ScalePad
ControlMap

MSP Business Build Guide

Compliance as a Service: the stickiest recurring revenue you'll ever build

How to start, package, price, and sell a CaaS practice — the people and certifications to invest in, the service catalog and Good/Better/Best tiers, and the delivery and sales motion that turns compliance from a scramble into durable monthly revenue.

Start Here

Why CaaS, why now — and why the MSP wins it

Compliance as a Service is the productized operation of a client's compliance program: assess, remediate, document, evidence, and report — continuously, for a monthly fee. Demand isn't coming from clients waking up security-conscious; it's coming from forces they can't ignore. You already operate most of the controls every framework demands, and you already hold the trust relationship. Someone will run these programs for your clients — the only question is whether it's you.

Four Forces Pushing SMBs Into Formal Compliance

Regulation with teeth

HIPAA, PCI DSS, CMMC, FTC Safeguards, and state privacy laws now carry audits, public breach lists, and contract-eligibility consequences.

Cyber insurance

Renewal questionnaires demand MFA, EDR, backups, training, and documented programs — and misstatements void claims. Every renewal is a CaaS lead.

Supply-chain pressure

Enterprises, primes, and platforms push security questionnaires and contract clauses down to the smallest vendor. SMBs lose deals they can't paper.

No one else to do it

SMBs can't hire compliance officers, and big consultancies won't touch their budgets. The trusted IT provider is the only candidate in the room.

The business case: +20–50% new MRR on the IT contract at 60–70%+ gross margin with platform leverage, near-lock-in churn — you hold the program — and compliance MRR that prices like software. The honest gap this guide closes: most MSPs who stall don't lack tooling — they lack an operating model: who runs it, what goes in the package, what to charge, and how to sell it. This guide answers those questions in order: people, offer, motion.

The Operating Model

What CaaS is — and the three rules that make it work

CaaS sits between your managed security stack and a client's legal obligations: you operate the program — assessments, controls, documents, evidence, reporting — while the client keeps accountability, signatures, and final risk decisions. You are not a law firm, an auditor, or a certification body; you're the team that makes the client ready for all three.

The Boundary

You sell

Program operation: scoping and gap assessments, control implementation and monitoring, policies and attestations, risk register upkeep, vendor risk management, evidence collection, audit and assessor readiness, and reporting with QBRs. The outcome: audit-ready, insurance-ready, contract-ready — continuously.

You don't sell

Legal advice or coverage determinations (counsel's job), the audit or certification itself (auditor, C3PAO, or QSA territory — selling both sides is a conflict), guaranteed compliance, or signatures on attestations — SAQ, SPRS, and QI reports are signed by client officers, prepared by you.

Drink your own champagne

Run your MSP through the same program first — CIS Controls is the natural backbone. It trains your team on real workflows, produces the security package that answers every client and insurer questionnaire, and gives sales a story no slide deck can fake: here's our risk register.

Standardize, then customize

Margin lives in repeatability: one platform, one master client template, one policy library, one QBR format — cloned per client, then tailored 20%. Bespoke-everything CaaS is consulting with worse economics.

Separate program from projects

The monthly fee buys program operation. Remediation work the assessment uncovers — MFA rollouts, segmentation, migrations — is quoted project work. Bundling unknown remediation into a flat fee is how CaaS practices lose money in year one.

Golden rule: position CaaS as risk and revenue protection the client can show someone — an insurer, a prime, a regulator, a customer — not as fear-ware. The deliverable that sells renewals is the artifact in their hands at the QBR: the score, the report, the portal. Design every service to produce one.

01 · Practice Foundation

Build the practice — people, disciplines, and the cert ladder

CaaS is a people-and-process business riding on a platform. You don't need a bench of CISOs to start — you need four functions covered, however many hats that takes, plus a deliberate training plan that grows your own talent. Most successful practices start with one champion and fractional everything else.

The Four Functions Every CaaS Practice Must Cover

Compliance lead / vCISO

Owns methodology and judgment: framework interpretation, risk decisions, client-facing reviews, and the QI/vCISO seat where contracted. Day one this is your most senior security-minded person — often the owner or service director — at roughly 25–50% allocation.

Compliance analyst / coordinator

The engine room: runs assessments, drafts policies from templates, chases evidence, maintains risk and vendor registers, and preps QBR decks. The first dedicated hire — and a natural growth path for a detail-oriented service-desk tech who likes documentation.

Technical implementers

Your existing engineers — they already run MFA, EDR, and patching. New muscle to build: evidence discipline (screenshot, export, attach), remediation-by-ticket tied to controls, and being interview-ready when assessors call.

Account / sales motion

Whoever runs QBRs today carries CaaS into them: spotting triggers like renewals, questionnaires, and new contracts, positioning the assessment, and presenting progress. Compliance gives the account manager something concrete to show every quarter.

Foundation → GRC Depth → Specialization

The training and certification roadmap

Certifications build genuine judgment, signal credibility in proposals and assessor conversations, and give growth-path techs a ladder. Sequence them: foundation first, GRC depth second, framework specialization where your verticals demand it.

Stage | Credential | Why | Who
Foundation (months 0–6) | ISC2 CC — Certified in Cybersecurity | The fastest credible on-ramp: core security concepts with a low cost of entry. The first rung for the analyst promoted from the desk. | Analyst, AMs, every tech touching CaaS
Foundation (months 0–6) | CompTIA Security+ | The vendor-neutral baseline assessors and government work recognize; cements the technical vocabulary the whole practice shares. | Analysts and implementers
GRC depth (months 6–18) | ISC2 CGRC — Governance, Risk & Compliance | The cert that matches the job: risk frameworks, control selection, assessment, and authorization workflows. The natural target for your compliance analyst and lead. | Analyst → lead
GRC depth (months 6–18) | ISACA CRISC / CISA | CRISC for risk-register and risk-treatment depth; CISA for audit methodology — invaluable once you're prepping clients for external auditors. | Compliance lead
GRC depth (months 6–18) | ISC2 CISSP | The senior credential for the vCISO seat: breadth across all domains plus the market signal enterprise-adjacent clients expect on the proposal. | Compliance lead / vCISO
Specialize (per vertical) | Cyber AB RP / RPA (CMMC) · PCIP (PCI SSC) | Framework-official credentials that unlock specific markets: RP status lists your MSP in the CMMC ecosystem; PCIP signals payment-security fluency to acquirers and QSAs. | Vertical specialists
 | Platform and partner enablement | ControlMap and ScalePad partner training, framework bootcamps, and peer-group programs — where methodology meets the actual tooling your team delivers on. | Everyone in the practice

Team shapes by maturity

Starting (1–5 clients): a fractional lead, one analyst at ~50%, engineers as needed — no new headcount to launch. Growing (5–20): first full-time analyst and scheduled evidence workflows. Scaled (20+): a dedicated lead plus 2–3 analysts — roughly one analyst per 8–12 active programs — with CaaS as its own P&L line.

Disciplines no certificate teaches

Build these deliberately: writing (turning a control into a paragraph a business owner understands), evidence hygiene (dated, attributed, mapped artifacts as a reflex), facilitation (scoping workshops and findings reviews are executive meetings), and framework reading (extracting what would satisfy an assessor from the rule text).

Grow, don't poach

Experienced GRC hires are scarce and priced for enterprise. A curious tech plus a structured cert path plus platform guardrails beats an expensive outside hire who doesn't know MSP delivery. A realistic year-one training spend lands around one month of a single mid-tier client's revenue — the highest-leverage line in the launch budget.

02 · Offer Design

Design the offer — nine services, three tiers, one rate card

Name the services before you name the packages. These nine building blocks are what every tier draws from — each a discrete deliverable the client can see, with a natural cadence and a clear artifact. Build them once as repeatable plays; the tiers are just bundles of these blocks. Compliance work is invisible by default, and invisible work churns — if a service doesn't produce an artifact, give it one or cut it.

1 · Framework assessment

Gap assessment against the chosen framework — CIS as the universal base; HIPAA, PCI, CMMC, or Safeguards per vertical. Artifact: a scored findings report plus remediation roadmap.

2 · Policies & procedures

The written program from templates — tailored, approved, and pushed for staff e-attestation on an annual review cycle. Artifact: a versioned policy library plus attestation records.

3 · Risk registry

A living register of risks scored by likelihood × impact, with treatment decisions and owners, reviewed quarterly. Artifact: the register plus a risk-trend view.

4 · Vendor risk management

Third-party register, tiered diligence questionnaires, contract-clause checks, BAA/AOC collection, and periodic reassessment. Artifact: the vendor register with status.

5 · Evidence management

Continuous collection mapped to controls — automated via integrations where possible, scheduled tasks elsewhere. Artifact: an audit-ready evidence library.

6 · Awareness training

Campaigns plus phishing simulation, tracked to completion and tied to policy attestations. Artifact: completion reports for every cycle.

7 · Trust portal

A client-branded page showing posture, certifications, and shareable artifacts — what they send a prospect or prime instead of a 200-question spreadsheet. Artifact: the portal itself.

8 · Reporting & QBR

Posture score, closed gaps, open risks, and upcoming obligations, presented quarterly to leadership. Artifact: the QBR deck and annual program report.

9 · Audit & incident support

Assessor and auditor hosting, questionnaire response service, IR plan upkeep and tabletop exercises, and breach-clock support. Artifact: readiness packs and tabletop minutes.

Three Tiers, Clean Boundaries

Good / Better / Best — defining the tiers

Every client lands on one of three tiers. The upgrade logic is built in: Good proves the model, Better is where most clients should land — price-anchor accordingly — and Best serves regulated and audit-bound clients at vCISO depth.

Good

Baseline assurance — know where you stand.

Included

  • Annual framework assessment (CIS-based) + findings report
  • Core policy set from templates + staff e-attestation
  • Annual security awareness training campaign
  • Basic risk register (top 10, reviewed annually)
  • Insurance-questionnaire support (1/yr)
  • Annual posture report at the year-end business review

Best for

SMBs with no regulatory driver yet — security-maturity buyers, insurance-driven buyers.

Typical price

$750 – $1.5K / month

Better

Managed program — stay compliant continuously.

Included

  • Everything in Good, plus:
  • Framework matched to the client obligation (HIPAA, PCI, Safeguards...)
  • Continuous evidence collection mapped to controls
  • Full risk register, reviewed quarterly with treatment tracking
  • Vendor risk management program (register + diligence cycle)
  • Training + phishing simulation, quarterly campaigns
  • Quarterly compliance QBR with posture scorecard

Best for

Clients with a named obligation — practices, dealers, tax firms, clinics — who must prove a running program.

Typical price

$1.5K – $3.5K / month

Best

Audit-bound and regulated — vCISO-led and assessor-ready.

Included

  • Everything in Better, plus:
  • vCISO / Qualified Individual seat with named accountability
  • Multi-framework cross-mapping (e.g., CIS + CMMC + insurance)
  • Client trust portal for prospects, primes & insurers
  • Audit/assessment hosting: SSPs, readiness reviews, assessor liaison
  • Questionnaire response service (uncapped or generous cap)
  • Annual IR tabletop + board-level annual program report

Best for

CMMC L2 candidates, audit-bound healthcare/finance, clients selling into enterprise supply chains.

Typical price

$3.5K – $8K+ / month

Market Anchors

What to charge

Ranges reflect commonly observed North-American SMB market pricing (USD); your costs, vertical, and positioning move them. The principle that matters more than any number: price the outcome — audit-ready, contract-eligible, insurable — never the hours.

Offer | Typical range | Pricing notes
Gap assessment (entry engagement) | $3.5K – $15K one-time | Scale by framework weight: CIS and Safeguards at the low end, HIPAA and PCI mid, CMMC L2 at the top or above. Credit a portion against the first year of a tier to convert.
Good tier | $750 – $1.5K / mo | Flat monthly per client — keep it simple. Floor it above your cost of the annual cycle plus margin; this tier exists to start relationships, not to subsidize them.
Better tier | $1.5K – $3.5K / mo | The workhorse. Price per framework; a second framework adds roughly 40–60%, not 100% — cross-mapping does the work. Quarterly QBRs are the perceived-value engine — never skip one.
Best tier | $3.5K – $8K+ / mo | The vCISO seat, trust portal, and audit hosting justify the jump; CMMC L2 and audit-bound clients routinely exceed the top of this range. Cap questionnaire volume or price it generously in.
Per-user alternative | $15 – $50 / user / mo | Works as a compliance add-on inside an existing MRR bundle for small, uniform clients; breaks down for complex scopes — switch to flat tiers at roughly 25+ users or any audit-bound framework.
Projects (remediation, audits) | Quoted per scope | MFA rollouts, segmentation, migrations, and assessor-week support at standard project rates. The assessment's roadmap is your pre-sold project pipeline.

Tier design rules: the assessment is a standalone, paid engagement that feeds every tier — never free, or you've taught the market your expertise costs nothing. Remediation is always extra: all three tiers operate the program, and project work is quoted separately, every time. The unit economics: a Better-tier client at ~$2.5K/mo should consume roughly 6–10 analyst-hours monthly once templated. At one analyst per 8–12 programs, a single FTE supports $200–350K of annual CaaS revenue — the math that makes the practice fundable from day one.

03 · Go-To-Market Motion

Run and sell it — the lifecycle, the meetings, the triggers

The same six-stage lifecycle runs every client, every framework, every tier. Standardize it and your second client costs half the effort of your first; your tenth runs on rails. Two stages carry the whole relationship: the findings review, where the deal expands, and the QBR, where it renews.

The CaaS Delivery Lifecycle

  1. Scope

    Obligations, data, systems, and boundary — settled in a structured workshop before any assessment work begins.

  2. Assess

    Gap assessment against the chosen framework: score it, then build the remediation roadmap.

  3. Review with client

    The findings meeting — decisions, priorities, and the funded plan. This is where CaaS revenue is actually made.

  4. Remediate

    Project work closes the gaps while documentation is written in parallel — quoted separately from the monthly fee.

  5. Operate

    The monthly rhythm: evidence tasks, register touches, training and phishing campaigns, attestation chases, and posture review — 6–10 analyst-hours for a templated Better-tier client.

  6. Report & QBR

    Quarterly proof of progress — the renewal and upsell engine. Always show movement.

Where the Practice Is Won

The three meetings that carry the practice

1 · The scoping workshop

Who is in the room: owner/exec, ops lead, your compliance lead + analyst. 90 minutes, structured. Output: the obligation register, framework selection, scope boundary, and the assessment SOW — signed before any work begins.

The questions: What contracts, regulators, insurers, or customers impose obligations on you? What sensitive data do you hold, and where? Who are your critical vendors? What has been audited, questioned, or breached before? What deadline is driving this?

2 · The findings review

The structure: posture score first — one number lands harder than forty findings — then top five risks in business language, the roadmap in three phases, and the funded decision. Output: the approved roadmap — your project pipeline — and the tier the client lands on. This meeting is where CaaS revenue is actually made.

The discipline: every finding gets one of four dispositions — remediate (quoted project), accept (documented, owner-signed), transfer (insurance/vendor), or defer (dated). No finding leaves the room undecided.

3 · The compliance QBR

The agenda (45 min): posture score and trend, gaps closed this quarter with the evidence, open risks and treatments, vendor and training status, and what is coming — renewals, audits, regulation changes. Output: the quarterly report artifact and annual program report leadership files. The QBR is simultaneously delivery, proof, and the next sale.

The rule: always show movement. A flat scorecard for two quarters is a churn signal — find the next improvement or surface the next obligation before the client wonders what they are paying for.

The client-facing year at a glance

  1. Q1 · Risk assessment

    QBR #1: annual risk-assessment refresh and insurance-renewal prep.

  2. Q2 · Vendor cycle

    QBR #2: vendor reassessment cycle and training campaign.

  3. Q3 · Testing window

    QBR #3: testing window (scans / pen test / tabletop) and policy review.

  4. Q4 · Program report

    Annual program report, attestation renewals, next-year roadmap, and pricing.

Sell on Triggers, Not Abstract Risk

The fifteen-minute conversation inside a QBR

Your first ten CaaS clients are already on your client list. Sell on concrete events that make compliance urgent — not a cold pitch.

Trigger to watch for | The talk track | Lands on
Cyber-insurance renewal, or a questionnaire the client can't answer | "Your insurer is asking you to attest to controls. Let's run an assessment so what you sign is true — and so next year's renewal takes an afternoon, not a panic." | Assessment → Good/Better
A customer, prime, or platform sends a security questionnaire or flow-down clause | "This is the first of many — your buyers are auditing their supply chain. A running program with a trust portal answers all of them once." | Better/Best + trust portal
Client is in a regulated vertical — HIPAA, PCI, CMMC, FTC Safeguards | "The rule already applies to you — the only question is whether the program exists on paper when someone asks. Here's what the rule actually requires." | Better/Best per framework
A near-miss, incident, or a peer's public breach | "The difference between their week and yours is a documented, tested program. Let's baseline where you stand." | Assessment → tier
M&A, new contract, new location, or a new line-of-business system | "Scope just changed — obligations probably did too. A scoping session now is cheaper than a finding later." | Scoping workshop

Objection Handling

The four objections — and the honest answers

Objection | The honest answer
Too small | Size is not the trigger. Your insurer, customers, and obligations are. Attackers automate; they do not check revenue first.
Already covered | Managed IT runs the controls. CaaS proves them with documents, evidence, and reports outsiders ask for. Different deliverable, different line.
Audit later | Programs take 6–18 months to mature. Audits give little notice. Waiting creates findings and emergency-rate work.
Too expensive | Compare it to a lost deal, denied claim, or rushed consultant engagement. One event can cover years of program cost.

The land-and-expand path: paid assessment → findings review → Better tier plus first remediation project → two QBRs of visible progress → upsell trigger → Best tier. Average journey: 9–15 months. Map every client to a stage and the pipeline runs itself.

ControlMap Accelerators

Why client #10 costs a fraction of client #1

Every economic assumption in this guide — the 6–10 hour month, one analyst per 8–12 programs, 60–70% margins — depends on a platform built for multi-tenant repeatability. These are the ControlMap features that turn the operating model from theory into rate card.

Built for Multi-Tenant Repeatability

Tenant cloning

Build one master client template per vertical — frameworks adopted, control assignments, policy set, task cadence, QBR structure — and clone it for every new client. Onboarding drops from weeks of setup to a day of tailoring.

Stacks — the auto-answer engine

Hundreds of vendor products pre-mapped to CIS controls. Declare a client's stack — EDR, identity, backup, email security — and Stacks auto-answers the assessment questions those tools satisfy. The gap assessment starts 60–70% pre-populated; your analyst verifies instead of excavates.

Template libraries

Templated policy sets per framework, pre-built risk libraries to seed each register, and vendor templates with diligence questionnaires. Policies, risks, and vendor programs ship from a library, not a blank page — tailoring is the billable judgment, drafting isn't.

Cross-mapped frameworks

CIS, HIPAA, PCI DSS, NIST 800-171/CMMC, FTC Safeguards, SOC 2 and more, mapped to each other. One control implemented satisfies many requirements — the mechanic behind a second framework adding 40–60%, not 100%.

Multi-tenant dashboard + automated evidence

Every client program in one pane — posture, overdue tasks, stale evidence — so one analyst really can run a dozen programs. Integrations with the Microsoft and Google clouds and MSP tooling collect recurring evidence automatically; humans handle exceptions.

Client-facing artifacts built in

Trust portal, posture reports, and QBR-ready exports come from the same data your team works in daily. The artifact that renews the contract is a by-product of delivery, not a Friday-afternoon chore.

The platform-plus-people truth: tooling compresses the mechanics; it doesn't replace the judgment. Stacks pre-answers the assessment — your lead still decides what the risks mean. Templates draft the policy — your analyst still makes it true for this client. ControlMap makes a trained team dramatically faster; it doesn't make an untrained one credible.

Putting It Together

The 90-day launch plan — and the numbers that prove it

Four phases from foundation to launch, each with explicit exit criteria — then six numbers to watch monthly. Resist launching with five frameworks: master one vertical, one framework, three clients, then clone. The MSPs who stall are rarely short on demand; they're drowning in bespoke delivery because they skipped the template phase.

Ninety Days to Live Programs

The 90-day launch plan

Phase | Do this | Exit criteria
Weeks 1–3 · Foundation | Name the compliance lead and analyst (fractional is fine); enroll foundation certs (ISC2 CC, Security+); stand up ControlMap; run your own MSP through CIS as client zero — the training program and the sales asset in one. | Your own assessment scored, risk register live, security package drafted.
Weeks 4–6 · Productize | Build the master client template; finalize the nine-service catalog and Good/Better/Best definitions; set pricing; draft the assessment SOW, MSA compliance addendum, and the findings-review and QBR deck templates. | Rate card signed off; templates clone-ready; a one-page CaaS overview for clients.
Weeks 7–10 · Pilot | Pick 2–3 friendly clients with live triggers (insurance renewal, regulated vertical); run paid pilot assessments — discounted if needed, never free; hold real findings reviews; land them on tiers. | 2–3 paying programs live; first remediation projects quoted; lifecycle tested end to end.
Weeks 11–13 · Launch | Run the trigger sweep across the whole client base (verticals, renewals, questionnaires); add the compliance slide to every QBR; arm AMs with the field-guide series; deliver the pilots' first quarterly artifacts on time. | Pipeline of 10+ scored opportunities; CaaS on every QBR agenda; first QBR artifacts shipped.

The Practice Scorecard — Six Numbers to Watch Monthly

CaaS MRR & attach rate

Total compliance MRR, and the percentage of managed clients on a tier. Year-one target: 15–25% attach.

Hours per program

Analyst hours per client per month, trending toward 6–10 as templates mature. The margin dial.

Assessment → tier conversion

The percentage of paid assessments converting to ongoing programs. Below roughly 60%? Fix the findings review, not the price.

Remediation pipeline

Project revenue quoted from assessment roadmaps — the pull-through that often exceeds the MRR itself.

QBR delivery rate

The percentage of due QBRs delivered on time with artifacts. The single best churn predictor — protect it at 100%.

Evidence freshness

The percentage of controls with current evidence across all tenants — delivery health in one number, straight off the dashboard.

Take Action

Your 10-point CaaS launch checklist

1 · Name the team

Name the compliance lead and analyst — fractional hats are fine; unowned functions are not.

2 · Start the cert ladder

ISC2 CC and Security+ now, CGRC for the analyst, CISSP for the vCISO track — foundation first, depth second.

3 · Run client zero

Run your own MSP as client zero on CIS — your training ground and your best sales asset.

4 · Build the master template

Build the master tenant template in ControlMap and clone it for every new client — never start from blank.

5 · Define catalog and tiers

Define the nine-service catalog and Good/Better/Best tiers — every service ends in a visible artifact.

6 · Set the rate card

A paid assessment, three tiers, and remediation always quoted separately — never bundled into the flat fee.

7 · Run the trigger sweep

Sweep your client base for verticals, insurance renewals, questionnaires, and flow-downs — and score the pipeline.

8 · Pilot with friendly clients

Pilot with 2–3 friendly clients; run real findings reviews; land them on tiers before going wide.

9 · Institutionalize the meetings

Scoping workshop, findings review, and quarterly compliance QBR — with template decks for each.

10 · Track the scorecard

Track the six numbers monthly — attach rate, hours per program, conversion, pipeline, QBR delivery, evidence freshness.

This guide is provided for general educational purposes. Pricing ranges, staffing ratios, and market figures are indicative planning anchors drawn from commonly observed MSP market practice and vary by region, vertical, and positioning; they are not benchmarks or guarantees. Nothing here is legal, financial, or audit advice — engagements involving regulated frameworks should be structured with appropriate counsel and qualified assessors. Companion framework guides: HIPAA, PCI DSS, CMMC, and FTC Safeguards (GLBA).
