Hosting & Infrastructure
- Eleanor Davill (Unlicensed)
- Martin Perou
- Imran Majid (Deactivated)
ID | S29 |
|---|---|
Version | 2.0.0 |
Type | Overarching Standard |
Status | Effective |
Effective Date | May 27, 2025 |
Contracting Vehicle(s) |
- 1 Introduction
- 2 Requirements - External Standards
- 2.1 Physical Aspects
- 2.2 Power
- 2.3 IT Infrastructure
- 2.4 Servers
- 2.5 Network
- 2.6 Management of Services and Infrastructure
- 2.7 Asset Management
- 2.8 Service Monitoring
- 2.9 Device Management
- 2.10 Data Storage
- 2.11 Security
- 2.12 Reporting & Documentation
- 2.12.1 Additional Information
- 3 Applicable Capabilities
- 4 Roadmap
Introduction
Supports best practices for infrastructure and hosting of systems. For example, ensuring that systems are cost effective, secure, reliable, resilient, safe, manageable and energy efficient.
It is essential that Solutions delivered under the Catalogue and Contracting Vehicles follow standards and guidance.
The previous GPSoC infrastructure requirements pulled together best practice from recognised standards and industry guidance, however, feedback from Suppliers and other stakeholders identified that these requirements were complex and challenging to evidence as part of the assurance process.
In addition it is a Supplier's responsibility to ensure they fully understand industry standards & best practice and cannot rely on The Authority explicitly defining requirements at a point in time. The previous requirements documents were developed at a point in time and technology and security vulnerabilities change rapidly.
Whilst UK Government has promoted a Cloud First policy, it is only recently (2018) that the hosting within public cloud has become a reality for health based services. The Technology Strategy has a fundamental principle of delivery of services via cloud provision and specifically the architecting of Solutions to be cloud native. The Authority recognises that cloud hosting may not be appropriate for some services e.g. based on the sensitive and scale of data or the manner in which the service is architected.
Fundamentally there are three core options for hosting services:-
Applicable Contracting Vehicle(s) | Hosting Option | Description | Preference Status | Level | Section |
|---|---|---|---|---|---|
All | Cloud – Public or Private | The Public / Private cloud provider offers self-managed virtualised, elastic/on demand scalable infrastructure as a service where the cloud provider owns the underlying datacentres and physical infrastructure. The Supplier rents the use of the virtualised infrastructure. | Strongly Preferred | Suppliers SHOULDhost Solutions via one of these options.
| |
| Colocation | The physical infrastructure is owned by the Supplier and hosting of the physical infrastructure is provided within the Colo providers datacentres, The management of the infrastructure can be done by the Colo provider, a 3rd party or the Supplier themselves. | Preferred | ||
| Provider own facilities | The datacentres and physical infrastructure are owned by the Supplier. The management of the infrastructure can be done by a 3rd party or the Supplier themselves. | Not recommended |
The Authority does not recommend the Suppliers should attempt to host services themselves due to the cost and complexity of providing data centre capabilities that meet the necessary requirements.
Previously the GPSoC framework provided a set of requirements for local hosting of services. Given the security and service risks of this form of infrastructure the Catalogue and Contracting Vehicles will not formally assure local hosting of services. Buyers purchasing services which are locally hosted will be required to satisfy themselves that the security and service risks are mitigated and managed appropriately.
The standards to support infrastructure and hosting are split into two sections, depending on the mechanism being deployed:-
Cloud – Based on published NHS wide risk assessments and guidance
Co-Location / provider facilities – specific requirements & assurance processes
NHS Cloud Hosting Standards & Guidance
The following is a summary of the "NHS and social care data: off-shoring and the use of public cloud services" gathered from cloud guidance information published by the Authority. It makes clear what evidence is to be sought from a Supplier, where it is deemed necessary to assure compliance with the 4 step process.
Some key points of note:
All decisions in relation to the security of data are the responsibility of the data controller(s). Also, in many cases organisations will have a SIRO responsible for data and cyber security
Where a professional body exists, there is certainly merit in seeking their approval for the migration of data to cloud, but ultimately the data controller remains the key approver
Data Controllers need to understand the risks of moving to cloud, and any impact
Data controllers must take into account the standard CIA triad (confidentiality, Integrity, Availability), and also other relevant factors, including, but not limited to, cost, security, resilience, capability and funding
The 4 steps to inform the data controller on a risk based decision are detailed below.
Applicable Contracting Vehicle(s) | Step | Step Description | Evidence |
All
| Step 1 - Understand the data | All data managed by NHS and social care organisations should be treated as OFFICIAL or OFFICIAL-SENSITIVE data, in line with the Government Security Classification Policy. The Authority has further elaborated the very broad classifications. The Health and Social Care Cloud Risk Model is more granular than the Government Security Classification Policy. | EVIDENCE requested for step 1:
|
All | Step 2- Assess the Risks | The Authority's Health and Social Care data risk framework and associated data risk model are both used to establish the risk level of the data. Typically Personally Identifiable Data (PID) would be Level 5. Please refer to the link NHS and social care data: off-shoring and the use of public cloud services for latest versions of Cloud risk framework and Health and social care data risk model. | EVIDENCE requested for step 2:
|
All | Step 3 - Implement the appropriate controls | Care organisations, such as GPs, retain the data controller responsibilities and they are therefore ultimately responsible for ensuring that proportionate controls are put in place to mitigate all risks. The data controllers may rightly request to see these controls (proposed by the Supplier) before considering any migration to cloud. | EVIDENCE requested for step 3:
|
All | Step 4 - Monitoring the Implementation | All cloud providers take on data processor responsibilities, with Care organisations (e.g. GP practices) retaining the data controller responsibilities, and they must ensure the selected cloud provider remains fit for purpose. | EVIDENCE requested for step 4:
|
The Authority's Associated Cloud Guidance Links:
Co-location and Provider Data Centre Hosting & Infrastructure Requirements
Scope
The scope of this document covers the infrastructure requirements a Supplier must meet when providing services where a Supplier has co located their service & infrastructure within a data centre providers facilities OR where the Supplier is using their own facilities. The requirements will cover a number of aspects including but not limited to:
Provision of power and cooling
Networking and IT Infrastructure
Management of the Data Centre
Physical presence of the data centre and the IT build processes
Racks
Mechanical and electrical plant
Data Floor
Operating Systems / Virtualisation
Software (Solution Management)
Business practices
Security
For the avoidance of doubt these requirements do not cover cloud provision.
Required Evidence
Unless stated otherwise, the evidence expected for each requirement is to provide formal confirmation of compliance to the requirement.
Requirements - External Standards
In addition to the below requirements the following standards (or equivalent) MUST be adhered to and where appropriate, accreditation achieved with a valid certificate and a Statement of Applicability (SoA) and documented scope provided.
Applicable Contracting Vehicle(s) | Req. ID | Standard | Name | Description | Level | Evidence |
|---|---|---|---|---|---|---|
All | ES1.0 | NHS and social care data: off-shoring and the use of public cloud services guidance | NHS and social care data: off-shoring and the use of public cloud services guidance | The geographical location (or specific range of locations) of the clinical data at rest and service management activities at any given time are to be known and communicated to the Authority. Operating the Solution or elements of the Solution outside of England will be with the permission of the Authority, the data controllers and their representative organisations. Note: There are no absolute barriers to the off-shoring of data or services, although the requirements of UK Government IA policy must be able to be met in the overseas location. See Data Protection Act and Offshoring for statements on the offshoring of information. | MUST | Provide formal confirmation of compliance to requirement.
|
All | ES2.0 | Sanctions, embargoes and restrictions | The Supplier will require approval from the Authority for any part of the Solution that is hosted or communicates with services outside of England. The communication between systems will not be made to those countries or states prohibited by Government Policy. | MUST | Provide formal confirmation of compliance to requirement. | |
All | ES3.0 | Certified cyber security | Protect your organisation against cyber attack | MUST | Supplier should have a valid Cyber Essential Plus Certificate. | |
All | ES4.0 | ISO/IEC 27001 | ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organisations, regardless of type, size or nature. Note: This requirement is only applicable to Suppliers whose Solution is hosted by a non-pre-accredited third party. | MUST | ISO/IEC 27001 Accreditation | |
All | ES5.0 | ISO 9001:2015 | ISO 9001:2015 specifies requirements for a quality management system when an organisation: a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements. All the requirements of ISO 9001:2015 are generic and are intended to be applicable to any organisation, regardless of its type or size, or the products and services it provides. | MUST | Data Centre Provider - Valid ISO 9001:2015 Certificate or evidence of compliance with Quality Management procedures aligned to ISO 9001. | |
| ES7.0 | ISO 14001:2015 | ISO 14001:2015 specifies the requirements for an environmental management system that an organisation can use to enhance its environmental performance. ISO 14001:2015 is intended for use by an organisation seeking to manage its environmental responsibilities in a systematic manner that contributes to the environmental pillar of sustainability. ISO 14001:2015 helps an organisation achieve the intended outcomes of its environmental management system, which provide value for the environment, the organisation itself and interested parties. Consistent with the organisation 's environmental policy, the intended outcomes of an environmental management system include: · enhancement of environmental performance · fulfilment of compliance obligations · achievement of environmental objectives ISO 14001:2015 is applicable to any organisation, regardless of size, type and nature, and applies to the environmental aspects of its activities, products and services that the organisation determines it can either control or influence considering a life cycle perspective. ISO 14001:2015 does not state specific environmental performance criteria. ISO 14001:2015 can be used in whole or in part to systematically improve environmental management. Claims of conformity to ISO 14001:2015, however, are not acceptable unless all its requirements are incorporated into an organisation 's environmental management system and fulfilled without exclusion. | may | Data Centre Provider - Valid ISO 14001:2015 Certificate or evidence of compliance with Environmental Management procedures aligned to ISO 14001. | |
| ES8.0 | ISO 50001:2018 | This document specifies requirements for establishing, implementing, maintaining and improving an energy management system (EnMS). The intended outcome is to enable an organisation to follow a systematic approach in achieving continual improvement of energy performance and the EnMS. This document: a) is applicable to any organisation regardless of its type, size, complexity, geographical location, organisation al culture or the products and services it provides b) is applicable to activities affecting energy performance that are managed and controlled by the organisation c) is applicable irrespective of the quantity, use, or types of energy consumed d) requires demonstration of continual energy performance improvement, but does not define levels of energy performance improvement to be achieved e) can be used independently, or be aligned or integrated with other management systems Annex A provides guidance for the use of this document. Annex B provides a comparison of this edition with the previous edition | may | Data Centre Provider - Valid ISO 50001:2018 Certificate or evidence of compliance with Energy Management procedures aligned to 50001. | |
| ES9.0 | BS 6701:2010 | If you work in the telecommunications industry, and are responsible for installing, operating or the administration and maintenance of copper or optical fiber cabling or equipment, then this newly-revised standard will be of interest. Conformance to specific aspects of BS 6701 is a requirement of the Wiring Regulations (BS 7671) and is applicable in virtually all premises. In addition, it addresses cabling external to buildings and should be followed by anyone installing cabling. Correctly specified and installed cable management systems ensure that telecommunication cabling performs at its best – so it is important that cable management be considered from the start of a project. In addition to specifying the requirements beyond the scope of the BS EN 50174 series of standards for telecommunications cabling, BS 6701 provides requirements for installing telecommunications equipment. The application of BS 6701 will ensure that equipment is properly set up, which means the customer will be reassured their risk-managed cabling installations work to optimum performance, thus assuring more profitable business practice. As one of the few national standards that are directly linked to the EN 50174 series, BS 6701 could also be used in other countries. It supports all cabling media. | SHOULD | Data Centre Provider - A valid BS 6701:2010 Certificate required from UKAS registered accreditation organisation. | |
| ES10.0 | EUCoC | This Code of Conduct has been created in response to the increasing energy consumption in data centres and the need to reduce the related environmental, economic and energy supply security impacts. The aim is to inform and stimulate data centre operators and owners to reduce energy consumption in a cost-effective manner without hampering the mission critical function of data centres. The Code of Conduct aims to achieve this by improving understanding of energy demand within the data centre, raising awareness, and recommending energy efficient best practices and targets. | SHOULD | Provide formal confirmation of compliance to requirement.
| |
All | ES11.0 | GDPR / DPA 2018 | The Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection. The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25 May 2018. | MUST | Provide formal confirmation of compliance to requirement. | |
| ES13.0 | BS EN 50600-2-1:2014. Building construction (Minimum availability class 3) | BS EN 50600-2-1:2014 | The unrestricted access to internet-based information demanded by the information society has led to an exponential growth of both internet traffic and the volume of stored/retrieved data. Data Centres are housing and supporting the information technology and network telecommunications equipment for data processing, data storage and data transport. They are required both by network operators (delivering those services to customer premises) and by enterprises within those customer premises. Data Centres need to provide modular, scalable and flexible facilities and infrastructures to easily accommodate the rapidly changing requirements of the market. In addition, energy consumption of data centres has become critical both from an environmental point of view (reduction of carbon footprint) and with respect to economical considerations (cost of energy) for the data centre operator. The implementation of data centres varies in terms of: The needs of data centres also vary in terms of availability of service, the provision of security and the This series of European Standards specifies requirements and recommendations to support the various parties involved in the design, planning, procurement, integration, installation, operation and maintenance
| SHOULD | Suppliers MUST be able to provide evidence to demonstrate alignment with the scope and aims of BS EN 50600. Note. Formal accreditation (when available) will become a mandatory requirement as detailed in the Standards Roadmap. |
| ES14.0 | BS EN 50600-2-2:2014. Power distribution (Minimum availability class 3) | BS EN 50600-2-2:2014 | SHOULD | ||
| ES15.0 | BS EN 50600-2-3:2014. Environmental control (Minimum availability class 3) | BS EN 50600-2-3:2014 | SHOULD | ||
| ES16.0 | BS EN 50600-2-4:2015. Telecommunications cabling infrastructure (Minimum availability class 3) | BS EN 50600-2-4:2015 | SHOULD | ||
| ES17.0 | BS EN 50600-2-5:2016. Security systems (Minimum availability class 3) | BS EN 50600-2-5:2016 | SHOULD | ||
| ES18.0 | BS EN 50600-3-1:2016. Management and operational information (Minimum availability class 3) | BS EN 50600-3-1:2016 | SHOULD | ||
| ES19.0 | BS EN 50600-4-1:2016. Overview of and general requirements for key performance indicators (Minimum availability class 3) | BS EN 50600-4-1:2016 | SHOULD | ||
| ES20.0 | BS EN 50600-4-2:2016. Power Usage Effectiveness (Minimum availability class 3) | BS EN 50600-4-2:2016 | SHOULD |
Physical Aspects
This section is concerned with the physical aspects of a Data Centre including where the Data Centre is located, some of its physical attributes and factors near that data centre which could affect its operation and security.
Applicable Contracting Vehicle(s) | Requirement ID | Requirement Text | Level |
|---|---|---|---|
| HPA4.0 | Data Centre Locations: The Supplier will provide the data centre address and the current data centre owner’s / operator’s details, to the Authority. | MUST |
| HPA5.0 | Data Centre Build: The Supplier will provide the build date of the data centre, its current age and any planned or expected data centre services uplift or refit covering but not limited to:
| MUST |
| HPA16.1 | Data Centre Intrusion Detection: The Supplier will ensure that the data centre perimeter is protected by an IDS (Intrusion Detection System) compliant to BS EN 50131-1:2006. | SHOULD |
| HPA25.0 | Data Centre Vehicle Access: The Supplier’s data centre will have arrangements such that a vehicle is unable to enter the site before all the checking of the vehicle and driver has been completed.The gate will prevent the tail gating of vehicles. | MUST |
| HPA32.0 | Data Centre - declaration of Resilience: The Supplier’s Solution will provide at a minimum two separate geographically physical locations to hold the data and capability to run the services. The distance between the two locations will be such that they cannot both be affected by concurrent loss due to overlapping items on the Location Risk Assessment. | MUST |
| HPA34.0 | Data Centre Access Declaration: The Supplier will provide permanent access to the data centre and equipment, supported by an access request process of 24hrs notice for normal maintenance requests and 1hr for emergency access, with unlimited frequency, for the purpose of maintaining the systems and services. Note: If the hosting provider is a 3rd party / sub-contractor to the Supplier and escorted access is the policy enforced then permanent access to the data centre will still be provided. | MUST |
Power
This section covers the power to the Data Centre, Data Hall and cabinets.
Applicable Contracting Vehicle(s) | Requirement ID | Requirement Text | Level |
|---|---|---|---|
| HPW11.0 | Data Centre Standby Operation: Refuelling of the tanks for the generators will be possible with the generators in use. | MUST |
IT Infrastructure
This section is concerned with the physical infrastructure that makes up the service, how it is built and the policies around its setup.
Applicable Contracting Vehicle(s) | Requirement ID | Requirement Text | Level |
|---|---|---|---|
| HI2.0 | Log File Timestamp: The Supplier to ensure that log files written, even if the device is passive, will write the log with the synchronised time to NHS Network and written in UTC but can be displayed in the Supplier’s application in local time. | MUST |
| HI3.0 | Time Synchronisation: The Supplier will ensure the infrastructure’s time is synchronised with a NHS & National Apps, Cloud / CNSP NTP service, delivered as a minimum, by a stratum 3 service. | MUST |
| HI5.0 | The Supplier to ensure that message time stamping is performed using UTC, for all infrastructure, but can be displayed in the Suppliers supported applications in local time. Note: This requirements scope is the infrastructure; see IG Requirements for further related time stamping and representation. This requirement is to ensure that there is a consistent time stamping policy across all infrastructures and messaging so that correlation can occur locally, between Suppliers and also national applications. The requirement is to ensure that the raw date use is of the format defined. Local support applications (Applications used to manage the service) can represent the date in their local time if required and in line with the IG Requirements. | MUST |
| HI9.0 | Support Agreement Confirmation: The Supplier to ensure that all hardware, devices, servers and components have support agreements in place to replace faulty items if they fail. The replacing of components will not impact live service and meet SLA and planned down time agreements. | MUST |
| HI13.0 | Live Service Separation: The Supplier will ensure that Live environments are segregated from the development activity by using processors, virtual servers, domains and partitions that are not in use by live and by storing development utilities away from the live environment. | MUST |
Servers
This section is concerned with servers that provide clinical applications, including operating systems and use of virtualisation.
Applicable Contracting Vehicle(s) | Requirement ID | Requirement Text | Level |
|---|---|---|---|
| HS9.0 | Server Operational Design: Hardening: The Supplier will ensure that all operating systems and applications have undergone a hardening process to ensure only the necessary services are in place, within their domain of responsibility in the equipment and services they provide. Note: Hardening is the process of securing a system reducing its vulnerability, through the use of patching, removal of unnecessary software and services. Good Practice guidance can be found on The Authority's website The Supplier to ensure that due diligence to hardening is performed for their domains of responsibility. If the Supplier is responsible for the hardware / OS then this hardening will be performed on the hardware and OS. If the Supplier only provides application software then the necessary hardening will have been performed on that application software. If the mobile device hardware (Phone, Medical Device, mobile appliance) is provided by the Supplier as part of their Solution then hardening on the components they have provided will have been performed. Where a BYO device is used the Supplier will ensure their application is hardened to protect the data and application.
| MUST |
| HS20.0 | Server Operational Design: Application Security: The Supplier will ensure that servers are configured to disable or restrict:
| MUST |