WHITEPAPER

Data Center Certification:

What You Need to Know

We create trust
We
create
trust
WHITEPAPER Data Center Certification: What You Need to Know

Data Center To reduce the probability of system failures and

data losses in such highly concentrated and
Certification complex environments, sophisticated security
concepts and reliable security assessments
based on a recognized criteria catalogue are
essential.
Information and communication systems pro-
vide the basis for many corporate decisions Businesses can profit in many ways from a cer-
and activities. Their availability is of fundamental tification of the mission critical infrastructure of
significance for any modern company. Failures a data center. It gives evidence to own efforts
can quickly threaten the proper operation or to have built up a state of the art data center.
existence of an enterprise. Time-critical access, It confirms proper installations to colocation
just-in-time activities, intensive networking and service providers. Additionally a ranking like the
a large volume of on-line business require a high one’s of the German company TÜV Information-
level of system availability and resilience. Com- stechnik GmbH (Member of TÜV NORD GROUP,
bined with the trend towards centralization of short: TÜViT) with 4 different clearly levels de-
business-critical productive hardware, it increas- fined in its TSI (Trusted Site Infrastructure) meth-
es the demand on system performance, data od, the European Standard EN 50600, which
management and the corresponding mission crit- allows a proper classification with its 4 availability
ical infrastructure. These aspects are not granted classes or the 4 different Tier classifications by
for sure. Data center tenants treat the topic with the Uptime Institute. The EN 50600 is the first of
grown sensitivity. Therefore, the demand for its kind official data center standard on an Euro-
TÜViT’s certification services in the data center pean level, which was developed to ensure the
environment has expanded rapidly over the last physical security and availability during the de-
years. sign, construction and operation of a data center.

3 www.tuvit.de
WHITEPAPER Data Center Certification: What You Need to Know

Different Data Center Standards

TSI.STANDARD EN 50600 Uptime Tier

■ TÜV iT’s own developed criteria ■ O f f icial European guideline ■ Privately owned evaluation/
catalog -Ba sis for the upcoming ISO cer tif ication method
■ German Engineering Approach 22237 (future global data
■ Ha s its origin in the USA
center standard)
■ Takes into consideration best ■ Globally known
practices and standards ■ Clear dif ferentiation through
4 dif ferent availabilit y cla sses ■ Dif ferentiation into 4 Tiers
■ Clear dif ferentiation through 4
■ Criteria Aspects: Environ- ■ Focuses mainly require-
dif ferent levels ments in the power supply,
ment, Construction, Fire
■ Clearly def ined criteria, which Protection S ystems, Securit y air conditioning systems
allow comparabilit y S ystems, Power, Supply, and organization

■ Criteria a spects: Environment, Air Conditioning S ystems, ■ Requires prior design cer ti-
Construction, Fire Protection Organization and Documen- f ication before a construct-
S ystems, Securit y S ystems, tation ed facilit y can be cer tif ied
Power Supply, Air Conditioning ■ Provides a ssistance in ever y ■ Divides into design, con-
S ystems, Organization, Docu- pha se: Idea, Design, Con- structed facilit y and opera-
mentation and Dual Site Data struction and Operation tion cer tif icates
Center
■ No prior design cer tif ication
■ Provides a ssistance in ever y is required to receive a cer-
pha se: Idea, Design, Construc- tif icate of the constructed
tion and Operation facilit y
■ No prior design cer tif ication is ■ Originally meant a s a guide-
required to receive a cer tif icate line ,however by applying
of the constructed facilit y the TSI-method it becomes
■ Makes use of a criteria catalog, cer tif iable by using the cri-
therefore the operator ha s teria catalog of TÜV iT TSI.
transparency during the evalu- EN50600
ation process
■ Fulf illment of par t of the re-
■ Clearly def ined criteria in the quirements are risk ba sed
levels
■ Full coverage of EN 50600 re-
quirements

Table 1: Shows the relevant approaches with its properties as noted in the internet

4 www.tuvit.de
WHITEPAPER Data Center Certification: What You Need to Know

If you are unsure whether the data center still TÜViT’s criteria catalogs TSI.STANDARD and TSI.
conforms to all applicable standards, if you intend EN50600 provide the optimal method for assess-
to rent data center space, or if you are taking ing data centers for their reliability and security.
over a data center and want a neutral, engineer- The method has been developed and published
ing opinion on the current status (e. g., usage, in 2001 and has been continuously developed in
spatial layout, power supply, cooling, network, order to confirm a state of art data center. Today
security, organization), then these are all reasons it is in alignment with the European data center
to consider contracting an experienced exter- standard EN 50600 and it counts more than 1000
nal third party to perform an audit of your data evaluation and certification projects,
center or to ask for a relevant certificate before especially in the banking, energy and ITC
you move with your IT equipment. sectors, with increasing colocation and cloud
infrastructure configurations.

5 www.tuvit.de
WHITEPAPER Data Center Certification: What You Need to Know

What is the foundation The auditor(s) should be trustworthy special-

ist(s), preferably with an engineering background
of such a certification? and experienced in audit areas relevant to data
centers.
A quality audit should (and for a later certification
it must) involve the client’s operational staff who
Certification is a process conducted by a neutral are familiar with the data center, from IT and
institution (certification body) to confirm that the facilities personnel, to internal electrical and me-
target of evaluation is conform with a standard, a chanical engineers if part of the client’s organiza-
criteria catalog or a normative document. tion or the equivalent external professionals who
have worked with the client before.
Whether the institution is trustworthy or not
depends on various aspects, for example how The evaluation should take the specific char-
are such evaluations conducted? Does the acteristics of a client’s data center into consid-
certification body act independently from the eration using an engineering based and pro-
evaluation body or is there a separation at all? tection-objective approach. This offers greater
Are the certification processes in alignment with flexibility than basic check-lists. Therefore, the
ISO 17065 and does the certification body have approach of the TSI evaluation program is „com-
an accreditation? Furthermore, how is the team ply or explain“. Even though a data center, de-
of auditors set up? Are these all experts in the pending on its intended availability level, should
required disciplines? be in conformance with the criteria laid out in
criteria catalogues such as TSI.STANDARD, some
In order to make certifications comparable it aspects may deviate from the ideal described by
needs a public criteria catalogue, which defines a standard. Some deviations from the standards
the extent of evaluation and the assessments to may be intentional because alternative solutions
be done. It helps to perform identical evaluations. are more common in some regions. Important
Each certificate is the result of such a criteria is that the alternative solution serves the same
based evaluation and everybody can understand objectives in the same effective manner.
how the result is produced.

6 www.tuvit.de
WHITEPAPER Data Center Certification: What You Need to Know

The TSI.STANDARD for data centers, for example,

specifies the proximity to major highway traffic
arteries for a Level 3 data center as being great-
er than 75 meters. If the site of a data center is
closer, a basic checklist audit would likely result
in a failed rating. Auditors with an engineering
approach to the protection objective would look
at a variety of other aspects before making a
judgment on this criterion, including:

■ What is the structure of the building, housing
of the data center?
■ What is the f loor layout? Where are the rooms
located that are critical to the function of the
data center in relation to the traf f ic ar ter y?
■ What is the elevation? Is the traf f ic ar ter y on
the same level a s the facilit y, lower or higher?
■ Does the traf f ic ar ter y run parallel to the
building, at an angle or are there cur ves or
intersections?
■ What is the speed limit of the nearby road?
■ What are the traf f ic statistics (e.g., frequency
of vehicles, predominate t ype of vehicles and
accident statistics)?
■ What is the speed limit of the nearby road?
■ Are ex ternal protective mea sures in place
(e.g., traf f ic barriers or boulders)?

If the descriptive documents show measures that

were implemented to compensate any risk and
their effectiveness can be verified by the onsite
inspection, this criterion could be considered as
fulfilled.

An evaluation and certification of a data center

must follow thoroughly documented procedures
and should define exact assessment criteria for
the evaluation.

7 www.tuvit.de
WHITEPAPER Data Center Certification: What You Need to Know

What is the process of

such a certification?

An evaluation and certification of a data center

consists usually of the following steps:

Step 1: Provision of Documentation comprehend which specific threats and physical

and It’s Review risks have been considered, which security re-
quirements have been derived and how security
Before any auditor visits a data center, they requirements have been implemented in the
will typically review the provided documen- form of concrete measures. Furthermore, the
tation. implementation in the specific criteria areas will
be explained and technical systems and compo-
The documents required for an audit can vary nents employed will be introduced. In addition,
slightly but, in general, they should enable the the facility operations and the security service will
auditor to gain insight into the different areas be described.
and a proper understanding of the implemented
concepts. In case of a certification the extent of In addition to the security concept, other strate-
the document set is defined and its delivery is gic and conceptual documents include:
mandatory.
■ Environmental risk and threat analysis
The security concept is the central document
■ Fire protection concept
from which context, security situation, security
■ Alarm strategy
requirements, design concepts and imple-
mentation measures are derived. The security ■ Annual maintenance schedule
concept describes the functioning of a data ■ Verif ication and testing cer tif icates
center as a whole, serves as an overview that
all required measures are in place and serves as The submitted documents will be reviewed and
verification that no important aspects have been evaluated.
neglected. From the security concept, one can

8 www.tuvit.de
WHITEPAPER Data Center Certification: What You Need to Know

Step 2: The On-site Inspection and

Audit The duration of the activities during the onsite
inspection should be sufficient for the auditor(s)
After evaluation of the documentation, to gain a proper understanding of the data
on-site inspections will be conducted as center and to verify all aspects as required by the
part of the audit. The on-site inspection criteria catalogue. This will help to evaluate and
verifies that all the measures described in record the complete infrastructure reliability, re-
the documentation has been implemented silience, deficiencies and operational capabilities
properly. in a highly efficient and integrated way.

This includes an evaluation of the present load Step 3-4: Evaluation Report and Cer-
condition, an assessment of capacity and ca- tification
pacity constraints, identification of potential risks
for system down-time and an assessment of the
Submit a written report specific to the cli-
concurrent maintenance abilities of the site. The
ent’s facility with particular problems and
duration and the number of auditors of the audit
concerns.
depend on the size, complexity and availability
This report describes the purpose of the audit,
level of the data center.
the result is a summary of the findings and details
regarding each assessment criterion. The report
If the inspections include any test runs potentially
will also include a judgment on the capabilities
influencing mission-critical systems, the exact
of the facility and its strengths and weaknesses,
scope including the ambient condition, person-
make practical recommendations for impro-
nel, tools and measuring instruments required
vements and lists all findings of non-conformities.
should be agreed upon beforehand.
Since the findings and recommendations may
have far-reaching consequences, every conclusi-
The testing of non-critical functions should al-
on in an audit report must be reproducible.
ways be performed during an audit. These tests
could include:
The report is submitted to the certification body.
It reviews the results of the report, checks the
■ Triggering a door-to-long-open alarm qualification of the auditors, examines the com-
■ Handing your access control card to another pleteness of evaluation and verifies the indepen-
person should not enable this person to use dence of the auditors. At the end, the certifica-
the card for the same ingress (i.e., anti-pa ss- tion body decides whether a certificate will be
back) granted to the data center operator. Additionally
■ A small amount of liquid applied to a leakage it publishes the certificate on its website and ser-
detection band should trigger an alarm of the ves as contact for any certification matters and
system future re-certification inquiries.
■ Deactivate redundant components

All of these non-critical tests should also result

in an appropriate technical or organizational
response as described by the data center’s se-
curity concept.

9 www.tuvit.de
WHITEPAPER Data Center Certification: What You Need to Know

Benefits

A certification or even a data center audit

from experienced, reputable auditors can
provide many benefits, including:

■ Avoidance of downtime by identif ying risks

beforehand
■ Provision of general and specif ic guidelines to
improve or optimize the mission-critical infra-
structure of a data center
■ A valuable tool during contract negotiations
with third par ties like co-locator
■ A marketing tool to demonstrate the qualit y of
a data center
■ Proof of compliance with applicable data
center standards (e.g. EN 50600)

10 www.tuvit.de
WHITEPAPER Data Center Certification: What You Need to Know

About TÜViT With our evolved TSI.ECOSYSTEM we create

added value for our customers and the market.
Our competencies, methods and services ensure
transparency, comparability and security throug-
hout the entire life cycle of your data center.
TÜV Informationstechnik GmbH focuses solely
on security in information technology and, as an
independent testing service provider for IT secu-
rity, is an international leader. Numerous corpora-
tions already benefit from the TÜViT-tested secu-
rity. Its portfolio includes cyber security, software
and hardware evaluation, IoT/Industry 4.0, data
protection, ISMS, Smart Energy, mobile security,
automotive security, eID and identity verification
services as well as the testing and certification
of data centers for physical security and high
availability. TÜV Informationstechnik, founded in
1995 and headquartered in Essen, Germany, is
a member of the TÜV NORD GROUP, one of the
world's largest technology service providers with In doing so, we always keep in mind the goal
over 10,000 employees and business activities in of identifying weak points as early as possible,
70 countries worldwide. which would otherwise lead to high correction
costs, availability restrictions or even the downti-
TÜViT is the brand of the IT division of the TÜV me of a data center later on.
NORD GROUP and is one of six global business
units. The IT business unit includes the compa- TÜViT has completed over 1,000 evaluation and
nies TÜV Informationstechnik GmbH and TÜV certification projects of data centers.
NORD IT Secure Communications GmbH & Co. To learn more about TÜViT’s services and certifi-
KG, a Berlin-based consulting company founded cations in the data center sector visit:
in January 2018.
https://www.tuvit.de/en/services/data-cen-
TÜViT has been doing this for almost 20 years ters-colocation-cloud-infrastructures/
now with "Trusted Site Infrastructure - TSI". A
proven standard in the data center market and
matured over the years into a valuable proce-
dure, TSI guarantees the physical security and
high reliability of mission critical infrastructures
in data centers. At its heart is our increasing-
ly sought-after TSI certificate, which proves
TSI-compliant implementation.

11 www.tuvit.de
WHITEPAPER Data Center Certification: What You Need to Know

Contact

TÜV Informationstechnik GmbH Mario Lukas V1.0 20210319

TÜV NORD GROUP Senior Account Manager

Langemarckstraße 20
T +49 201 8999-567
45141 Essen
E [email protected]

T +49 201 8999-9

Karim Marcel Odeh
F +49 201 8999-888
Account Manager International
E [email protected]
W www.tuvit.de T +49 201 8999-580
E [email protected]

12 www.tuvit.de