Unified Certification Standard for Cloud and Managed Service Providers

Unified Certification Standard for Cloud and Managed Service Providers v.23 

Objectives and Requirements 


The following UCS (Unified Certification Standard) Objectives and underlying Requirements will be used by the independent auditor to perform the necessary verification procedures to issue a report on the MSP/Cloud MSP seeking certification. In addition to being used by the independent auditor, these requirements can be used by the MSP to anticipate specific documentation and verification requirements that will likely arise during the examination process.  

This version of the UCS became effective on September 1, 2023. 

UCS Objective 1: Governance 

UCS Objective Summary and Purpose: The goal of the Governance Objective is to provide assurance to the Customer that the MSP has established a corporate and organizational structure designed to maximize efficiency, minimize risk, and provide sufficient oversight and accountability with regard to the services delivered. This objective also addresses external service provider management protocols of the MSP.

01.01 Organizational Structure

01.02 Strategic Planning

01.03 Risk Assessments

01.04 Software Licensing

01.05 External Service Provider Management

UCS Objective 2: Policies and Procedures 

UCS Objective Summary and Purpose:  The goal of the Policies and Procedures Objective is to ensure the MSP has documented the necessary policies and procedures in order to maintain effective service delivery levels, as well as to minimize deviation from those established policies and procedures. 

02.01 Documentation of Policies and Procedures

02.02 Data Breach and Cyber-Attack Policies and Procedures

02.03 Periodic Review and Approval 

02.04 Internal Audit

02.05 Employee Acceptance 

02.06 Training and Orientation

UCS Objective 3: Confidentiality, Privacy and Service Transparency 

UCS Objective Summary and Purpose:  The goal of the Confidentiality and Privacy Objective is to ensure the MSP has sufficient policies and procedures related to the protection and disclosure of Customer data, specifically protocols safeguarding confidentiality, privacy, geolocation of managed data (including external service provider managed data) and identification of applications utilized to deliver services.  

03.01 Employee Background Checks 

03.02 Employee Confidentiality and Privacy Acceptance

03.03 Data Classification and Encryption 

03.04 MSP Data Geolocation Disclosure

03.05 External Service Provider Geolocation Disclosure 

03.06 External Service Provider Access Management 

03.07 External Service Provider Access Disclosure 

UCS Objective 4: Change Management 

UCS Objective Summary and Purpose:  The goal of the Change Management Objective is to ensure the MSP has formalized change management policies and procedures that may include, if applicable, the modification of MSP and Customer configurations, capacity planning and patch management.  Customer change management policies are documented based on the level of services delivered to the Customer by the MSP. 

04.01 Configuration Documentation 

04.02 Service Level Categorization 

04.03 Internal Change Tracking 

04.04 Customer Change Tracking

04.05 Capacity Planning 

04.06 Patch Management 

UCS Objective 5: Service Operations Management 

UCS Objective Summary and Purpose: The Service Operations Management Objective deals with how the MSP identifies and responds to IT (Information Technology) related events that could impact services delivered to the Customer. In this UCS objective, the examination covers the MSP’s Network Operations Center (“NOC”), Trouble Ticketing systems and Service Desk operations specifically related to event management policies and procedures.

05.01 Centralized Operations Center 

05.02 Support and Problem Logging 

05.03 Categorization and Correlation 

05.04 Support and Problem Resolution 

05.05 Operations Monitoring 

UCS Objective 6: Information Security 

UCS Objective Summary and Purpose:  The goal of the Information Security Objective is to ensure the MSP has implemented necessary controls to effectively govern access to managed data, networks and systems that may compromise security of both the MSP and the Customer. This includes remote access policies, user account administration, authentication, wireless access, segregation of duties, network security scans and assessments, and the monitoring of access to Customer systems.  

06.01 Access to Applications and Environments

06.02 Super-User and Administrator Access Security 

06.03 Unique Users and Passwords

06.04 Revocation of Access 

06.05 Strong Passwords 

06.06 Segregation of Access

06.07 Periodic Review of Access Rights

06.08 Secure Remote Access

06.09 Network and Endpoint Security Management and Monitoring 

06.10 Email Security 

06.11 Antivirus 

06.12 Wireless Network Security 

06.13 Network Security Review

UCS Objective 7: Data and Device Management 

UCS Objective Summary and Purpose:  The goal of the Data Management Objective is to confirm the MSP has sufficient policies and procedures to ensure the integrity and availability of managed Customer and MSP internal data in the event of natural disasters, cyber-attacks (i.e., ransomware), and user error or malfeasance. This includes the implementation of data backup as well as encryption, security, retention, and restoration of managed Customer and MSP internal data.  

07.01 Customer Data Backup and Replication

07.02 MSP Data Backup and Replication 

07.03 Data Recovery Testing 

07.04 Disaster and Business Continuity Planning 

07.05 Internal Data Destruction 

07.06 Customer Data Destruction 

07.07 Device and Asset Management 

UCS Objective 8: Physical Security 

UCS Objective Summary and Purpose: The goal of the Physical Security Objective is to ensure the MSP has documented policies and procedures governing physical access and environmental security of the MSP’s assets. The MSP must demonstrate sufficient physical security controls at each facility, including controls such as physical access administration, card key, CCTV, on-site security, visitor/guest logs and other effective security and environmental controls.

08.01 Office Security 

08.02 Logging of Visitors 

08.03 Sensitive Area Security 

08.04 Revocation of Physical Access 

UCS Objective 9: Billing and Reporting 

UCS Objective Summary and Purpose: The goal of the Billing & Reporting Objective is to ensure the MSP is accurately monitoring service delivery, reporting, and invoicing for Customers following SLAs (service level agreements) signed by both parties.

09.01 Signed Contracts and Agreements

09.02 Accuracy of Service Invoices 

09.03 Report Availability

UCS Objective 10: Corporate Health 

UCS Objective Summary and Purpose: The goal of the Corporate Health Objective is to ensure sufficient corporate and financial health on the part of the MSP so that all of its Customers are adequately protected.  Technical proficiency is only part of the MSP’s value to the Customer.  The MSP must be on firm financial footing, as well as risk averse in a variety of areas unique to managed services and cloud in order to effectively deliver its services to the Customer. 

10.01 Operational Sustainability 

10.02 Significant Customer Risk 

10.03 Gross Profit Margin on Services 

10.04 Customer Commitments 

10.05 Insurance 

10.06 Customer and Employee Retention Tracking 

Copyright 2000 – 2024 MSPAlliance® – All Rights Reserved