
Security Compliance: Accredited tier in detail

This page contains the principles associated with the Accredited tier of commitment - the requirements on the supplying organisation in terms of what the supplier needs to have/hold, and what they will need to do to meet the requirements of the tier.

Accredited tier

I commit that our organisation has:

  • ensured that the scope of the services proposed for HSCN Compliance meets the definitions laid out in the 'scoping' category of Annex A (found in the HSCN Compliance Operating Model Appendix 3)
  • identified where compliance with the technical, security and service management sections of the HSCN Obligations Framework is evidenced within supporting documentation supplied (i.e. High Level Designs, contracts and service management documentation)
  • obtained a valid CESG Assured Services (Telecommunications) certification from a CAS auditing company
  • implemented the Mandatory controls within the Business Continuity Planning category of Annex A, to the level specified within column D - "CAS(T) additional guidance"
  • created a plan of how all Mandatory controls in Annex A will be audited (to the level specified within column D - "CAS(T) additional guidance") prior to the second anniversary of the HSCN Compliant supplier award or the 31st March 2019 (whichever is the sooner) 
  • ensured an IT Health Check (ITHC) is conducted by an organisation delivering CHECK, CREST or Tiger security testing services for the scope of service provided as per the government ITHC guidance, incorporating the additional requirements within A.18.2.3 from Annex A and renewed prior to the anniversary of achieving Stage 1 HSCN Compliance
  • provided a residual risk statement (or null return) covering:
    • all unremediated ITHC findings higher than medium
    • all components that are critical to the delivery of services that are not assured to the correct level of availability under Chapter Five of the CAS(T) security procedures
    • all components of services out of the providers' control
  and send it on request to HSCN Consumers, potential HSCN Consumers and the HSCN Authority

 

I commit that our organisation will:

  • communicate the intended date for implementation of all mandatory controls (to the level specified within column D - "CAS(T) additional guidance") to the HSCN Authority
  • maintain the plan to audit the controls
  • ensure that any changes to the assurance tier of the service shall be notified to the HSCN Authority
  • ensure that all additional/amended services shall be delivered to the level of assurance committed to, on the date committed
  • keep our key contacts updated, and review them at least annually
  • ensure that the ITHC is conducted on the scope of the service prior to the expiry date

Last edited: 8 September 2020 1:08 pm