MCP Compliance: SOC 2, ISO 27001, and NIST Guidelines
Navigate compliance requirements for MCP deployments with actionable frameworks and checklists.
As MCP deployments move from experimental prototypes to production systems handling regulated data, compliance with established security frameworks becomes both a business requirement and a legal obligation. Enterprises deploying AI agents through MCP must demonstrate to auditors, regulators, and customers that their systems meet the same rigorous security standards as any other production infrastructure that processes sensitive data. However, traditional compliance frameworks were written for conventional IT systems and don't explicitly address the unique challenges of AI agent architectures: the dynamic nature of agent permissions, the difficulty of auditing non-deterministic LLM behaviour, the novel attack vectors like prompt injection that don't map neatly to existing control categories, and the complex data flows between agents, tools, and backend systems. This guide maps the most relevant requirements from SOC 2, ISO 27001, and NIST 800-53 to specific MCP security controls, providing a practical compliance roadmap that security teams can implement without reinventing the wheel.
SOC 2 Trust Service Criteria for MCP
SOC 2 Type II audits evaluate the design and operational effectiveness of controls across five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. For MCP deployments, the security and confidentiality criteria are most directly relevant. The security criterion requires controls that protect against unauthorised access to system components, which maps to MCP requirements for mutual authentication between agents and servers, tool-level access controls, network segmentation, and intrusion detection. The confidentiality criterion requires protection of data classified as confidential, which maps to output filtering that prevents agents from returning sensitive data in contexts where it shouldn't appear, encryption of all data in transit and at rest, and data classification policies that define what types of data each agent role can access through which tools. Processing integrity requires demonstrating that system processing is complete, valid, accurate, and timely—which for MCP means implementing input validation on tool parameters, output verification on tool results, and audit logging that provides a complete record of every tool invocation. The key challenge with SOC 2 for MCP is providing auditors with evidence of control effectiveness for non-deterministic systems. Prepare by maintaining comprehensive audit logs, documenting your prompt injection defences, and running regular security tests whose results can serve as evidence of control effectiveness.
ISO 27001 Control Mapping
ISO 27001 provides a systematic approach to managing information security through an Information Security Management System (ISMS). The 2022 revision organises controls into four themes: organisational, people, physical, and technological. For MCP deployments, the technological controls are most directly applicable. Control A.8.1 requires user endpoint device management, which extends to managing the agent orchestration platforms and MCP clients that connect to your servers. Control A.8.3 requires information access restriction, mapping to tool-level RBAC and parameter-level constraints in MCP. Control A.8.5 requires secure authentication, mapping to mTLS and short-lived token requirements. Control A.8.15 requires logging, mapping to structured audit logging of all tool invocations. Control A.8.16 requires monitoring activities, mapping to behavioural analysis and anomaly detection for agent sessions. The organisational controls are equally important: A.5.1 requires an information security policy that should explicitly cover AI agent systems, A.5.23 requires information security for the use of cloud services, which extends to cloud-hosted MCP servers, and A.5.31 requires identification of the legal and regulatory requirements applicable to your MCP deployment. Building your ISMS to encompass MCP infrastructure from the start is far more efficient than trying to retrofit compliance after deployment.
NIST 800-53 and the AI Risk Management Framework
NIST provides two complementary frameworks for MCP security: the traditional 800-53 security controls and the newer AI Risk Management Framework (AI RMF). From 800-53, the access control family (AC) maps to MCP tool-level permissions, the audit and accountability family (AU) maps to tool invocation logging, the identification and authentication family (IA) maps to agent and server identity verification, and the system and communications protection family (SC) maps to network segmentation and encryption requirements. The AI RMF adds dimensions specific to AI systems: the Govern function requires establishing policies for AI system operation, the Map function requires identifying and documenting the AI system's context and risks, the Measure function requires assessing AI system trustworthiness, and the Manage function requires implementing controls to address identified risks. For MCP deployments, the AI RMF's emphasis on trustworthiness characteristics—valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair—provides a comprehensive lens through which to evaluate your agent system's behaviour. Combining 800-53 controls with AI RMF trustworthiness characteristics creates a robust compliance framework that addresses both traditional IT security and AI-specific risks.
- Start with a gap analysis mapping your current MCP controls to framework requirements
- Prioritise controls that satisfy multiple frameworks simultaneously
- Automate evidence collection through structured logging and monitoring
- Document AI-specific controls (prompt injection defences, output filtering) for auditors
- Schedule quarterly control effectiveness reviews aligned with audit cycles
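As an added example (not code from the original page or from any MCP project), here is the structured audit logging that the processing integrity criterion, ISO 27001 A.8.15 and the evidence-automation checklist item above call for: each tool invocation is written as a JSON-lines event tagged with the controls it evidences, and a completeness check flags the trails an auditor would reject (a validated request with no result, a result with no request, or a result whose parameters differ from what was validated). The record fields, the control tag format and the sample events are assumptions constructed for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Illustrative control tags: names come from this page, the tag format is an assumption.
CONTROL_TAGS = ["SOC2:processing-integrity", "ISO27001:A.8.15", "NIST800-53:AU"]

def audit_record(invocation_id, agent_id, tool, params, phase, status, ts=None):
    """One JSON-lines record. phase is 'request' (after parameter validation) or
    'result' (after output verification). Parameters are hashed, not copied."""
    digest = hashlib.sha256(json.dumps(params, sort_keys=True).encode()).hexdigest()
    return json.dumps({
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "invocation_id": invocation_id, "agent_id": agent_id, "tool": tool,
        "params_sha256": digest, "phase": phase, "status": status,
        "controls": CONTROL_TAGS,
    }, sort_keys=True)

def audit_gaps(lines):
    """Completeness check: every validated request has a result, every result has a
    request, and the hashes match across the pair. Returns {invocation_id: [reasons]}."""
    trails = {}
    for line in lines:
        rec = json.loads(line)
        trails.setdefault(rec["invocation_id"], {})[rec["phase"]] = rec
    gaps = {}
    for inv_id, phases in trails.items():
        req, res = phases.get("request"), phases.get("result")
        reasons = []
        if req is None:
            reasons.append("result logged without a validated request")
        elif req["status"] == "validated" and res is None:
            reasons.append("validated request has no result record")
        if req and res and req["params_sha256"] != res["params_sha256"]:
            reasons.append("parameter hash differs between request and result")
        if reasons:
            gaps[inv_id] = reasons
    return gaps

# Constructed sample log: a complete trail, a rejected request (no result expected),
# a validated request that never produced a result, and a result with altered parameters.
TS = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_LOG = [
    audit_record("inv-1", "agent-a", "read_file", {"path": "/data/q1.csv"}, "request", "validated", TS),
    audit_record("inv-1", "agent-a", "read_file", {"path": "/data/q1.csv"}, "result", "verified", TS),
    audit_record("inv-2", "agent-a", "run_query", {"table": "salaries"}, "request", "rejected", TS),
    audit_record("inv-3", "agent-b", "send_email", {"to": "ops@example.com"}, "request", "validated", TS),
    audit_record("inv-4", "agent-b", "read_file", {"path": "/data/a.csv"}, "request", "validated", TS),
    audit_record("inv-4", "agent-b", "read_file", {"path": "/data/b.csv"}, "result", "verified", TS),
]
```

Running `audit_gaps(SAMPLE_LOG)` reports only inv-3 and inv-4; the rejected request inv-2 is correctly treated as a complete trail because no result should follow a rejection.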