Baseline Assurance Standard, Solution Categories & new structure of Overarching Standards

| ID | RM265 |
|---|---|
| Version | 1.0.0 |
| Type | Roadmap Item |
| Contracting Vehicle(s) | |

| Title | Baseline Assurance Standard, Solution Categories & new structure of Overarching Standards |
|---|---|
| Description | Introduction of Baseline Assurance Standard (BAS), Solution Categories & new structure of the Overarching Standards. |
| Date Added | May 9, 2025 |
| Standards and Capabilities | Business Continuity and Disaster Recovery, Clinical Safety, Commercial, Data Migration, Data Standards, Hosting and Infrastructure, Information Governance, Interoperability, Non-Functional Questions, Service Management, Testing, Training |
| Change Route | Managed Capacity - Minor/Patch uplifts |
| Change Type | New/Uplift |
| Status | Closed |
| Publication Date | Jul 4, 2025 |
| Effective Date | Jul 4, 2025 |
| Incentives / Funding | No |
| Incentive / Funding Dates | N/A |

Background
The Baseline Assurance Standard (BAS) provides a quicker risk-based assurance approach for Solutions, balancing safety against efficiency by combining a minimum set of essential requirements from the DSIC Overarching Standards. Completing assurance against requirements in the BAS allows Supplier Solutions to be published on the Buying Catalogue and is the first step to achieving full compliance with the Overarching Standards. Upon meeting this Standard, Solutions are required to meet all the remaining Further Requirements over the following 12 months. The structure of the Overarching Standards has been updated to display BAS requirements under the Baseline Assurance Standard Requirements section, and requirements not in the BAS are displayed under the Further Requirements section.
As part of this change, the Authority has recognised that some requirements take a significant length of time to achieve, e.g. obtaining an ISO27001 certificate. New requirements have been added to the BAS that allow Suppliers to show evidence that they’re on the path to achieving compliance with the requirement, but they do not need to be fully compliant until completing the associated requirements as part of assurance for the Further Requirements.
In addition, the Authority is also implementing a new method of assuring Suppliers by assigning Solution Categories. Solution Categories are assigned to Supplier Solutions based on the Capabilities that the Solution delivers, operational characteristics and the associated risks. The Solution Category determines the level of assurance the Supplier’s Solution will undertake as part of the Baseline Assurance Standard and assurance of the Further Requirements. This means that the level of assurance is proportional to the level of risk the Solution poses.
Solution Categories will be determined based on the Capabilities the Supplier selects and their responses to a set of questions sent out as part of the Onboarding process.
Once a Solution Category has been assigned (A, B or C), Suppliers can see what level of evidence they need to provide for each requirement. There are four options:
Self-certification - the Supplier will need to provide a description of how the Solution meets the Requirement. The Authority will review the description and may ask questions for clarification, but additional evidence will not typically need to be provided. Some Self-certification Requirements outline specific scenarios or details that the Supplier will need to include in their description; Suppliers should ensure this detail is included in their response where requested.
Self-certification with Supporting Evidence - the Supplier will need to provide a description and supporting evidence of how the Solution meets the Requirement. Supporting evidence may include certifications, data extracts, or examples of policies and processes designed to manage the Requirement. The evidence for each Requirement contains detailed descriptions of the types of evidence that are suitable for each Solution Category. The Authority will review the description and the evidence provided.
Full Assessment - the Supplier will need to provide a description and full and comprehensive evidence for how the Solution meets the Requirement, and the Authority will conduct a thorough assessment. The evidence for each Requirement contains detailed descriptions of the types of evidence that are suitable for each Solution Category. In addition, this may involve arranging a Live Witness Assessment where the Supplier will demonstrate the evidence to the Authority who will have the opportunity to ask questions and provide feedback on the evidence.
N/A - the Requirement is not applicable for this category of Solution.
Solution Categories will be reviewed at appropriate intervals, and Suppliers may need to provide additional assurance evidence if the risk level of their Solution increases.
As part of the updates to the Overarching Standards to accommodate these changes, some minor changes to the content of the Standards will also be made. These changes will provide clearer instructions and remove areas of ambiguity and duplication within the Standards.
Outline Plan
N/A
Summary of Change
Baseline Assurance Standard: new Standard added
New Baseline Assurance Standard added, see Full Specification.
Baseline Assurance Standard: new Requirements added

| Applicable Contracting Vehicle(s) | ID | Requirement | Level |
|---|---|---|---|
| All | GP-IG-16-4 | ISO/IEC 27001 Accreditation: Provide either a: Valid ISO 27001 Certificate from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances; or Implementation plan to achieve ISO 27001 Certification from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances. | Must |
| All | SCT3.7 | Coding & Terminology: If your Solution contains Clinical Information it must be coded against the UK Edition SNOMED CT. For further information, see SNOMED CT. | Must |

Interoperability Standard: Requirement removed

| ID | Requirement | Level |
|---|---|---|
| ISNFR02 | The system will provide comprehensive audit facilities for ALL messages, including acknowledgements, over ALL transports and using ALL message types/syntax in order to satisfy general Information Governance requirements and specific message flow requirements to ensure that support desks have access to the required information when investigating incidents/issues. | Must |

Training Standard: Requirement removed

| Applicable Contracting Vehicle(s) | ID | Requirement | Level | Self-directed |
|---|---|---|---|---|
| All | TR-9.2 | Training Environment - Link to path to live training environment: Training environments shall link to The Authority's path to live training environment (Spine training environment) when users need to be trained on transactions between the Supplier System or Capability and the National Services (e.g. e-Referral, Summary Care Record, NHS number, etc.). | Must | No |

Overarching Standards: Structural & Patch changes applied
Baseline Assurance Standard and Solution Categories for Assurance in DSIC: new Reference Page added
New Reference Page added, see Full Specification.
Full Specification
The full set of updated Overarching Standards will be added at a later date. Proposed changes to the structure can be viewed in the following example - Business Continuity and Disaster Recovery.
See Baseline Assurance Standard for the full set of requirements included in the BAS.
See Baseline Assurance Standard and Solution Categories for Assurance in DSIC for reference information on the BAS and Solution Categories.
Assurance Approach
Suppliers Onboarding onto a new Contracting Vehicle will first be assured against the Baseline Assurance Standard and will then have a further 12 months to become fully compliant with all Overarching Standards.
Suppliers that have completed assurance of the Overarching Standards and are not currently Onboarding onto a new Contracting Vehicle will not require any action.