Hosting & Infrastructure
ID | S29 |
---|---|
Version | 2.0.1 |
Type | Overarching Standard |
Status | Effective |
Effective Date | Jul 1, 2025 |
Contracting Vehicle(s) |
- 1 Introduction
- 2 Baseline Assurance Standard Requirements
- 2.1 NHS Cloud Hosting Standards & Guidance
- 2.2 The Authority's Associated Cloud Guidance Links:
- 2.2.1 Cloud Hosting Standards
- 2.3 Co-location and Provider Data Centre Hosting & Infrastructure Requirements
- 2.4 Scope
- 2.4.1 External Standards
- 2.4.2 Physical Aspects
- 2.4.3 IT Infrastructure
- 2.4.4 Servers
- 2.4.5 Network
- 2.4.6 Data Storage
- 2.4.7 Reporting & Documentation
- 2.4.8 Security
- 3 Further Requirements
- 3.1 Co-location and Provider Data Centre Hosting & Infrastructure Requirements
- 3.1.1 External Standards
- 3.1.2 Physical Aspects
- 3.1.3 Power
- 3.1.4 IT Infrastructure
- 3.1.5 Servers
- 3.1.6 Network
- 3.1.7 Management of Services and Infrastructure
- 3.1.8 Asset Management
- 3.1.9 Service Monitoring
- 3.1.10 Device Management
- 3.1.11 Data Storage
- 3.1.12 Reporting & Documentation
- 4 Additional Information
- 5 Roadmap
Introduction
This Standard supports best practices for the infrastructure and hosting of systems, for example ensuring that systems are cost effective, secure, reliable, resilient, safe, manageable and energy efficient.
It is essential that Solutions delivered under the Catalogue and Contracting Vehicles follow standards and guidance.
The previous GPSoC infrastructure requirements pulled together best practice from recognised standards and industry guidance; however, feedback from Suppliers and other stakeholders identified that these requirements were complex and challenging to evidence as part of the assurance process.
In addition, it is a Supplier's responsibility to ensure they fully understand industry standards and best practice; Suppliers cannot rely on the Authority explicitly defining requirements at a point in time. The previous requirements documents were developed at a point in time, and technology and security vulnerabilities change rapidly.
The UK Government continues to promote a Cloud First policy, with the adoption of public cloud hosting for health services having significantly matured in recent years. The technology strategy remains committed to delivering services via cloud-based solutions, with a strong emphasis on cloud-native architectures. However, the Authority acknowledges that cloud hosting may not be suitable for all services, particularly where data sensitivity, scale, or architectural constraints require alternative approaches.
Fundamentally there are three core options for hosting services:
Applicable Contracting Vehicle(s) | Hosting Option | Description | Preference Status | Level | Section |
All | Cloud – Public or Private | The Public / Private cloud provider offers self-managed virtualised, elastic/on demand scalable infrastructure as a service where the cloud provider owns the underlying datacentres and physical infrastructure. The Supplier rents the use of the virtualised infrastructure. | Strongly Preferred | Suppliers SHOULD host Solutions via one of these options. | |
| Colocation | The physical infrastructure is owned by the Supplier and hosting of the physical infrastructure is provided within the Colo provider's datacentres. The management of the infrastructure can be done by the Colo provider, a 3rd party or the Supplier themselves. | Preferred | | BAS - Co location & Provider Datacentre Standards; Further Requirements - Co location & Provider Datacentre Standards |
| Provider own facilities | The datacentres and physical infrastructure are owned by the Supplier. The management of the infrastructure can be done by a 3rd party or the Supplier themselves. | Not recommended | | |
The Authority does not recommend that Suppliers should attempt to host services themselves due to the cost and complexity of providing data centre capabilities that meet the necessary requirements.
Previously the GPSoC framework provided a set of requirements for local hosting of services. Given the security and service risks of this form of infrastructure, the Catalogue and Contracting Vehicles will not formally assure local hosting of services. Buyers purchasing services which are locally hosted will be required to satisfy themselves that the security and service risks are mitigated and managed appropriately.
The standards to support infrastructure and hosting are split into two sections, depending on the mechanism being deployed:
- Cloud – Based on published NHS wide risk assessments and guidance
- Co-Location / provider facilities – specific requirements & assurance processes
Baseline Assurance Standard Requirements
The Baseline Assurance Standard (BAS) provides a quicker risk-based assurance approach for Solutions; balancing safety against efficiency by combining a minimum set of essential Requirements from the DSIC Overarching Standards. Completing the BAS is the first step to achieving full assurance with the Overarching Standards allowing Supplier Solutions to be published on the Buying Catalogue. Upon meeting this Standard, Solutions are required to meet all the remaining Overarching Standards subject to the timelines laid out by the Authority.
All Baseline Assurance Requirements can be found here. Each Solution will be assigned a category of A, B or C that determines the level of assurance applied to that Solution. See the relevant category column to understand the assurance required for each Requirement. For information on Solution Categories see Solution Categories for Assurance in DSIC.
The following tables of Requirements are the Requirements in the Baseline Assurance Standard related to Hosting and Infrastructure.
NHS Cloud Hosting Standards & Guidance
The following is a summary of the "NHS and social care data: off-shoring and the use of public cloud services" gathered from cloud guidance information published by the Authority. It makes clear what evidence is to be sought from a Supplier, where it is deemed necessary to assure compliance with the 4 step process.
Some key points of note:
- All decisions in relation to the security of data are the responsibility of the data controller(s). Also, in many cases organisations will have a SIRO responsible for data and cyber security
- Where a professional body exists, there is certainly merit in seeking their approval for the migration of data to cloud, but ultimately the data controller remains the key approver
- Data Controllers need to understand the risks of moving to cloud, and any impact
- Data controllers must take into account the standard CIA triad (Confidentiality, Integrity, Availability), and also other relevant factors, including, but not limited to, cost, security, resilience, capability and funding
The Authority's Associated Cloud Guidance Links:
Applicable Contracting Vehicle(s) | ID | Requirement | Level | Category A | Category B | Category C |
Cloud Hosting Standards | ||||||
All | CH1.0 | Understand the data: All data managed by NHS and social care organisations should be treated as OFFICIAL or OFFICIAL-SENSITIVE data, in line with the Government Security Classification Policy. The Authority has further elaborated the very broad classifications. The Health and Social Care Cloud Risk Model is more granular than the Government Security Classification Policy. | must | Self-certification with Supporting Evidence. Supporting evidence to include: | Self-certification with Supporting Evidence. Supporting evidence to include: | Self-certification with Supporting Evidence. Supporting evidence to include: |
All | CH2.0 | Assess the Risks: The Authority's Health and Social Care data risk framework and associated data risk model are both used to establish the risk level of the data. Typically Personally Identifiable Data (PID) would be Level 5. Please refer to the link NHS and social care data: off-shoring and the use of public cloud services for latest versions of Cloud risk framework and Health and social care data risk model. | must | Self-certification with Supporting Evidence. Self-certification description to include: Supporting evidence to include: | Self-certification with Supporting Evidence. Self-certification description to include: Supporting evidence to include: | Self-certification with Supporting Evidence. Self-certification description to include: Supporting evidence to include: |
All | CH3.0 | Implement the appropriate controls: Care organisations, such as GPs, retain the data controller responsibilities and they are therefore ultimately responsible for ensuring that proportionate controls are put in place to mitigate all risks. The data controllers may rightly request to see these controls (proposed by the Supplier) before considering any migration to cloud. | must | Full Assessment. Self-certification description to include: Supporting evidence to include: Note: To submit this evidence, download and complete the Cloud Good Practice Guide template for the data classification level identified in CH2.0. | Self-certification with Supporting Evidence. Self-certification description to include: Supporting evidence to include: Note: To submit this evidence, download and complete the Cloud Good Practice Guide template for the data classification level identified in CH2.0. | Self-certification with Supporting Evidence. Self-certification description to include: Supporting evidence to include: Note: To submit this evidence, download and complete the Cloud Good Practice Guide template for the data classification level identified in CH2.0. |
All | CH4.0 | Monitoring the Implementation: All cloud providers take on data processor responsibilities, with Care organisations (e.g. GP practices) retaining the data controller responsibilities, and they must ensure the selected cloud provider remains fit for purpose. | must | Self-certification | Self-certification | Self-certification |
Co-location and Provider Data Centre Hosting & Infrastructure Requirements
Scope
The scope of this document covers the infrastructure requirements a Supplier must meet when providing services where a Supplier has co-located their service and infrastructure within a data centre provider's facilities or where the Supplier is using their own facilities. The requirements will cover a number of aspects including but not limited to:
- Provision of power and cooling
- Networking and IT Infrastructure
- Management of the Data Centre
- Physical presence of the data centre and the IT build processes
- Racks
- Mechanical and electrical plant
- Data Floor
- Operating Systems / Virtualisation
- Software (Solution Management)
- Business practices
- Security
For the avoidance of doubt, these requirements do not cover cloud provision.
Applicable Contracting Vehicle(s) | ID | Requirement | Level | Category A | Category B | Category C |
External Standards | ||||||
In addition to the below requirements the following standards (or equivalent) MUST be adhered to and where appropriate, accreditation achieved with a valid certificate and a Statement of Applicability (SoA) and documented scope provided. | ||||||
All | ES1.0 | NHS and social care data: off-shoring and the use of public cloud services guidance: The geographical location (or specific range of locations) of the clinical data at rest and service management activities at any given time are to be known and communicated to the Authority. Operating the Solution or elements of the Solution outside of England will be with the permission of the Authority, the data controllers and their representative organisations. Note: There are no absolute barriers to the off-shoring of data or services, although the requirements of UK Government IA policy must be able to be met in the overseas location. See Data Protection Act and Offshoring for statements on the offshoring of information. | MUST | Self-certification with Supporting Evidence. Supporting evidence could include: | Self-certification with Supporting Evidence. Supporting evidence could include: | Self-certification with Supporting Evidence. Supporting evidence could include: |
All | ES2.0 | Sanctions, embargoes and restrictions: The Supplier will require approval from the Authority for any part of the Solution that is hosted or communicates with services outside of England. The communication between systems will not be made to those countries or states prohibited by Government Policy. | MUST | Self-certification with Supporting Evidence. Supporting evidence could include: | Self-certification with Supporting Evidence. Supporting evidence could include: | Self-certification with Supporting Evidence. Supporting evidence could include: |
All | ES3.0 | Protect your organisation against cyber attacks. | MUST | Self-certification with Supporting Evidence. Supporting evidence to include: | Self-certification with Supporting Evidence. Supporting evidence to include: | Self-certification with Supporting Evidence. Supporting evidence to include: |
All | ES11.0 | General Data Protection Regulation (GDPR): The Guide to the UK GDPR explains the provisions of the UK GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection. The UK GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25 May 2018. | MUST | Self-certification with Supporting Evidence. Supporting evidence could include: | Self-certification with Supporting Evidence. Supporting evidence could include: | Self-certification with Supporting Evidence. Supporting evidence could include: |
Physical Aspects | ||||||
This section is concerned with the physical aspects of a Data Centre including where the Data Centre is located, some of its physical attributes and factors near that data centre which could affect its operation and security. | ||||||
| HPA32.0 | Data Centre - declaration of Resilience: The Supplier’s Solution will provide at a minimum two geographically separate physical locations to hold the data and capability to run the services. The distance between the two locations will be such that they cannot both be affected by concurrent loss due to overlapping items on the Location Risk Assessment. | MUST | Self-certification | Self-certification | Self-certification |
IT Infrastructure | ||||||
This section is concerned with the physical infrastructure that makes up the service, how it is built and the policies around its setup. | ||||||
| HI13.0 | Live Service Separation: The Supplier will ensure that Live environments are segregated from the development activity by using processors, virtual servers, domains and partitions that are not in use by live and by storing development utilities away from the live environment. | MUST | Self-certification | Self-certification | Self-certification |
Servers | ||||||
This section is concerned with servers that provide clinical applications, including operating systems and use of virtualisation. | ||||||
| HS20.0 | Server Operational Design: Application Security: The Supplier will ensure that servers are configured to disable or restrict: | MUST | Self-certification | Self-certification | Self-certification |
Network | ||||||
This section covers the use of networks in the provision of the Supplier’s service. The NHS Wide Area Network is now known as HSCN; referred to as the “NHS Network” below. The Health and Social Care Network (HSCN) is the successor to N3. In 2018 N3 was already closed to new implementations when The Authority published its 'Internet First' strategy. The strategy mandates that health systems should be designed to use the Internet rather than HSCN. | ||||||
All | HNT1.0 | External Networking: The Supplier’s data centre to be connected to the Internet and the NHS Network, for clinical services holding PID that are accessed from either an Internet or NHS Network attached end point. | MUST | Self-certification | Self-certification | Self-certification |
All | HNT7.0 | Data Centre Network Resilience: The data centre will have dual Internet and dual NHS Network connections via two exchanges, where available. | MUST | Self-certification | Self-certification | Self-certification |
Data Storage | ||||||
This section is concerned with how data is protected when a failure occurs within the Solution. This covers both clinical and non-clinical data. | ||||||
All | HDP1.0 | Data Access Protection: The Supplier to ensure protection of clinical data at the storage level through the use of RAID, block snapshot, replication or mirroring technology within a single data centre / data hall. | MUST | Self-certification | Self-certification | Self-certification |
All | HDP2.0 | Data Loss protection: The Supplier to ensure clinical data is protected using methods against up to two disk or media failures, within any one device configuration offering a discrete storage service. | MUST | Self-certification | Self-certification | Self-certification |
All | HDP3.0 | Data Integrity Implementation: The Supplier will provide Transactional Integrity for clinical data by the use of a 2nd physical location for storing of data. Note: The 2nd site could be a DR Site, Active 2nd site or a site used for storage replication. | MUST | Self-certification | Self-certification | Self-certification |
All | HDP5.0 | Data Handling Conformance: The clinical data transferred to additional locations will be stored in accordance with the Authority’s data handling policies. | MUST | Self-certification | Self-certification | Self-certification |
All | HDP6.0 | Data Integrity Approach: The Supplier’s approach to Transaction Integrity, securing data to at least two separate physical locations, to be communicated to and assured by the Authority at the Supplier’s design stage. | MUST | Self-certification | Self-certification | Self-certification |
All | HDP9.0 | Data Replication: The Supplier will ensure that the clinical data applied to the primary site and sent to the 2nd site is processed in the time order in which the data was applied to the primary site, thus ensuring a consistent data set across the two sites and maintaining the application integrity. | MUST | Self-certification | Self-certification | Self-certification |
Reporting & Documentation | ||||||
All | HD1.0 | Documentation: The Supplier will provide documentation which represents the non-functional technical architecture of the Solution, including but not limited to: data centre design, local and wide network architecture, and physical technology models. Documentation should include diagrams, and associated textual descriptions, as necessary to enable effective assurance of key Solution aspects as noted below: Note: Document artefacts to be concise with a preference for diagrammatical form where the Supplier utilises as much of their own internal documentation as possible to reduce extra document production. | MUST | Self-certification with Supporting Evidence. Supporting evidence to include: | Self-certification with Supporting Evidence. Supporting evidence to include: | Self-certification with Supporting Evidence. Supporting evidence to include: |
Security | ||||||
This section is concerned with how data is protected when a failure occurs within the Solution. This covers both clinical and non-clinical data. | ||||||
All | SEC1.0 | The Supplier will comply with all requirements in the "Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security" file. | MUST | Refer to “Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security” file for details. | Refer to “Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security” file for details. | Refer to “Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security” file for details. |
Further Requirements
Suppliers must complete assurance for these Requirements in addition to Requirements in the Baseline Assurance Standard in order to achieve full compliance with the Hosting and Infrastructure Standard. Suppliers can complete these at the same time as requirements within the Baseline Assurance Standard or following the publication on the Buying Catalogue subject to meeting the timelines laid out by the Authority.
Co-location and Provider Data Centre Hosting & Infrastructure Requirements
Applicable Contracting Vehicle(s) | ID | Requirement | Level | Category A | Category B | Category C |
External Standards | ||||||
In addition to the below requirements the following standards (or equivalent) MUST be adhered to and where appropriate, accreditation achieved with a valid certificate and a Statement of Applicability (SoA) and documented scope provided. | ||||||
All | ES4.0 | ISO 27001 - IT Security Management Systems: ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organisations, regardless of type, size or nature. Note: This requirement is only applicable to Suppliers whose Solution is hosted by a non-pre-accredited third party. | MUST | Self-certification with Supporting Evidence. Supporting evidence to include: | Self-certification with Supporting Evidence. Supporting evidence to include: | Self-certification with Supporting Evidence. Supporting evidence to include: |
| ES7.0 | ISO 14001 Environmental management systems: ISO 14001:2015 specifies the requirements for an environmental management system that an organisation can use to enhance its environmental performance. ISO 14001:2015 is intended for use by an organisation seeking to manage its environmental responsibilities in a systematic manner that contributes to the environmental pillar of sustainability. ISO 14001:2015 helps an organisation achieve the intended outcomes of its environmental management system, which provide value for the environment, the organisation itself and interested parties. Consistent with the organisation's environmental policy, the intended outcomes of an environmental management system include: enhancement of environmental performance; fulfilment of compliance obligations; achievement of environmental objectives. ISO 14001:2015 is applicable to any organisation, regardless of size, type and nature, and applies to the environmental aspects of its activities, products and services that the organisation determines it can either control or influence considering a life cycle perspective. ISO 14001:2015 does not state specific environmental performance criteria. ISO 14001:2015 can be used in whole or in part to systematically improve environmental management. Claims of conformity to ISO 14001:2015, however, are not acceptable unless all its requirements are incorporated into an organisation's environmental management system and fulfilled without exclusion. | may | Self-certification with Supporting Evidence. Supporting evidence to include one of the following: Note: If your Solution is being hosted by a 3rd party data centre provider, then the above evidence should be in relation to the data centre provider. | Self-certification with Supporting Evidence. Supporting evidence to include one of the following: Note: If your Solution is being hosted by a 3rd party data centre provider, then the above evidence should be in relation to the data centre provider. | Self-certification with Supporting Evidence. Supporting evidence to include one of the following: Note: If your Solution is being hosted by a 3rd party data centre provider, then the above evidence should be in relation to the data centre provider. |
| ES8.0 | ISO 50001 Energy management systems: This document specifies requirements for establishing, implementing, maintaining and improving an energy management system (EnMS). The intended outcome is to enable an organisation to follow a systematic approach in achieving continual improvement of energy performance and the EnMS. This document: a) is applicable to any organisation regardless of its type, size, complexity, geographical location, organisational culture or the products and services it provides; b) is applicable to activities affecting energy performance that are managed and controlled by the organisation; c) is applicable irrespective of the quantity, use, or types of energy consumed; d) requires demonstration of continual energy performance improvement, but does not define levels of energy performance improvement to be achieved; e) can be used independently, or be aligned or integrated with other management systems. Annex A provides guidance for the use of this document. Annex B provides a comparison of this edition with the previous edition. | may | Self-certification with Supporting Evidence. Supporting evidence to include one of the following: |