Frequently Asked Questions

Why does MVSP exist?

MVSP is a minimum checklist that serves as a stepping stone. We are aware of the XKCD comic, however MVSP is not a standard and does not intend to compete with existing standards. Rather, it fills a void in standardized RFPs, contractual language, and many other areas.

What differentiates MVSP from other industry standard questionnaires?

MVSP is a basic framework and is not intended to be a comprehensive checklist. It is also not intended to replace more complex questionnaires, but rather as a starting point for companies that are currently developing their information security capabilities or who want to quickly understand the security capabilities of an enterprise-ready solution or service.

Many other complex standards focus on a wide range of controls that should be implemented across the enterprise. MVSP, on the other hand, focuses specifically on the security of applications, which can vary from service to service. While a company can claim overall ISO compliance at a company level, MVSP would apply to a single application due to its narrow focus.

Will I need to fill out yet another questionnaire?

It is possible, although the MVSP controls are designed to be brief. If you need to comply with different standards, you are likely meeting the MVSP requirements and will not need to gather data to complete the MVSP checklist. However, different companies may choose to use MVSP in different ways. We aim to ensure that widely used tools will support MVSP and use existing data to reduce your workload, even if a questionnaire is required.

Does completing the MVSP checklist require sharing sensitive information?

No, MVSP is specifically designed as a straightforward baseline checklist where controls are either met or not met.

What sort of audit artifacts are required for MVSP?

MVSP is not a standard, but rather a basic checklist. As such, it is not designed to include the collection of audit artifacts that are present in more comprehensive standards such as SOC2.

Can we rely on a SOC2 or other standard instead of using MVSP?

Yes. If SOC2 or another standard better meets your organization’s needs than MVSP, we encourage you to use those more stringent standards where applicable. We believe that MVSP is well-suited for quickly measuring the security of internal and external products, and it reduces the burden on the review process by providing valuable and low-effort signals to your risk management processes.

Can I use MVSP for ${thing}?

Yes. That is the beauty of MVSP. You can use it for whatever you want. It is freely available and can be used to solve a variety of problems. We would love to hear from you if you find an innovative use for MVSP that we have not considered before.

Do I have to pay for MVSP?

No. MVSP is released under creative commons license, and free for all to use.

Why doesn't MVSP include a control about ${thing}?

MVSP is a minimum set of controls, so we may have omitted controls that are important to your specific use case. This is because sometimes tough decisions need to be made in order to keep the control list focused on the problems that MVSP is designed to address. However, MVSP is free and open-source, so you can fork and adapt it for your own use. Alternatively, if you think a control meets the bar for a minimum baseline, you can reach out to the MVSP team or submit a pull request to the alpha branch of the MVSP repo for consideration.

Why doesn't MVSP talk about enterprise security?

MVSP was created to address application security controls. As such, it tries not to cross over into enterprise security aspects unless they are directly connected to the security of an enterprise application or service. This may mean that we stop short of adding a control that you may feel is important, or occasionally add something that is more enterprise-focused than we would like. We try to maintain this balance, but we may not always get it exactly right.

I think the MVSP controls are too strict

While this is a common response, we believe that the controls presented in MVSP provide a reasonable baseline for enterprise-ready applications and services. The controls were debated and refined over a 12-month period before the initial control set was publicly released. This included input from a variety of contributors, listed and unlisted, to pressure test assumptions. We may not always get it right, but we are confident that the controls are a good balance between being too strict and too loose.

I think the MVSP controls are too loose

This is a common response. While many people say that the controls are too strict (see above), we also regularly hear that they are too loose and do not go far enough. As with any baseline or minimum, we could always go higher. However, we feel that going too high would reduce the applicability and usefulness of the control set. In some areas, we are pushing the industry to adopt sensible minimums that they may not currently consider. However, this needs to be carefully measured to prevent from pushing too far.

We use MVSP and would like to share our experience?

We would be delighted to hear from you and learn from your experiences. Please do not hesitate to contact us at [email protected].