• 24 Mar 2026
  • MSP
  • SnapGRC Team

A practical guide for MSPs on how to onboard a client onto a compliance programme — from initial scoping to first review, without the chaos.

Compliance is becoming one of the most consistent conversations MSPs are having with clients. ISO 27001, Cyber Essentials, GDPR, supplier risk — questions that used to come up occasionally are now coming up in almost every client review. Clients are being asked for certifications by their own customers, by procurement teams, and increasingly by their insurers.

For MSPs this creates a straightforward opportunity. Your clients need help with compliance. You already have the trust relationship, the technical knowledge, and the visibility into their infrastructure. The only thing missing is a way to deliver it efficiently at a margin that makes sense.

How to Onboard a Client onto a Compliance Programme


Winning a compliance engagement is one thing. Delivering it smoothly from day one is another. A poorly managed onboarding creates confusion, delays, and erodes the client's confidence in you before you've had a chance to demonstrate value.

A well-structured onboarding, on the other hand, sets the tone for the entire engagement. It positions you as the expert, gives the client clarity on what to expect, and gets the programme moving quickly enough that the client sees early progress before they've had time to question whether they made the right decision.

This guide walks through a proven onboarding process for MSPs delivering compliance as a managed service — whether that's ISO 27001, Cyber Essentials, GDPR, or a combination of frameworks.

Before the onboarding call — preparation

The worst onboarding calls happen when the MSP turns up unprepared and uses the session to gather information they could have collected beforehand. Before you meet the client for the first onboarding session, do your homework.

Review everything you already know about the client. What do they do, how many staff do they have, what systems are they running, what do you already know about their infrastructure from your existing relationship? The more context you have going in, the more confident and credible you will appear.

Research the framework they're targeting. If they're going for Cyber Essentials, know the five technical control themes (firewalls, secure configuration, security update management, user access control, malware protection) inside out. If it's ISO 27001, understand the mandatory documents and the typical gap areas for businesses their size and sector. Your client is paying for your expertise — turn up with it.

Prepare a simple onboarding pack. This doesn't need to be elaborate — a one-page overview of the programme structure, key milestones, what you'll need from them, and who needs to be involved. Sending this ahead of the first call means the client arrives with context rather than questions.

The onboarding call — what to cover

The first formal onboarding session typically runs between 60 and 90 minutes. It should cover five things.

Scope definition

Before any compliance work can begin you need to agree what's in scope. For ISO 27001 this means defining the boundaries of the Information Security Management System — which parts of the business, which systems, which locations. For Cyber Essentials it means identifying the devices, networks, and services that will be included in the assessment.

Scope creep is one of the most common causes of compliance projects overrunning. Getting a clear, documented scope agreed at the start protects both you and the client.

Stakeholder mapping

Compliance programmes fail when they're treated as an IT project. The client needs to understand from day one that compliance touches every department — HR owns people controls, finance owns asset management, operations owns physical security, everyone owns acceptable use. Map out who needs to be involved and make sure the right people are in the room or are at least briefed.

Identify your key contact — the person you'll be working with day to day. This should be someone with enough seniority to make decisions and enough availability to respond when you need things from them. A compliance programme where you're waiting weeks for client responses won't deliver on time.

Gap analysis overview

Walk the client through what a gap analysis involves and set expectations on what it will reveal. Most clients approaching compliance for the first time have significant gaps — that's why they need you. Framing this early prevents the client being shocked or defensive when you come back with findings.

Explain that the gap analysis is not a criticism of how they've been operating — it's the foundation of the programme. You can't close gaps you haven't identified.

Programme timeline and milestones

Give the client a clear view of the journey ahead. Break the programme into phases — gap analysis, remediation, documentation, internal audit, certification — with approximate timescales for each. Even if the timescales shift as the programme progresses, having a framework prevents the engagement feeling open-ended and unstructured.

Be honest about what affects the timeline. The single biggest variable in how long a compliance programme takes is how quickly the client can provide information, complete actions, and make decisions. Make this explicit — the timeline is a shared responsibility.

Roles and responsibilities

Clarify what you will do and what the client needs to do. A common failure mode is the client assuming the MSP will handle everything and the MSP assuming the client will be more proactive than they are. Write it down. Who owns the risk register? Who writes the policies? Who organises the staff awareness training? Who signs off the documentation?

For smaller clients you will often end up doing more of the heavy lifting. For larger clients there may be an internal team involved. Either way the responsibilities need to be explicit from day one.

Phase one — the gap analysis

Once the onboarding call is complete, the first substantive piece of work is the gap analysis. This is where you assess the client's current state against the requirements of their target framework and identify what needs to be done to close the gaps.

For Cyber Essentials this is relatively straightforward — work through each of the five technical control themes and assess whether the client currently meets the requirements. For ISO 27001 it means reviewing the client against all 93 Annex A controls of ISO/IEC 27001:2022 and the mandatory requirements in clauses 4 to 10 of the standard.

Deliver the gap analysis findings in a clear, prioritised format. Group findings by theme or domain, indicate the severity of each gap, and give the client a sense of the remediation effort involved. The output of the gap analysis becomes the project plan for the rest of the programme.

Phase two — remediation and documentation

The remediation phase is where most of the work happens. Based on the gap analysis findings you will work with the client to close gaps — implementing missing controls, writing policies and procedures, configuring systems, training staff.

For most small business clients the documentation workload is significant. ISO 27001 requires a set of mandatory documents including the ISMS scope, the information security policy, the risk assessment and treatment methodology, the statement of applicability, the risk treatment plan, and various operational procedures and records. Many clients will have none of these in place at the start of the programme.

Batch the documentation work into logical groups and deliver it in phases rather than all at once. Overwhelming the client with twenty documents to review and sign off simultaneously leads to delays and superficial engagement with the content.

Phase three — evidence collection

One of the most common reasons compliance programmes stall is poor evidence collection. The client has implemented a control — they've enabled multi-factor authentication, they've deployed endpoint protection, they've conducted a supplier assessment — but they haven't kept any evidence that they did it.

Build evidence collection into the programme from the start rather than leaving it to the end. Every time a control is implemented, capture the evidence immediately. A screenshot, a configuration export, a completed questionnaire, a signed policy — whatever the auditor will want to see, collect it at the time.

If you're managing this across multiple clients the evidence management challenge multiplies quickly. A centralised platform that lets you attach evidence directly to controls and track what's been collected versus what's outstanding makes this significantly more manageable than chasing evidence across email threads and shared drives.
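Evidence is only useful to an auditor if it is dated, attributable and demonstrably unchanged since it was captured. The helper below is an added example, not SnapGRC code or any vendor's API: it records each artefact against a control with a SHA-256 hash, who collected it and when, reports which in-scope controls still have no evidence, and re-verifies the hashes later so a file edited after capture is flagged. The control identifiers (CE-* for the Cyber Essentials themes, A.5.10 for an Annex A control), the client name and the artefact files are constructed for illustration.

```python
"""Evidence capture with integrity hashes and an outstanding-evidence report.

Added example, not SnapGRC code. Control IDs, file names and the manifest
layout are assumptions for illustration only.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash the artefact so a later reviewer can prove it is unchanged."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_evidence(manifest: dict, control_id: str, artefact: Path,
                    collected_by: str, note: str = "") -> dict:
    """Append one entry: which control, which file, its hash, who and when."""
    entry = {
        "control": control_id,
        "file": artefact.name,
        "sha256": sha256_file(artefact),
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "note": note,
    }
    manifest.setdefault("evidence", []).append(entry)
    return entry


def verify_manifest(manifest: dict, evidence_dir: Path) -> list:
    """Return (control, problem) for entries whose file is missing or was modified."""
    problems = []
    for e in manifest.get("evidence", []):
        p = evidence_dir / e["file"]
        if not p.exists():
            problems.append((e["control"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            problems.append((e["control"], "modified"))
    return problems


def outstanding(manifest: dict, controls_in_scope: list) -> list:
    """Controls in scope that have no evidence attached yet."""
    covered = {e["control"] for e in manifest.get("evidence", [])}
    return [c for c in controls_in_scope if c not in covered]


def demo() -> dict:
    """Build a constructed evidence folder and manifest, then report on it."""
    workdir = Path(tempfile.mkdtemp(prefix="evidence-"))

    # Constructed stand-ins for a real MFA policy export and a signed policy PDF.
    (workdir / "mfa-policy-export.json").write_text('{"mfa_required": true}\n')
    (workdir / "acceptable-use-policy-signed.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")

    manifest = {"client": "Example Ltd (constructed)", "evidence": []}
    record_evidence(manifest, "CE-UAC", workdir / "mfa-policy-export.json",
                    "msp.engineer", "MFA enforced for all cloud accounts")
    record_evidence(manifest, "A.5.10", workdir / "acceptable-use-policy-signed.pdf",
                    "msp.engineer", "AUP signed by the managing director")

    # Assumed in-scope control list: the five CE themes plus one Annex A control.
    in_scope = ["CE-FW", "CE-SC", "CE-SUM", "CE-UAC", "CE-MP", "A.5.10"]
    clean = verify_manifest(manifest, workdir)

    # Simulate someone editing the export after it was captured.
    (workdir / "mfa-policy-export.json").write_text('{"mfa_required": false}\n')
    tampered = verify_manifest(manifest, workdir)

    (workdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return {"outstanding": outstanding(manifest, in_scope),
            "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports four CE themes still without evidence, a clean verification straight after capture, and a `modified` flag on CE-UAC once the export is edited. Keeping the manifest next to the artefacts (or in a platform that stores the hash with the upload) lets the client show the auditor when each control was evidenced and that nothing has been altered since.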

Phase four — internal audit and management review

Before an external certification audit, ISO 27001 requires an internal audit and a management review. These are not formalities — they are genuine checks that the ISMS is working as intended.

The internal audit involves reviewing the controls that have been implemented and checking that they are operating effectively. As the MSP delivering the programme you can conduct this on behalf of the client, or help them build the capability to do it themselves.

The management review is a meeting with the client's senior leadership to review the performance of the ISMS, consider any changes to the business or its context, and confirm commitment to the programme going forward. Make sure the right people attend — this is a leadership conversation, not an IT conversation.

Phase five — certification and beyond

Once the internal audit and management review are complete the client is ready for their external certification audit. Help them select a UKAS-accredited certification body, prepare them for what the Stage 1 and Stage 2 audits involve, and support them through the process.

Certification is not the end of the engagement — it's the beginning of the ongoing managed service. ISO 27001 requires annual surveillance audits and a full recertification every three years. Cyber Essentials renews annually. GDPR compliance is continuous. Your value as an MSP is in helping the client maintain their compliance posture over time, not just achieve it once.

Managing the programme efficiently

If you're delivering compliance programmes across multiple clients simultaneously, the administrative overhead can quickly become the bottleneck. Tracking which clients are at which phase, which controls have been implemented, which evidence has been collected, which reviews are due — across separate spreadsheets for each client — is unsustainable at any meaningful scale.

SnapGRC is built for exactly this use case. The platform gives MSPs a multi-tenant dashboard to manage multiple client compliance programmes from one place — tracking controls, collecting evidence, managing risk registers, sending supplier questionnaires, and monitoring progress across all your clients simultaneously. If you're delivering compliance as a managed service and want to see how the platform works, book a free 20-minute demo or visit the SnapGRC website to learn more.