Due Diligence and Ongoing Monitoring

  • 1.  DD items for MSP - beyond SOC2 report

    This message was posted by a user wishing to remain anonymous
    Posted 03-02-2023 09:34 AM

    For those that use a Managed Services Provider, I'm wondering what additional documents are typically collected beyond the SOC2 report.  Our standard DD checklist is pasted below but I don't know whether they are all relevant to an MSP or are already covered by the SOC2.  What do others do?

    Internal controls report (e.g., SOC report, internal audit)

    Compliance Manual

    Code of Ethics

    HR policies, including hiring guidelines and leave policy

    Financial statements

    Insurance certificates or detailed overview (general liability, D&O, E&O, cyber)

    IT/Cybersecurity policy

    Cyber Incident Response Plan

    BCP policy

    Disaster Recovery policy

    BCP attestation

    Outsourcing policy



  • 2.  RE: DD items for MSP - beyond SOC2 report

    Posted 03-14-2023 10:24 AM

    This is a solid list.  I would also just encourage you to ensure you have strong breach/incident notification language in your contracts or at least understand what their process and timelines are. Understanding their incident response times and procedures is also important. I would also want to look at their Vendor Management program and make sure you know what (if any) of their third parties have access to or process your data. I'd love for others to weigh in as well.




  • 3.  RE: DD items for MSP - beyond SOC2 report

    Posted 03-15-2023 06:58 AM

    GM, I agree with Lisa-Mae, always good to check on your vendor's VMP - they must demonstrate control and oversight over their material subcontractors.

    The one thing I would add is to request their pen test report. Be careful to check the scope to be sure their service to you was included.

    Happy to chat.