HSCN Compliance Operating Model

2. Overview and governance


Summary

An overview of the processes, organisation, people, information, and technology required to achieve and maintain HSCN Compliance and the governance around this.

A detailed level walk-through of the HSCN Compliance process

This walk-through will explain how the process will work over the three key stages.

Pre stage 1

HSCN will sign-post Suppliers to a section of the HSCN website which accommodates information covering the HSCN Obligations Framework and this document – a HSCN Compliance Stage 1 application form will also reside in this location.

HSCN will advise that any Supplier who holds an interest in applying to become a CN-SP downloads the HSCN Obligations Framework, the CN-SP Deed and the Mandatory Supplemental Terms and runs these through their internal governance to assess whether or not applying to become a CN-SP is likely to be achievable for them.

If the Supplier, upon conducting an internal review process, decides that Compliance is likely to be achievable then they will complete the HSCN Compliance Stage 1 application form which will ask a set of key questions about the Supplier and also existing certification that they hold, covering PSN, ISO/IEC standards and CAS(T).

1. Stage 1

Summary description and purpose

The first stage of Compliance that, once confirmed, allows a Supplier to market/sell HSCN-badged services and therefore, become a CN-SP.

The Supplier will begin the process by completing the HSCN Compliance application form that will be available on the HSCN website.

Information required, or pre requisites

The Supplier will be asked to complete an application form. This form will incorporate a set of questions covering:

  • The Company – including the Company number, details of leadership, the D-U-N-S number, details of the country of registration
  • Certification that is held (or the Supplier ‘may’ hold) across PSN, ISO/IEC and CAS(T) - in addition, the Supplier will be asked to declare a formal commitment that they will adhere to the HSCN Obligations Framework and the CN-SP Deed, and will seek no amendments to the published documentation prior to signature

In addition to the questions, there is a set of obligations (from the HSCN Obligations Framework) that any Supplier applying for Stage 1 will need to adhere to. Each obligation will require:

  1. A short response, whether this is a declaration that the applicant will adhere to the Obligation or a response based upon their solution
  2. A response to meet the requirement of the evidence cell in the spreadsheet (column D) which will state the type of response that is required.

Following on from the Obligations Framework response we will require a High Level Design document that covers the solutions-based thinking (including network architecture) behind the solution that the applicant is proposing. Each Obligation that is responded to must then be clearly referenced to the High Level Design document. A synopsis response to each Obligation is therefore required in the spreadsheet, and this must then be referenced to a High Level Design document section/page number.

The Supplier will be asked to provide a findings report from their IT HealthCheck (ITHC) – this must meet the requirements set out in the official government guidance on ITHCs.

In addition to the findings report the applicant must also provide the accompanying Remediation Action Plan which will detail how all open issues are to be resolved, and when.

The Stage 1 obligations are cited in the HSCN Obligations Framework – column D (‘Evidence required for HSCN Compliance’).

Assessment approach that will be employed, or tools approach

The HSCN authority programme team (incorporating the Compliance Review Group) will run a set of checks based on the questions asked and the declarations provided. This will include checks on certificates held through PSN, Data Standards Online, and checks with independent CAS(T) assessors.

Evidence should be submitted either as a written response (which HSCN can then check against) or an attachment referenced from the relevant obligation.

Note: The ITHC will require a specific written response in accordance with the standard HM Government guidance linked to above. 

Tools

The Compliance Review Group (CRG) administrator will utilise a spreadsheet model that is based on the HSCN Obligations Framework – equivalent certification held is filtered to enable the CRG to determine a super-set of specific obligations that require assessment.

Compliance, or failure notification method

Confirming Stage 1 Compliance (a ‘pass’)

If the Supplier passes Stage 1 checks then they will achieve CN-SP status – in order for this to be formally confirmed the Supplier will be required to sign the CN-SP Deed at this stage.

Upon receipt of the signed CN-SP Deed, HSCN will write to the Supplier and will provide the HSCN Assurance Mark for marketing purposes.

In addition we will cite their compliant status in the list of compliant Suppliers on our website.

If the Supplier fails this stage

If a Stage 1 application fails the Supplier will be advised of this and the reasons for failure in writing. In such an instance the Supplier will be able to re-submit an application as long as the requirements cited in the reason for the initial failure are rectified.

Maintenance required once this stage has been confirmed

Once a Supplier passes through Stage 1 and becomes a CN-SP it will be legally obliged (due to signing the CN-SP Deed) to maintain its status based on all certifications assessed and obligations adhered to – the Stage 3 Compliance checks (which will incorporate a yearly re-assessment of Compliance) will ensure that the HSCN authority will police adherence robustly.

Stage 1 - further information

Declaration of commitment to adhere to the HSCN Obligations Framework and CN-SP Deed

It is at this stage that we will ask (in the application form) for the applicant to specifically declare a commitment that they will adhere to the conditions of the HSCN Obligations Framework and that they will formally commit to undertake activities that are key for the service(s) being delivered. This assures both the HSCN authority and, indeed, HSCN Consumers to whom the Supplier may wish to market services post Stage 1, that the HSCN Assurance Mark is issued with auditable evidence that the Supplier has stated explicitly that they will fully comply with the HSCN Obligations in the event of challenge or non-conformance when HSCN Connectivity Services are operational, or prior to operational go-live status.

The application form

The contents of the application form, and the outcomes of our assessment will also be held by the HSCN authority in a data and information management repository (initially a SharePoint solution) – in the future ‘steady state’ this data will be held in the HSCN Management System (HMS).

The key information required for Stage 1, and asked for on the application form, will include:

  • company name
  • country of registration [1]
  • name of the company officer signing the CN-SP Deed
  • name of the company officer accountable for completing the Compliance application process and a nominated point of contact for the HSCN authority whilst the assessment process is being undertaken
  • Companies House number and also a D-U-N-S number
  • ISO certification claimed – declared
  • ISO certification numbers
  • CAS(T) (or ISO 27001) certification claimed and proof – or, formal sign-up to the limited time transition period (please refer to section 2.4) if only ‘critical’ conditions can be met at this time
  • PSN compliance claimed and proof
  • the ‘commitment’ statement box check
  • a statement declaring that ITHC findings will be provided to HSCN for review - and, if necessary, any remediation actions required will have taken place prior to provisioning any service, and the outcomes of this will be available to HSCN consumers

Evidence should be submitted either as a written response (which the HSCN authority can then check against) or an attachment referenced from the relevant obligation. These artefacts will then be assessed by HSCN staff with the relevant experience/skills.

If a Stage 1 application fails the Supplier will be advised of this and the reasons for failure in writing. The Supplier will be able to re-submit an application as long as the requirements cited in the reason for the initial failure are rectified. The application form questions for Stage 1 are presented in this application form.

[1] If a company is not registered and/or operating from the UK then the HSCN authority reserves the right to request further information around the company structure.

2. Stage 2

Summary description and purpose

The second stage of Compliance that, once confirmed, allows a Supplier (now the CN-SP) to provision a permanent live connection between their network and the HSCN authority stood-up services – such as the Peering Exchange Network, HSCN Data Security Centre and the Authoritative Technology Services – and a service to a HSCN Consumer.

Stage 2 therefore engages at the on-boarding stage and can begin once the core HSCN capabilities, such as the HSCN authority stood-up services, are deployed and ready to be connected to.

Stage 2 Compliance will ensure that the CN-SP is able to connect to the HSCN without putting the network at risk and that the Supplier has the processes in place to support the collaborative approach in the multiple Supplier eco-system, such as working together to solve incidents.

It is at this stage, when the Supplier is close to provisioning HSCN Connectivity Services, that an additional assessment will be carried out by the Compliance Review Group covering the Supplier’s technical, security and service management capabilities (note – the core HSCN capabilities, such as the HSCN authority stood-up services including the Peering Exchange Network, HSCN Data Security Centre and the Authoritative Technology Services, must be in place at this point). This stage will cover the key ‘pre go-live’ checks.

Information required, or pre requisites

The Supplier will need to present the following types of evidence at Stage 2:

  1. A written response to the Obligations, where specifically required in the HSCN Obligations Framework ‘Evidence required for HSCN Compliance’ section – this will include uplifting the Stage 1 High Level Design into a detailed design document.
  2. The Supplier shall meet the requirements of the HSCN CN-SP Service Management Requirement Addendum (via a detailed service management design), providing specific responses to this which the authority can assess (again, the specifics on what is required in the response are articulated in the Obligations Framework evidence column D) – the authority may also request that the Supplier runs service rehearsals or service acceptance tests that can be witnessed by the authority. Please draw this into a specific detailed design which is sectioned out by the process areas listed in the Obligations Framework.
  3. For Technical/Security and Operations/Governance the Supplier will provide design documentation as stipulated in the HSCN Obligations Framework advising where content related to a specific obligation sits.
  4. The authority will provide guidance on how the Supplier should connect to HSCN infrastructure components such as the Peering Exchange, ANM and NAS. This will also include a specification of the types of tests that will need to be run and the Supplier will be asked to provide a test plan to cover their approach to testing.

The specific evidence required is cited in the HSCN Obligations Framework.

  • A statement of residual risk
  • Operational processes and procedures (or null return if applicable);
  • Test plans and results – based on Peering Exchange testing;
  • Sample Quality of Service utilisation report; and
  • For the Service Management assessment, all Suppliers will be required to provide Service Desk contact details and network monitoring tool accounts.

Assessment approach that will be employed, or tools

Approach

The assessment approach at this stage will involve the HSCN authority CRG subject matter experts across the full sphere of technical, security, service management, commercial and legal running an assessment based upon artefacts provided by the Supplier.

Artefacts should be submitted as a written response (which the HSCN authority can then check against). The artefacts will likely be existing Supplier design documents and the HSCN authority will ask the Supplier to point to specific sections of their documentation which covers the requirements of specific obligations (referring to the HSCN Obligations Framework ‘Evidence required for HSCN Compliance’ section).

Tools

The HSCN authority CRG administrator will utilise a bespoke spreadsheet model that is based on the HSCN Obligations Framework – this will support the CRG in checking off obligations that have been confirmed as being met based upon the assessment of Supplier presented artefacts.

Compliance, or failure notification method

Confirming Stage 2 Compliance (a ‘pass’)

If the Supplier passes Stage 2 assessment then they will be allowed to connect to the HSCN via the Peering Exchange.

The HSCN authority will write to the Supplier to advise them of their confirmed status; and in addition we will cite their compliant status in our list of compliant Suppliers on our website.

If the Supplier fails this stage

If a Stage 2 application fails, the Supplier will be advised of this and the reasons for failure in writing. In such an instance the Supplier will be able to re-submit an application as long as the requirements cited in the reason for the initial failure are rectified.

Maintenance required once this stage has been confirmed

Once a Supplier passes through Stage 2 and is permitted to connect to HSCN and physically provision services to Consumers they will be legally obliged (due to signing the CN-SP Deed) to maintain the statuses based on all certifications assessed and obligations adhered to – the Stage 3 Compliance checks (which will incorporate a yearly re-assessment of Compliance) will ensure that HSCN will police adherence robustly.

3. Stage 3

Stage 3 Compliance focusses on the assessment of the on-going adherence to the HSCN Obligations Framework – Stage 3 can only be conducted when CN-SPs are supplying live HSCN Connectivity Services as it is solely reliant upon live performance.

Although the CN-SPs will be monitored throughout their contract tenures as a matter of course they will be formally assessed once per year, as outlined below.

Those obligations that require a regular data feed will be used to generate a dashboard that will show service status to the HSCN authority. Performance against quantitative (measurable) obligations will be monitored by the service co-ordinator and network analytics service. Any significant issues will be picked up by the HSCN authority for actioning.

In the event that either monitoring or a HSCN Consumer complaint raises a significant issue with performance, or adherence to the HSCN Obligations Framework, the HSCN authority will, with the service co-ordinator and network analytics capability, work to determine a root cause of the issue. Then, supported by the CN-SP Deed, the HSCN authority will work to implement a resolution with the CN-SP to ensure the issue is concluded satisfactorily.

Figure 2 presents the key stages, and the logic that supports these stages.

 

Figure 2: the three-stage Compliance process – logic flow

Monitoring types

Ongoing monitoring

The HSCN authority will carry out operational monitoring on an on-going basis to ensure that the service(s) are being delivered in a manner appropriate to the requirements of the HSCN Obligations. Any issues will be captured by the HSCN Service Coordinator and managed via the HSCN authority – it is the HSCN authority that will inform the CN-SP that is in non-compliance and manage the issue through to remedy with the CN-SP.

Once per year assessment

A specific assessment into Supplier conformance to the HSCN Obligations will be carried out once per year on, or as close as possible to, the anniversary date of a CN-SP achieving Stage 1 HSCN Compliance. Again, the HSCN authority will be responsible for communicating any issues to the CN-SP and managing these through to remedy. 

Proof of compliance

There will be two methods of identifying the Suppliers who have achieved HSCN Compliance:

  1. A list of compliant Suppliers on the HSCN website
  2. Use of the HSCN Assurance Mark which will be granted subject to specific terms and conditions

Once the Supplier has achieved Stage 1 Compliance they will be provided with the HSCN Assurance Mark to promote their HSCN service offerings.

Note: HSCN Compliance will not automatically enable a supplier to qualify for any framework such as those operated by the Crown Commercial Service. The Supplier shall be solely responsible for any such applications in accordance with the relevant procurement regulations.

Issuing the HSCN Assurance Mark – business rules

  1. The HSCN Assurance Mark will be issued once the Supplier passes Stage 1 compliance and has signed the CN-SP Deed to become a CN-SP.
  2. The HSCN Assurance Mark will be issued to the Supplier via secure NHSmail as a JPEG file once the CN-SP Deed has been signed.
  3. Terms and conditions covering the use of the HSCN Assurance Mark will be attached to this issue email – this will include legal conditions and guidance covering how the HSCN Assurance Mark should be incorporated into documents/web pages.

Note: If a Supplier is deemed to be non-compliant with the HSCN Obligations Framework or the CN-SP Deed, the HSCN authority can, after complying with the process described in the CN-SP Deed, require that the HSCN Assurance Mark is removed from Supplier materials – please refer to the section below (non-compliance) for more information on the rejection/revocation of HSCN Compliance status.

Non-compliance

Rejection of HSCN Compliance status

If, based on the Compliance assessment at either Stages 1 or 2 (therefore pre go-live), it is found that a Supplier is not meeting, or adhering, to an obligation, the HSCN authority will notify the Supplier with specific information covering the item(s) that need to be rectified prior to Compliance being awarded – the Supplier may then take remedial action for reassessment.

Revocation of HSCN Compliance status

Where the Supplier holds HSCN Compliance status and is found to be non-compliant with one or more of the HSCN Obligations, the HSCN authority may use any of the remedies described in the CN-SP Deed.

Mandatory exclusions

Where the Supplier would be excluded from participation in a procurement procedure pursuant to one of the grounds for mandatory exclusion contained in section 57 of the Public Contracts Regulations 2015, the HSCN authority shall take this into account regarding that Supplier's HSCN Compliance status, and:

  • where the Supplier is in the process of applying for HSCN Compliance status, such status will be rejected
  • where the Supplier holds HSCN Compliance status, such status will be revoked

Security and service management compliance through CAS(T) assurance

The primary security obligation for HSCN is equivalence to the CAS(T) certification. The HSCN Information Assurance Requirements for HSCN Suppliers are based on the CAS(T) (CESG Assured Service (Telecommunications)) requirements. CAS(T) does also cover some key service management, business continuity and disaster recovery requirements – which have been augmented to ensure that specific HSCN security and service management requirements are incorporated prior to award of stage one compliance.

These controls are taken from ISO/IEC-27001:2013 (ISO27001) and were identified in consultation with the Industry, CESG (now the National Cyber Security Centre) and the HSCN Programme Security Sub-Board and the NHS Digital Service Management function as being an appropriate control set against the risk of compromise leading to loss of availability of HSCN services.

Further information on CAS(T)

The scope of Compliance shall be the end-to-end provision of HSCN services.

The CAS(T) Annex A (which can be found in Appendix 3) sets out the minimum scope for controls required for HSCN Compliance.

If as part of that scope of service, the HSCN Supplier is providing services that are already CAS(T) certified, assurance is met by the existing certificate. Further assurance will, however, be required for those parts of the service that are not covered by existing certification.

Security and service management compliance requirements

Annex A sets out the minimum scope for information and service assurance required for the HSCN Security Compliance.

The minimum baseline set of compliance requirements to become an HSCN Supplier are:

  • requirements marked as HSCN Minimum Compliance Baseline in Annex A – these set out the minimum set of security, business continuity and service management controls
  • requirements marked as HSCN Minimum Compliance Baseline under the Business Continuity Planning, Configuration management, Control performance, Governance, Incident management, Operations management, Risk assessment, Scope and Supply chain assurance categories in Annex A – these complete the HSCN baseline for compliance
  • carry out an ITHC scoped in accordance with guidance in Annex B – ITHC scoping

This ITHC ensures a minimum quality of security controls in place, and provides information to HSCN Consumers about the quality of a HSCN Supplier’s security controls with regard to HSCN services. An ITHC carried out as part of the CAS(T) certification will suffice as long as the minimum scope is met, and that the CAS(T) certification covers the proposed HSCN services.

Assurance of security compliance

There are three ways in which a HSCN Supplier can demonstrate Compliance with the minimum security requirements. Each HSCN Supplier must provide assurance for the HSCN services through at least one of the three methods set out below:

  1. Accredited - hold and maintain full (thus meeting all controls currently) current CAS(T) certification for the services provided – to the level required for the HSCN Minimum Compliance Baseline – as per the MCB filter in Annex A of the Compliance Addendum. A plan articulating how the remaining requirements marked as ‘Mandatory’ will be audited must be created for stage 1 application and available for HSCN authority review (on request).
  2. Audited - hold and maintain current ISO/IEC-27001:2013 certification (for the services provided) for an ISMS that includes the HSCN Minimum Compliance Baseline requirements at the point of becoming an HSCN Supplier (that is - prior to Stage 1 application) and achieve coverage for the remaining CAS(T) requirements marked as ‘Mandatory’ by 1st April 2019 at the latest. A plan articulating how the remaining requirements marked as ‘Mandatory’ will be implemented must be created for stage 1 application and available for HSCN authority review (on request). For this tier – all ‘Critical’ and ‘Mandatory’ controls required by HSCN for the minimum compliance baseline need to be implemented and evidenced prior to stage 1 application – as per the MCB filter in Annex A of the Compliance Addendum. ISMS certification audits must be conducted by a UKAS-accredited auditor, and Accredited status must be attained by 1st April 2019 at the latest.
  3. Asserted - self-assert compliance (for the services provided) with the CAS(T) ‘Critical’ and ‘Mandatory’ requirements for the HSCN Minimum Compliance Baseline at the point of becoming an HSCN Supplier (that is - prior to Stage 1 application) and achieve coverage for the remaining CAS(T) requirements marked as ‘Mandatory’ by 1st April 2019 at the latest. Must also attain Accredited status by 1st April 2019 (or if asked to by the HSCN authority). A plan articulating how the remaining requirements marked as ‘Mandatory’ will be implemented must be created for stage 1 application and available for HSCN authority review (on request). For this tier – all ‘Critical’ and ‘Mandatory’ controls required by HSCN for the minimum compliance baseline need to be implemented and evidenced prior to stage 1 application.

The HSCN Minimum Compliance Baseline controls are outlined in Annex A of the Compliance Addendum.

In each case, HSCN Suppliers must make a statement of residual risk available to Consumers (current and future) and the HSCN authority on request. Residual risks that must be included are:

  • all un-remediated ITHC findings higher than medium
  • all components that are part of the MCB (as defined within the CAS(T) security procedures referenced above) to the delivery of the services that are not assured to the correct level of availability under CAS(T)
  • all components of the services that are under the Consumer’s management or out of the providers’ control (that is - wires only circuits and radio from the mast in terms of mobile respectively)

Please note: As part of the Compliance process HSCN will require that CAS(T) certification and ISO27001:2013 certification is provided by an independent provider.

How will HSCN manage cases where applicants do not hold full Compliance at the point of application?

A staged approach has been agreed, which is summarised in figure 3 below, using the Declaration and Certification options for verification. The staged approach provides for the following statuses in relation to security Compliance - Asserted, Audited and Accredited as identified above. This approach will be known as the ‘Transition period for formal assurance of Compliance’- this will be referred to as the ‘Transition period’.

Compliance with HSCN requirements for information and service assurance remains part of the overall Compliance process, while having its own transitionary approach to full Compliance. Achieving Asserted status will satisfy the HSCN minimum compliance baseline, but CAS(T) certification from a UKAS auditor must be achieved by 1 April 2019 in order to attain Accredited status.

In order to ensure full visibility of any Supplier’s progress (a Supplier that is subject to the transition period), the HSCN authority will set a number of checks against each Supplier over the Transition period. This will ensure that the HSCN authority is kept fully apprised of progress made toward full Compliance and is able to act early if it seems likely that full Compliance will not be met within the Transition period. The HSCN authority will have the right, under the terms of the CN-SP Deed, to revoke Compliance and stop a Supplier from selling any further services should they fail to achieve compliance required from the Audited or Accredited tier within the defined transition period or retain existing Audited or Accredited certification.

The CAS(T) Transition period – what must a Supplier do?

Suppliers will be able to achieve HSCN compliance during the Transition period without full (Accredited) CAS(T) certification but must:

  1. Be (and remain) compliant with the HSCN minimum compliance baseline from the outset.
  2. Provide an assurance that this baseline is implemented from the outset – therefore they must have an independent member of the CHECK scheme carry out an IT health check before selling services (and annually thereafter), and make a copy of the residual risk report available to the HSCN authority (and potential customers). The ITHC that will be required for Stage 1 is a key assurance for PSN Suppliers and is necessary for CAS(T) compliance. Please refer to Annex B of the Compliance Addendum for more information on how to conduct an ITHC.
  3. Achieve formal CAS(T) accredited certification within 2 years of achieving Stage 1 compliance or by 1 April 2019 (as a firm deadline) if Stage 1 compliance is achieved after 1 April 2017.
  4. Obtain CAS(T) accredited certification from an independent assurance body that is recognised by NCSC (for CAS(T)).
  5. Retain compliance – the Supplier will not be able to obtain interim HSCN Compliance on the basis of a lapsed formal certification (Note: Suppliers holding PSN compliance, or certification with ISO/IEC-20000:2011 or ISO/IEC-22301:2012, cannot downgrade their compliance and take advantage of the transition period – that is not what it is intended for).

Risk mitigation

To further mitigate risks associated with non-independently verified Suppliers, HSCN applies some conditional measures on Suppliers during the transition period. HSCN has incorporated wording into the CN-SP Deed that:

  1. Makes provision for the HSCN Authority to require any Supplier (irrespective of current assurance level) to conduct a risk assessment, based on market share and taking into account geography and care settings of customers. This risk assessment shall review the risk to the availability of the HSCN service, including impact levels of all assets providing the service and be based on an agreed risk methodology. The output of that risk assessment must include any additional security controls and / or levels of assurance required, and must be satisfactory to the HSCN authority (acting reasonably) based on the risk to availability of the HSCN and impact levels of all providing services.
  2. If the Supplier fails to comply or reach agreement with the HSCN authority, then the ultimate sanction available to the HSCN authority is to suspend the Supplier from selling HSCN services. This means the HSCN authority monitoring the number and type of connections that each Supplier has sold against agreed criteria of what constitutes an acceptable market share to the HSCN authority/DH for Suppliers with no independent assurance of the implementation of the security controls.

Maintenance of CAS(T) compliance

Suppliers that are already CAS(T) certified will not be allowed a Transition period and must retain (and maintain) their CAS(T) certification (compliant with the HSCN minimum compliance baseline) from the point that they apply for HSCN Compliance.

Figure 3: Security compliance routes and alternatives.


The full CAS(T) control list (CAS(T) Annex) can be found in Appendix 3.

This annex lists the security controls, categories, criticality of the control, sets out additional guidance and also provides a mapping (if appropriate) to other existing ISO/IEC controls.

Please note the ‘criticality’ column outlines a status for each control in terms of the HSCN requirement to have the control and, at what point.

Suppliers must be compliant with the critical and mandatory conditions in the Governance category of the Annex as a minimum at the point of Stage 1 application.

Ultimately, in order to become a HSCN CN-SP the Supplier needs to be compliant with the HSCN minimum compliance baseline at the stage one compliance application, with all the controls set out in the CAS(T) annex by 1 April 2019, and be able to demonstrate compliance through independent assurance (CAS(T) or ISO27001).

Governance

Ownership for the Compliance business system will sit in the HSCN authority, which will be responsible for sourcing the required skills. Prior to this the HSCN programme will manage the process to bring the first wave of CN-SPs into the HSCN.

Changes to the Compliance process and HSCN Obligations Framework will be managed through the change control process (a separate piece of collateral), which encourages collaboration between industry and the HSCN authority.

The HSCN authority will continue to work collaboratively with Innopsis and other industry bodies which may become appropriate, to develop and maintain the Compliance process to meet the needs of both the HSCN authority and the commercial needs of the Suppliers.

Last edited: 18 February 2019 5:11 pm