A Signal of Trust in a Crowded Market
In a field where every MSP says they offer “secure” or “compliant” solutions, third-party accreditation, where available, is one of the few tools that separates marketing from reality. It demonstrates that a provider is meeting a globally recognized framework, validated by an external body with no stake in the outcome. It also shows that controls are in place, that processes are consistently followed, and that any claims can be backed by evidence.
While ISO/IEC 27001 remains one of the most globally recognized frameworks, others such as SOC 2, NIST 800-53, the CPCSC, and CCCS SMB Baseline Profile are also common. Not all frameworks offer a formal certification or accreditation process, so it’s important to understand what a given standard actually reflects and what level of oversight it includes.
Inside ISO/IEC 27001: What It Covers and Why It Matters
Among the most trusted frameworks in the industry is ISO/IEC 27001, the international standard for information security management systems (ISMS). ISO 27001 outlines 109 detailed controls across administrative, personnel, physical, and technical domains. The standard is split into several categories, each with real-world implications for how an MSP supports clients.
Organizational and Administrative Controls
This section governs the internal structure of the provider, including inventory and asset management, documented policies, change management, access rights, role definition, and business continuity planning. The related controls establish a formalized framework for managing operational risk and ensuring consistency in day-to-day activities.
Personnel and Human Resource Controls
Here, the focus shifts to the people behind the platform. Requirements include pre-employment background checks, confidentiality agreements, onboarding and offboarding protocols, and remote work safeguards. The goal is to ensure that staff are properly screened, trained, and supported to handle sensitive systems responsibly.
Physical Security Controls
These controls govern access to physical infrastructure, such as data centers, secure office spaces, and server rooms, as well as surveillance, visitor logging, and facility-level protections. For MSPs working with sensitive data or public-sector clients, physical security controls form a critical layer of defense.
Technical Controls
This is perhaps the most widely recognized category, encompassing everything from encryption and endpoint protection to vulnerability scanning, identity management, monitoring, and logging. Each control must be formally addressed, and each claim must be backed by documented procedures and audit-ready evidence.
Once certified, the MSP enters a three-year cycle: a full certification audit in year one, followed by annual surveillance audits conducted by an accredited third-party registrar. Additional internal audits are required and usually performed by an independent consultant to identify gaps, test controls, and maintain readiness year-round.
The certification process is both rigorous and labor-intensive. Preparing for an audit can take weeks of focused internal work, in addition to continuous documentation, internal monitoring, and process improvements throughout the year. Every control is reviewed not only for its existence but for its effectiveness. Even seemingly simple controls often involve multiple layers of review. A remote work policy, for example, might need to account for device hardening, VPN configuration, identity management, session timeout, and user training along with the logs and change history to prove that each of these controls is functioning.
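The distinction drawn above between a control existing and a control being effective is what an auditor probes with evidence. The following is an added example, not FSET’s code or any auditor’s tooling, showing how a provider might score evidence for the remote-work sub-controls named in the text: a control is “effective” only when its configuration meets policy and recent logs show it operating. The control identifiers (RW-01 to RW-04), the log format, and all sample data are constructed for illustration.

```python
"""Added example: scoring audit evidence for remote-work controls.

A control counts as "effective" only if (a) the captured configuration
meets the written policy and (b) a log entry shows the control operating
within the evidence window. Configuration alone yields
"implemented-unproven"; a configuration gap yields "gap".
All identifiers, log lines and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Control:
    control_id: str            # hypothetical internal identifier
    description: str
    policy_statement: str
    config_ok: bool            # does the captured configuration meet the policy?
    evidence_pattern: str      # substring an enforcement log line must contain
    max_evidence_age_days: int = 30


# Constructed control set for a remote-work policy (hypothetical IDs).
CONTROLS = [
    Control("RW-01", "Session timeout on remote endpoints",
            "Idle sessions lock after 15 minutes",
            config_ok=True, evidence_pattern="session locked after idle"),
    Control("RW-02", "VPN required for internal systems",
            "All remote access to internal systems goes through the corporate VPN",
            config_ok=True, evidence_pattern="vpn tunnel established"),
    Control("RW-03", "Full-disk encryption on laptops",
            "All laptops are full-disk encrypted",
            config_ok=True, evidence_pattern="disk encryption verified"),
    Control("RW-04", "Endpoint protection agent installed",
            "All endpoints run the managed endpoint protection agent",
            config_ok=False, evidence_pattern="endpoint agent heartbeat"),
]

# Constructed sample log lines: ISO-8601 UTC timestamp, host, message.
SAMPLE_LOGS = """\
2024-05-02T09:14:03Z laptop-07 session locked after idle timeout (15m)
2024-05-02T09:15:10Z laptop-07 vpn tunnel established to vpn.example.internal
2024-03-01T08:00:00Z laptop-03 disk encryption verified by compliance agent
"""


def parse_timestamp(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_logs(text: str):
    """Split log lines into (timestamp, host, message) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, msg = line.split(" ", 2)
        entries.append((parse_timestamp(ts), host, msg))
    return entries


def assess(control: Control, logs, as_of: datetime) -> str:
    """Return 'effective', 'implemented-unproven', or 'gap' for one control."""
    if not control.config_ok:
        return "gap"
    cutoff = as_of - timedelta(days=control.max_evidence_age_days)
    recent = [e for e in logs
              if control.evidence_pattern in e[2].lower() and e[0] >= cutoff]
    return "effective" if recent else "implemented-unproven"


def audit_report(controls, log_text: str, as_of: str) -> dict:
    """Score every control as of the given ISO-8601 date string."""
    logs = parse_logs(log_text)
    now = parse_timestamp(as_of)
    return {c.control_id: assess(c, logs, now) for c in controls}


if __name__ == "__main__":
    for cid, status in audit_report(CONTROLS, SAMPLE_LOGS, "2024-05-15T00:00:00Z").items():
        print(f"{cid}: {status}")
```

Run as of 2024-05-15, RW-01 and RW-02 score “effective”, RW-03 scores “implemented-unproven” because its only evidence is older than the 30-day window, and RW-04 scores “gap”. The point is the middle state: a configured control with stale or missing logs is exactly what an auditor will flag, so evidence collection has to run continuously rather than be assembled before the audit.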
Although ISO certification is a meaningful differentiator, it does not prescribe which specific technologies or tools a provider must use. Instead, it requires that each control be selected based on documented risk, implemented in policy, and supported by evidence. In practice, certification demonstrates that a formal structure is in place, one that has been independently audited and maintained through ongoing internal and external review. It also shows a significant investment of time, resources, and organizational commitment to risk management.
When comparing multiple certified MSPs, it’s helpful to ask how key controls have been implemented and whether their approach aligns with the level of protection your business requires. Even with the same certification, providers may tailor controls differently based on client needs, industry demands, and risk assessments.
ITSG-33: Canada’s Highest Standard for Secure IT Services
For organizations in Canada’s public sector (or those serving public-sector clients), ISO 27001 alone is not enough. The Government of Canada relies on its own security framework, ITSG-33, developed by the Canadian Centre for Cyber Security, which outlines how government departments and service providers must manage IT security risk throughout the system lifecycle.
The ITSG-33 framework centers on two key components:
- Security Control Profiles (SCPs): A catalog of safeguards across 13 control families, including access control, audit and accountability, configuration management, and incident response. These profiles help determine which security controls must be implemented based on the sensitivity of the system and its use case.
- Security Assessment & Authorization (SA&A): A process that requires documented evidence of how controls are implemented, tested, and reviewed. For service providers, it means being prepared to demonstrate compliance to external auditors or clients at any time.
There is no formal certification for ITSG-33. However, FSET voluntarily aligns its internal practices to the framework to support public-sector clients and others in regulated industries. While ISO 27001 validates that FSET has an audited, documented, and accountable system of internal controls, ITSG-33 reflects how that system aligns to Canadian public-sector expectations.