Blog / Compliance
A practical guide to SOC 2 and NIST CSF for MSPs (and what "compliance tracking" should mean)
SOC 2 and NIST CSF show up constantly in MSP sales conversations, usually because a prospective client's own compliance requirements flow downstream to their vendors. If your client answers to HIPAA, PCI-DSS, or a state-level framework, so do you, whether or not you signed up for it explicitly.
The trap a lot of "compliance" tooling falls into is treating this as a static checklist: a list of controls, a checkbox for each, done. That tells you almost nothing useful, because a checked box doesn't tell you whether the control is actually implemented, partially implemented, or just aspirational.
What a real posture dashboard needs
- A three-state model per control at minimum — implemented, partial, planned — not a binary checkbox that can't represent "we started this."
- Evidence tied to the control, not filed separately — a screenshot, a config export, a policy doc, linked to the specific requirement it satisfies.
- Live posture, not a point-in-time snapshot — a control that was implemented six months ago and quietly regressed should show up as regressed, not still green.
- A rollup that a non-technical stakeholder can read — a board member or a client's compliance officer needs the summary, not the control-by-control detail, in the room.
Where the Quarterly Business Review fits
The QBR is where posture tracking earns its keep. Instead of a tech manually assembling slides from memory the night before a client meeting, the review should build itself from the same live data the posture dashboard already has — the controls in place, the gaps still open, the incidents (if any) and how they were handled, and the trend since the last review.
We say this as a design principle we hold ourselves to, not a feature we're claiming is finished: a compliance module isn't "done" when the sample data renders convincingly in a demo. It's done when the real evidence-ingestion path exists and is tested against real client environments. If you ever see a Nexus compliance screen showing more coverage than that, ask us directly — we'd rather be told than let it stand.