Standards Management
Manage compliance standards and regulatory requirements from a single pane of glass. OpsPilot365 Trust Center ships with built-in support for major industry standards and allows you to create custom standards tailored to your MSP’s clients. Map standards to controls, run gap analyses, and generate coverage reports for auditors.
Note: Many MSP clients must comply with multiple standards simultaneously. Trust Center’s standard-to-control mapping lets a single implemented control count toward requirements in several standards at once, so the evidence is collected once and reused. For example, enforcing MFA is mapped to access-control requirements in SOC 2, HIPAA, NIST 800-171, CIS, CMMC, and ISO 27001. Most requirements map to more than one control, though (SOC 2 CC6.1 in the mapping table below maps to three), so a shared control reduces redundant work and audit preparation time without closing a requirement by itself.
Standards Overview
| Metric | Value |
|---|---|
| Built-in Standards | 7 |
| Custom Standards | 3 |
| Average Coverage | 82% |
| Open Gaps | 14 |
Built-in Standards
OpsPilot365 includes pre-configured standards with requirements already mapped to Microsoft 365 controls. Each standard is maintained and updated as regulatory requirements evolve.
| Standard | Description | Coverage | Requirements Met |
|---|---|---|---|
| SOC 2 Type II | Service Organization Control — Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) | 85% | 162/190 |
| ISO 27001:2022 | International Standard for ISMS — Annex A controls across 4 themes: Organizational, People, Physical, Technological | 79% | 73/93 |
| NIST 800-171 Rev 2 | Protecting CUI in Nonfederal Systems — 14 control families: Access Control, Audit and Accountability, Awareness and Training, Configuration Management, and more | 72% | 80/110 |
| HIPAA | Health Insurance Portability and Accountability Act — Administrative, Physical, and Technical Safeguards for ePHI protection | 88% | 110/125 |
| GDPR | General Data Protection Regulation — Data subject rights, lawful processing, breach notification, DPO requirements | 76% | 65/85 |
| CIS Microsoft 365 Benchmarks | Center for Internet Security — Level 1 (essential) and Level 2 (defense-in-depth) benchmarks for M365 services | 91% | 109/120 |
| CMMC Level 2 | Cybersecurity Maturity Model Certification — 110 practices across 14 domains, aligned with NIST 800-171 for DoD contractors | 68% | 75/110 |
Custom Standard Creation
Create custom compliance standards for industry-specific, client-specific, or internal MSP requirements. Custom standards support the same control mapping, evidence linking, and gap analysis as built-in standards.
Note: Use cases for custom standards include client-specific security policies that go beyond regulatory requirements, MSP internal security baselines applied across all managed tenants, industry frameworks not yet included in built-in standards, cyber insurance policy requirements mapped to technical controls, and state-specific privacy regulations (CCPA, SHIELD Act, etc.).
| Field | Required | Description |
|---|---|---|
| Standard Name | Yes | Display name (e.g., “Acme Corp Security Baseline”) |
| Version | Yes | Version identifier for tracking changes (e.g., “v2.1”) |
| Description | Yes | Purpose and scope of the standard |
| Categories | No | Organizational groupings for requirements (e.g., “Access Control”, “Data Protection”) |
| Requirements | Yes | Individual requirements with unique IDs, descriptions, and control mappings |
| Applicable Tenants | No | Scope to specific tenants or apply globally (default: all tenants) |
| Review Cycle | No | How frequently the standard should be reviewed (quarterly, semi-annual, annual) |
Standard-to-Control Mapping
Each requirement within a standard is mapped to one or more controls in the Controls Library. This mapping is the foundation for automated compliance assessment and gap analysis.
| Standard Requirement | Mapped Controls | Assessment Result |
|---|---|---|
| SOC 2 CC6.1 — Logical Access | TC-AC-001 (MFA), TC-AC-002 (Legacy Auth Block), TC-AC-003 (Conditional Access) | Satisfied |
| HIPAA 164.312(a)(1) — Access Control | TC-AC-001 (MFA), TC-AC-004 (RBAC), TC-AC-005 (PIM) | Satisfied |
| NIST SC-7 — Boundary Protection | TC-NS-001 (Named Locations), TC-DP-001 (DLP), TC-NS-002 (Connectors) | Partial |
| CIS 5.2 — Enable Mailbox Auditing | TC-LM-001 (Unified Audit), TC-LM-002 (Mailbox Audit) | Satisfied |
| CMMC SC.L2-3.13.1 — Monitor Communications | TC-LM-003 (Threat Detection), TC-DP-002 (Email Encryption) | Gap |
Gap Analysis and Coverage Reports
- Gap Analysis Report — Lists every requirement that is not fully satisfied, grouped by standard. Includes the missing controls, remediation steps, estimated effort, and which tenants are affected. Prioritized by risk severity and number of affected tenants. Links to OpsPilot365 remediation workflows. Exportable as PDF for client or auditor review.
- Coverage Report — Shows the percentage of each standard’s requirements that are currently satisfied. Broken down by category, tenant, and control type (technical vs. administrative). Per-tenant coverage heatmap across standards. Trend lines showing coverage improvement over time. Exportable as CSV for spreadsheet analysis.
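The mapping table above, the control-reuse note at the top of the page, and the gap and coverage reports can be seen working together in the following added example. It is not OpsPilot365 code: the requirement and control identifiers are taken from the mapping table, while the tenant names, the per-tenant sets of implemented controls and the status rule (every mapped control implemented gives Satisfied, some give Partial, none give Gap) are assumptions made for illustration.

```python
"""Control-reuse assessment: derive requirement status, coverage and a
prioritised gap report from standard-to-control mappings.

Added example, not OpsPilot365 code. Requirement and control IDs come
from the mapping table on this page; tenant names, implemented-control
sets and the Satisfied/Partial/Gap rule are constructed assumptions.
"""
from collections import defaultdict

# Standard -> requirement -> mapped controls (IDs from the mapping table).
STANDARDS = {
    "SOC 2": {"CC6.1": ["TC-AC-001", "TC-AC-002", "TC-AC-003"]},
    "HIPAA": {"164.312(a)(1)": ["TC-AC-001", "TC-AC-004", "TC-AC-005"]},
    "NIST": {"SC-7": ["TC-NS-001", "TC-DP-001", "TC-NS-002"]},
    "CIS M365": {"5.2": ["TC-LM-001", "TC-LM-002"]},
    "CMMC L2": {"SC.L2-3.13.1": ["TC-LM-003", "TC-DP-002"]},
}

# Constructed sample data: controls each managed tenant has implemented.
TENANT_CONTROLS = {
    "contoso": {"TC-AC-001", "TC-AC-002", "TC-AC-003", "TC-AC-004", "TC-AC-005",
                "TC-NS-001", "TC-NS-002", "TC-LM-001", "TC-LM-002"},
    "fabrikam": {"TC-AC-001", "TC-LM-001", "TC-LM-002"},
}


def requirement_status(mapped_controls, implemented):
    """Assumed rule: Satisfied when every mapped control is implemented,
    Partial when only some are, Gap when none are."""
    hits = sum(1 for c in mapped_controls if c in implemented)
    if hits == len(mapped_controls):
        return "Satisfied"
    return "Partial" if hits else "Gap"


def assess(standards, tenant_controls):
    """Return {tenant: {standard: {requirement: status}}}."""
    return {
        tenant: {
            std: {req: requirement_status(ctrls, implemented)
                  for req, ctrls in reqs.items()}
            for std, reqs in standards.items()
        }
        for tenant, implemented in tenant_controls.items()
    }


def coverage(assessment, tenant):
    """Percentage of the tenant's requirements, across all standards,
    that are fully Satisfied (Partial does not count)."""
    statuses = [s for reqs in assessment[tenant].values() for s in reqs.values()]
    return round(100 * statuses.count("Satisfied") / len(statuses), 1)


def gap_report(standards, tenant_controls):
    """Every requirement not fully satisfied in some tenant, with the
    missing controls per tenant, most-affected requirements first."""
    rows = []
    for std, reqs in standards.items():
        for req, ctrls in reqs.items():
            missing = {tenant: [c for c in ctrls if c not in implemented]
                       for tenant, implemented in tenant_controls.items()}
            missing = {t: m for t, m in missing.items() if m}
            if missing:
                rows.append({"standard": std, "requirement": req,
                             "affected_tenants": sorted(missing),
                             "missing_controls": missing})
    rows.sort(key=lambda r: (-len(r["affected_tenants"]), r["standard"], r["requirement"]))
    return rows


def control_reuse(standards):
    """Map each control to the (standard, requirement) pairs it serves;
    a control listed under several standards is evidence reused across them."""
    reuse = defaultdict(list)
    for std, reqs in standards.items():
        for req, ctrls in reqs.items():
            for c in ctrls:
                reuse[c].append((std, req))
    return dict(reuse)


if __name__ == "__main__":
    result = assess(STANDARDS, TENANT_CONTROLS)
    for tenant in TENANT_CONTROLS:
        print(f"{tenant}: {coverage(result, tenant)}% of requirements satisfied")
    for row in gap_report(STANDARDS, TENANT_CONTROLS):
        print(f"{row['standard']} {row['requirement']}: "
              f"{len(row['affected_tenants'])} tenant(s) affected")
    print("TC-AC-001 (MFA) serves:", control_reuse(STANDARDS)["TC-AC-001"])
```

With the constructed data the script reports contoso at 60% and fabrikam at 20% coverage, lists the two requirements open in both tenants first, and shows TC-AC-001 serving both the SOC 2 and the HIPAA requirement. Coverage counts only fully Satisfied requirements, which is why a shared control such as MFA lifts several standards at once but does not by itself move a multi-control requirement out of Partial.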
Standard Lifecycle Management
| Lifecycle Stage | Description | Actions Available |
|---|---|---|
| Draft | Standard is being configured; not yet active | Edit requirements, map controls, assign tenants |
| Active | Standard is live and being assessed continuously | Run assessments, generate reports, track gaps |
| Under Review | A new version is available; current version still active | Compare versions, plan migration, update mappings |
| Deprecated | Replaced by a newer version; historical data retained | View historical reports, export audit records |
Best Practices
- Start with CIS Benchmarks — CIS Microsoft 365 Benchmarks are the most directly actionable standard for M365 environments. Most recommendations correspond to a single, auditable configuration setting, making them ideal for establishing a technical security baseline before layering on regulatory standards.
- Create an MSP Baseline Standard — Define a custom standard that represents your MSP’s minimum security requirements. Apply it across all tenants as a universal baseline, then layer client-specific regulatory standards on top.
- Leverage Control Reuse — When a client requires a new standard, check how many of its requirements are already satisfied by existing controls. High reuse rates reduce implementation effort significantly and can be highlighted in client proposals.
- Schedule Quarterly Gap Reviews — Run formal gap analysis reports quarterly and share them with client stakeholders. This demonstrates continuous compliance improvement and justifies ongoing MSP security services.
- Track Regulatory Updates — Subscribe to OpsPilot365 notifications for built-in standard updates. When a standard is revised (e.g., NIST 800-171 Rev 3), review the version comparison to identify new or changed requirements and update your control mappings accordingly.
API Reference
- GET /api/addons/trust-center/standards — List all standards (built-in and custom) with coverage percentages
- GET /api/addons/trust-center/standards/:standardId — Get detailed standard information including all requirements and mappings
- POST /api/addons/trust-center/standards — Create a new custom standard with requirements and control mappings
- PUT /api/addons/trust-center/standards/:standardId — Update a custom standard’s requirements, mappings, or metadata
- GET /api/addons/trust-center/standards/:standardId/requirements — List all requirements for a standard with their satisfaction status
- GET /api/addons/trust-center/standards/:standardId/gaps — Run gap analysis returning unsatisfied requirements with remediation guidance
- GET /api/addons/trust-center/standards/:standardId/coverage — Get coverage report broken down by category, tenant, and control type
- POST /api/addons/trust-center/standards/:standardId/requirements/:reqId/controls — Map a control to a specific standard requirement
- GET /api/addons/trust-center/standards/:standardId/versions — List version history for a standard with change summaries
- GET /api/addons/trust-center/standards/export/:standardId — Export standard assessment as PDF, CSV, or auditor-ready package
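Putting the custom-standard field table and the endpoints above together, the following added example (not OpsPilot365 client code) builds a standard definition from the documented fields, checks the required fields and the uniqueness of requirement IDs before sending anything, creates the standard with POST, maps a control to one of its requirements, and fetches the gap report. Only the endpoint paths come from this page; the base URL, the bearer-token header, the snake_case JSON field names and the response bodies are assumptions, and the transport is a constructed offline stand-in so the script runs without a tenant.

```python
"""Driving the Trust Center standards endpoints from Python.

Added example, not OpsPilot365 client code. Endpoint paths are from the
API reference on this page; base URL, bearer auth, snake_case JSON keys
and response shapes are assumptions, and FakeOpener is a constructed
offline transport used in place of a real HTTP opener.
"""
import io
import json
import urllib.parse
import urllib.request

BASE = "/api/addons/trust-center/standards"
REQUIRED_FIELDS = ("name", "version", "description", "requirements")


class TrustCenterClient:
    def __init__(self, base_url, token, opener=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.opener = opener or urllib.request.build_opener()

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")  # assumed auth scheme
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with self.opener.open(req) as resp:
            return json.loads(resp.read().decode())

    def list_standards(self):
        return self._call("GET", BASE)

    def create_standard(self, standard):
        # Required fields and unique requirement IDs per the field table;
        # reject locally instead of relying on the server's error message.
        missing = [f for f in REQUIRED_FIELDS if not standard.get(f)]
        if missing:
            raise ValueError(f"missing required fields: {missing}")
        ids = [r["id"] for r in standard["requirements"]]
        if len(ids) != len(set(ids)):
            raise ValueError("requirement IDs must be unique")
        return self._call("POST", BASE, standard)

    def map_control(self, standard_id, req_id, control_id):
        # Requirement IDs such as "164.312(a)(1)" must be escaped in the path.
        req_part = urllib.parse.quote(req_id, safe="")
        path = f"{BASE}/{standard_id}/requirements/{req_part}/controls"
        return self._call("POST", path, {"control_id": control_id})

    def gaps(self, standard_id):
        return self._call("GET", f"{BASE}/{standard_id}/gaps")


def build_baseline():
    """Custom MSP baseline using the fields from the table above (keys assumed)."""
    return {
        "name": "Acme Corp Security Baseline",
        "version": "v2.1",
        "description": "Minimum controls applied to every managed tenant",
        "categories": ["Access Control"],
        "requirements": [
            {"id": "ACME-AC-1", "category": "Access Control",
             "description": "MFA enforced for all users", "controls": ["TC-AC-001"]},
            {"id": "ACME-AC-2", "category": "Access Control",
             "description": "Legacy authentication blocked", "controls": ["TC-AC-002"]},
        ],
        "applicable_tenants": [],  # empty: apply globally (the page's default)
        "review_cycle": "quarterly",
    }


class FakeOpener:
    """Constructed offline stand-in for urllib's opener: records each
    request as (method, path, body) and answers from canned JSON."""

    def __init__(self, responses):
        self.responses = responses
        self.calls = []

    def open(self, req):
        path = urllib.parse.urlsplit(req.full_url).path
        body = json.loads(req.data) if req.data else None
        self.calls.append((req.get_method(), path, body))
        reply = self.responses.get((req.get_method(), path), {})
        return io.BytesIO(json.dumps(reply).encode())


def demo():
    """Create the baseline, map a control, pull gaps; returns (calls, gaps)."""
    canned = {
        ("POST", BASE): {"id": "std-custom-1"},
        ("GET", f"{BASE}/std-custom-1/gaps"): {
            "gaps": [{"requirement": "ACME-AC-2", "missing_controls": ["TC-AC-002"]}]},
    }
    fake = FakeOpener(canned)
    client = TrustCenterClient("https://opspilot.example", "demo-token", opener=fake)
    created = client.create_standard(build_baseline())
    client.map_control(created["id"], "ACME-AC-2", "TC-AC-002")
    return fake.calls, client.gaps(created["id"])


if __name__ == "__main__":
    calls, gap_result = demo()
    for method, path, _ in calls:
        print(method, path)
    print(json.dumps(gap_result, indent=2))
```

Swap FakeOpener for the default urllib opener (or any object with an `open(request)` method that returns a readable response) to talk to a real deployment; the validation in `create_standard` and the path escaping in `map_control` are the parts worth keeping regardless of transport.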