ISO 27001 Compliance Checklist 2026: Get Certified Now

ISO 27001 Compliance Checklist 2026: Get Certified Now

Stop guessing on your ISO 27001 compliance path. The standard changed in a big way in 2022, cutting Annex A from 114 controls to 93 and reorganizing them into four themes: Organizational, People, Physical, and Technological, which means old spreadsheets and recycled checklists are already outdated (ISO 27001 certification checklist details). For MSPs, vCISOs, GRC firms, CPAs, and other resellers, that matters because clients expect clear answers, fast execution, and no wasted motion.

Traditional compliance projects drag because too many providers bury clients in paperwork, overcharge for weak testing, and show up late with generic reports. That model doesn't work when you're trying to guide a client through ISO 27001, SOC 2, HIPAA, or PCI DSS at the same time. You need a practical roadmap that ties policy, evidence, risk assessment, and technical validation together.

This is that roadmap. It's built for channel partners who need to move fast, stay affordable, and deliver work under their own brand without conflict. We'll keep it simple, show where pentest, pen test, penetration test, and penetration testing fit into the process, and focus on what auditors expect to see.

Physical security still matters too. If your client runs racks, offices, or shared facilities, fold in practical enterprise data center security guidance alongside your cyber controls so the ISMS reflects real operations instead of a fantasy environment.

Define Your Information Security Policy Framework

Your policy framework decides whether ISO 27001 becomes a working management system or a pile of audit documents. MSPs and vCISOs that get this right move faster, collect cleaner evidence, and avoid the rework that kills margin.

ISO 27001:2022 expects a defined ISMS and documented policies that support scope, risk treatment, applicability decisions, and day-to-day control execution. You also need a clear document set that auditors can trace back to how the client operates, not a generic template library copied from the last engagement (mandatory ISO 27001 documents overview).

A professional team collaborating on a risk assessment project in a modern office meeting room setting.

Build Policies People Can Actually Use

Write policies around the client's real environment. A healthcare MSP needs language for PHI handling, remote support boundaries, workforce access approvals, and vendor controls. A CPA firm needs rules for financial records, client portals, retention, and secure file exchange. A SaaS client needs documented expectations for production access, logging, change control, and secure configuration.

Keep the first version tight. Plain English wins. Named owners win. Policies tied to real workflows win.

  • Define scope first: List the systems, teams, locations, services, and data types inside the ISMS.
  • Assign accountable owners: Name who maintains each policy, who approves it, and who gathers evidence.
  • Match policy to reality: If the client uses Microsoft 365, Azure, Okta, CrowdStrike, or Google Workspace, the policy should say so.
  • Standardize without cloning: White-labeled templates help channel partners scale, but each client version still needs client-specific systems, roles, and exceptions.

A policy nobody can explain will fail in interviews. Auditors ask operations staff, HR, IT, and managers simple questions. If the answers conflict with the written policy, your documentation loses value fast.

Leadership support affects speed and follow-through. Konfirmity's ISO 27001 readiness benchmark guide points to executive backing as a major factor in readiness because it clears budget, ownership, and decision bottlenecks. If leadership treats ISO 27001 as an IT admin project, approvals stall, evidence stays incomplete, and risk treatment drifts.

For MSPs and vCISOs, this is also where you protect delivery quality. Set the policy structure so it supports later validation work, including white-labeled manual testing. A manual pentest does not replace policy, but it does confirm whether the written rules around access, segmentation, remote access, and change control hold up in the actual environment. If you need a clean way to connect policy decisions to later control testing, use this risk assessment methodology for security programs.

Conduct a Comprehensive Risk Assessment

Risk assessment is where ISO 27001 stops being theory. You're identifying what can go wrong, what matters most, and which controls belong in the environment.

For MSPs and vCISOs, this is also where you separate real exposure from scanner noise. A good penetration test doesn't replace a risk assessment, but it gives technical proof that a risk is exploitable, not just possible.

A person using an employee identification badge to access a secure door via a digital card reader.

Tie Risks to Real Assets

Start with assets your client relies on. Customer data in Microsoft 365, backups in Azure, RMM tooling, VPN access, cloud workloads, laptops, office access points, and third-party platforms all belong on the table.

Then map threats and weaknesses to each one. For a healthcare client, that might mean exposed remote access and mishandled PHI. For a law or finance client, it may be weak privileged access around document systems and email.

Use a documented method and stick to it. If you need a cleaner way to structure that process, use this guide to risk assessment methodology.

  • Interview multiple teams: Security, operations, HR, compliance, and leadership see different risks.
  • Document assumptions: Auditors will ask why a risk was rated high, medium, or low.
  • Reassess after major change: New cloud platforms, mergers, office moves, and client onboarding all change exposure.
  • Add manual pentesting: A manual pentest or pen testing engagement helps validate whether external attack paths, privilege escalation paths, or web flaws are reachable.

A financial services MSP might discover that backup admin accounts are overprivileged. A healthcare organization might find physical access gaps around network closets. A reseller supporting PCI DSS clients may uncover weak segmentation that impacts cardholder systems. Those are the findings that should drive control selection, evidence collection, and remediation priority.

Implement Access Control and Identity Management

Access control breaks ISO 27001 efforts faster than almost anything else. MSPs feel this first because identity sprawls across Microsoft 365, RMM, PSA, backup platforms, remote access tools, client tenants, and internal admin systems. If you cannot show who has access, why they have it, who approved it, and when it gets reviewed, your audit gets messy fast.

For channel teams, this is not one generic IT control. It is a cross-client operating discipline. Your checklist should tie access evidence to the actual control set you run every day, including user provisioning, privilege approvals, admin segregation, offboarding, and physical entry records. vCISOs should push for one repeatable access model across managed clients instead of rebuilding the process account by account.

A diverse team of cybersecurity professionals analyzing data on computer screens during an incident response meeting.

Lock Access to Roles

Role-based access control is the baseline. A CPA firm should not let accounting staff drift into HR systems. A help desk technician should not keep standing domain admin across every client. A vCISO should be able to pull an approval record for production access without chasing screenshots through email and Teams.

Use the identity platforms your clients already own. Microsoft Entra ID, Okta, Duo, JumpCloud, and Google Workspace can enforce role assignment, MFA, conditional access, and cleaner joiner-mover-leaver workflows if you configure them with intent.

Least privilege needs proof. Auditors want the access model, the approval path, the review schedule, and the evidence that offboarding happened.

Key requirements include:

  • Require MFA for remote and administrative access: Cover VPN, email, cloud consoles, RMM, PSA, backup portals, and privileged sessions.
  • Review privileged accounts on a schedule: Focus on break-glass accounts, service accounts, delegated admin roles, and any shared administrative access that still exists.
  • Document every access change: Keep approval and removal records for joiners, movers, leavers, and privilege escalations.
  • Separate technician access by role and client need: Do not give broad standing access just because it is operationally convenient.
  • Include physical access in the same control set: Badge issuance, key handling, visitor logging, and server room restrictions all count.

Here is the MSP-specific gap I see often. Teams document policy well enough for a GRC platform, but they do not verify whether those controls hold up under real attack paths. Add a white-labeled manual pentest to test external access, privilege escalation routes, exposed admin workflows, and weak tenant separation. It gives your vCISO practice a practical validation step that is faster and more affordable than building a full offensive security function in-house, and it gives clients evidence that goes beyond screenshots and policy exports.

If you support SOC 2, HIPAA, or PCI DSS alongside ISO 27001, identity work carries across all of them. Build one clean access governance process, verify it with real testing, and reuse the evidence intelligently. That is how MSPs keep compliance profitable instead of turning it into admin drag.

Establish Cryptography and Data Protection Controls

Weak encryption turns a small mistake into a reportable incident. ISO 27001 expects more than a checkbox here. You need clear rules for what gets encrypted, where it lives, how it moves, who can decrypt it, and how you prove those controls work.

For MSPs and vCISOs, this control area gets messy fast because client data sprawls across M365, backup platforms, ticketing systems, file shares, cloud workloads, and security tooling. Add pentest artifacts, screenshots, exploit notes, exported logs, and draft reports, and you are now storing some of the most sensitive material in the environment. Treat that data like a target, because an attacker would.

Protect Data in Motion and At Rest

Start with the practical failure cases. A technician laptop gets stolen. A backup repository is copied. A report with exploitable findings is shared over email. Your standard should answer each of those scenarios with a defined control, not a vague statement about encryption.

Use the tools your clients already pay for, but set one standard across the stack. BitLocker and FileVault for endpoints. TLS for external services and admin portals. Encrypted backup storage. Centralized key management through Azure Key Vault, AWS KMS, or another approved vault. The control is not the product. The control is consistent configuration, ownership, and review.

A few recommendations matter more than the rest:

  • Classify sensitive security artifacts: Pentest reports, screenshots, exported configs, and evidence files should have stricter storage and sharing rules than routine service documents.
  • Keep keys separate from protected data: If the same admin plane controls both, you have not reduced much risk.
  • Define approved transfer methods: Do not let technicians send sensitive findings through unmanaged email threads or ad hoc file-sharing links.
  • Test recovery with encryption enabled: Restores, legal holds, and incident evidence collection still need to work under pressure.
  • Document exceptions: Auditors will ask why a legacy system cannot meet the standard and what compensating controls you applied.

Cloud services need their own treatment. ISO 27001:2022 added a specific control theme around the secure use of cloud services, reflected in Annex A updates summarized by the ISO/IEC 27001:2022 transition guidance from IT Governance. For MSPs, that means checking tenant-level encryption settings, key ownership, data residency requirements, SaaS backup coverage, and how admins export or share client data from cloud consoles.

Do not stop at policy evidence. Verify that protection holds up in practice. A white-labeled manual pentest is a smart fit here because it shows whether sensitive data can be exposed through weak storage controls, insecure portals, poor report handling, or tenant crossover. That gives your vCISO team a usable validation step without the cost and delay of building a full offensive security bench, and it gives clients proof that your cryptography controls work outside a spreadsheet.

Develop Incident Response and Management Procedures

Incidents happen. The question isn't whether your client will face one. The question is whether the team knows what to do in the first hour.

A useful incident response plan is short, clear, and operational. It names people, systems, escalation paths, legal contacts, communications steps, and evidence handling requirements. It also gets tested.

Make the Plan Work Under Pressure

A ransomware event in an MSP environment doesn't stay neatly contained. It spills into client trust, support queues, legal review, insurance contacts, and sometimes regulator notifications. Your plan needs to reflect that reality.

A pen test can help here because it shows whether detection works in a live environment. If a manual pentesting team gets domain admin or lands in a sensitive web app without triggering review, that says more than a policy ever will.

Use practical scenarios:

  • Phishing into mailbox access: Can the team detect suspicious login patterns and reset sessions fast?
  • Compromised RMM credentials: Can privileged actions be contained and investigated?
  • Web application exploitation: Can logs, alerts, and handoffs prove what happened?
  • Insider misuse: Can HR, IT, and leadership coordinate cleanly?

A response plan should fit on a bad day. If your team needs twenty tabs and a committee before acting, it's too bloated.

Keep incident logs and corrective actions. Those records show auditors that the ISMS isn't just written down. It's being used, learned from, and improved.

Maintain Business Continuity and Disaster Recovery Plans

Business continuity and disaster recovery sound similar, but they solve different problems. Continuity keeps the business operating. Recovery restores systems after the hit.

MSPs should drive both because clients usually underestimate how dependent they are on identity providers, cloud storage, line-of-business apps, backup platforms, and remote access. If any of those fail, the ISMS gets stress-tested immediately.

Test Restores, Not Just Backups

A backup job with a green check mark isn't proof. A tested restore is proof.

For a financial client, continuity may mean preserving access to email, document systems, and client communications during an outage. For a medical practice, it may mean maintaining secure access to scheduling and records. For an MSP, it often means recovering PSA, RMM, ticketing, and credential systems in the right order so support can function.

Build the plan around dependencies. Microsoft 365, Azure, AWS, Datto, Veeam, VMware, and local infrastructure all have different recovery friction points.

  • Rank critical systems: Not everything needs to come back first.
  • Document restore steps clearly: The person doing the work shouldn't need tribal knowledge.
  • Include vendor dependencies: Cloud services and outsourced providers can slow recovery.
  • Run live drills: Tabletop exercises are useful, but actual restore testing is better.

This section also supports broader compliance work. If you're serving clients with SOC 2, HIPAA, or PCI DSS obligations, continuity evidence often carries over when documented well.

Execute Security Awareness Training Programs

Security awareness training fails when it's treated like a yearly HR task. For ISO 27001, it needs to change behavior, produce evidence, and reduce avoidable risk across the client environment.

That matters even more for MSPs and vCISOs. Your users handle tickets, reset passwords, approve MFA prompts, share files, touch client data, and interact with vendors every day. One bad click from a dispatcher or one weak verification step at the help desk can bypass a stack of technical controls.

Train by Role, Risk, and Real Workflow

Generic awareness videos create checkbox evidence. They do not prepare staff for the attacks they see.

Train finance teams on invoice fraud and payment change scams. Train help desk staff on caller verification, privilege escalation abuse, and admin portal misuse. Train executives on business email compromise and impersonation. Train technical teams on secrets handling, secure configuration, and phishing that targets remote access tools. Train admin staff on visitor handling, device use, and document exposure.

ISO 27001 makes the people side of security easier to operationalize because staff responsibilities are clearly defined in Annex A. Use that structure to map training content to job function, policy ownership, and recurring proof for the audit file.

For MSPs, this is also a practical service line. Bundle policy rollout, short monthly training, phishing simulations, acknowledgment tracking, and exception handling into recurring compliance support. Clients buy it because they need audit evidence. They keep it because it cuts preventable incidents and gives the vCISO a clean reporting story.

A stronger program also connects awareness to external risk. If staff approve new vendors, exchange client data with outside parties, or respond to supplier emails, training should reinforce your third-party risk management process, not sit in a separate silo.

  • Make training role-specific: Match examples to the systems, approvals, and data each team touches.
  • Track completion and acknowledgments: Auditors want records, dates, and proof of follow-up for missed training.
  • Use incidents your clients recognize: Invoice fraud, MFA fatigue, fake support calls, and shared mailbox abuse get attention fast.
  • Reward reporting: Fast escalation of suspicious emails, access requests, and vendor messages improves response time.
  • Test the result: Phishing simulations, callback checks, and help desk verification reviews show whether the training is working.

The best verification step is practical, not expensive. Pair awareness training with periodic manual testing of the human attack path, especially social engineering exposure around help desk workflows, admin access, and client impersonation. For channel teams, white-labeled pentesting gives you a fast way to validate whether users and support staff apply the training in real conditions without building a full in-house testing function.

Document and Review Security Controls Regularly

Bad evidence sinks good security work. If you cannot show what was done, who approved it, and when it was reviewed, the auditor has no reason to trust the control.

Your documentation should cover the controls auditors test. Policy approvals, access reviews, change tickets, logs, incident records, training acknowledgments, vendor assessments, internal audit results, management review notes, and technical validation such as a penetration test report all belong in scope. For MSPs and vCISOs, the job is not just to collect proof once. The job is to build an evidence process that works across clients without turning every audit into a scramble.

Build an Evidence Library That Survives Audit

Multi-client compliance breaks teams that rely on tribal knowledge and scattered folders. Use one system. Set naming rules, retention periods, owners, review dates, and control mappings from day one.

Confluence, SharePoint, Google Drive, Vanta, Drata, Sprinto, Secureframe, or your GRC platform can all do the job if the structure is disciplined and the evidence stays current. The platform matters less than the operating model.

Keep a separate cyber security audit checklist tied to evidence collection so engineers, account leads, and vCISOs know exactly what to gather before an auditor asks. That saves time, cuts duplicate requests, and gives you a cleaner client reporting cadence.

Good evidence is timestamped, assigned to an owner, easy to retrieve, and mapped to a control. Better evidence also shows what failed, what changed, and when the fix was verified.

Channel teams should stop relying on scanner output alone. A white-labeled manual pentest gives you practical proof that technical controls were tested by a human attacker, not just marked green by automation. It also solves two common GRC problems for MSPs. Cost and speed. You get validation your clients can use in an ISO 27001 audit package without building a full testing team in-house.

If you want this section to hold up under audit, review evidence on a schedule, not at renewal time. Quarterly control reviews are a better operating rhythm for most MSPs because they catch stale screenshots, expired approvals, broken logging, and missing remediation notes before those gaps hit the audit trail.

Manage Third-Party and Supplier Security Risks

Your client can do everything right internally and still get hurt through a vendor. That's why supplier risk belongs in every serious ISO 27001 compliance checklist.

Cloud hosts, payroll providers, outsourced developers, backup vendors, legal platforms, payment processors, consultants, and hardware suppliers all affect security. If they touch systems, data, credentials, or facilities, they matter.

Review Vendors Like They Matter

A vCISO should maintain a vendor inventory and rank suppliers by risk. A payment provider that touches PCI DSS workflows deserves more scrutiny than a low-risk office supply vendor. A cloud file-sharing platform used for client records should face stronger review than a marketing tool.

Ask practical questions. Do they support MFA? How do they handle access reviews? What certifications or attestations can they provide? What happens when they have an incident? Can your client terminate access cleanly?

Use a defined process like this third-party risk management process so assessments don't depend on memory or whoever happens to be available that week.

A few checks belong in every review:

  • Require documented security commitments: Put expectations in contracts where possible.
  • Track high-risk vendors separately: They need tighter follow-up and more frequent review.
  • Review shared access paths: SSO, API keys, VPN access, and support accounts are common weak points.
  • Include testing where appropriate: Pen test or penetration testing results can support vendor review when a supplier hosts or develops critical systems.

The Statement of Applicability matters here too. It must be updated annually, especially when major changes affect technology, operations, or regulatory requirements, so third-party changes don't drift outside the ISMS (Statement of Applicability update guidance).

ISO 27001 Compliance Checklist, 9-Point Comparison

MSPs and vCISOs do not need another generic ISO 27001 list. They need a working map that shows what takes time, what burns resources, and what helps a client pass audit without stalling delivery.

Use this comparison to scope effort fast, set client expectations early, and decide where outside validation, including white-labeled manual pentesting, will save you rework.

ItemImplementation complexityResource requirementsExpected outcomesIdeal use casesKey advantages
Define Your Information Security Policy FrameworkModerate to high. Requires leadership alignment, ownership mapping, and cross-functional inputPolicy workshops, compliance review, documentation owner, approval cycleClear governance, audit-ready policies, assigned accountabilityClients starting an ISMS or replacing scattered policies with a formal structureImproves consistency, reduces policy gaps, gives auditors a cleaner story
Conduct a Comprehensive Risk AssessmentHigh. Requires asset context, threat analysis, scoring logic, and treatment planningSecurity lead time, asset inventory, risk register, assessment method, technical validation where neededPrioritized risks, treatment decisions, defensible audit evidenceNew ISO 27001 programs, major environment changes, high-risk client environmentsFocuses effort on real exposure, exposes control weaknesses, supports budget decisions
Implement Access Control and Identity ManagementHigh. Usually touches multiple platforms, privilege models, and joiner-mover-leaver workflowsIAM tooling, MFA rollout, provisioning process, admin cleanup, periodic access reviewsLeast-privilege access, better logging, fewer stale accountsClients with Microsoft 365, cloud apps, privileged technicians, or shared admin accessCuts unauthorized access risk, improves audit evidence, tightens operational control
Establish Cryptography and Data Protection ControlsModerate. Configuration is straightforward. Key handling and coverage checks are notEncryption settings, key management process, endpoint and cloud review, validation testingProtected data in transit and at rest, stronger client trust, cleaner regulatory alignmentClients handling sensitive records, regulated data, or multi-tenant cloud workloadsStrengthens data protection, limits breach impact, supports contractual requirements
Develop Incident Response and Management ProceduresModerate to high. Process design is easy. Making it usable under pressure takes workIR plan, runbooks, detection tooling, communications path, tabletop exercisesFaster triage, cleaner escalation, documented handling of security eventsRansomware-prone clients, regulated clients, and any team with after-hours support exposureImproves response speed, reduces confusion, supports reporting and corrective action
Maintain Business Continuity and Disaster Recovery PlansHigh. Recovery targets, dependencies, and testing expose weak architecture fastBackup platform, recovery design, failover testing, business owner input, documented recovery stepsRecoverable systems, defined RTO and RPO, lower outage impactClients with uptime commitments, line-of-business apps, or revenue tied to system availabilityReduces downtime, lowers data loss risk, protects service delivery
Execute Security Awareness Training ProgramsLow to moderate. Easy to launch. Harder to keep relevant and measurableTraining platform, role-based content, phishing tests, admin follow-up, reporting cadenceBetter user reporting, fewer avoidable clicks, stronger day-to-day security habitsAll clients, especially those with email-heavy workflows and frontline staffLow-cost risk reduction, better user behavior, more incident reporting
Document and Review Security Controls RegularlyModerate. The real challenge is keeping evidence current and usefulCentral evidence repository, review schedule, control owners, test results, version trackingCurrent documentation, stronger internal reviews, less audit scrambleClients juggling ISO 27001 with SOC 2, customer questionnaires, or recurring auditsImproves audit readiness, catches drift early, keeps the ISMS usable
Manage Third-Party and Supplier Security RisksModerate to high. Depends on vendor count, contract quality, and access exposureVendor inventory, review workflow, legal input, reassessment cadence, exception trackingLower supplier risk, documented due diligence, better contract coverageClients relying on SaaS, outsourced support, payment processors, or hosted infrastructureReduces supplier exposure, improves accountability, supports client-facing assurance

One recommendation: do not treat every row as equal.

For MSP-led ISO 27001 programs, risk assessment, access control, control reviews, and supplier risk usually drive the audit outcome. They also create the most client friction because they expose messy realities. Shared admin accounts, weak offboarding, undocumented exceptions, and vendors with broad access. Fix those first.

That is also where white-labeled manual pentesting fits. It is not a substitute for the checklist. It is a practical verification step that helps vCISOs and MSPs confirm whether technical controls prove effective, without building a full in-house testing team or dragging the project timeline.

Partner with MSP Pentesting for Compliance Validation

Paperwork gets you to the audit. Technical validation gets you through it.

ISO 27001 certification includes a two-stage external audit. Stage 1 checks documentation readiness, and Stage 2 tests whether the ISMS operates as intended (ISO 27001 requirements and audit stages). MSPs and vCISOs know what happens next. If access control looks clean on paper but shared admin accounts still exist, or if segmentation claims fall apart under testing, the auditor finds the gap fast.

That is why channel firms should build verification into the compliance plan early, not after policies are written and evidence is collected. The path from gap assessment to certification often runs 6 to 18 months (ISO 27001 compliance checklist and audit timeline). Wasting that timeline on weak validation is a mistake. Manual pentesting gives you proof that the controls your client documented can stand up under real pressure.

Internal audit discipline matters too. ISO 27001 requires internal auditors to stay independent from the areas they review, and the audit output needs formal reporting, including nonconformities, observations, and corrective actions (internal audit checklist requirements). A pentest does not replace internal audit. It improves it. It gives your team hard evidence to validate technical controls, support remediation, and keep surprises out of the certification audit.

MSP Pentesting is built for that exact channel motion. We are a channel-only partner. We do not compete with MSPs, vCISOs, GRC firms, CPAs, or resellers. You own the client relationship and the brand. We handle the testing under your label with certified professionals from OSCP, CEH, and CREST backgrounds.

That model solves a real market problem.

Too many compliance-driven pentests are overpriced, too automated, or too slow to fit the engagement. Clients do not want a recycled scanner output wrapped in a PDF. They want manual testing, clear findings, and reports they can use in ISO 27001, SOC 2, HIPAA, and PCI DSS conversations without waiting weeks for cleanup.

We support the environments MSPs sell and secure. Internal networks, external networks, web apps, mobile apps, cloud infrastructure, social engineering, physical pentesting, and red-team-style engagements. For vCISOs, this means faster validation of high-risk controls. For MSPs, it means you can add credible testing to the compliance offer without hiring an in-house offensive security team.

If you are building an ISO 27001 practice, add a pentesting partner early. It shortens remediation cycles, improves the evidence package, and gives clients more confidence that the ISMS works outside the policy binder. If you want a broader hiring-context view of the role, this resource for penetration tester roles gives useful background on what strong testers are expected to do.

Contact us today.


If you're an MSP, vCISO, GRC firm, CPA, or reseller that needs fast, affordable, manual pentesting under your own brand, talk to MSP Pentesting. We deliver white label pentests, penetration tests, and penetration testing support that helps you win more compliance business without competing for your clients.

Author

Connor Cady

Founder

Connor founded MSP Pentesting after working in the pentest industry and seeing a massive gap in the market. MSPs were being forced to choose between overpriced corporate firms or shady, automated scanners that auditors hate. He built this company to solve that "sticker shock" and give the channel a partner that prioritizes their margins and client relationships.

Join our MSP Partner Program

Want Access to Reseller Pricing? Sample Reports? Resources?
Meet with a member of MSP Pentesting to get access.