Compliance Readiness Check

A 12-control self-assessment for HIPAA, PCI-DSS v4.0.1, SOC 2, and CMMC 2.0 Level 2. Output: a prioritized list of gaps to hand to your MSP — and the controls you should keep in-house.

Which frameworks apply to you?

Pick all that apply. We'll filter the assessment accordingly.

Score yourself honestly

1. Multi-factor authentication on all admin & remote access (priority: high)

Do all admin accounts and remote access (VPN, RDP, SaaS) require phishing-resistant MFA?

SMS does not count. Authenticator apps, FIDO2, or hardware keys only.

2. Tested, immutable backups (priority: high)

Do you have offsite, immutable backups that are tested at least quarterly?

Untested backups are wishes. Restore tests must be documented.

3. Documented patching SLA (priority: medium)

Are critical OS and application patches deployed within a defined SLA (e.g., 14 days for critical CVEs)?

If you can't produce a patch report by Tuesday, the answer is no.

4. Encryption at rest and in transit (priority: high)

Is sensitive data (PHI, CHD, CUI, customer data) encrypted at rest and in transit using current standards?

AES-256 at rest, TLS 1.2+ in transit. Email encryption for PHI/PII workflows.

5. Quarterly user access reviews (priority: medium)

Do you formally review user access (least privilege, terminations, role changes) at least quarterly?

Look for a signed-off ticket or report — verbal reviews don't count.

6. Incident response plan + tabletop exercises (priority: high)

Is there a written IR plan that is tested via tabletop exercise at least annually?

A plan in a binder no one has read is not a plan.

7. Annual security awareness + phishing simulation (priority: low)

Do all employees complete annual security training and receive monthly phishing simulations?

Check completion rates — under 95% means it's not really running.

8. Vendor risk management & BAAs/contracts (priority: medium)

Do you have BAAs (HIPAA), DPAs, or executed vendor contracts for every third party touching sensitive data?

Includes the MSP itself, cloud providers, SaaS, and any subcontractors.

9. Written information security policies (priority: medium)

Do you have a written ISMS / set of security policies that are reviewed annually?

Acceptable Use, Data Classification, Access Control, Incident Response at minimum.

Disclaimer: Self-assessments are not a substitute for a formal gap assessment by a QSA, accredited C3PAO, or qualified HIPAA security officer. Use this tool to direct conversations, not to certify compliance. Last updated: April 2026.