MCP server compliance mapping — SOC 2, GDPR, HIPAA, ISO 27001 control mapping for MCP security grades

Organizations under SOC 2, GDPR, HIPAA, or ISO 27001 frameworks need to demonstrate that third-party tools used in their environment — including MCP servers — meet appropriate security controls. MCP servers present a new challenge: traditional vendor questionnaires assume the tool runs on the vendor's servers, not locally on your developers' machines. SkillAudit grades are designed to answer exactly the questions these frameworks ask about locally-executed, credential-bearing, LLM-driven tools. This page maps each SkillAudit sub-score to specific compliance control requirements across the four major frameworks, and describes how to use scan evidence in your compliance program.

1. SOC 2 Trust Services Criteria mapping

SOC 2 is structured around five Trust Services Categories. Most MCP server compliance obligations fall under Security (CC), with some overlap into Availability (A) and Confidentiality (C). The relevant criteria and their mapping to SkillAudit sub-scores:

SOC 2 Criterion       | SkillAudit Sub-score | What the mapping covers
─────────────────────────────────────────────────────────────────────────────
CC6.1                 | Security             | Logical and physical access controls — SSRF,
  (Logical access     |                      | injection, path traversal vulnerabilities
  controls)           |                      | demonstrate failures in logical access control
                      |                      |
CC6.3                 | Permissions          | Role-based access / least privilege — MCP tools
  (Access removal     |                      | requesting minimum-necessary permissions and
  & least privilege)  |                      | narrowly-scoped schemas satisfy CC6.3's
                      |                      | requirement to limit access to authorized users
                      |                      |
CC6.7                 | Credentials          | Encryption of credentials in transit/at rest —
  (Encryption)        |                      | credential hygiene patterns (no plaintext logging,
                      |                      | rotation without restart) address CC6.7
                      |                      |
CC7.1                 | Maintenance          | Monitoring for security vulnerabilities —
  (Monitoring)        |                      | dependency pinning, lockfiles, npm audit
                      |                      | demonstrate systematic vulnerability monitoring
                      |                      |
CC8.1                 | Maintenance          | Change management — lockfile commits enforce
  (Change management) |                      | reproducible installs and documented dependency
                      |                      | changes as required by CC8.1
                      |                      |
CC2.2                 | Documentation        | Communication of security policies —
  (Communication)     |                      | SECURITY.md and disclosure policy satisfy the
                      |                      | "communicate security responsibilities" aspect

Using SkillAudit as SOC 2 evidence

When a SOC 2 auditor asks about third-party tool security controls (typically under CC9.2 — vendor risk management), an MCP server's SkillAudit scan report serves as documented evidence that the tool was evaluated against a defined security standard. Specifically:

2. GDPR mapping (Articles 25 and 32)

GDPR's security obligations come primarily from Article 25 (data protection by design and by default) and Article 32 (security of processing). For organizations using MCP servers that process personal data, both articles create direct obligations around how those servers are selected and monitored.

GDPR Requirement      | SkillAudit Sub-score | Mapping
─────────────────────────────────────────────────────────────────────────────
Art. 25(1)            | Permissions          | Data minimisation by default — an MCP tool
  (Data protection    |                      | requesting only the specific repos it needs,
  by design)          |                      | rather than full repo access, implements
                      |                      | Art. 25(1)'s data minimisation requirement
                      |                      |
Art. 25(2)            | Permissions          | Data minimisation by default — narrow schema
  (Data minimisation) |                      | argument constraints limit data processed
                      |                      | to what is necessary for the stated purpose
                      |                      |
Art. 32(1)(a)         | Security             | Pseudonymisation and encryption — prompt
  (Appropriate        |                      | injection resistance and SSRF controls
  technical measures) |                      | constitute "appropriate technical measures"
                      |                      | to ensure security appropriate to the risk
                      |                      |
Art. 32(1)(b)         | Credentials          | Ongoing confidentiality of processing —
  (Confidentiality)   |                      | credential logging hygiene (no tokens in
                      |                      | error logs) directly addresses Art. 32(1)(b)
                      |                      |
Art. 32(1)(d)         | Maintenance          | Regular testing and evaluation — dependency
  (Regular testing)   |                      | audit cadence and SECURITY.md disclosure
                      |                      | process constitute "regular testing" of
                      |                      | technical security measures

GDPR DPIA considerations for MCP servers

If your organization conducts Data Protection Impact Assessments (DPIAs) for new tools, MCP servers processing personal data typically trigger a DPIA under GDPR Article 35 because they involve a new technology (LLM-driven tool calling) with characteristics that make privacy risk assessment non-obvious. SkillAudit scan results should be included as an annex to the DPIA, demonstrating that technical controls were evaluated.

3. HIPAA Technical Safeguards mapping

HIPAA's Security Rule (45 CFR Part 164) applies to MCP servers used in healthcare organizations or by business associates handling Protected Health Information (PHI). The Technical Safeguards (§164.312) are most directly relevant.

HIPAA Safeguard            | SkillAudit Sub-score | Mapping
─────────────────────────────────────────────────────────────────────────────
§164.312(a)(1)             | Security +           | Access control implementation — SSRF and
  (Access Control)         | Permissions          | injection controls + least-privilege schemas
                           |                      | together implement the access control
                           |                      | standard for ePHI access via MCP tools
                           |                      |
§164.312(a)(2)(i)          | Permissions          | Unique user identification — narrow token
  (Unique User ID)         |                      | scope (user-specific, not shared admin token)
                           |                      | supports attribution of ePHI access to a
                           |                      | specific user or system account
                           |                      |
§164.312(b)                | Security +           | Audit controls — prompt injection resistance
  (Audit Controls)         | Maintenance          | and dependency monitoring contribute to the
                           |                      | ability to generate audit logs for ePHI access
                           |                      |
§164.312(c)(1)             | Security             | Integrity controls — injection vulnerability
  (Integrity)              |                      | absence demonstrates ePHI cannot be altered
                           |                      | or destroyed in an unauthorized manner
                           |                      | through the MCP interface
                           |                      |
§164.312(d)                | Credentials          | Authentication — credential hygiene patterns
  (Authentication)         |                      | (minimum-scope tokens, rotation support)
                           |                      | address the authentication standard for
                           |                      | verifying persons seeking ePHI access
                           |                      |
§164.312(e)(1)             | Credentials +        | Transmission security — credential encryption
  (Transmission Security)  | Security             | in transit + SSRF controls preventing
                           |                      | unauthorized data transmission together
                           |                      | address the transmission security standard

HIPAA BAA implications

If your organization has Business Associate Agreements (BAAs) with MCP server vendors, the BAA should specify minimum security grade requirements. We recommend including a clause requiring the vendor to maintain a minimum SkillAudit Security sub-score of 75 (B) or better, with quarterly scan evidence provided on request. For servers handling ePHI directly, require a minimum overall A grade.

4. ISO 27001 Annex A control mapping

ISO 27001:2022 restructured Annex A from 114 controls across 14 domains to 93 controls across 4 themes. The most relevant controls for MCP server security map to the Technological Controls (Theme 8) and People Controls (Theme 6) sections.

ISO 27001 Control      | SkillAudit Sub-score | Mapping
─────────────────────────────────────────────────────────────────────────────
A.5.15                 | Permissions          | Access control — least-privilege tool schemas
  (Access control)     |                      | and minimum-necessary token scopes implement
                       |                      | the access control policy required by A.5.15
                       |                      |
A.5.37                 | Documentation        | Documented operating procedures —
  (Documented          |                      | SECURITY.md and runnable README constitute
  operating            |                      | documented operating procedures for the
  procedures)          |                      | security-relevant aspects of MCP server use
                       |                      |
A.8.5                  | Credentials          | Secure authentication — minimum-scope tokens,
  (Secure              |                      | no plaintext credential exposure, rotation
  authentication)      |                      | support address the secure authentication
                       |                      | management requirements of A.8.5
                       |                      |
A.8.8                  | Maintenance          | Management of technical vulnerabilities —
  (Management of       |                      | lockfile commits, npm audit clean, dependency
  technical            |                      | pinning directly address the technical
  vulnerabilities)     |                      | vulnerability management requirements
                       |                      |
A.8.20                 | Security             | Network security — SSRF allowlisting and
  (Networks security)  |                      | outbound request controls implement network
                       |                      | security for MCP server communications
                       |                      |
A.8.24                 | Credentials          | Use of cryptography — token encryption and
  (Use of              |                      | secure credential storage address the
  cryptography)        |                      | cryptographic key management requirements
                       |                      |
A.8.28                 | Security             | Secure coding — absence of injection
  (Secure coding)      |                      | vulnerabilities, path traversal, and SSRF
                       |                      | demonstrates the secure coding practices
                       |                      | required by A.8.28

5. Building a compliance-ready MCP security program

The frameworks above create overlapping requirements. Rather than maintaining separate compliance processes for each, organizations can maintain a single MCP server security program built around SkillAudit grades that satisfies all four frameworks simultaneously.

MCP Security Program Structure — maps to SOC 2, GDPR, HIPAA, ISO 27001

1. INVENTORY (CC9.2 / GDPR Art. 30 / HIPAA §164.308(a)(1) / ISO A.8.8)
   ─────────────────────────────────────────────────────────────────────
   Maintain a register of all MCP servers in use with:
   - Server name, version, repository URL
   - SkillAudit overall grade + 5 sub-scores at last scan
   - Date of last scan, next scheduled scan
   - Credentials configured (scope, rotation schedule)
   - Data classification: does it touch personal data / PHI / PCI?
   - Approval status, approving authority, approval date

2. GRADE THRESHOLDS (CC6.1 / Art. 25 / §164.312(a) / ISO A.5.15)
   ─────────────────────────────────────────────────────────────────────
   Policy: minimum grade requirements by data classification
   - No personal/regulated data: B overall required
   - Personal data (GDPR-scoped): A overall, Security ≥ 85 required
   - PHI (HIPAA-scoped): A overall, Security ≥ 90, Credentials ≥ 85
   - Sub-score override: any Security or Credentials sub-score < 60
     triggers immediate quarantine regardless of overall grade

3. CHANGE MONITORING (CC7.1 / Art. 32(1)(d) / §164.312(b) / ISO A.8.8)
   ─────────────────────────────────────────────────────────────────────
   Rescan schedule:
   - Quarterly: all servers in inventory
   - On version update: rescan within 5 business days
   - On critical CVE in dependency: rescan within 48 hours
   - Grade drop (any tier): immediate review, notify DPO if personal data

4. EVIDENCE RETENTION (CC2.2 / Art. 5(2) / §164.316(b) / ISO A.5.37)
   ─────────────────────────────────────────────────────────────────────
   Retain for audit evidence:
   - SkillAudit scan reports: 3 years minimum
   - Approval records: 3 years minimum
   - Rescan history showing grade over time
   - Exception approvals (C-grade servers with sign-off) with risk acceptance

5. INCIDENT RESPONSE (CC7.3 / Art. 33 / §164.308(a)(6) / ISO A.5.26)
   ─────────────────────────────────────────────────────────────────────
   If an MCP server is found to have been exploited:
   - Immediately revoke and rotate all credentials the server had access to
   - Determine if personal data / PHI was exposed (notification obligations)
   - Pull current SkillAudit report — the finding that was exploited will
     appear as a high/critical finding in the Security sub-score section
   - The finding's CWE identifier maps directly to the CVE classification
     needed for breach notification assessment
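The grade thresholds, rescan windows and grade-drop rule in items 1 through 3 above can be enforced mechanically before a server is approved, for example as a gate in the pipeline that deploys MCP server configuration. The following is an added example, not SkillAudit's own code: a small Python policy gate that evaluates inventory records against those rules. The record field names, the reading of "quarterly" as 90 days, and the sample servers are assumptions; the numeric thresholds and windows are the ones the program structure above states.

```python
"""Policy-as-code gate for the MCP security program (added example, not SkillAudit code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Item 2: minimum grade and sub-scores by data classification.
GRADE_RANK = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}
POLICY = {
    "none":     {"overall": "B", "Security": 0,  "Credentials": 0},
    "personal": {"overall": "A", "Security": 85, "Credentials": 0},
    "phi":      {"overall": "A", "Security": 90, "Credentials": 85},
}
QUARANTINE_FLOOR = 60            # any Security/Credentials sub-score below this -> quarantine

# Item 3: rescan windows. "Quarterly" is read as 90 days here (assumption).
QUARTERLY = timedelta(days=90)
CVE_WINDOW = timedelta(days=2)   # 48 hours
VERSION_BUSINESS_DAYS = 5


@dataclass
class ServerRecord:
    """One row of the inventory register (item 1). Field names are assumed."""
    name: str
    version: str
    classification: str          # "none" | "personal" | "phi"
    overall_grade: str
    sub_scores: dict             # e.g. {"Security": 91, "Credentials": 88}
    last_scan: date
    previous_grade: Optional[str] = None
    version_changed: Optional[date] = None
    critical_cve_seen: Optional[date] = None


@dataclass
class Decision:
    status: str                  # "approved" | "review" | "non_compliant" | "quarantine"
    reasons: list = field(default_factory=list)
    rescan_due: Optional[date] = None
    notify_dpo: bool = False


def add_business_days(start: date, n: int) -> date:
    """Advance n Mon-Fri days past start (holidays ignored)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def rescan_due(rec: ServerRecord) -> date:
    """Earliest deadline among the rescan triggers in item 3."""
    deadlines = [rec.last_scan + QUARTERLY]
    if rec.version_changed and rec.version_changed > rec.last_scan:
        deadlines.append(add_business_days(rec.version_changed, VERSION_BUSINESS_DAYS))
    if rec.critical_cve_seen and rec.critical_cve_seen > rec.last_scan:
        deadlines.append(rec.critical_cve_seen + CVE_WINDOW)
    return min(deadlines)


def evaluate(rec: ServerRecord) -> Decision:
    policy = POLICY[rec.classification]
    sec = rec.sub_scores.get("Security", 0)
    cred = rec.sub_scores.get("Credentials", 0)
    dec = Decision(status="approved", rescan_due=rescan_due(rec))

    # Grade drop of any tier: immediate review; DPO notified when personal data is in scope.
    if rec.previous_grade and GRADE_RANK[rec.overall_grade] < GRADE_RANK[rec.previous_grade]:
        dec.status = "review"
        dec.reasons.append(f"grade dropped {rec.previous_grade} -> {rec.overall_grade}")
        dec.notify_dpo = rec.classification != "none"

    # Sub-score override beats the overall grade.
    if sec < QUARANTINE_FLOOR or cred < QUARANTINE_FLOOR:
        dec.status = "quarantine"
        dec.reasons.append(f"Security={sec} Credentials={cred}: below floor {QUARANTINE_FLOOR}")
        return dec

    failures = []
    if GRADE_RANK[rec.overall_grade] < GRADE_RANK[policy["overall"]]:
        failures.append(f"overall {rec.overall_grade} below required {policy['overall']}")
    if sec < policy["Security"]:
        failures.append(f"Security {sec} below required {policy['Security']}")
    if cred < policy["Credentials"]:
        failures.append(f"Credentials {cred} below required {policy['Credentials']}")
    if failures:
        dec.status = "non_compliant"
        dec.reasons.extend(failures)
    return dec


# Constructed sample inventory; names, versions and scores are made up.
SAMPLE_INVENTORY = [
    ServerRecord("github-mcp", "1.4.0", "none", "B",
                 {"Security": 78, "Credentials": 81}, date(2024, 1, 10)),
    ServerRecord("crm-mcp", "2.1.3", "personal", "A",
                 {"Security": 80, "Credentials": 90}, date(2024, 1, 10)),
    ServerRecord("ehr-mcp", "0.9.2", "phi", "A",
                 {"Security": 92, "Credentials": 55}, date(2024, 1, 10)),
    ServerRecord("ticket-mcp", "3.0.0", "personal", "B",
                 {"Security": 88, "Credentials": 86}, date(2024, 1, 10),
                 previous_grade="A", version_changed=date(2024, 2, 2),
                 critical_cve_seen=date(2024, 2, 7)),
]


def run(inventory=SAMPLE_INVENTORY) -> dict:
    return {rec.name: evaluate(rec) for rec in inventory}


if __name__ == "__main__":
    for name, d in run().items():
        print(f"{name:12} {d.status:14} rescan by {d.rescan_due}  notify DPO: {d.notify_dpo}")
        for reason in d.reasons:
            print("   -", reason)
```

The quarantine check runs before the threshold checks and returns early, so an A-grade server with a Credentials sub-score of 55 is quarantined rather than merely flagged, which is the override the policy calls for. The rescan deadline is the earliest of the applicable triggers, so a critical CVE in a dependency pulls the deadline forward from the quarterly cycle to 48 hours.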

SkillAudit checks relevant to compliance

SkillAudit scans generate reports with findings keyed to the CWE and control mappings your compliance team needs. Scan your MCP server.