GM, I agree with Lisa-Mae, always good to check on your vendor's VMP - they must demonstrate control and oversight over their material subcontractors.
The one thing I would add is to request their pen test report. Be careful to check scope to be sure their service to you was included.
Happy to chat.
Original Message:
Sent: 03-14-2023 10:05 AM
From: Lisa-Mae Hill
Subject: DD items for MSP - beyond SOC2 report
This is a solid list. I would also just encourage you to ensure you have strong breach/incident notification language in your contracts or at least understand what their process and timelines are. Understanding their incident response times and procedures is also important. I would also want to look at their Vendor Management program and make sure you know what (if any) of their third parties have access to or process your data. I'd love for others to weigh in as well.