ID	S29
Version	2.0.1
Type	Overarching Standard
Status	Effective
Effective Date	Jul 1, 2025
Contracting Vehicle(s)	GP IT Futures Tech Innovation DFOCVC Vaccinations - Local/PCN Delivery

1 Introduction
2 Baseline Assurance Standard Requirements
- 2.1 NHS Cloud Hosting Standards & Guidance
- 2.2 The Authority's Associated Cloud Guidance Links:
  - 2.2.1 Cloud Hosting Standards
- 2.3 Co-location and Provider Data Centre Hosting & Infrastructure Requirements
- 2.4 Scope
  - 2.4.1 External Standards
  - 2.4.2 Physical Aspects
  - 2.4.3 IT Infrastructure
  - 2.4.4 Servers
  - 2.4.5 Network
  - 2.4.6 Data Storage
  - 2.4.7 Reporting & Documentation
  - 2.4.8 Security
3 Further Requirements
- 3.1 Co-location and Provider Data Centre Hosting & Infrastructure Requirements
  - 3.1.1 External Standards
  - 3.1.2 Physical Aspects
  - 3.1.3 Power
  - 3.1.4 IT Infrastructure
  - 3.1.5 Servers
  - 3.1.6 Network
  - 3.1.7 Management of Services and Infrastructure
  - 3.1.8 Asset Management
  - 3.1.9 Service Monitoring
  - 3.1.10 Device Management
  - 3.1.11 Data Storage
  - 3.1.12 Reporting & Documentation
4 Additional Information
5 Roadmap

Introduction

Supports best practices for infrastructure and hosting of systems. For example, ensuring that systems are cost effective, secure, reliable, resilient, safe, manageable and energy efficient.

It is essential that Solutions delivered under the Catalogue and Contracting Vehicles follow standards and guidance.

The previous GPSoC infrastructure requirements pulled together best practice from recognised standards and industry guidance, however, feedback from Suppliers and other stakeholders identified that these requirements were complex and challenging to evidence as part of the assurance process.

In addition it is a Supplier's responsibility to ensure they fully understand industry standards & best practice and cannot rely on The Authority explicitly defining requirements at a point in time. The previous requirements documents were developed at a point in time and technology and security vulnerabilities change rapidly.

The UK Government continues to promote a Cloud First policy, with the adoption of public cloud hosting for health services having significantly matured in recent years. The technology strategy remains committed to delivering services via cloud-based solutions, with a strong emphasis on cloud-native architectures. However, the Authority acknowledges that cloud hosting may not be suitable for all services, particularly where data sensitivity, scale, or architectural constraints require alternative approaches.

Fundamentally there are three core options for hosting services:-

Applicable Contracting Vehicle(s)	Hosting Option	Description	Preference Status	Level	Section
All	Cloud – Public or Private	The Public / Private cloud provider offers self-managed virtualised, elastic/on demand scalable infrastructure as a service where the cloud provider owns the underlying datacentres and physical infrastructure. The Supplier rents the use of the virtualised infrastructure.	Strongly Preferred	Suppliers SHOULDhost Solutions via one of these options.	NHS Cloud Hosting Standards & Guidance
GP IT Futures DFOCVC Vaccinations - Local/PCN Delivery	Colocation	The physical infrastructure is owned by the Supplier and hosting of the physical infrastructure is provided within the Colo providers datacentres, the management of the infrastructure can be done by the Colo provider, a 3^rd party or the Supplier themselves.	Preferred		BAS - Co location & Provider Datacentre Standards Further Requirements - Co location & Provider Datacentre Standards
GP IT Futures DFOCVC Vaccinations - Local/PCN Delivery	Provider own facilities	The datacentres and physical infrastructure are owned by the Supplier. The management of the infrastructure can be done by a 3^rd party or the Supplier themselves.	Not recommended

The Authority does not recommend that Suppliers should attempt to host services themselves due to the cost and complexity of providing data centre capabilities that meet the necessary requirements.

Previously the GPSoC framework provided a set of requirements for local hosting of services. Given the security and service risks of this form of infrastructure the Catalogue and Contracting Vehicles will not formally assure local hosting of services. Buyers purchasing services which are locally hosted will be required to satisfy themselves that the security and service risks are mitigated and managed appropriately.

The standards to support infrastructure and hosting are split into two sections, depending on the mechanism being deployed:-

Cloud – Based on published NHS wide risk assessments and guidance
Co-Location / provider facilities – specific requirements & assurance processes

Baseline Assurance Standard Requirements

The Baseline Assurance Standard (BAS) provides a quicker risk-based assurance approach for Solutions; balancing safety against efficiency by combining a minimum set of essential Requirements from the DSIC Overarching Standards. Completing the BAS is the first step to achieving full assurance with the Overarching Standards allowing Supplier Solutions to be published on the Buying Catalogue. Upon meeting this Standard, Solutions are required to meet all the remaining Overarching Standards subject to the timelines laid out by the Authority.

All Baseline Assurance Requirements can be found here. Each Solution will be assigned a category of A, B or C that determines the level of assurance applied to that Solution. See the relevant category column to understand the assurance required for each Requirement. For information on Solution Categories see Solution Categories for Assurance in DSIC.

The following tables of Requirements are the Requirements in the Baseline Assurance Standard related to Hosting and Infrastructure.

NHS Cloud Hosting Standards & Guidance

The following is a summary of the "NHS and social care data: off-shoring and the use of public cloud services" gathered from cloud guidance information published by the Authority. It makes clear what evidence is to be sought from a Supplier, where it is deemed necessary to assure compliance with the 4 step process.

Some key points of note:

All decisions in relation to the security of data are the responsibility of the data controller(s). Also, in many cases organisations will have a SIRO responsible for data and cyber security
Where a professional body exists, there is certainly merit in seeking their approval for the migration of data to cloud, but ultimately the data controller remains the key approver
Data Controllers need to understand the risks of moving to cloud, and any impact
Data controllers must take into account the standard CIA triad (Confidentiality, Integrity, Availability), and also other relevant factors, including, but not limited to, cost, security, resilience, capability and funding

The Authority's Associated Cloud Guidance Links:

NHS and social care data: off-shoring and the use of public cloud services

Applicable Contracting Vehicle(s)	ID	Requirement	Level	Category A	Category B	Category C
Cloud Hosting Standards
All	CH1.0	Understand the data All data managed by NHS and social care organisations should be treated as OFFICIAL or OFFICIAL-SENSITIVE data, in line with the Government Security Classification Policy. The Authority has further elaborated the very broad classifications. The Health and Social Care Cloud Risk Model is more granular than the Government Security Classification Policy.	must	Self-certification with Supporting Evidence Supporting evidence to include: A data dictionary or equivalent document which evidences that you have: Identified all data, data types and attributes. Assessed the data against the model. Binary objects identified within the data set, such as JPEG, PDF, etc, and can still be classified by their content. An understanding of the percentage splits between data types, which may alter the overall classification.	Self-certification with Supporting Evidence Supporting evidence to include: A data dictionary or equivalent document which evidences that you have: Identified all data, data types and attributes. Assessed the data against the model. Binary objects identified within the data set, such as JPEG, PDF, etc, and can still be classified by their content. An understanding of the percentage splits between data types, which may alter the overall classification.	Self-certification with Supporting Evidence Supporting evidence to include: A data dictionary or equivalent document which evidences that you have: Identified all data, data types and attributes. Assessed the data against the model. Binary objects identified within the data set, such as JPEG, PDF, etc, and can still be classified by their content. An understanding of the percentage splits between data types, which may alter the overall classification.
All	CH2.0	Assess the Risks The Authority's Health and Social Care data risk framework and associated data risk model are both used to establish the risk level of the data. Typically Personally Identifiable Data (PID) would be Level 5. Please refer to the link NHS and social care data: off-shoring and the use of public cloud services for latest versions of Cloud risk framework and Health and social care data risk model.	must	Self-certification with Supporting Evidence Self-certification description to include: A statement to support the selection of classification as per the Health and Social Care Cloud Risk Framework. Supporting evidence to include: A completed Health and Social Care Data Risk Model indicating the risk level established from the data detailed in CH1.0.	Self-certification with Supporting Evidence Self-certification description to include: A statement to support the selection of classification as per the Health and Social Care Cloud Risk Framework. Supporting evidence to include: A completed Health and Social Care Data Risk Model indicating the risk level established from the data detailed in CH1.0.	Self-certification with Supporting Evidence Self-certification description to include: A statement to support the selection of classification as per the Health and Social Care Cloud Risk Framework. Supporting evidence to include: A completed Health and Social Care Data Risk Model indicating the risk level established from the data detailed in CH1.0.
All	CH3.0	Implement the appropriate controls Care organisations, such as GPs, retain the data controller responsibilities and they are therefore ultimately responsible for ensuring that proportionate controls are put in place to mitigate all risks. The data controllers may rightly request to see these controls (proposed by the Supplier) before considering any migration to cloud.	must	Full Assessment Self-certification description to include: Confirmation that where there are many data controllers using a Solution (e.g. GP system), the communication strategy to inform all data controllers of any data risks identified will be made available to the Authority prior to implementation. Confirmation that a Data Protection Impact Assessment (DPIA) has been completed and will be provided to the Authority if requested. Confirmation that the relevant data protection legislation is adhered to. Supporting evidence to include: Documentation or statements that cover all aspects listed within Section 8. Appendix A - detailed advice and guidance of NHS and social care data: off-shoring and the use of public cloud services. Note: To submit this evidence, download and complete the Cloud Good Practice Guide template for the data classification level identified in CH2.0.	Self-certification with Supporting Evidence Self-certification description to include: Confirmation that where there are many data controllers using a Solution (e.g. GP system), the communication strategy to inform all data controllers of any data risks identified will be made available to the Authority prior to implementation. Confirmation that a Data Protection Impact Assessment (DPIA) has been completed and will be provided to the Authority if requested. Confirmation that the relevant data protection legislation is adhered to. Supporting evidence to include: Documentation or statements that cover all aspects listed within Section 8. Appendix A - detailed advice and guidance of NHS and social care data: off-shoring and the use of public cloud services. Note: To submit this evidence, download and complete the Cloud Good Practice Guide template for the data classification level identified in CH2.0.	Self-certification with Supporting Evidence Self-certification description to include: Confirmation that where there are many data controllers using a Solution (e.g. GP system), the communication strategy to inform all data controllers of any data risks identified will be made available to the Authority prior to implementation. Confirmation that a Data Protection Impact Assessment (DPIA) has been completed and will be provided to the Authority if requested. Confirmation that the relevant data protection legislation is adhered to. Supporting evidence to include: Documentation or statements that cover all aspects listed within Section 8. Appendix A - detailed advice and guidance of NHS and social care data: off-shoring and the use of public cloud services. Note: To submit this evidence, download and complete the Cloud Good Practice Guide template for the data classification level identified in CH2.0.
All	CH4.0	Monitoring the Implementation All cloud providers take on data processor responsibilities, with Care organisations (e.g. GP practices) retaining the data controller responsibilities, and they must ensure the selected cloud provider remains fit for purpose.	must	Self-certification	Self-certification	Self-certification

Co-location and Provider Data Centre Hosting & Infrastructure Requirements

Scope

The scope of this document covers the infrastructure requirements a Supplier must meet when providing services where a Supplier has co located their service & infrastructure within a data centre providers facilities OR where the Supplier is using their own facilities. The requirements will cover a number of aspects including but not limited to:

Provision of power and cooling
Networking and IT Infrastructure
Management of the Data Centre
Physical presence of the data centre and the IT build processes
Racks
Mechanical and electrical plant
Data Floor
Operating Systems / Virtualisation
Software (Solution Management)
Business practices
Security

For the avoidance of doubt these requirements do not cover cloud provision.

Applicable Contracting Vehicle(s)	ID	Requirement	Level	Category A	Category B	Category C
External Standards
In addition to the below requirements the following standards (or equivalent) MUST be adhered to and where appropriate, accreditation achieved with a valid certificate and a Statement of Applicability (SoA) and documented scope provided.
All	ES1.0	NHS and social care data: off-shoring and the use of public cloud services guidance The geographical location (or specific range of locations) of the clinical data at rest and service management activities at any given time are to be known and communicated to the Authority. Operating the Solution or elements of the Solution outside of England will be with the permission of the Authority, the data controllers and their representative organisations. Note: There are no absolute barriers to the off-shoring of data or services, although the requirements of UK Government IA policy must be able to be met in the overseas location. See Data Protection Act and Offshoring for statements on the offshoring of information.	MUST	Self-certification with Supporting Evidence Supporting evidence could include: Documentation of the geographical location(s) of the clinical data at rest and the related service management activities. Documentation of communication /notification of the clinical data at rest and the related service management activities to the Authority. If operation of the Solution, or elements of the Solution is/are outside of England, provide documented permission from the Authority, data controllers and their representative organisations.	Self-certification with Supporting Evidence Supporting evidence could include: Documentation of the geographical location(s) of the clinical data at rest and the related service management activities. Documentation of communication /notification of the clinical data at rest and the related service management activities to the relevant Authority. If operation of the Solution, or elements of the Solution is/are outside of England provide documented permission from the Authority, data controllers and their representative organisations.	Self-certification with Supporting Evidence Supporting evidence could include: Documentation of the geographical location(s) of the clinical data at rest and the related service management activities. Documentation of communication /notification of the clinical data at rest and the related service management activities to the relevant Authority. If operation of the Solution, or elements of the Solution is/are outside of England provide documented permission from the Authority, data controllers and their representative organisations.
All	ES2.0	Sanctions, embargoes and restrictions The Supplier will require approval from the Authority for any part of the Solution that is hosted or communicates with services outside of England. The communication between systems will not be made to those countries or states prohibited by Government Policy.	MUST	Self-certification with Supporting Evidence Supporting evidence could include: Documented approval from the Authority for any part of the Solution that is hosted outside of England. Documented approval from the Authority for any part of the Solution that communicates with services outside of England. Documented confirmation that any communication between systems will not be made to those countries or states prohibited by Government Policy.	Self-certification with Supporting Evidence Supporting evidence could include: Documented approval from the Authority for any part of the Solution that is hosted outside of England. Documented approval from the Authority for any part of the Solution that communicates with services outside of England. Documented confirmation that any communication between systems will not be made to those countries or states prohibited by Government Policy.	Self-certification with Supporting Evidence Supporting evidence could include: Documented approval from the Authority for any part of the Solution that is hosted outside of England. Documented approval from the Authority for any part of the Solution that communicates with services outside of England. Documented confirmation that any communication between systems will not be made to those countries or states prohibited by Government Policy.
All	ES3.0	Cyber Essentials Plus Protect your organisation against cyber attacks. Cyber Essentials helps you to guard against the most common cyber threats and demonstrate your commitment to cyber security.	MUST	Self-certification with Supporting Evidence Supporting evidence to include: A valid Cyber Essentials Plus Certificate.	Self-certification with Supporting Evidence Supporting evidence to include: A valid Cyber Essentials Plus Certificate.	Self-certification with Supporting Evidence Supporting evidence to include: A valid Cyber Essentials Plus Certificate.
All	ES11.0	General Data Protection Regulation General Data Protection Regulation (GDPR) The Guide to the UK GDPR explains the provisions of the UK GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection. The UK GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25 May 2018.	MUST	Self-certification with Supporting Evidence Supporting evidence could include: GDPR compliance certificate if available.	Self-certification with Supporting Evidence Supporting evidence could include: GDPR compliance certificate if available.	Self-certification with Supporting Evidence Supporting evidence could include: GDPR compliance certificate if available.
Physical Aspects
This section is concerned with the physical aspects of a Data Centre including where the Data Centre is located, some of its physical attributes and factors near that data centre which could affect its operation and security.
GP IT Futures DFOCVC Vaccinations - Local/PCN Delivery	HPA32.0	Data Centre - declaration of Resilience: The Supplier’s Solution will provide at a minimum two separate geographically physical locations to hold the data and capability to run the services. The distance between the two locations will be such that they cannot both be affected by concurrent loss due to overlapping items on the Location Risk Assessment.	MUST	Self-certification	Self-certification	Self-certification
IT Infrastructure
This section is concerned with the physical infrastructure that makes up the service, how it is built and the policies around its setup.
GP IT Futures DFOCVC Vaccinations - Local/PCN Delivery	HI13.0	Live Service Separation: The Supplier will ensure that Live environments are segregated from the development activity by using processors, virtual servers, domains and partitions that are not in use by live and by storing development utilities away from the live environment.	MUST	Self-certification	Self-certification	Self-certification
Servers
This section is concerned with servers that provide clinical applications, including operating systems and use of virtualisation.
GP IT Futures DFOCVC Vaccinations - Local/PCN Delivery	HS20.0	Server Operational Design: Application Security: The Supplier will ensure that servers are configured to disable or restrict: non-essential or redundant services (e.g. X Windows, Open Windows, fingered and web browsers) communication services that are inherently susceptible to abuse (e.g. tftp, RPC, rlogin, rsh or rexec) communication protocols that are prone to abuse, where not required (e.g. HTTP, HTTPS, SSH, FTP, SMTP, Telnet and UUCP) execute permissions on sensitive commands or scripts (e.g. rlogin, rcp, rsh, remsh, tstp and trtp) powerful utilities (e.g. Windows ‘Registry Editor’) or ‘control panels’ run commands or command processors (e.g. Perl or Tcl)	MUST	Self-certification	Self-certification	Self-certification
Network
This section covers the use of networks in the provision of the Supplier’s service. The NHS Wide Area Network is now known as HSCN; referred to as the “NHS Network” below. The Health and Social Care Network (HSCN) is the successor to N3. In 2018 N3 was already closed to new implementations when The Authority published its 'Internet First' strategy. The strategy mandates that health systems should be designed to use the Internet rather than HSCN.
All	HNT1.0	External Networking: The Supplier’s data centre to be connected to the Internet and the NHS Network, for clinical services holding PID that are accessed from either an Internet or NHS Network attached end point.	MUST	Self-certification	Self-certification	Self-certification
All	HNT7.0	Data Centre Network Resilience: The data centre will have dual Internet and dual NHS Network connections via two exchanges, where available.	MUST	Self-certification	Self-certification	Self-certification
Data Storage
This section is concerned with how data is protected when a failure occurs within the Solution. This covers both clinical and non-clinical data.
All	HDP1.0	Data Access Protection: The Supplier to ensure protection of clinical data at the storage level through the use of RAID, block snapshot, replication or mirroring technology within a single data centre / data hall.	MUST	Self-certification	Self-certification	Self-certification
All	HDP2.0	Data Loss protection: The Supplier to ensure clinical data is protected using methods against up to two disk or media failures, within any one device configuration offering a discrete storage service.	MUST	Self-certification	Self-certification	Self-certification
All	HDP3.0	Data Integrity Implementation: The Supplier will provide Transactional Integrity for clinical data by the use of a 2nd physical location for storing of data. Note: The 2nd site could be a DR Site, Active 2nd site or a site used for storage replication.	MUST	Self-certification	Self-certification	Self-certification
All	HDP5.0	Data Handling Conformance: The clinical data transferred to additional locations will be stored in accordance of the Authority’s data handling policies.	MUST	Self-certification	Self-certification	Self-certification
All	HDP6.0	Data Integrity Approach: The Supplier’s approach to Transaction Integrity to securing data to at least two separate physical locations to be communicated to and assured by the Authority at the Suppliers design stage.	MUST	Self-certification	Self-certification	Self-certification
All	HDP9.0	Data Replication: The Supplier will ensure that the clinical data applied to the primary site and sent to the 2nd site is processed in time order of how the data was applied to the primary site. Thus ensuring a consistent data set across the two sites and to maintain the application integrity.	MUST	Self-certification	Self-certification	Self-certification
Reporting & Documentation
All	HD1.0	Documentation: The Supplier will provide documentation which represents the non-functional technical architecture of the Solution, including but not limited to: data centre design, local and wide network architecture, and physical technology models. Documentation should include diagrams, and associated textual descriptions, as necessary to enable effective assurance of key Solution aspects as noted below: Non-Functional Specification Defines the non-functional aspects of the system including but not limited to: Details of any relevant contract service schedule(s) Business continuity and disaster recovery design Data Centre resilience design Backup and Recovery Processes Configuration Management including identification, control and verification Performance monitoring design including categorisation of transactions and design of monitoring software including links into the Authority Solutions where relevant e.g. National Monitoring System (NMS) Overall systems security design Migration design showing design for process and data, details of any tools developed to support migration, details of duration and outages required to perform migration and data cleansing strategy Capacity management design incorporating an indicative sizing model, a business transaction data forecast, an impact assessment on existing infrastructure and a baseline capacity plan Availability Management design, including Component Failure Impact Assessment and monitoring Services impact assessment including expected service management processes, helpdesk, maintenance, performance management and reporting changes Support Model design, including dependencies on third parties (including NHS National Service Desk), support hours, escalation model and incident severity guidelines Note: Document artefacts to be concise with a preference for diagrammatical form where the Supplier utilises as much of their own internal documentation as possible to reduce extra document production.	MUST	Self-certification with Supporting Evidence Supporting evidence to include: Documentation that covers all aspects listed within the Requirement.	Self-certification with Supporting Evidence Supporting evidence to include: Documentation that covers all aspects listed within the Requirement.	Self-certification with Supporting Evidence Supporting evidence to include: Documentation that covers all aspects listed within the Requirement.
Security
This section is concerned with how data is protected when a failure occurs within the Solution. This covers both clinical and non-clinical data.
All	SEC1.0	The Supplier will comply with all requirements in the "Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security" file.	MUST	Refer to “Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security” file for details.	Refer to “Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security” file for details.	Refer to “Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security” file for details.

Further Requirements

Suppliers must complete assurance for these Requirements in addition to Requirements in the Baseline Assurance Standard in order to achieve full compliance with the Hosting and Infrastructure Standard. Suppliers can complete these at the same time as requirements within the Baseline Assurance Standard or following the publication on the Buying Catalogue subject to meeting the timelines laid out by the Authority.

Co-location and Provider Data Centre Hosting & Infrastructure Requirements

Applicable Contracting Vehicle(s)	ID	Requirement	Level	Category A	Category B	Category C
External Standards
In addition to the below requirements the following standards (or equivalent) MUST be adhered to and where appropriate, accreditation achieved with a valid certificate and a Statement of Applicability (SoA) and documented scope provided.
All	ES4.0	ISO 27001 - IT Security Management Systems ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organisations, regardless of type, size or nature. Note: This requirement is only applicable to Suppliers whose Solution is hosted by a non-pre-accredited third party.	MUST	Self-certification with Supporting Evidence Supporting evidence to include: A valid ISO 27001 Certificate from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances.	Self-certification with Supporting Evidence Supporting evidence to include: A valid ISO 27001 Certificate from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances.	Self-certification with Supporting Evidence Supporting evidence to include: A valid ISO 27001 Certificate from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances.
GP IT Futures DFOCVC Vaccinations - Local/PCN Delivery	ES7.0	ISO 14001 Environmental management systems ISO 14001:2015 specifies the requirements for an environmental management system that an organisation can use to enhance its environmental performance. ISO 14001:2015 is intended for use by an organisation seeking to manage its environmental responsibilities in a systematic manner that contributes to the environmental pillar of sustainability. ISO 14001:2015 helps an organisation achieve the intended outcomes of its environmental management system, which provide value for the environment, the organisation itself and interested parties. Consistent with the organisation 's environmental policy, the intended outcomes of an environmental management system include: · enhancement of environmental performance · fulfilment of compliance obligations · achievement of environmental objectives ISO 14001:2015 is applicable to any organisation, regardless of size, type and nature, and applies to the environmental aspects of its activities, products and services that the organisation determines it can either control or influence considering a life cycle perspective. ISO 14001:2015 does not state specific environmental performance criteria. ISO 14001:2015 can be used in whole or in part to systematically improve environmental management. Claims of conformity to ISO 14001:2015, however, are not acceptable unless all its requirements are incorporated into an organisation 's environmental management system and fulfilled without exclusion.	may	Self-certification with Supporting Evidence Supporting evidence to include one of the following: Valid ISO 14001:2015 Certificate. Evidence of compliance with Environmental Management procedures aligned to ISO 14001:2015. Note: If your Solution is being hosted by a 3rd party data centre provider, then the above evidence should be in relation to the data centre provider.	Self-certification with Supporting Evidence Supporting evidence to include one of the following: Valid ISO 14001:2015 Certificate. Evidence of compliance with Environmental Management procedures aligned to ISO 14001:2015. Note: If your Solution is being hosted by a 3rd party data centre provider, then the above evidence should be in relation to the data centre provider.	Self-certification with Supporting Evidence Supporting evidence to include one of the following: Valid ISO 14001:2015 Certificate. Evidence of compliance with Environmental Management procedures aligned to ISO 14001:2015. Note: If your Solution is being hosted by a 3rd party data centre provider, then the above evidence should be in relation to the data centre provider.
GP IT Futures DFOCVC Vaccinations - Local/PCN Delivery	ES8.0	ISO 50001 Energy management systems This document specifies requirements for establishing, implementing, maintaining and improving an energy management system (EnMS). The intended outcome is to enable an organisation to follow a systematic approach in achieving continual improvement of energy performance and the EnMS. This document: a) is applicable to any organisation regardless of its type, size, complexity, geographical location, organisation al culture or the products and services it provides b) is applicable to activities affecting energy performance that are managed and controlled by the organisation c) is applicable irrespective of the quantity, use, or types of energy consumed d) requires demonstration of continual energy performance improvement, but does not define levels of energy performance improvement to be achieved e) can be used independently, or be aligned or integrated with other management systems Annex A provides guidance for the use of this document. Annex B provides a comparison of this edition with the previous edition	may	Self-certification with Supporting Evidence Supporting evidence to include one of the following: Valid ISO 50001:2018 Certificate.

Hosting & Infrastructure

Introduction

Baseline Assurance Standard Requirements

NHS Cloud Hosting Standards & Guidance

The Authority's Associated Cloud Guidance Links:

Cloud Hosting Standards

Co-location and Provider Data Centre Hosting & Infrastructure Requirements

Scope

External Standards

Physical Aspects

IT Infrastructure

Servers

Network

Data Storage

Reporting & Documentation

Security

Further Requirements

Co-location and Provider Data Centre Hosting & Infrastructure Requirements

External Standards