On behalf of all of us at Scalar, I’m excited to announce that Scalar has achieved SOC 2 certification of our Managed Infrastructure portfolio. I’d like to take a few minutes to outline what the certification means, why we sought certification in the first place, and what it means to our customers (both current and future).
What is SOC 2?
Over the past ten to twenty years, the growth of outsourcing has fueled the need for a common standard of operational performance for Managed Service Providers (MSPs). Basically, customers wanted some tangible way of verifying whether their MSP was operating with strong processes and generally “running a tight ship”. Since it’s not terribly effective for each individual customer to conduct their own custom audit of their MSP (either for the customer or for the MSP), third-party auditors developed over time a standard that could be applied consistently and widely understood.
While many versions of the standards have existed over time (many readers will be familiar with the SAS 70 audit standard), SOC 2 represents the latest version of the standard and was specifically designed (unlike SAS 70) for IT services firms. It contains 5 specific trust principles which target various elements of service delivery, and providers can choose those trust principles that are most relevant to the service they provide. For Scalar’s part, we chose Security and Availability as those are foundational to the infrastructure services we deliver to our customers.
Back in 2011, Deloitte wrote “We expect that with SOC 2 reports, at least for the first several years, it may be more difficult to obtain an unqualified opinion than legacy SAS 70 reports. The standards set by the AICPA’s Trust Principles are high ones, and many organizations will need to increase their rigour around internal controls.” This is just one reason why Scalar is proud to be the first managed services infrastructure provider to achieve SOC 2 under the Security and Availability trust principles. While there are several managed hosting providers in Canada that have achieved SOC 2 certification, we are the first non-hosting provider to complete an audit against its managed infrastructure business.
Why did Scalar pursue this certification?
Scalar sought a SOC 2 certification for two reasons. First, our customers wanted us to demonstrate that we were following the processes necessary to deliver stringent uptime and service level requirements. Second, we recognized an increasing need for compliance with third-party audits, particularly in heavily regulated industries (finance, insurance, healthcare, government). Our customers were being audited and were asking that we help them make their own audits easier by meeting the same standards sought by their regulators. We continually strive to deliver a superior service experience – a SOC 2 audit allowed us to extend that service beyond infrastructure and into risk and compliance.
What’s the value for Scalar’s current and future managed service customers?
There are a number of practical benefits to working with Scalar’s Managed Infrastructure team.
- Audits are easier! Audits aren’t ever easy, but having a managed service provider that already meets the needs of your auditor will make at least one part of the process go that much more smoothly. Take it from Michael Werneburg, Director of Business Risk and Opportunity at PortfolioAid, a long-time Scalar customer. “Scalar’s SOC 2 report makes our own audit process significantly smoother and faster. We identified this need with Scalar over a year ago, and we couldn’t be happier that they stepped up and delivered.”
- Your compliance program will be less expensive – If your auditor is requiring that you establish and meet certain delivery criteria, outsourcing your IT operations to Scalar can save you the trouble and cost of building that program in your own company. We’ve already done the work.
- Demonstrated operational rigour – The criteria in the AICPA’s SOC 2 Security and Availability trust principles cover an extensive and comprehensive list of IT service delivery issues. In all, Scalar has to demonstrate compliance in over 120 different areas including backups, monitoring, logical and physical access, change management, incident management, security, and many others.
- Ongoing operational performance – Not only is the list of criteria comprehensive, but it’s also measured over a period of time. Our first report covered 4 months, and subsequent audits will be conducted annually to ensure that we’re continuing to consistently meet the evolving requirements of the program.
- Higher levels of performance and response – While the criteria established in the SOC 2 framework don’t specifically establish levels of, say, infrastructure redundancy (e.g. it does not say “All servers require RAID5 hard drive configurations”), they do demonstrate that your provider is delivering a well-managed service. It shows that the provider has established and adheres to tight policies, meets those policies over a period of time, and can prove it to an independent third party (Deloitte LLP in our case). I would argue that over time, that’s more likely to lead to a service that’s more reliable and more consistent.
We believe that there’s tremendous value in this certification, and we further believe that it clearly demonstrates just how committed we are at Scalar to delivering a high quality IT outsourcing experience. We’re thrilled that all of our current managed infrastructure customers can now leverage this report to help meet their audit and compliance needs. We’d love the opportunity to discuss with new potential customers how this can be used to help them solve their business challenges. Please reach out to Scalar and let us know how we can help.