build: evidence discipline (screenshot, export, attach), remediation-by-ticket tied to controls, and being interview-ready when assessors call.
Whoever runs QBRs today carries CaaS into them: spotting triggers like renewals, questionnaires, and new contracts, positioning the assessment, and presenting progress. Compliance gives the account manager something concrete to show every quarter.
Foundation → GRC Depth → Specialization
Certifications build genuine judgment, signal credibility in proposals and assessor conversations, and give growth-path techs a ladder. Sequence them: foundation first, GRC depth second, framework specialization where your verticals demand it.
| Stage | Credential | Why | Who |
|---|---|---|---|
| Foundation (months 0–6) | ISC2 CC — Certified in Cybersecurity | The fastest credible on-ramp: core security concepts with a low cost of entry. The first rung for the analyst promoted from the desk. | Analyst, AMs, every tech touching CaaS |
| | CompTIA Security+ | The vendor-neutral baseline assessors and government work recognize; cements the technical vocabulary the whole practice shares. | Analysts and implementers |
| GRC depth (months 6–18) | ISC2 CGRC — Governance, Risk & Compliance | The cert that matches the job: risk frameworks, control selection, assessment, and authorization workflows. The natural target for your compliance analyst and lead. | Analyst → lead |
| | ISACA CRISC / CISA | CRISC for risk-register and risk-treatment depth; CISA for audit methodology — invaluable once you're prepping clients for external auditors. | Compliance lead |
| | ISC2 CISSP | The senior credential for the vCISO seat: breadth across all domains plus the market signal enterprise-adjacent clients expect on the proposal. | Compliance lead / vCISO |
| Specialize (per vertical) | Cyber AB RP / RPA (CMMC) · PCIP (PCI SSC) | Framework-official credentials that unlock specific markets: RP status lists your MSP in the CMMC ecosystem; PCIP signals payment-security fluency to acquirers and QSAs. | Vertical specialists |
| | Platform and partner enablement | ControlMap and ScalePad partner training, framework bootcamps, and peer-group programs — where methodology meets the actual tooling your team delivers on. | Everyone in the practice |
Starting (1–5 clients): a fractional lead, one analyst at ~50%, engineers as needed — no new headcount to launch. Growing (5–20): first full-time analyst and scheduled evidence workflows. Scaled (20+): a dedicated lead plus 2–3 analysts — roughly one analyst per 8–12 active programs — with CaaS as its own P&L line.
Build these deliberately: writing (turning a control into a paragraph a business owner understands), evidence hygiene (dated, attributed, mapped artifacts as a reflex), facilitation (scoping workshops and findings reviews are executive meetings), and framework reading (extracting what would satisfy an assessor from the rule text).
Experienced GRC hires are scarce and priced for enterprise. A curious tech plus a structured cert path plus platform guardrails beats an expensive outside hire who doesn't know MSP delivery. A realistic year-one training spend lands around one month of a single mid-tier client's revenue — the highest-leverage line in the launch budget.
02 · Offer Design
Name the services before you name the packages. These nine building blocks are what every tier draws from — each a discrete deliverable the client can see, with a natural cadence and a clear artifact. Build them once as repeatable plays; the tiers are just bundles of these blocks. Compliance work is invisible by default, and invisible work churns — if a service doesn't produce an artifact, give it one or cut it.
Gap assessment against the chosen framework — CIS as the universal base; HIPAA, PCI, CMMC, or Safeguards per vertical. Artifact: a scored findings report plus remediation roadmap.
The written program from templates — tailored, approved, and pushed for staff e-attestation on an annual review cycle. Artifact: a versioned policy library plus attestation records.
A living register of risks scored by likelihood × impact, with treatment decisions and owners, reviewed quarterly. Artifact: the register plus a risk-trend view.
Third-party register, tiered diligence questionnaires, contract-clause checks, BAA/AOC collection, and periodic reassessment. Artifact: the vendor register with status.
Continuous collection mapped to controls — automated via integrations where possible, scheduled tasks elsewhere. Artifact: an audit-ready evidence library.
Campaigns plus phishing simulation, tracked to completion and tied to policy attestations. Artifact: completion reports for every cycle.
A client-branded page showing posture, certifications, and shareable artifacts — what they send a prospect or prime instead of a 200-question spreadsheet. Artifact: the portal itself.
Posture score, closed gaps, open risks, and upcoming obligations, presented quarterly to leadership. Artifact: the QBR deck and annual program report.
Assessor and auditor hosting, questionnaire response service, IR plan upkeep and tabletop exercises, and breach-clock support. Artifact: readiness packs and tabletop minutes.
Three Tiers, Clean Boundaries
Every client lands on one of three tiers. The upgrade logic is built in: Good proves the model, Better is where most clients should land — price-anchor accordingly — and Best serves regulated and audit-bound clients at vCISO depth.
Good — Baseline assurance: know where you stand.
Best for: SMBs with no regulatory driver yet — security-maturity buyers, insurance-driven buyers.
Typical price: $750 – $1.5K / month
Better — Managed program: stay compliant continuously.
Best for: clients with a named obligation — practices, dealers, tax firms, clinics — who must prove a running program.
Typical price: $1.5K – $3.5K / month
Best — Audit-bound and regulated: vCISO-led and assessor-ready.
Best for: CMMC L2 candidates, audit-bound healthcare/finance, clients selling into enterprise supply chains.
Typical price: $3.5K – $8K+ / month
Market Anchors
Ranges reflect commonly observed North American SMB market pricing (USD); your costs, vertical, and positioning move them. The principle that matters more than any number: price the outcome — audit-ready, contract-eligible, insurable — never the hours.
| Offer | Typical range | Pricing notes |
|---|---|---|
| Gap assessment (entry engagement) | $3.5K – $15K one-time | Scale by framework weight: CIS and Safeguards at the low end, HIPAA and PCI mid, CMMC L2 at the top or above. Credit a portion against the first year of a tier to convert. |
| Good tier | $750 – $1.5K / mo | Flat monthly per client — keep it simple. Floor it above your cost of the annual cycle plus margin; this tier exists to start relationships, not to subsidize them. |
| Better tier | $1.5K – $3.5K / mo | The workhorse. Price per framework; a second framework adds roughly 40–60%, not 100% — cross-mapping does the work. Quarterly QBRs are the perceived-value engine — never skip one. |
| Best tier | $3.5K – $8K+ / mo | The vCISO seat, trust portal, and audit hosting justify the jump; CMMC L2 and audit-bound clients routinely exceed the top of this range. Cap questionnaire volume or price it generously in. |
| Per-user alternative | $15 – $50 / user / mo | Works as a compliance add-on inside an existing MRR bundle for small, uniform clients; breaks down for complex scopes — switch to flat tiers at roughly 25+ users or any audit-bound framework. |
| Projects (remediation, audits) | Quoted per scope | MFA rollouts, segmentation, migrations, and assessor-week support at standard project rates. The assessment's roadmap is your pre-sold project pipeline. |
Tier design rules: the assessment is a standalone, paid engagement that feeds every tier — never free, or you've taught the market your expertise costs nothing. Remediation is always extra: all three tiers operate the program, and project work is quoted separately, every time. The unit economics: a Better-tier client at ~$2.5K/mo should consume roughly 6–10 analyst-hours monthly once templated. At one analyst per 8–12 programs, a single FTE supports $200–350K of annual CaaS revenue — the math that makes the practice fundable from day one.
03 · Go-To-Market Motion
The same six-stage lifecycle runs every client, every framework, every tier. Standardize it and your second client costs half the effort of your first; your tenth runs on rails. Two stages carry the whole relationship: the findings review, where the deal expands, and the QBR, where it renews.
The CaaS Delivery Lifecycle
1. Obligations, data, systems, and boundary — settled in a structured workshop before any assessment work begins.
2. Gap assessment against the chosen framework: score it, then build the remediation roadmap.
3. The findings meeting — decisions, priorities, and the funded plan. This is where CaaS revenue is actually made.
4. Project work closes the gaps while documentation is written in parallel — quoted separately from the monthly fee.
5. The monthly rhythm: evidence tasks, register touches, training and phishing campaigns, attestation chases, and posture review — 6–10 analyst-hours for a templated Better-tier client.
6. Quarterly proof of progress — the renewal and upsell engine. Always show movement.
Where the Practice Is Won
Scoping workshop. Who is in the room: owner/exec, ops lead, your compliance lead + analyst. 90 minutes, structured. Output: the obligation register, framework selection, scope boundary, and the assessment SOW — signed before any work begins.
Findings review. The structure: posture score first — one number lands harder than forty findings — then top five risks in business language, the roadmap in three phases, and the funded decision. Output: the approved roadmap — your project pipeline — and the tier the client lands on. This meeting is where CaaS revenue is actually made.
Compliance QBR. The agenda (45 min): posture score and trend, gaps closed this quarter with the evidence, open risks and treatments, vendor and training status, and what is coming — renewals, audits, regulation changes. Output: the quarterly report artifact and the annual program report leadership files. The QBR is simultaneously delivery, proof, and the next sale.
The client-facing year at a glance
QBR #1: annual risk-assessment refresh and insurance-renewal prep.
QBR #2: vendor reassessment cycle and training campaign.
QBR #3: testing window (scans / pen test / tabletop) and policy review.
Annual program report, attestation renewals, next-year roadmap, and pricing.
Sell on Triggers, Not Abstract Risk
Your first ten CaaS clients are already on your client list. Sell on concrete events that make compliance urgent — not a cold pitch.
| Trigger to watch for | The talk track | Lands on |
|---|---|---|
| Cyber-insurance renewal, or a questionnaire the client can't answer | "Your insurer is asking you to attest to controls. Let's run an assessment so what you sign is true — and so next year's renewal takes an afternoon, not a panic." | Assessment → Good/Better |
| A customer, prime, or platform sends a security questionnaire or flow-down clause | "This is the first of many — your buyers are auditing their supply chain. A running program with a trust portal answers all of them once." | Better/Best + trust portal |
| Client is in a regulated vertical — HIPAA, PCI, CMMC, FTC Safeguards | "The rule already applies to you — the only question is whether the program exists on paper when someone asks. Here's what the rule actually requires." | Better/Best per framework |
| A near-miss, incident, or a peer's public breach | "The difference between their week and yours is a documented, tested program. Let's baseline where you stand." | Assessment → tier |
| M&A, new contract, new location, or a new line-of-business system | "Scope just changed — obligations probably did too. A scoping session now is cheaper than a finding later." | Scoping workshop |
Objection Handling
The land-and-expand path: paid assessment → findings review → Better tier plus first remediation project → two QBRs of visible progress → upsell trigger → Best tier. Average journey: 9–15 months. Map every client to a stage and the pipeline runs itself.
ControlMap Accelerators
Every economic assumption in this guide — the 6–10 hour month, one analyst per 8–12 programs, 60–70% margins — depends on a platform built for multi-tenant repeatability. These are the ControlMap features that turn the operating model from theory into rate card.
Built for Multi-Tenant Repeatability
Build one master client template per vertical — frameworks adopted, control assignments, policy set, task cadence, QBR structure — and clone it for every new client. Onboarding drops from weeks of setup to a day of tailoring.
Hundreds of vendor products pre-mapped to CIS controls. Declare a client's stack — EDR, identity, backup, email security — and Stacks auto-answers the assessment questions those tools satisfy. The gap assessment starts 60–70% pre-populated; your analyst verifies instead of excavates.
Templated policy sets per framework, pre-built risk libraries to seed each register, and vendor templates with diligence questionnaires. Policies, risks, and vendor programs ship from a library, not a blank page — tailoring is the billable judgment, drafting isn't.
CIS, HIPAA, PCI DSS, NIST 800-171/CMMC, FTC Safeguards, SOC 2 and more, mapped to each other. One control implemented satisfies many requirements — the mechanic behind a second framework adding 40–60%, not 100%.
Every client program in one pane — posture, overdue tasks, stale evidence — so one analyst really can run a dozen programs. Integrations with the Microsoft and Google clouds and MSP tooling collect recurring evidence automatically; humans handle exceptions.
Trust portal, posture reports, and QBR-ready exports come from the same data your team works in daily. The artifact that renews the contract is a by-product of delivery, not a Friday-afternoon chore.
The platform-plus-people truth: tooling compresses the mechanics; it doesn't replace the judgment. Stacks pre-answers the assessment — your lead still decides what the risks mean. Templates draft the policy — your analyst still makes it true for this client. ControlMap makes a trained team dramatically faster; it doesn't make an untrained one credible.
Putting It Together
Four phases from foundation to launch, each with explicit exit criteria — then six numbers to watch monthly. Resist launching with five frameworks: master one vertical, one framework, three clients, then clone. The MSPs who stall are rarely short on demand; they're drowning in bespoke delivery because they skipped the template phase.
Ninety Days to Live Programs
| Phase | Do this | Exit criteria |
|---|---|---|
| Weeks 1–3 · Foundation | Name the compliance lead and analyst (fractional is fine); enroll foundation certs (ISC2 CC, Security+); stand up ControlMap; run your own MSP through CIS as client zero — the training program and the sales asset in one. | Your own assessment scored, risk register live, security package drafted. |
| Weeks 4–6 · Productize | Build the master client template; finalize the nine-service catalog and Good/Better/Best definitions; set pricing; draft the assessment SOW, MSA compliance addendum, and the findings-review and QBR deck templates. | Rate card signed off; templates clone-ready; a one-page CaaS overview for clients. |
| Weeks 7–10 · Pilot | Pick 2–3 friendly clients with live triggers (insurance renewal, regulated vertical); run paid pilot assessments — discounted if needed, never free; hold real findings reviews; land them on tiers. | 2–3 paying programs live; first remediation projects quoted; lifecycle tested end to end. |
| Weeks 11–13 · Launch | Run the trigger sweep across the whole client base (verticals, renewals, questionnaires); add the compliance slide to every QBR; arm AMs with the field-guide series; deliver the pilots' first quarterly artifacts on time. | Pipeline of 10+ scored opportunities; CaaS on every QBR agenda; first QBR artifacts shipped. |
The Practice Scorecard — Six Numbers to Watch Monthly
Attach rate: total compliance MRR, and the percentage of managed clients on a tier. Year-one target: 15–25% attach.
Hours per program: analyst hours per client per month, trending toward 6–10 as templates mature. The margin dial.
Assessment conversion: the percentage of paid assessments converting to ongoing programs. Below roughly 60%? Fix the findings review, not the price.
Pipeline: project revenue quoted from assessment roadmaps — the pull-through that often exceeds the MRR itself.
QBR delivery: the percentage of due QBRs delivered on time with artifacts. The single best churn predictor — protect it at 100%.
Evidence freshness: the percentage of controls with current evidence across all tenants — delivery health in one number, straight off the dashboard.
Take Action
Name the compliance lead and analyst — fractional hats are fine; unowned functions are not.
ISC2 CC and Security+ now, CGRC for the analyst, CISSP for the vCISO track — foundation first, depth second.
Run your own MSP as client zero on CIS — your training ground and your best sales asset.
Build the master tenant template in ControlMap and clone it for every new client — never start from blank.
Define the nine-service catalog and Good/Better/Best tiers — every service ends in a visible artifact.
A paid assessment, three tiers, and remediation always quoted separately — never bundled into the flat fee.
Sweep your client base for verticals, insurance renewals, questionnaires, and flow-downs — and score the pipeline.
Pilot with 2–3 friendly clients; run real findings reviews; land them on tiers before going wide.
Scoping workshop, findings review, and quarterly compliance QBR — with template decks for each.
Track the six numbers monthly — attach rate, hours per program, conversion, pipeline, QBR delivery, evidence freshness.
This guide is provided for general educational purposes. Pricing ranges, staffing ratios, and market figures are indicative planning anchors drawn from commonly observed MSP market practice and vary by region, vertical, and positioning; they are not benchmarks or guarantees. Nothing here is legal, financial, or audit advice — engagements involving regulated frameworks should be structured with appropriate counsel and qualified assessors. Companion framework guides: HIPAA, PCI DSS, CMMC, and FTC Safeguards (GLBA).
ControlMap by ScalePad
Tenant cloning, Stacks auto-answering, template libraries, cross-mapped frameworks, and client-ready reporting — the platform this whole operating model runs on.