Hosting & Infrastructure

ID: S29

Version: 2.0.1

Type: Overarching Standard

Status: Effective

Effective Date: Jul 1, 2025

Contracting Vehicle(s)

 

Introduction

This Standard supports best practice for the infrastructure and hosting of systems, for example ensuring that systems are cost effective, secure, reliable, resilient, safe, manageable and energy efficient.

It is essential that Solutions delivered under the Catalogue and Contracting Vehicles follow standards and guidance.

The previous GPSoC infrastructure requirements pulled together best practice from recognised standards and industry guidance; however, feedback from Suppliers and other stakeholders identified that these requirements were complex and challenging to evidence as part of the assurance process.

In addition, it is a Supplier's responsibility to ensure they fully understand industry standards and best practice; they cannot rely on the Authority explicitly defining requirements at a point in time. The previous requirements documents were developed at a point in time, whereas technology and security vulnerabilities change rapidly.

The UK Government continues to promote a Cloud First policy, with the adoption of public cloud hosting for health services having significantly matured in recent years. The technology strategy remains committed to delivering services via cloud-based solutions, with a strong emphasis on cloud-native architectures. However, the Authority acknowledges that cloud hosting may not be suitable for all services, particularly where data sensitivity, scale, or architectural constraints require alternative approaches.

Fundamentally there are three core options for hosting services:

Applicable Contracting Vehicle(s)

Hosting Option

Description

Preference Status

Level

Section

All

Cloud – Public or Private

The Public / Private cloud provider offers self-managed virtualised, elastic/on demand scalable infrastructure as a service where the cloud provider owns the underlying datacentres and physical infrastructure. The Supplier rents the use of the virtualised infrastructure.

Strongly Preferred

Suppliers SHOULD host Solutions via one of these options.

 

NHS Cloud Hosting Standards & Guidance

  • GP IT Futures

  • DFOCVC

  • Vaccinations - Local/PCN Delivery

Colocation

The physical infrastructure is owned by the Supplier and hosting of the physical infrastructure is provided within the Colo provider's datacentres. The management of the infrastructure can be done by the Colo provider, a 3rd party or the Supplier themselves.

Preferred

BAS - Co location & Provider Datacentre Standards

Further Requirements - Co location & Provider Datacentre Standards

  • GP IT Futures

  • DFOCVC

  • Vaccinations - Local/PCN Delivery

Provider own facilities

The datacentres and physical infrastructure are owned by the Supplier. The management of the infrastructure can be done by a 3rd party or the Supplier themselves.

Not recommended

The Authority does not recommend that Suppliers should attempt to host services themselves due to the cost and complexity of providing data centre capabilities that meet the necessary requirements. 

Previously the GPSoC framework provided a set of requirements for local hosting of services. Given the security and service risks of this form of infrastructure the Catalogue and Contracting Vehicles will not formally assure local hosting of services. Buyers purchasing services which are locally hosted will be required to satisfy themselves that the security and service risks are mitigated and managed appropriately.

The standards to support infrastructure and hosting are split into two sections, depending on the mechanism being deployed:

  • Cloud – Based on published NHS wide risk assessments and guidance

  • Co-Location / provider facilities – specific requirements & assurance processes

Baseline Assurance Standard Requirements

The Baseline Assurance Standard (BAS) provides a quicker risk-based assurance approach for Solutions; balancing safety against efficiency by combining a minimum set of essential Requirements from the DSIC Overarching Standards. Completing the BAS is the first step to achieving full assurance with the Overarching Standards allowing Supplier Solutions to be published on the Buying Catalogue. Upon meeting this Standard, Solutions are required to meet all the remaining Overarching Standards subject to the timelines laid out by the Authority.

All Baseline Assurance Requirements can be found here. Each Solution will be assigned a category of A, B or C that determines the level of assurance applied to that Solution. See the relevant category column to understand the assurance required for each Requirement. For information on Solution Categories see Solution Categories for Assurance in DSIC.

The following tables of Requirements are the Requirements in the Baseline Assurance Standard related to Hosting and Infrastructure.

NHS Cloud Hosting Standards & Guidance

The following is a summary of the "NHS and social care data: off-shoring and the use of public cloud services" gathered from cloud guidance information published by the Authority. It makes clear what evidence is to be sought from a Supplier, where it is deemed necessary to assure compliance with the 4 step process.

Some key points of note:

  • All decisions in relation to the security of data are the responsibility of the data controller(s). Also, in many cases organisations will have a SIRO responsible for data and cyber security

  • Where a professional body exists, there is certainly merit in seeking their approval for the migration of data to cloud, but ultimately the data controller remains the key approver

  • Data Controllers need to understand the risks of moving to cloud, and any impact

  • Data controllers must take into account the standard CIA triad (Confidentiality, Integrity, Availability), and also other relevant factors, including, but not limited to, cost, security, resilience, capability and funding

The Authority's Associated Cloud Guidance Links:

Applicable Contracting Vehicle(s)

ID

Requirement

Level

Category A

Category B

Category C

Cloud Hosting Standards

All

 

CH1.0

Understand the data

All data managed by NHS and social care organisations should be treated as OFFICIAL or OFFICIAL-SENSITIVE data, in line with the Government Security Classification Policy.

The Authority has further elaborated the very broad classifications. The Health and Social Care Cloud Risk Model is more granular than the Government Security Classification Policy.

must

Self-certification with Supporting Evidence

Supporting evidence to include:

  • A data dictionary or equivalent document which evidences that you have:

    • Identified all data, data types and attributes.

    • Assessed the data against the model.

    • Identified binary objects within the data set (such as JPEG, PDF, etc.), which can still be classified by their content.

    • An understanding of the percentage splits between data types, which may alter the overall classification.

Self-certification with Supporting Evidence

Supporting evidence to include:

  • A data dictionary or equivalent document which evidences that you have:

    • Identified all data, data types and attributes.

    • Assessed the data against the model.

    • Identified binary objects within the data set (such as JPEG, PDF, etc.), which can still be classified by their content.

    • An understanding of the percentage splits between data types, which may alter the overall classification.

Self-certification with Supporting Evidence

Supporting evidence to include:

  • A data dictionary or equivalent document which evidences that you have:

    • Identified all data, data types and attributes.

    • Assessed the data against the model.

    • Identified binary objects within the data set (such as JPEG, PDF, etc.), which can still be classified by their content.

    • An understanding of the percentage splits between data types, which may alter the overall classification.

All

CH2.0

Assess the Risks

The Authority's Health and Social Care data risk framework and associated data risk model are both used to establish the risk level of the data. Typically Personally Identifiable Data (PID) would be Level 5. Please refer to the link NHS and social care data: off-shoring and the use of public cloud services for latest versions of Cloud risk framework and Health and social care data risk model.

must

Self-certification with Supporting Evidence

Self-certification description to include:

  • A statement to support the selection of classification as per the Health and Social Care Cloud Risk Framework.

Supporting evidence to include:

Self-certification with Supporting Evidence

Self-certification description to include:

  • A statement to support the selection of classification as per the Health and Social Care Cloud Risk Framework.

Supporting evidence to include:

Self-certification with Supporting Evidence

Self-certification description to include:

  • A statement to support the selection of classification as per the Health and Social Care Cloud Risk Framework.

Supporting evidence to include:

All

CH3.0

Implement the appropriate controls

Care organisations, such as GPs, retain the data controller responsibilities and they are therefore ultimately responsible for ensuring that proportionate controls are put in place to mitigate all risks. The data controllers may rightly request to see these controls (proposed by the Supplier) before considering any migration to cloud.

must

Full Assessment

Self-certification description to include:

  • Confirmation that where there are many data controllers using a Solution (e.g. GP system), the communication strategy to inform all data controllers of any data risks identified will be made available to the Authority prior to implementation.

  • Confirmation that a Data Protection Impact Assessment (DPIA) has been completed and will be provided to the Authority if requested.

  • Confirmation that the relevant data protection legislation is adhered to.

Supporting evidence to include:

Note: To submit this evidence, download and complete the Cloud Good Practice Guide template for the data classification level identified in CH2.0.

Self-certification with Supporting Evidence

Self-certification description to include:

  • Confirmation that where there are many data controllers using a Solution (e.g. GP system), the communication strategy to inform all data controllers of any data risks identified will be made available to the Authority prior to implementation.

  • Confirmation that a Data Protection Impact Assessment (DPIA) has been completed and will be provided to the Authority if requested.

  • Confirmation that the relevant data protection legislation is adhered to.

Supporting evidence to include:

Note: To submit this evidence, download and complete the Cloud Good Practice Guide template for the data classification level identified in CH2.0.

Self-certification with Supporting Evidence

Self-certification description to include:

  • Confirmation that where there are many data controllers using a Solution (e.g. GP system), the communication strategy to inform all data controllers of any data risks identified will be made available to the Authority prior to implementation.

  • Confirmation that a Data Protection Impact Assessment (DPIA) has been completed and will be provided to the Authority if requested.

  • Confirmation that the relevant data protection legislation is adhered to.

Supporting evidence to include:

Note: To submit this evidence, download and complete the Cloud Good Practice Guide template for the data classification level identified in CH2.0.

All

CH4.0

Monitoring the Implementation

All cloud providers take on data processor responsibilities, with Care organisations (e.g. GP practices) retaining the data controller responsibilities, and they must ensure the selected cloud provider remains fit for purpose.

must

Self-certification

Self-certification

Self-certification

Co-location and Provider Data Centre Hosting & Infrastructure Requirements

Scope

The scope of this document covers the infrastructure requirements a Supplier must meet when providing services where a Supplier has co-located their service and infrastructure within a data centre provider's facilities OR where the Supplier is using their own facilities. The requirements will cover a number of aspects including but not limited to:

  • Provision of power and cooling

  • Networking and IT Infrastructure

  • Management of the Data Centre

  • Physical presence of the data centre and the IT build processes

  • Racks

  • Mechanical and electrical plant

  • Data Floor

  • Operating Systems / Virtualisation

  • Software (Solution Management)

  • Business practices

  • Security

For the avoidance of doubt these requirements do not cover cloud provision.

Applicable Contracting Vehicle(s)

ID

Requirement

Level

Category A

Category B

Category C

External Standards

In addition to the below requirements the following standards (or equivalent) MUST be adhered to and where appropriate, accreditation achieved with a valid certificate and a Statement of Applicability (SoA) and documented scope provided.

All

ES1.0

NHS and social care data: off-shoring and the use of public cloud services guidance

The geographical location (or specific range of locations) of the clinical data at rest and service management activities at any given time are to be known and communicated to the Authority.

Operating the Solution or elements of the Solution outside of England will be with the permission of the Authority, the data controllers and their representative organisations.

Note: There are no absolute barriers to the off-shoring of data or services, although the requirements of UK Government IA policy must be able to be met in the overseas location. See Data Protection Act and Offshoring for statements on the offshoring of information.

MUST

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Documentation of the geographical location(s) of the clinical data at rest and the related service management activities.

  • Documentation of communication/notification of the clinical data at rest and the related service management activities to the Authority.

  • If operation of the Solution, or elements of the Solution is/are outside of England, provide documented permission from the Authority, data controllers and their representative organisations.

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Documentation of the geographical location(s) of the clinical data at rest and the related service management activities.

  • Documentation of communication/notification of the clinical data at rest and the related service management activities to the relevant Authority.

  • If operation of the Solution, or elements of the Solution is/are outside of England provide documented permission from the Authority, data controllers and their representative organisations.

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Documentation of the geographical location(s) of the clinical data at rest and the related service management activities.

  • Documentation of communication/notification of the clinical data at rest and the related service management activities to the relevant Authority.

  • If operation of the Solution, or elements of the Solution is/are outside of England provide documented permission from the Authority, data controllers and their representative organisations.

All

ES2.0

Sanctions, embargoes and restrictions

The Supplier will require approval from the Authority for any part of the Solution that is hosted or communicates with services outside of England.

The communication between systems will not be made to those countries or states prohibited by Government Policy.

MUST

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Documented approval from the Authority for any part of the Solution that is hosted outside of England.

  • Documented approval from the Authority for any part of the Solution that communicates with services outside of England.

  • Documented confirmation that any communication between systems will not be made to those countries or states prohibited by Government Policy.

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Documented approval from the Authority for any part of the Solution that is hosted outside of England.

  • Documented approval from the Authority for any part of the Solution that communicates with services outside of England.

  • Documented confirmation that any communication between systems will not be made to those countries or states prohibited by Government Policy.

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Documented approval from the Authority for any part of the Solution that is hosted outside of England.

  • Documented approval from the Authority for any part of the Solution that communicates with services outside of England.

  • Documented confirmation that any communication between systems will not be made to those countries or states prohibited by Government Policy.

All

ES3.0

Cyber Essentials Plus

Protect your organisation against cyber attacks.
Cyber Essentials helps you to guard against the most common cyber threats and demonstrate your commitment to cyber security.

MUST

Self-certification with Supporting Evidence

Supporting evidence to include:

  • A valid Cyber Essentials Plus Certificate.

Self-certification with Supporting Evidence

Supporting evidence to include:

  • A valid Cyber Essentials Plus Certificate.

Self-certification with Supporting Evidence

Supporting evidence to include:

  • A valid Cyber Essentials Plus Certificate.

All

ES11.0

General Data Protection Regulation

General Data Protection Regulation (GDPR)

The Guide to the UK GDPR explains the provisions of the UK GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection.

The UK GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25 May 2018.

MUST

Self-certification with Supporting Evidence

Supporting evidence could include:

  • GDPR compliance certificate if available.

Self-certification with Supporting Evidence

Supporting evidence could include:

  • GDPR compliance certificate if available.

Self-certification with Supporting Evidence

Supporting evidence could include:

  • GDPR compliance certificate if available.

Physical Aspects

This section is concerned with the physical aspects of a Data Centre including where the Data Centre is located, some of its physical attributes and factors near that data centre which could affect its operation and security.

  • GP IT Futures

  • DFOCVC

  • Vaccinations - Local/PCN Delivery

HPA32.0

Data Centre - declaration of Resilience:

The Supplier’s Solution will provide at a minimum two geographically separate physical locations to hold the data and the capability to run the services. The distance between the two locations will be such that they cannot both be affected by concurrent loss due to overlapping items on the Location Risk Assessment.

MUST

Self-certification

Self-certification

Self-certification

IT Infrastructure

This section is concerned with the physical infrastructure that makes up the service, how it is built and the policies around its setup.

  • GP IT Futures

  • DFOCVC

  • Vaccinations - Local/PCN Delivery

HI13.0

Live Service Separation:

The Supplier will ensure that Live environments are segregated from development activity by using processors, virtual servers, domains and partitions that are not in use by the Live environment, and by storing development utilities away from the Live environment.

MUST

Self-certification

Self-certification

Self-certification

Servers

This section is concerned with servers that provide clinical applications, including operating systems and use of virtualisation.

  • GP IT Futures

  • DFOCVC

  • Vaccinations - Local/PCN Delivery

HS20.0

Server Operational Design: Application Security:

The Supplier will ensure that servers are configured to disable or restrict:

  • non-essential or redundant services (e.g. X Windows, Open Windows, fingerd and web browsers)

  • communication services that are inherently susceptible to abuse (e.g. tftp, RPC, rlogin, rsh or rexec)

  • communication protocols that are prone to abuse, where not required (e.g. HTTP, HTTPS, SSH, FTP, SMTP, Telnet and UUCP)

  • execute permissions on sensitive commands or scripts (e.g. rlogin, rcp, rsh, remsh, tstp and trtp)

  • powerful utilities (e.g. Windows ‘Registry Editor’) or ‘control panels’

  • run commands or command processors (e.g. Perl or Tcl)

MUST

Self-certification

Self-certification

Self-certification
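
One way to check a Linux server against the listening-service bullets of HS20.0, as an added example (it is not part of this Standard or of any Authority tooling). It parses `ss -tulpn` output; the sample output, the port-to-service mapping, the `required` allow-list and the choice to treat loopback-only listeners as already "restricted" are assumptions of this example.

```python
import re

# HS20.0 bullets 1-2: redundant or inherently abusable services, flagged whenever they listen.
# Keys are (protocol, port) so that rsh on 514/tcp is not confused with syslog on 514/udp.
ALWAYS_FLAG = {
    ("tcp", 79): "finger", ("udp", 69): "tftp",
    ("tcp", 111): "RPC portmapper", ("udp", 111): "RPC portmapper",
    ("tcp", 512): "rexec", ("tcp", 513): "rlogin", ("tcp", 514): "rsh",
    ("tcp", 6000): "X Windows",
}
# HS20.0 bullet 3: protocols to disable "where not required".
FLAG_IF_NOT_REQUIRED = {
    ("tcp", 21): "FTP", ("tcp", 22): "SSH", ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP", ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
    ("tcp", 540): "UUCP",
}

# Constructed sample of `ss -tulpn` output (not taken from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*         users:(("in.tftpd",pid=812,fd=4))
udp   UNCONN 0      0      0.0.0.0:514        0.0.0.0:*         users:(("rsyslogd",pid=640,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=701,fd=4))
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*         users:(("master",pid=955,fd=13))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1020,fd=6))
tcp   LISTEN 0      32     0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1101,fd=3))
tcp   LISTEN 0      5      0.0.0.0:513        0.0.0.0:*         users:(("xinetd",pid=1200,fd=5))
"""


def parse_listeners(ss_output):
    """Map (proto, port) -> {"process": name, "loopback_only": bool}."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line, blank line or non-IP socket
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        # The process column is only present when ss runs with enough privilege.
        match = re.search(r'\(\("([^"]+)"', fields[6]) if len(fields) > 6 else None
        loopback = addr.startswith("127.") or addr == "[::1]"
        entry = listeners.setdefault(
            (fields[0], int(port)), {"process": "unknown", "loopback_only": True}
        )
        if match:
            entry["process"] = match.group(1)
        # A port bound on IPv4 and IPv6 is loopback-only only if every bind is loopback.
        entry["loopback_only"] = entry["loopback_only"] and loopback
    return listeners


def audit(ss_output, required=frozenset()):
    """Return findings as (action, proto, port, service, process) tuples."""
    findings = []
    for key, info in sorted(parse_listeners(ss_output).items()):
        proto, port = key
        if key in ALWAYS_FLAG:
            findings.append(("disable", proto, port, ALWAYS_FLAG[key], info["process"]))
        elif (key in FLAG_IF_NOT_REQUIRED and key not in required
              and not info["loopback_only"]):
            findings.append(("justify-or-disable", proto, port,
                             FLAG_IF_NOT_REQUIRED[key], info["process"]))
    return findings


if __name__ == "__main__":
    # Assumed allow-list: this host is an HTTPS application server managed over SSH.
    for finding in audit(SAMPLE_SS_OUTPUT, required={("tcp", 22), ("tcp", 443)}):
        print(finding)
```

The remaining HS20.0 bullets (execute permissions, powerful utilities and command processors) concern file permissions and installed software rather than listening sockets, so they need a separate check.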

Network

This section covers the use of networks in the provision of the Supplier’s service. The NHS Wide Area Network is now known as HSCN; referred to as the “NHS Network” below. 

The Health and Social Care Network (HSCN) is the successor to N3. In 2018 N3 was already closed to new implementations when The Authority published its 'Internet First' strategy. The strategy mandates that health systems should be designed to use the Internet rather than HSCN.

All

HNT1.0

External Networking:

The Supplier’s data centre to be connected to the Internet and the NHS Network, for clinical services holding PID that are accessed from either an Internet or NHS Network attached end point.

MUST

Self-certification

Self-certification

Self-certification

All

HNT7.0

Data Centre Network Resilience:

The data centre will have dual Internet and dual NHS Network connections via two exchanges, where available.

MUST

Self-certification

Self-certification

Self-certification

Data Storage

This section is concerned with how data is protected when a failure occurs within the Solution. This covers both clinical and non-clinical data.

All

HDP1.0

Data Access Protection:

The Supplier to ensure protection of clinical data at the storage level through the use of RAID, block snapshot, replication or mirroring technology within a single data centre / data hall. 

MUST

Self-certification

Self-certification

Self-certification

All

HDP2.0

Data Loss protection:

The Supplier to ensure clinical data is protected using methods against up to two disk or media failures, within any one device configuration offering a discrete storage service.

MUST

Self-certification

Self-certification

Self-certification

All

HDP3.0

Data Integrity Implementation:

The Supplier will provide Transactional Integrity for clinical data by the use of a 2nd physical location for storing of data. 

Note: The 2nd site could be a DR Site, Active 2nd site or a site used for storage replication.

MUST

Self-certification

Self-certification

Self-certification

All

HDP5.0

Data Handling Conformance:

The clinical data transferred to additional locations will be stored in accordance with the Authority’s data handling policies.

MUST

Self-certification

Self-certification

Self-certification

All

HDP6.0

Data Integrity Approach:

The Supplier’s approach to Transaction Integrity, securing data to at least two separate physical locations, is to be communicated to and assured by the Authority at the Supplier’s design stage.

MUST

Self-certification

Self-certification

Self-certification

All

HDP9.0

Data Replication:

The Supplier will ensure that the clinical data applied to the primary site and sent to the 2nd site is processed in the time order in which it was applied to the primary site, thus ensuring a consistent data set across the two sites and maintaining application integrity.

MUST

Self-certification

Self-certification

Self-certification

Reporting & Documentation

All

HD1.0

Documentation:

The Supplier will provide documentation which represents the non-functional technical architecture of the Solution, including but not limited to: data centre design, local and wide network architecture, and physical technology models. Documentation should include diagrams, and associated textual descriptions, as necessary to enable effective assurance of key Solution aspects as noted below:

Non-Functional Specification: defines the non-functional aspects of the system including but not limited to:

  • Details of any relevant contract service schedule(s)

  • Business continuity and disaster recovery design

  • Data Centre resilience design

  • Backup and Recovery Processes

  • Configuration Management including identification, control and verification

  • Performance monitoring design including categorisation of transactions and design of monitoring software including links into the Authority Solutions where relevant e.g. National Monitoring System (NMS)

  • Overall systems security design

  • Migration design showing design for process and data, details of any tools developed to support migration, details of duration and outages required to perform migration and data cleansing strategy

  • Capacity management design incorporating an indicative sizing model, a business transaction data forecast, an impact assessment on existing infrastructure and a baseline capacity plan

  • Availability Management design, including Component Failure Impact Assessment and monitoring

  • Services impact assessment including expected service management processes, helpdesk, maintenance, performance management and reporting changes

  • Support Model design, including dependencies on third parties (including NHS National Service Desk), support hours, escalation model and incident severity guidelines

Note: Document artefacts to be concise with a preference for diagrammatical form where the Supplier utilises as much of their own internal documentation as possible to reduce extra document production.

MUST

Self-certification with Supporting Evidence

Supporting evidence to include:

  • Documentation that covers all aspects listed within the Requirement.

Self-certification with Supporting Evidence

Supporting evidence to include:

  • Documentation that covers all aspects listed within the Requirement.

Self-certification with Supporting Evidence

Supporting evidence to include:

  • Documentation that covers all aspects listed within the Requirement.

Security

This section is concerned with how data is protected when a failure occurs within the Solution. This covers both clinical and non-clinical data.

All

SEC1.0

The Supplier will comply with all requirements in the "Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security" file.

MUST

Refer to “Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security” file for details.

Refer to “Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security” file for details.

Refer to “Co-location and Provider Data Centre Hosting & Infrastructure Requirements - Security” file for details.

Further Requirements

Suppliers must complete assurance for these Requirements in addition to Requirements in the Baseline Assurance Standard in order to achieve full compliance with the Hosting and Infrastructure Standard. Suppliers can complete these at the same time as requirements within the Baseline Assurance Standard or following the publication on the Buying Catalogue subject to meeting the timelines laid out by the Authority.

Co-location and Provider Data Centre Hosting & Infrastructure Requirements

Applicable Contracting Vehicle(s)

ID

Requirement

Level

Category A

Category B

Category C

External Standards

In addition to the below requirements the following standards (or equivalent) MUST be adhered to and where appropriate, accreditation achieved with a valid certificate and a Statement of Applicability (SoA) and documented scope provided.

All

ES4.0

ISO 27001 - IT Security Management Systems

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.

Note: This requirement is only applicable to Suppliers whose Solution is hosted by a non-pre-accredited third party.

MUST

Self-certification with Supporting Evidence

Supporting evidence to include:

  • A valid ISO 27001 Certificate from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances.

Self-certification with Supporting Evidence

Supporting evidence to include:

  • A valid ISO 27001 Certificate from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances.

Self-certification with Supporting Evidence

Supporting evidence to include:

  • A valid ISO 27001 Certificate from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances.

  • GP IT Futures

  • DFOCVC

  • Vaccinations - Local/PCN Delivery

ES7.0

ISO 14001 Environmental management systems

ISO 14001:2015 specifies the requirements for an environmental management system that an organisation can use to enhance its environmental performance. ISO 14001:2015 is intended for use by an organisation seeking to manage its environmental responsibilities in a systematic manner that contributes to the environmental pillar of sustainability.

ISO 14001:2015 helps an organisation achieve the intended outcomes of its environmental management system, which provide value for the environment, the organisation itself and interested parties. Consistent with the organisation's environmental policy, the intended outcomes of an environmental management system include:

  • enhancement of environmental performance

  • fulfilment of compliance obligations

  • achievement of environmental objectives

ISO 14001:2015 is applicable to any organisation, regardless of size, type and nature, and applies to the environmental aspects of its activities, products and services that the organisation determines it can either control or influence considering a life cycle perspective. ISO 14001:2015 does not state specific environmental performance criteria.

ISO 14001:2015 can be used in whole or in part to systematically improve environmental management. Claims of conformity to ISO 14001:2015, however, are not acceptable unless all its requirements are incorporated into an organisation's environmental management system and fulfilled without exclusion.

may

Self-certification with Supporting Evidence

Supporting evidence to include one of the following:

  • Valid ISO 14001:2015 Certificate.

  • Evidence of compliance with Environmental Management procedures aligned to ISO 14001:2015.

Note: If your Solution is being hosted by a 3rd party data centre provider, then the above evidence should be in relation to the data centre provider.

Self-certification with Supporting Evidence

Supporting evidence to include one of the following:

  • Valid ISO 14001:2015 Certificate.

  • Evidence of compliance with Environmental Management procedures aligned to ISO 14001:2015.

Note: If your Solution is being hosted by a 3rd party data centre provider, then the above evidence should be in relation to the data centre provider.

Self-certification with Supporting Evidence

Supporting evidence to include one of the following:

  • Valid ISO 14001:2015 Certificate.

  • Evidence of compliance with Environmental Management procedures aligned to ISO 14001:2015.

Note: If your Solution is being hosted by a 3rd party data centre provider, then the above evidence should be in relation to the data centre provider.

  • GP IT Futures

  • DFOCVC

  • Vaccinations - Local/PCN Delivery

ES8.0

ISO 50001 Energy management systems

This document specifies requirements for establishing, implementing, maintaining and improving an energy management system (EnMS). The intended outcome is to enable an organisation to follow a systematic approach in achieving continual improvement of energy performance and the EnMS.

This document:

a) is applicable to any organisation regardless of its type, size, complexity, geographical location, organisational culture or the products and services it provides

b) is applicable to activities affecting energy performance that are managed and controlled by the organisation

c) is applicable irrespective of the quantity, use, or types of energy consumed

d) requires demonstration of continual energy performance improvement, but does not define levels of energy performance improvement to be achieved

e) can be used independently, or be aligned or integrated with other management systems

Annex A provides guidance for the use of this document. Annex B provides a comparison of this edition with the previous edition.

may

Self-certification with Supporting Evidence

Supporting evidence to include one of the following:

  • Valid ISO 50001:2018 Certificate.