This industry-recognized compliance program consists of a couple of hundred controls that measure the level of detail and accuracy with which a company is doing the things theyre supposed to be doing. For instance: When you get a new user, do you onboard them correctly and consistently? When somebody leaves the company, do you disable their account right away? Do you patch your servers on a regular basis?

Do you have a risk management program? No company that implements these controls is 100% secure, but its a feather in their cap and a sign that theyre at least taking their controls seriously. On top of that, they should be bringing in an external auditor (as opposed to an IT specialist) and challenging them to find evidence of gaps in security controls that are purportedly in place according to documentation. That way a report can be generated by an impartial third party and customers have more peace of mind.

Everyone should be doing this, not just your MSP. Its a very basic step, but it is absolutely a best practice. In the past, it was not uncommon to have an administrator account for which everyone had the password. When somebody left the company, you had to go in and change that password. A better way is to set upnamedaccounts, each protected by multi-factor authentication that allows only that individual to gain access to a given environment. This goes for internal company employees and external MSPs that manage the environment.

More info: Managed Help Desk Services