What is the UCS?
The Unified Certification Standard (UCS) audit for Cloud and Managed Service Providers was developed 9 years ago by the MSPAlliance as a way to a) provide a path of operational excellence for MSPs, and b) to distinguish those MSPs who were abiding by these best practices compared to those that were not.
Who Developed the UCS?
The MSPAlliance advisory board consisting of MSPs serving the large enterprise, mid-market, and SMB, saw a need to have a standard made specifically for MSPs. For over a year these MSPs worked on creating a standard for self regulation to ensure high quality and excellence in the managed services profession.
What is the difference between the UCS and MSAP?
The Managed Services Accreditation Program™ (MSAP) was the original name of the standard created nearly 8 years ago. The MSAP is now called the UCS, after the program went through a considerable review and change in 2011. The standard is largely the same, but now has considerably enhanced audit and reporting benefits previously not available with the MSAP.
How does the UCS differ from other so-called MSP and Cloud Certifications?
While other certifications, seals, etc, may simply require a provider to submit information and promise to adhere to some industry standards, the UCS certification requires all applicants to submit to a comprehensive audit and onsite facilities inspection. When MSPA first launched this accreditation and certification many years ago, the bar was firmly set high. All data is verified by third party auditors, so the accreditation validates the quality of a Managed Services practice and is an achievement any company can be proud of.
Does the UCS overlap with ISO 27001?
The UCS audit is based was developed utilizing many different components of other international standards, including control objectives unique to the MSPAlliance. These international components include the COSO framework, COBIT, ITIL, and ISO 27001. While the UCS does not include all of the control objectives or controls from any one of the standards referenced above, it does include the control objectives and controls deemed most critical to Cloud and Managed Service Providers by the MSPAlliance.
Does the UCS overlap with SSAE 16?
The UCS and SSAE 16 audits serve different purposes. The SSAE 16 audit is an auditor to auditor report, while the UCS is a public report. The two reports, for members that complete the UCS and SSAE 16 audits simulatneously, utilize the same control objectives with the exception of Financial Health which is not included in the SSAE 16 scope. Both audits use nearly identical testing protocols.
Furthermore, the UCS is an international standard and is recognized globally, whereas SSAE 16 is largely a US audit methodology. MSPAlliance can provide you with both the UCS and SSAE 16 audits and certifications.
Can the UCS be used for compliance purposes?
Absolutely. Because the UCS certification is also an audit, and performed by well trained IT auditors familiar with managed services and cloud computing models, and has a detailed audit report for each company that goes through the process, many MSPs and cloud organizations use the UCS audit report for compliance purposes. Because it is a public document, the UCS report also has the advantage of being used for sales and marketing purposes also.
If I have my vendor certifications do I still need the UCS?
Vendor certifications are very useful for determining a MSP’s skill in using a particular vendor’s product. For example, if you are skilled in using Microsoft products then achieving Microsoft Gold might be a worthy objective. However, by itself, vendor certifications are not enough. In fact, it can be potentially misleading to customers if the MSP only has vendor certifications and no other 3rd party certification or audit. Many MSPAlliance members who have have achieved our certifications also have other vendor certifications.
How do I know if my company needs the UCS?
There are many reasons why your company would want to go through the UCS audit process. Our industry is unregulated, which means end user customers have no real mechanism for determining who is a credible and qualified MSP. The UCS is a great tool for giving end user customers that assurance, while also giving the MSP guidance and comfort in knowing that their policies and procedures conform with industry best practices.
Is the UCS audit difficult to achieve?
Unlike taking a test, the UCS is not an exam that you pass or fail; it is an audit and certification. The hardest part of the UCS tends to be just getting started, but once MSPs go through the process, they tend to find it very helpful for making sure their managed services or cloud practice is running smoothly.
Is it true I can also get free consulting during the UCS audit?
Yes. MSPAlliance has an interest in making sure each company has a beneficial UCS experience. Because MSPAlliance does not charge by the hour, we can provide a great amount of information and consulting advice throughout the UCS audit process to help our MSPs achieve success and excellence. This advice can include pricing, documentation, security policies, operational benchmarks, and much more. If you have questions about how your firm can benefit from the UCS audit process, please ask us.
What are the steps involved in completing the UCS process?
- Complete the UCS application.
- Complete UCS data gathering document (during this phase MSPAlliance will work with your team to help complete this document)
- Audit team schedules visit to your facilities to perform testing
- UCS audit report is written by MSPAlliance and audit team, reviewed by MSP
- UCS certification is issued by MSPAlliance and UCS audit report is issued by auditor.