Skip to main content

Virtual Smartcard Service provided by Isosec

A virtual smartcard product and service that enables users to authenticate securely, which includes an app on their mobile device, to gain access to health and care systems and services.

The Isosec product is a 3rd party application and service that works with the Care Identity Service (CIS) to provide 2 Factor Authentication (2FA) to a range of national and local systems. 

It is an option for authentication to Spine systems and it works through a combination of Isosec specific local client software and an Isosec application that can be downloaded and installed on a user’s mobile device. Virtual Smartcards can be issued and managed by Registration Authorities across their user estate.

This virtual smartcard solution and service is built, managed and supported by Isosec. The new version of the service has undergone product assurance reviews by NHS Digital's Cyber Security, Solutions Assurance and Information Governance functions.

Isosec Product Statement

NHS Digital and Isosec have been working collaboratively to agree the design and implementation for an enhanced solution from Isosec that meets all of NHS Digital’s requirements.

The enhanced product, using versions of the software outlined below, has now been through that review process - our cyber security team has confirmed that the design of the solution now constitutes an Advanced Electronic Signature (AdES) and can be used for authentication. The only approved versions of the software are those outlined below and must be deployed with the user's unique keys held on a mobile device. Multiple user's keys cannot be stored on a mobile device and a mobile device cannot be used by multiple users.

We are currently working with Isosec and the Electronic Prescription Service (EPS) team to ensure that the enhanced service can be used to sign prescriptions for use with EPS.

Isosec can now start working with its customers under our agreement to roll out the enhanced software elements as outlined in the Product Assurance section below for authentication and will work with its customers to rollout support for EPS when confirmed as signed off by the EPS team.

Isosec Product Assurance

NHS Digital has developed and implemented a requirements framework for Virtual Smartcard solutions to be assessed. This framework will be kept under review at least annually. We will manage change to this framework either as a result of changes to the requirements or changes implemented by supplier systems.  

The enhanced Isosec product has been through a rigorous process of assessment against a number of attributes and acceptance criteria, which has given NHS Digital and Isosec confidence that it can now be made available to NHS organisations under the agreement with NHS Digital.

The assessment covered:

  • consumer contracting and agreement
  • solution overview and how it met security and operational requirements
  • administration – how system admin activities are undertaken and how they are protected from being compromised
  • test and assure – the process and methods for build and test
  • deployment methods and approach
  • change and configuration management
  • monitoring and service management
  • governance
  • risk management including business continuity and disaster recovery

Through the review, a number of additional artefacts have been created and agreed between Isosec and NHS Digital including a Connection Agreement, Customer Acceptable Use Policy, Change Control Process and Remediation Process that improves the agreements in place between NHS Digital, Isosec and its customer base.

NHS organisations taking the Isosec solution under NHS Digital agreement should review and accept additional agreements before rolling out the new software and service.

Isosec can provide this or a copy can be provided on request. Email:

NHS Digital has assured the Isosec solution against the following versions of Isosec software:

Component Version Description
vSC Server 2.0 Cloud based virtual smartcard component
vSC Authenticator 3.0 Virtual smartcard authenticator mobile app
iO Identity Agent 9.0 Identity agent
vSC Issuance 2.0 Virtual smartcard RA issuance component

These are the only versions of the Isosec software that are accredited for use and must be deployed with user's unique keys held on the mobile device. Mobile devices must only contain a single user’s keys and must not be share devices.

No other deployment pattern is approved for use by NHS Digital.

A copy of the NHS Digital Assurance Framework can be provided on request by contacting

Whilst NHS Digital has reviewed the Isosec solution, all customers are advised to perform their own due diligence and pre-deployment checks and tests prior to the use of the solution to ensure that it meets the commercial, legal and policy requirements of their organisation.


In April 2020 NHS Digital procured a limited number of licenses to remove local burden.

Licenses should continue to only be granted and used to help NHS organisations with their COVID-19 response.

NHS Digital has agreed with Isosec that NHS organisations already approved to use the solution under our contract can request that the term of the licence can be extended to the end of March 2022. There is limited funding available and therefore this will be agreed by Isosec on a first come first serve basis.  

Any organisations who will not make full use of their existing approved licences are encouraged to contact to offer unused licences back to NHS Digital. Those licences may then be made available to new or existing organisations that can make use of the service. 

Apply for Isosec Virtual smartcards

We are not currently accepting any new applications for Isosec virtual smartcards. If NHS organisations return licences they don’t believe they can fully utilise, then we will work with Isosec to engage customers on a first come first serve basis. 

NHS organisations can contact Isosec directly via: to enquire about how to procure their Virtual Smartcards.

If you wish to be notified if any further licences become available you can email with the following details: 

  • email title - Isosec VSC
  • organisation name
  • contact name, email and phone number
  • how many licences you’d like
  • overview of the systems the users would use the Isosec VSC with

Contact us

If you have questions or need help with your application you can email

Last edited: 29 November 2021 4:18 pm