Do Managed Service Providers Need a SOC Report?

A Managed Service Provider (MSP) is a company that performs an assortment of IT services for customers, often for small to moderately sized businesses with limited in-house IT capabilities. Services provided by an MSP can vary and may include technical support, which keeps a customer’s infrastructure up and running, and security services like managing firewalls, antivirus and patching solutions. MSPs can also help customers recover from a security breach.

So should MSPs have a SOC report? While there are no established requirements to do so, it may in fact be beneficial. A SOC 2 report, for instance, would demonstrate that an MSP has appropriate controls in place relevant to the services provided to customers based on the applicable trust services criteria. That could provide a competitive advantage in the marketplace, since obtaining a SOC report makes a strong statement about the MSP’s principal service commitments and system requirements. Plus, providing the report may render customer onsite visits or periodic assessments unnecessary.

Here are a few example controls that would be expected to be in place at an MSP (this is not an all-inclusive or exhaustive list):

  • The Network Monitoring Center monitors alerts on a 24/7 basis
  • Access to client information is permitted only via multifactor authentication
  • The MSP can access client systems only through a VPN or other encrypted means
  • Monitoring tools (such as a SIEM) monitor the MSP and customer systems to automatically detect threats
  • Change requests from clients are evaluated to determine requirements and the potential effect
  • Client approval is required for all changes prior to commencement of changes
  • For clients where the MSP monitors the status of backup jobs, tickets are created and attempts are made to correct any detected backup failures
  • When needed, the MSP communicates backup failures to the client

Customers rely on their MSP to protect data and answer questions regarding IT issues. By obtaining a SOC 2 report, MSPs can alleviate many customers’ concerns and demonstrate their commitment to implementing and maintaining strong controls.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

SOC, SOC 2 BY Rick Stevenson