The Market Shift MSPs Are Missing
Something changed in the compliance market and most MSPs haven’t caught up yet.
For years, compliance worked like this: a client gets a requirement — SOC 2 from a new enterprise customer, ISO 27001 from a European partner, Cyber Essentials from a government framework — they hire a consultancy to help them achieve it, they pass the audit, and then they more or less ignore compliance until the next renewal.
That model is breaking down. Fast.
Frameworks are moving to continuous monitoring. Insurers want evidence of ongoing controls, not audit certificates. Clients are being asked to maintain compliance across multiple frameworks at once, not just one. And the gap between “we passed our audit last year” and “we can demonstrate we’re compliant today” is becoming commercially expensive.
The result: there’s a growing market of SMB and mid-market clients who need ongoing compliance management — not a periodic consultant engagement. They need someone to run their GRC function as an ongoing service.
That’s Compliance as a Service. And MSPs are positioned better than anyone to deliver it.
What CaaS Actually Means
Compliance as a Service is a recurring monthly engagement that covers a client’s compliance programme continuously, not just at audit time.
The key word is continuous. A CaaS client isn’t buying a report. They’re buying an ongoing function: evidence gets collected, controls get monitored, policies get updated, risks get assessed, and their compliance posture is managed year-round by your team using a dedicated GRC platform.
What that looks like in practice:
- Evidence collection runs automatically through integrations with their cloud environment (Microsoft 365, AWS, Google Workspace) and feeds into a centralised evidence library
- Controls are mapped against their target framework(s) and tracked continuously, not just at audit time
- Risk assessments are updated quarterly, not annually
- Policies are maintained and versioned, with review cycles managed by your team
- Compliance reporting is delivered monthly — a live dashboard clients can share with auditors, insurers, or enterprise prospects
- Audit readiness is a permanent state, not a three-month sprint before every certification renewal
This is fundamentally different from what most MSPs currently offer. Most MSPs offer security tools. Some offer a one-time gap assessment. A handful offer vCISO advisory on a time-and-materials basis. Very few offer a structured, ongoing compliance programme as a productised service.
That gap is the opportunity.
Why the Timing Is Right
Three market forces are pulling clients toward ongoing compliance management right now.
Enterprise procurement requirements are getting longer. If your clients sell to larger organisations, they’re fielding more security questionnaires than they were two years ago. Those questionnaires now ask for evidence — not just yes/no answers — and they’re updated frequently. Clients who want to win and keep enterprise deals need to maintain their compliance posture, not just pass a one-time audit.
Cyber insurance underwriting has tightened significantly. Insurers are requiring documented controls at renewal, and claim audits are now common after incidents. Clients who claimed MFA and documented IR plans on their application and can’t evidence them at claim time are getting burned. A CaaS engagement gives them a maintained evidence library that’s ready when the insurer asks.
Multi-framework requirements are becoming normal. A US-based software company selling to UK financial services clients might need SOC 2 for domestic customers, ISO 27001 for European ones, and Cyber Essentials Plus for any UK government work. Managing three frameworks manually is overwhelming. Managing them through a shared-controls model via a GRC platform with multi-framework coverage is much more tractable — and something an MSP can deliver as a service.
None of these drivers are going away. The compliance burden on SMBs is increasing, not plateauing.
Building Your CaaS Offering
The mistake most MSPs make when building a compliance service is starting with the delivery mechanics before getting the packaging right. You need a clear, sellable offer before you worry about how you’ll deliver it.
Here’s a three-tier structure that works across different client sizes and complexity levels.
Tier 1 — Compliance Foundations ($1,500–$2,500/month)
Designed for: SMBs with one compliance requirement, typically 20–100 employees.
Scope:
- Single framework coverage (SOC 2 Type II, ISO 27001, or Cyber Essentials Plus)
- Annual risk assessment with quarterly risk register updates
- Core policy library (15–20 policies) maintained and versioned
- Monthly compliance dashboard report
- Evidence collection for covered controls
- One quarterly compliance review call
- Audit support for the covered framework (coordinating evidence, liaising with auditor)
What’s not included: multi-framework coverage, board reporting, IR leadership, vendor risk management.
This tier is the entry point. It’s enough to maintain ongoing compliance for a client with a single framework requirement, and it’s priced attractively enough that clients choose you over managing it themselves (they can’t, but they don’t know that yet).
Tier 2 — Compliance Programme ($3,000–$5,500/month)
Designed for: Mid-market clients with two or more framework requirements, or clients with active audit cycles.
Scope:
- Multi-framework coverage (up to three frameworks with shared-controls mapping)
- Full policy library (25–35 policies) with semi-annual reviews
- Quarterly risk assessments and risk register maintenance
- Vendor risk assessments (up to 10 per year)
- Monthly executive compliance report
- Bi-weekly compliance review cadence
- Full audit coordination and evidence management
- Cyber insurance questionnaire support at renewal
Multi-framework is where the economics get interesting. If a client needs SOC 2 and ISO 27001, a significant portion of the controls overlap. Your delivery time on the second framework is a fraction of the first. But your pricing can reflect the added complexity, because for the client it is more complex — they have two audits, two sets of evidence requirements, two renewal cycles to manage.
Tier 3 — Full Compliance + vCISO ($6,000–$10,000/month)
Designed for: Growth-stage companies, regulated industries, or clients with board-level security accountability requirements.
Scope:
- All of Tier 2 plus named vCISO function
- Board and executive reporting
- Security roadmap and budget input
- Unlimited framework coverage
- Incident response plan ownership and tabletop exercise facilitation
- M&A security due diligence support on request
- Regulatory change monitoring (relevant to client’s industry and geography)
This tier is for clients who effectively need a CISO function. The vCISO component brings the engagement up from a compliance programme to security leadership — which is a different conversation and justifies the higher price point.
The Delivery Model
Having tiers is one thing. Delivering them consistently at margin is another.
The core challenge in CaaS delivery is the ratio of client complexity to consultant time. If every client engagement is a bespoke consulting project, you’ll max out at three or four clients per consultant and the margin disappears. The goal is to standardise enough of the delivery that a consultant can run eight to twelve clients simultaneously.
That requires two things: a repeatable process and the right tooling.
The process looks like this:
- Onboarding (weeks 1–4): Scoping call, framework selection, tech stack integration, initial risk assessment, policy gap review, controls mapping. This takes the most time per engagement and should be priced into your onboarding fee or first month.
- Steady state (months 2+): Monthly evidence review, compliance dashboard update, risk register maintenance, policy version control, and a monthly or quarterly client call depending on tier. This is where the time savings from automation kick in.
- Audit preparation (8–12 weeks before each audit): Evidence package compilation, mock audit walkthrough, auditor liaison. This is a predictable spike and should be built into your capacity planning.
The tooling requirements:
Manual CaaS delivery is not viable at scale. You need a GRC platform that handles:
- Automated evidence collection from cloud integrations (not screenshots and email requests)
- Multi-framework controls mapping so you’re not maintaining separate evidence sets per framework
- A client-facing dashboard that’s always current, not a monthly report PDF
- Risk register and task management built into the same workflow
- Policy library management with versioning and review cycles
Without automation, evidence collection alone consumes four to six hours per client per month. With a platform that integrates directly with Microsoft 365 or AWS, that drops to under an hour for routine checks. That’s the operational difference between a business that scales and one that burns out at five clients.
Pricing for Margin
MSPs consistently undervalue compliance services. Here’s why: compliance work doesn’t feel like IT support, and MSPs price based on what’s familiar.
Boutique vCISO and compliance consultancies charge £250–£350/hour for this work in the UK market, $200–$350/hour in the US. That’s the benchmark.
If your Tier 1 CaaS engagement requires eight to ten hours of work per month — realistic for a single-framework client in steady state — the equivalent consulting value is £2,000–£3,500/month. Pricing your packaged service at £1,500–£2,000/month gives clients a real saving while you maintain 50–60% gross margins once delivery is standardised.
The first few clients will be lower margin while you build the delivery machine. Client three or four is where the economics kick in properly, because you’re reusing policies, using the same platform integrations, and your consultant knows exactly what to do each month.
Resist discounting to close your first deals. New clients who negotiate heavily are the ones who will consume the most time. Offer a fixed onboarding discount if you must, not a reduced monthly fee.
One pricing note specific to multi-framework: don’t offer it at a flat discount. If Tier 1 (one framework) is £2,000/month and a client wants three frameworks, your second and third framework should add £600–£900 each, not £2,000 each. Clients aren’t paying the full single-framework rate per additional framework, but the work still costs you time — especially for frameworks with less overlap. Shared controls save work; unique controls still need managing.
Winning Your First CaaS Clients
Your first CaaS clients will almost always come from your existing MSP base. That’s where to start.
The compliance trigger conversation. Every MSP client has at least one compliance trigger coming — a cyber insurance renewal, a new enterprise customer requirement, a regulatory change affecting their industry. Build a calendar of those triggers across your client base. Three months before each trigger, start the conversation about readiness.
The script is simple: “Your cyber insurance renews in Q3. We’ve started to see insurers require detailed evidence of controls, not just yes/no answers on the questionnaire. We can run a readiness check now and move you onto an ongoing compliance programme that keeps you ready year-round. Want to see what that looks like?”
That’s not a hard sell. It’s a legitimate offer to solve a problem they already have.
The gap assessment as a first step. If a prospect isn’t ready to commit to a monthly programme, offer a fixed-scope gap assessment first. Charge £1,500–£2,500 for it. The report from a gap assessment almost always reveals enough findings that ongoing management becomes an easy next conversation. Clients see the gaps, understand the work involved, and realise they can’t manage it themselves.
The enterprise requirement angle. If any of your clients are B2B SaaS businesses, professional services firms, or technology companies selling upmarket, they’re getting security questionnaires from customers and prospects. Those questionnaires are getting longer. A CaaS engagement gives them a compliance posture they can actually evidence — and a dashboard they can send to procurement teams. That’s a direct commercial benefit they can quantify.
Common Mistakes to Avoid
Scoping too loosely. “We’ll handle your compliance” is not a scope. Define exactly what’s included, which frameworks, how many policies, how many vendor assessments, what evidence collection covers, and what’s out of scope. Loose scoping creates scope creep that destroys your margins.
Underestimating onboarding time. The first month of a new CaaS engagement is the heaviest. Integrations take time to set up, the initial risk assessment takes time to run properly, and the policy gap review takes time to do well. Build this into your pricing — either as a one-time onboarding fee (£1,500–£3,000 is reasonable) or into the first month’s fee.
Treating all frameworks as equal. SOC 2 and ISO 27001 are more similar than different. Cyber Essentials is much lighter. CMMC is significantly heavier than either. Price and scope accordingly. Don’t build a flat “compliance programme” that tries to be one size fits all.
Skipping the platform. The number one reason MSP compliance services don’t scale is that they’re delivered manually. Spreadsheets, email threads, and PDF reports are not a delivery model. A purpose-built GRC platform is not a nice-to-have — it’s what separates a consultancy-style engagement from a productised service.
Selling to the wrong clients. CaaS is not right for every SMB. Clients below 15–20 employees are often better served by a simpler security advisory retainer. Clients with no compliance requirements on the horizon have no natural trigger for the conversation. Focus on B2B companies, regulated industries, and clients with an active enterprise sales motion.
The Multi-Framework Opportunity
One trend worth paying attention to specifically: the rise of clients who need compliance across multiple frameworks simultaneously.
A software company that started on SOC 2 two years ago might now be adding ISO 27001 for European expansion, NIS2 obligations if they have EU operations, and Cyber Essentials Plus for a UK government bid. Managing three compliance programmes independently is overwhelming. Managing them through a shared-controls model is tractable — if you have the right tooling.
This is where a platform with broad framework coverage creates commercial advantage for MSPs. If you can tell a prospect “we can run your SOC 2, ISO 27001, and Cyber Essentials programmes from one platform, share the evidence across all three, and give you a single compliance dashboard” — that’s a compelling offer. The alternative is three separate consultants, three different audit prep cycles, and three independent evidence libraries.
Multi-framework CaaS clients are also stickier. The more embedded your service is in their compliance posture, the higher the switching cost. That’s exactly what you want in a recurring revenue model.
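The shared-controls model that this section, the Tier 2 description and the multi-framework pricing note all rely on is easy to reason about once it is written down as data. The following is an added example, not code from the original article or from GetCybr: a constructed control catalogue in which each control lists the frameworks that require it, plus a constructed evidence log. The framework names are real, but the control-to-framework mapping and the evidence dates are illustrative assumptions, not a real crosswalk of SOC 2, ISO 27001 or Cyber Essentials Plus. The functions show how much of a second or third framework is already covered by controls you are managing, and which in-scope controls have gone stale, which is the check a continuous-monitoring dashboard is really making.

```python
"""Shared-controls mapping across frameworks (added, illustrative example).

The control catalogue and evidence log are constructed for this example;
they are not a real control crosswalk for any framework.
"""
from datetime import date, timedelta

# Constructed catalogue: control id -> frameworks that require it.
CONTROLS = {
    "mfa-enforced":        {"SOC 2", "ISO 27001", "Cyber Essentials Plus"},
    "access-reviews":      {"SOC 2", "ISO 27001"},
    "change-management":   {"SOC 2", "ISO 27001"},
    "vendor-risk":         {"SOC 2", "ISO 27001"},
    "patching-sla":        {"ISO 27001", "Cyber Essentials Plus"},
    "firewall-config":     {"Cyber Essentials Plus"},
    "availability-sla":    {"SOC 2"},
    "isms-scope-document": {"ISO 27001"},
}

# Constructed evidence log: control id -> date evidence was last collected.
# Controls missing from this dict have no evidence on file at all.
EVIDENCE = {
    "mfa-enforced": date(2024, 5, 28),
    "access-reviews": date(2024, 3, 1),
    "change-management": date(2024, 5, 30),
    "patching-sla": date(2024, 5, 29),
    "firewall-config": date(2023, 11, 15),
}


def controls_for(frameworks):
    """Controls required by at least one of the given frameworks."""
    chosen = set(frameworks)
    return {c for c, fws in CONTROLS.items() if fws & chosen}


def shared_and_unique(frameworks):
    """Split in-scope controls into those required by two or more of the
    chosen frameworks (shared: one evidence set serves several audits) and
    those required by exactly one (unique: still need their own work)."""
    chosen = set(frameworks)
    in_scope = controls_for(chosen)
    shared = {c for c in in_scope if len(CONTROLS[c] & chosen) >= 2}
    return shared, in_scope - shared


def incremental_controls(existing, added):
    """Controls that adding framework `added` brings in beyond the
    frameworks in `existing`. This is the work the second or third
    framework actually costs, which is what the add-on price should reflect."""
    return controls_for([added]) - controls_for(existing)


def stale_controls(frameworks, today, max_age_days=90):
    """In-scope controls with no evidence, or evidence older than
    max_age_days. A continuous programme keeps this set empty."""
    cutoff = today - timedelta(days=max_age_days)
    return {c for c in controls_for(frameworks)
            if c not in EVIDENCE or EVIDENCE[c] < cutoff}


if __name__ == "__main__":
    scope = ["SOC 2", "ISO 27001"]
    shared, unique = shared_and_unique(scope)
    print(f"{scope}: {len(shared)} shared controls, {len(unique)} unique")
    print("Adding ISO 27001 to a SOC 2 client brings in:",
          sorted(incremental_controls(["SOC 2"], "ISO 27001")))
    print("Adding Cyber Essentials Plus on top brings in:",
          sorted(incremental_controls(scope, "Cyber Essentials Plus")))
    print("Stale as of 2024-06-01:",
          sorted(stale_controls(scope, date(2024, 6, 1))))
```

With the constructed catalogue, a SOC 2 client adding ISO 27001 picks up only two new controls, and adding Cyber Essentials Plus on top of both adds one more, which is the overlap argument behind charging an increment rather than a full per-framework rate. The staleness check is the piece that turns a one-time audit artefact into continuous monitoring: a control that is in scope but has no evidence, or evidence older than the review window, is what should surface on the monthly dashboard rather than in the pre-audit sprint.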
What the Revenue Looks Like
Here’s what a modest CaaS book of business looks like at 12 months:
- 4 Tier 1 clients at £2,000/month = £8,000 MRR
- 3 Tier 2 clients at £4,000/month = £12,000 MRR
- 2 Tier 3 clients at £7,500/month = £15,000 MRR
- Total: £35,000 MRR / £420,000 ARR
With a single compliance consultant and a GRC platform running £600–£800/month, your cost structure for the Tier 1 and Tier 2 clients is manageable at 8–12 hours per client per month in steady state. The Tier 3 clients require more senior time but justify the fee.
That’s a meaningful revenue line from one practice area, with high retention (compliance clients stay for years — switching compliance providers is painful), and a natural upsell path as clients grow and add framework requirements.
Building the Practice
The path to a CaaS practice looks like this:
- Months 1–3: Define your tier structure and scope. Select a GRC platform. Build your core policy library template. Run your first CaaS engagement with a friendly existing client at a reduced rate to refine your process.
- Months 3–6: Sign 3–5 clients. This is enough to validate the delivery model and identify where you need to invest in tooling or process. Start generating gap assessments as a pipeline tool.
- Months 6–12: Scale to 8–12 clients with one consultant. At this point, the model is proven and you can justify a dedicated compliance hire to grow the practice further.
The clients who build this practice now will own their market in three years. The compliance burden on SMBs is only heading one direction. MSPs that offer a credible, ongoing compliance service have a significant edge over those that still treat GRC as a one-time project.
Ready to Build Your CaaS Practice?
GetCybr gives MSPs the platform to deliver Compliance as a Service at scale — automated evidence collection, 50+ frameworks, client dashboards, and multi-framework controls mapping built for recurring engagements.
Book a demo to see how it works →
We’ll walk you through how the platform fits into a CaaS delivery model and what a 10-client book of business looks like operationally.