Data Center

Certification
What You Need to Know

TÜV®
 Data Center Certification

Table of contents
Data Center Certification 4

What is the foundation of such a certification? 6

What is the process of such a certification? 7

About TÜVIT 9
Data Center Certification
Data information and communication systems provide Businesses can profit in many ways from a certification
the basis for many corporate decisions and activities. of the mission critical infrastructure of a data center.
Their availability is of fundamental significance for any It gives evidence to the company's own efforts to have
modern company. Failures can quickly threaten the built up a state-of-the-art data center. It confirms
proper operation or existence of an enterprise. Time- proper installations to colocation service providers.
critical access, just-in-time activities, intensive net-
working and a large volume of online business require Additionally, a certification enables the classification
a high level of system availability and resilience. Com- in a ranking system like the one of the German com-
bined with the trend towards centralization of business- pany TÜV Informationstechnik GmbH (member of
critical productive hardware, this increases the demand TÜV NORD GROUP, short: TÜVIT) with 4 different,
on system performance, data management and the clearly defined levels in the TSI (Trusted Site Infra-
corresponding mission critical infrastructure. These as- structure) method. Also possible is a classification
pects are not granted for sure. Data center tenants treat into the 4 availability classes of the European stan-
the topic with grown sensitivity. Therefore, the demand dard EN 50600 or into the 4 different tier classifica-
for TÜVIT’s certification services in the data center envi- tions of the Uptime Institute.
ronment has expanded rapidly over the last years.
The EN 50600 is the first of its kind official data center
To reduce the probability of system failures and data standard on an European level, which was developed to
losses in such highly concentrated and complex ensure the physical security and availability during the
environments, sophisticated security concepts and design, construction and operation of a data center.
reliable security assessments based on a recognized
criteria catalogue are essential.

4
 Data Center Certification

DIFFERENT DATA CENTER STANDARDS

TSI.STANDARD EN 50600 Uptime Tier

ƒ TÜVIT’s own developed criteria catalog ƒ Official European guideline ƒ Privately owned evaluation/certification
ƒ German engineering Approach – Basis for the upcoming ISO 22237 method
ƒ Takes into consideration best practices (future global data center standard) ƒ Has its origin in the USA
and standards ƒ Clear differentiation through 4 different ƒ Globally known
ƒ Clear differentiation through 4 different availability classes ƒ Differentiation into 4 Tiers
levels ƒ Criteria aspects: Environment, ƒ Focuses mainly requirements in the
ƒ Clearly defined criteria, which allow Construction, Fire Protection Systems, power supply, air conditioning systems
comparability Security Systems, Power, Supply, Air and organization
ƒ Criteria aspects: Environment, Conditioning Systems, Organization ƒ Requires prior design certification
Construction, Fire Protection Systems, and Documentation before a constructed facility can be
Security Systems, Power Supply, Air ƒ Provides assistance in every phase: certified
Conditioning Systems, Organization, idea, design, construction and ƒ Divides into design, constructed facility
Documentation and Dual Site Data operation and operation certificates
Center ƒ No prior design certification is
ƒ Provides assistance in every phase: required to receive a certificate of the
idea, design, construction and constructed facility
operation ƒ Originally meant as a guideline,
ƒ No prior design certification is however by applying the TSI-method
required to receive a certificate of the it becomes certifiable by using the
constructed facility criteria catalog of TÜVIT TSI.EN50600
ƒ Makes use of a criteria catalog, ƒ Fulfillment of part of the requirements
therefore the operator has are risk based
transparency during the evaluation
process
ƒ Clearly defined criteria in the levels
ƒ Full coverage of EN 50600
requirements

Table 1: Shows the relevant approaches with its properties as noted in the internet

If you are unsure whether the data center still con- TÜVIT’s criteria catalogs TSI.STANDARD and/or
forms to all applicable standards, if you intend to rent TSI.EN 50600 provide the optimal method for assess-
data center space, or if you are taking over a data ing data centers for their reliability and security. The
center and want a neutral, engineering opinion on method has been developed and published in 2001
the current status (e. g., usage, spatial layout, power and has been continuously developed in order to
supply, cooling, network, security, organization), then confirm a state-of-the-art data center. Today it is in
these are all reasons to commission an experienced alignment with the European data center standard
external third party to perform a professional audit EN 50600 and it counts more than 1500 evaluation
of your data center or to ask for a relevant certificate and certification projects, especially in the banking,
before you move with your IT equipment. energy and ITC sectors, with increasing colocation
and cloud infrastructure configurations.

5
What is the foundation
of such a certification?
Certification is a process conducted by a neutral insti- aspects may deviate from the ideal described by a
tution (certification body) to confirm that the target of standard. Some deviations from the standards may
evaluation is conform with a standard, a criteria cata- be intentional because alternative solutions are more
log or a normative document. common in some regions. Important is that the al-
ternative solution serves the same objectives in the
Whether the institution is trustworthy or not depends same effective manner.
on various aspects, for example, how such evalua-
tions are conducted? Does the certification body act The TSI.STANDARD for data centers, for example,
independently from the evaluation body or is there a specifies the proximity to major highway traffic arter-
separation at all? Are the certification processes in ies for a Level 3 data center as being greater than 75
alignment with ISO 17065 and does the certification meters. If the site of a data center is closer, a basic
body have an accreditation? Furthermore, how is the checklist audit would likely result in a failed rating.
team of auditors set up? Are they all experts in the Auditors with an engineering approach to the protec-
required disciplines? tion objective would look at a variety of other aspects
before making a judgment on this criterion, including:
In order to make certifications comparable, it needs
a public criteria catalog, that defines the extent of ƒ W
 hat is the structure of the building, housing of
evaluation and the assessments to be done. It helps to the data center?
perform identical evaluations. Each certificate is the ƒ What is the floor layout? Where are the rooms
result of such a criteria based evaluation and every- located that are critical to the function of the data
body can understand how the result is produced. center in relation to the traffic artery?
ƒ What is the elevation? Is the traffic artery on the
The auditor(s) should be trustworthy specialist(s), pref- same level as the facility, lower or higher?
erably with an engineering background and experienced ƒ Does the traffic artery run parallel to the building,
in audit areas relevant to data centers. A quality audit at an angle or are there curves or intersections?
should (and for a later certification must) involve the ƒ What is the speed limit of the nearby road?
client’s operational staff familiar with the data center, ƒ What are the traffic statistics (e.g., frequency
from IT and facilities personnel to internal electrical and of vehicles, predominate type of vehicles and
mechanical engineers if they are part of the client’s accident statistics)?
organization, or equivalent external professionals who ƒ What is the speed limit of the nearby road?
have worked with the client before. ƒ Are external protective measures in place (e.g.,
traffic barriers or boulders)?
The evaluation should take the specific characteris-
tics of a client’s data center into consideration us- If the descriptive documents show measures that
ing an engineering based and protection-objective were implemented to compensate any risk and their
approach. This offers greater flexibility than basic effectiveness can be verified by the onsite inspec-
checklists. Therefore, the approach of the TSI evalu- tion, this criterion could be considered as fulfilled.
ation program is „comply or explain“. Even though a
data center, depending on its intended availability An evaluation and certification of a data center must
level, should be in conformance with the criteria laid follow thoroughly documented procedures and should
out in criteria catalogs such as TSI.STANDARD, some define exact assessment criteria for the evaluation.

6
What is the process
of such a certification?
An evaluation and certification of a data center consists usually of the following steps:

Provision of a set On-site Generation of Certification,

of documents inspection an evaluation done by the
by the operator. and audit report by the certification
They are reviewed evaluation body
and evaluated by body
the auditors.

Step 1: Provision of documentation Besides the security concept, other strategic and
 and its review conceptual documents include:

Before visiting a data center, any auditor will ƒ Environmental risk and threat analysis
typically review the documentation provided. ƒ Fire protection concept
ƒ Alarm strategy
The documents required for an audit can vary slightly ƒ Annual maintenance schedule
but, in general, they should enable the auditor to gain ƒ Verification and testing certificates
insight into the different areas and a proper under-
standing of the implemented concepts. In case of a The submitted documents will be reviewed and eval-
certification, the extent of the document set is de- uated.
fined and its delivery is mandatory.

The security concept is the central document from

which context, security situation, security require-
ments, design concepts and implementation mea-
sures are derived. The security concept describes Step 2: The On-site inspection and
the functioning of a data center as a whole, serves as  audit
an overview that all required measures are in place
and serves as verification that no important aspects After evaluation of the documentation, on-site
have been neglected. From the security concept, inspections will be conducted as part of the audit.
one can comprehend which specific threats and The on-site inspection verifies that all the mea-
physical risks have been considered, which security sures described in the documentation has been
requirements have been derived and how security implemented properly.
requirements have been implemented in the form of
concrete measures. Furthermore, the implementa- This includes an evaluation of the present load
tion in the specific criteria areas will be explained condition, an assessment of capacity and capacity
and technical systems and components employed constraints, identification of potential risks for sys-
will be introduced. In addition, the facility operations tem down-time and an assessment of the concur-
and the security service will be described. rent maintenance abilities of the site. The duration
7
What is the process of such a certification?

and the number of auditors of the audit depend on also include a judgment on the capabilities of the
the size, complexity and availability level of the data facility and its strengths and weaknesses, make
center. practical recommendations for improvements and
lists all findings of non-conformities. Since the find-
If the inspections include any test runs potentially ings and recommendations may have far-reaching
influencing mission-critical systems, the exact scope consequences, every conclusion in an audit report
including the ambient condition, personnel, tools and must be reproducible.
measuring instruments required should be agreed
upon beforehand. The report is submitted to the certification body. It
reviews the results of the report, checks the qualifi-
The testing of non-critical functions should always be cation of the auditors, examines the completeness
performed during an audit. These tests could include: of evaluation and verifies the independence of the
auditors. At the end, the certification body decides
ƒ Triggering a door-to-long-open alarm whether a certificate will be granted to the data cen-
ƒ Handing your access control card to another ter operator. Additionally it publishes the certificate
person should not enable this person to use the on its website and serves as contact for any certifi-
card for the same ingress (i.e., anti-passback) cation matters and future re-certification inquiries.
ƒ A small amount of liquid applied to a leakage
detection band should trigger an alarm of the system
ƒ Deactivate redundant components

All of these non-critical tests should also result in an

appropriate technical or organizational response as Benefits
described by the data center’s security concept.
A certification or even a data center audit from
The duration of the activities during the onsite inspec- experienced, reputable auditors can provide
tion should be sufficient for the auditor(s) to gain a many benefits, including:
proper understanding of the data center and to verify all
aspects as required by the criteria catalogue. This will ƒ A
 voidance of downtime by identifying risks
help to evaluate and record the complete infrastructure beforehand
reliability, resilience, deficiencies and operational capa- ƒ Provision of general and specific guidelines
bilities in a highly efficient and integrated way. to improve or optimize the mission-critical
infrastructure of a data center
ƒ A valuable tool during contract negotiations with
third parties like co-locator
ƒ A marketing tool to demonstrate the quality of a
data center
Step
 3-4: Evaluation Report and ƒ Proof of compliance with applicable data center
Certification standards (e.g. EN 50600)

Submit a written report specific to the client’s fa-

cility and their particular problems and concerns.

This report describes the purpose of the audit, the

result is a summary of the findings and details re-
garding each assessment criterion. The report will

8
About TÜVIT
TÜVIT is the umbrella brand of the IT business TÜV Informationstechnik focuses solely on security in
unit, one of the six globally positioned business information technology and, as an independent test-
units within the TÜV NORD GROUP. The IT busi- ing service provider for IT security, is an international
ness unit is represented by the companies TÜV leader. Numerous customers already benefit from
Informationstechnik GmbH and the consulting the company’s tested security. Its portfolio includes
company TÜV NORD IT Secure Communications cyber security, software and hardware evaluation,
GmbH & Co. KG with headquarters in Berlin. IoT/Industry 4.0, data protection, ISMS, smart energy,
mobile security, automotive security, eID and trust
services.

Since 2001, TÜVIT has also specialized in the evalua-

tion and certification of physically secure and highly
available data center infrastructures. TSI stands
for Trusted Site Infrastructure and is a proven and in-
dustry-recognized method to assess and certify data
centers. It is based on TÜVIT’s own criteria catalog
TSI.STANDARD, which has been continuously developed
since its market launch to reflect the state-of-the-art.

9
We
create
Trust

10
Contact

Mario Lukas Karim Marcel Odeh

Senior Account Manager Account Manager International

T +49 201 8999-567 T +49 201 8999-580

E [email protected] E [email protected]

TÜV Informationstechnik GmbH

TÜV NORD GROUP
Am TÜV 1
45307 Essen

tuvit.de

TÜV®