What IT Compliance Standards Should Professional Services Firms Follow (PCI-DSS, SOC 2, CIS Controls) — and How Do You Get Compliant?

Professional services firms don’t need to comply with every security framework—but they do need a defensible baseline. For most firms with 10–25 employees, that baseline is the CIS Critical Security Controls, with additional standards like PCI-DSS or SOC 2 applying only in specific situations. In practice, most firms can reach a compliant, auditable security posture in 60–120 days, at an average managed IT cost of $125–$175 per user per month, depending on scope and documentation requirements.

The key is knowing which standards actually apply to your business—and avoiding overpaying for ones that don’t.

Quick Definitions

PCI-DSS: A standard for entities that store, process, or transmit cardholder data.
SOC 2: An AICPA standard focused on five Trust Services Criteria.
CIS Controls: A prioritized set of cybersecurity best practices (widely recommended as a baseline).

Step 1: Start With CIS Controls as Your Foundation

For small and mid-sized professional services firms (legal, accounting, insurance, consulting), CIS Controls v8 is the most practical and widely accepted framework.

Why CIS Controls matter:

  • They define reasonable security in plain language

  • They map to cyber insurance requirements

  • They support FTC Safeguards expectations

  • They are achievable without disrupting daily operations

Most firms should target CIS IG1 or IG2, not enterprise-level security.

Step 2: Know When PCI-DSS Actually Applies

PCI-DSS is not universal. It only applies if your firm:

  • Processes credit card payments

  • Stores cardholder data

  • Manages payment portals or POS systems

If you outsource payments properly, your PCI scope may be minimal. If you don’t, non-compliance becomes a real risk, both financially and legally. Keep in mind that even if you simply process credit card payments through an outside service, you still have PCI-DSS requirements that you must follow.

Step 3: Understand Where SOC 2 Fits (and Where It Doesn’t)

SOC 2 is not a requirement for most professional services firms. However, some cyber-insurance policies may require it as a matter of course.

SOC 2 is typically required when:

  • You are a technology provider

  • You host or manage client data as a service (e.g., personally identifiable information)

  • Your clients contractually demand it

Many firms mistakenly pursue SOC 2 when CIS Controls + documentation would meet their real obligations at a fraction of the cost.

Step 4: Implement the Right Controls (Without Breaking the Business)

Compliance fails when security is layered on after workflows are built.

A business-first compliance approach includes:

  • MFA for email and remote access

  • Managed endpoint security and patching

  • Secure, tested backups

  • Logging and visibility

  • Policies that reflect how your firm actually works

Security should support productivity—not slow it down.

Step 5: Document, Test, and Maintain Compliance

Compliance isn’t just technical. It needs to be provable.

Most firms need:

  • Incident response policy

  • Acceptable use policy

  • Backup and disaster recovery documentation

  • Ongoing reviews as staff, tools, and workflows change

This documentation is what protects you during:

  • Client security questionnaires

  • Cyber insurance renewals

  • Regulatory reviews

  • Legal disputes after incidents

CIS-Driven Compliance Without Overengineering

A 14-employee accounting and advisory firm began receiving client security questionnaires asking about MFA, incident response plans, and data protection controls. They were unsure whether they needed SOC 2, PCI-DSS, or something else entirely—and were concerned about cost and disruption.

Instead of pursuing an unnecessary certification, the firm aligned to CIS Controls IG1 over a 75-day period. This included:

  • Enabling MFA across email and remote access

  • Standardizing endpoint security and patching

  • Implementing secure, tested backups

  • Documenting incident response and acceptable use policies

The result:

  • Passed client security reviews without exceptions

  • Renewed cyber insurance with no premium increase

  • Avoided the cost and overhead of SOC 2

  • Maintained normal day-to-day workflows with no productivity loss

This approach gave the firm documented, defensible security aligned with real business risk—not a checkbox exercise.

The Bottom Line

Most professional services firms don’t need SOC 2.
Some need PCI-DSS.
All need CIS-aligned, documented security.

The goal isn’t perfection—it’s reasonable, defensible, and auditable security that protects your business and client trust.

Matt CEO
Founder and CEO of The Bitworks, Inc., a managed IT services company based in Taylors Falls, Minnesota. With over three decades of experience in IT leadership and infrastructure, Matt has held senior roles at companies such as Lockheed Space Operations, Piper Jaffray, and Deluxe Corporation before launching his own business in 2005. A seasoned technologist and business strategist, Matt is deeply committed to aligning technology with business outcomes and has a passion for community engagement, leadership development, and delivering world-class managed services.