
The Importance of SOC 2* Reporting for MSPs and XaaS Vendors

By Kate Siegrist

Why is SOC 2 important for MSPs and XaaS Vendors?

As regulators place growing pressure on MSP customers to demonstrate these system and data characteristics, the customers will drive some of that responsibility through to the MSPs themselves. They want to feel comfortable that as MSPs manage their IT infrastructure and/or their end-user systems, their data remains safe. Customers also have expectations that the vendors serving MSPs are compliant. Customers do not want to be on the regulators’ radar and surely do not want to show up on the front page of a newspaper for breach of any requirements (and neither do IT service providers)!

What are the steps of a SOC 2 engagement?

First, a clearly defined readiness assessment process determines the state of systems and internal control processes. Once the remediation of gaps is completed, the SOC 2 examination begins. The results are then presented in a report, which provides evidence that controls are in place and operating properly, that they meet the appropriate, pre-defined and agreed-upon criteria, and that they are effective. The report will provide insights and actionable results.

How frequently should SOC 2 assessments be conducted?

After the initial assessment and reporting, reviews should be completed at least every 12 months.

So what does a SOC 2 assessment do for an MSP or Vendor?

In short: it mitigates the risk to MSPs, XaaS vendors and their customers. Because it demonstrates compliance and offers transparency for customers, a SOC 2 report quickly becomes a differentiator and a competitive advantage! Think about the statement that is made when a SOC 2 report is voluntarily and proactively added to a proposal or engagement letter. In addition, it makes ad hoc reports and customer onsite visits unnecessary, increasing provider productivity.

“Why can I not do it myself?”

Regulators request that an independent auditor conduct the examination of an organization’s internal controls. In addition, a report completed by an outside, independent source delivers transparency for customers and assurance that their security needs are met.


Written by:


Kate Siegrist, CPA, CISA, CRISC