MSP Security: Are Certifications Worth It?

January 30th, 2017

Given the buzz about security being the next big opportunity for MSPs, it only makes sense to look at how an MSP can position itself to take advantage of this opportunity. We have written in our series on MSP security about the size of the opportunity, and Incrementa’s Mike Knapp contributed his views on five easy ways to bolster your security practice.

Let’s not forget that there is also the question of certifications. Specifically, are certifications a worthwhile investment?

Benefits of certification

Certifications can be useful in a couple of different ways. First, they help you to establish credibility with your customers. Security certifications represent third-party verification of your security infrastructure and practices. They show that you practice what you preach, and that you are good at what you’re selling to them. If there’s one thing that’s important when selling security, it’s trust, and third-party certification is a great way to establish that trust. And you can sell trust to prospects as well, which means security certifications can be a pathway to growth.

The other major benefit is that security certifications can allow an MSP to target specific industries that require a higher level of security. Health care is one such industry, where Health Insurance Portability and Accountability Act (HIPAA) rules demand a high level of security to protect patient privacy in electronic health records. The right certifications can open up a lot of new business opportunities.

Types of certification

MSPs can choose from a variety of certifications. A couple of common ones are SSAE 16 SOC 1, Type 2; and SOC 2, Type 2. A lot of potential clients specifically require these certifications, so while they are costly to obtain, they have the potential to open up a lot of new business for a growth-oriented MSP. The International Standards Organization has a couple of security certifications, ISO 27001 and ISO 27002.

HIPAA: no magic bullet

HIPAA compliance is especially tricky. For MSPs that want to get into the health care game, compliance is essential, yet there is no magic-bullet certification. Rather, an MSP must demonstrate a high level of infrastructure and day-to-day operational best practices. Usually an auditor specializing in HIPAA will be able to evaluate your business and ensure that you are compliant with the different rules in this complex law.

High level of competency

The reality is that you don’t need third-party certification to run a secure business. But certification helps. The audits will illustrate where you are deficient — forcing you to improve — and the certification itself is a marketing tool to help you build trust. In some cases, certifications are required to enter a particular market. For MSPs looking to get an edge, security certifications are not just a cost, but an opportunity to stake out new business in an increasingly competitive marketplace.

