
Part of HSCN Compliance Operating Model

1. Introduction

An introduction to the processes, organisation, people, information, and technology required to achieve and maintain HSCN Compliance.



The purpose of this document

This document describes the end state for the Compliance process for HSCN (referred to as 'HSCN Compliance'). It details the processes, organisation, people, information, and technology required to achieve and maintain Compliance.


Key principles

As stated in obligation OPCERT.1 of the HSCN Obligations Framework, in order for a Supplier to sell HSCN Connectivity Services they must hold HSCN Compliance status. HSCN Compliance status confirms that the Supplier adheres to the standards and policies that are set out in the HSCN Obligations Framework. The HSCN Compliance process described in this document sets out how HSCN Compliance status is tested and awarded.

The compliance model adheres to the following set of core principles – the model:

  • is clear as to what is being audited for Compliance, for how long and by whom
  • recognises equivalent certifications that could be validated as contributing to HSCN Compliance – this includes a set of ‘foundation’ certifications including PSN and ISO/IEC
  • reuses existing processes and resources where appropriate
  • minimises cost and time whilst being sufficiently robust to act as a useful control and assurance mechanism
  • outlines a process for withdrawal of Compliance and impact
  • assists suppliers with published support

The HSCN Obligations Framework adheres to the following set of core principles:

  • the HSCN programme will aim to maximise supplier participation in the HSCN Marketplace (including small, medium and large suppliers)
  • minimise upfront investment costs for end users and suppliers
  • take a default position to align to and reuse existing standards commonly adhered to already (such as ISO and PSN) and minimise unique requirements – hence the use of ‘equivalent’ certifications.

Note that there is a set of specific HSCN Obligations that relate directly to Compliance. These are OPCERT 1 to 5:

  • OPCERT.1: Minimum compliance
  • OPCERT.2: Supplier assessment
  • OPCERT.3: Obligation evidence
  • OPCERT.4: Compliance decision
  • OPCERT.5: Renewal cycle

Please refer to the HSCN Obligations Framework for more information.

Note

Suppliers are responsible for their own full compliance and on-boarding costs.


Main objectives

The principles described above can be combined into the following objectives for the HSCN Compliance process.

The process will:

  • document clear business and technical scope of service
  • reuse existing standards and equivalent certifications
  • minimise cost and time to suppliers in terms of the application process
  • minimise cost and time to the HSCN Authority in the auditing process, both before the supplier provides services and products and during operational assessment once live
  • minimise upfront investment where possible
  • provide robust assessment and assurance of service to consumers
  • provide consistent service to suppliers independent of the size of the supplier business, so that barriers to entry are minimised where possible

Key compliance stages

The compliance model is made up of 3 core stages:

Stage 1 

Obligations which must be reviewed and met before the Supplier can connect to central capabilities and progress on to the next stage of the compliance process. This step is the initial engagement, which includes submission of the application form and high-level design documents providing evidence of the Supplier's service offering.

Stage 2 (pre-live)

The relevant obligations which must be met before a Supplier can begin marketing, selling, and supplying services to Consumers and connect to the services stood up by the HSCN Authority: the Peering Exchange Network, HSCN Data Security Centre Secure Boundary Service and the Network Analytics Service. This stage is part of the wider on-boarding process run by the Service Co-ordination function operated by the HSCN Authority (please refer to the HSCN Solution Overview).

Note: Once the Supplier commences delivery of services, they will be subject to a 3-month probation check where the Authority will run a set of checks to ensure that the Supplier is operating in adherence to the Obligations.

Stage 3 Live Operations Compliance Management (Post-live)

Obligations which can only be proven by Supplier performance once the Supplier is delivering HSCN services.

As part of Live Operations Compliance Management, there will be regular assessments and an annual assessment of Supplier performance and adherence to the HSCN Obligations Framework. HSCN’s core network analysis and Service Co-ordinator capabilities will be brought into play to achieve this.

If a Supplier is found to be non-compliant with any obligation, the HSCN Authority can invoke a number of remedies, the ultimate of which would be to revoke Compliance – this process is detailed later in this document. This process would be governed by the conditions set out in the CN-SP Deed and would require formal HSCN Senior Responsible Owner (SRO) approval.

In addition to the HSCN Obligations Framework being used as a basis for Compliance, the Compliance process is supported by three further key governing mechanisms:

1. The CN-SP Deed: The deed, which is signed as part of Stage 1, ensures that the Supplier will adhere to the obligations set by the HSCN Authority and that the Supplier will co-operate with other Suppliers operating in the disaggregated HSCN eco-system. It is a legally binding document between the HSCN Authority and each CN-SP. The deed is therefore the key legal mechanism that supports the Compliance process and the HSCN Obligations Framework itself.

2. The Mandatory Supplemental Terms (MST): A set of HSCN terms and conditions that also support Compliance and the HSCN Obligations Framework. The MST must be included in the CN-SP/Consumer contract.

3. The Memorandum of Understanding (MoU): The MoU sets out the obligations on the Supplier and the HSCN Authority in respect of progressing through the Compliance Process.

The Supplier’s attention is drawn to Clause 5.0 (in particular 5.2) of the CN-SP Deed which may require the Supplier to agree to additional Security Risk Assessments (to be defined between the HSCN Authority and the Supplier).

Figure 1 (below) explains diagrammatically how all of these components work together.

Compliance Operating Mode

 


Last edited: 31 August 2022 1:42 pm