NHS Greater Manchester Integrated Care

Private and Public Cloud Hosting & Consultancy

GMSS provides a flexible low-cost alternative to owning/operating a data centre. Offering secure, scalable, high-performance public/private cloud hosting for severs, applications and data storage. Hosting is quickly mobilised, UK-based and scalable (up/down). Solutions can be tailor-made. We are ISO27001 accredited and a Microsoft Gold Partner.


  • Server Hosting, including backup, monitoring and DR
  • Hybird Cloud Approach
  • Single, private and multi-tenant cloud solutions
  • Secure highly resilient infrastructure
  • Customised service providing remote monitoring and systems management
  • Production and DR environments with 24x7x365 monitoring
  • 24/7/365 IT Service Desk Support with engineering teams on call


  • Microsoft Gold Partner with qualified staff
  • Flexible capacity with secure UK Data Centres
  • Secure highly resilient infrastructure means more uptime for your business
  • Reliable, tailored service
  • Scaleable architecture
  • Prince 2 qualified project managers
  • All Staff resident and vetted in the UK
  • ITIL processes
  • Backed with years of NHS experience


£252 to £737 a unit a day

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ann.halpin@nhs.net. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

8 1 5 5 8 8 3 1 6 5 5 8 7 8 8


NHS Greater Manchester Integrated Care Ann Halpin
Telephone: 07967184535
Email: ann.halpin@nhs.net

Service scope

Service constraints
Monthly routine and emergency maintenance windows.
System requirements
Internet connected devices.

User support

Email or online ticketing support
Email or online ticketing
Support response times
We respond to queries within 15 minutes in core UK working hours and, through a 24/7 call back facility, within 30 minutes outside of core UK working hours.
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
IT Service Desk agents are available by chat. They can provide first line support and log issues onto other GMSS IT Teams for further diagnosis and resolution.
Web chat accessibility testing
We continually develop and test our customer portal to add new functionality to ensure it is functioning as designed and updating with new content.
Onsite support
Onsite support
Support levels
Our dedicated team of IT Service Delivery Managers (SDMs) are key points of contact for new customers and service requirements. They are also escalation points for important issues. Each customer is assigned a named IT Service Delivery Manager. Our IT Service Desk offers a highly technical and customer focused Single Point of Contact (SPoC). Faults, queries and requests can be logged by telephone and online through the GMSS Service Portal. GMSS services align to ITIL industry best practice and we have 4-star certification from the Service Desk Institute (SDI) for our excellent customer service and robust processes. This demonstrates that the GMSS has Business-Led IT Service Desk. We are a member of the Institute for Customer Services (ICS), and comply with GP IT Futures Framework. Our IT Service Desk prioritises incidents following an Incident Prioritisation criteria. Our systems generate alerts to other Teams and Service Management leads when a high priority status is assigned so that they receive prompt attention. Standard IT Service Desk hours are 7:30am to 6:00pm Monday to Friday, excluding Bank Holidays. Calls made to the Service Desk outside of these core business hours are escalated to on-call support for urgent system wide issues.
Support available to third parties

Onboarding and offboarding

Getting started
GMSS provides qualified and dedicated staff to help our clients begin to use our service. A dedicated team will be available to engage regularly during the onboarding process. Customers will be given their credentials and instructions to enable them to use our support service.
Service documentation
Documentation formats
End-of-contract data extraction
The client data can be extracted and supplied to the client in a format that is agreeable to both parties.
End-of-contract process
If the customer does not wish to renew their subscription with GMSS they will need to provide contractual notice so that we can plan and provide support for the data extraction/migration of the specific subscription. The client will continue to pay for services to the point of the account termination. The client retains ownership of their data and will be deleted from our system 30 days after account termination. Any additional hardware / software / resource costs to enable the off-boarding will be the responsibility of the client.

Using the service

Web browser interface
Using the web interface
Service Now portal to raise/manage tickets related to the customers SLA
Web interface accessibility standard
WCAG 2.1 AA or EN 301 549
Web interface accessibility testing
Testing is done in a development environment prior to updating to new releases/upgrades.
Command line interface
Command line interface compatibility
Using the command line interface
CLI is used by GMSS to manage infrastructure systems, this would not generally be available to customers however read-only access can be provided to some systems for troubleshooting.


Scaling available
Scaling type
Independence of resources
Multi-tenant environment with data/resource partitioning, auto-scaling and monitoring.
Usage notifications
Usage reporting
  • Email
  • Other


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
We utilise full drive and blade encryption as standard (Bit locker) and SQL DTE Encryption
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
  • Virtual Machines
  • VMware
  • Hyper-V
  • Files
  • Windows
Backup controls
Customers can choose backup schedules and retention periods based on business requirements. Alternatively the GMSS will backup systems and data to a regular schedule.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
GMSS operate a private MPLS network, managed by Virgin Media (IP VPN). This infrastructure can have multiple different VRFs to segregate customers and traffic as required.

Availability and resilience

Guaranteed availability
Our availability KPI is 99.9%. The GMSS IT Service Desk will prioritise incidents following its Incident Prioritisation criteria. Our systems generate alerts to other IT teams and Service Management leads when a high priority (P1 or P2) status is assigned so that they receive prompt attention.
Approach to resilience
The GMSS has a on-prem Data Centre, Microsoft Azure and Amazon Web Services clouds and a geographically separate Backup, Archiving and Disaster Recovery facility. More data is available upon request. We have a team of trained and qualified engineers to ensure we are able to maintain staffing levels for all customers and manage holiday/sickness along with demand. We also operate an on call rota.
Outage reporting
GMSS send communications regarding planned, unplanned and national outages/issues via email to customers from the IT Service Desk. We will also publish notification on the GMSS Service Portal and telephony system for high impacting issues.

The GMSS also publishes reporting information on the Service Portal. Closure reports are published for any major incidents and problem records.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Separate management accounts for vetted and cleared staff only - more info available upon request
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
All GMSS IT services are within scope of our ISO27001 certification. The physical locations of our customers offices are out of scope, although work performed at these locations by GMSS IT teams is within scope.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications
Data Security and Protection Toolkit (DSPT)

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Data Security and Protection Toolkit (DSPT) and Cyber Essentials Plus
Information security policies and processes
The GMSS IT service has all the relevant Information and IT Security policies in place in compliance with its ISO 27001 certification. These includes Network Security, Business Continuity, Risk Management and other policies/procedures. Policies are enforced and checked using the relevant logs and technological systems where possible (including firewall logs, server logs, pen testing, CCTV etc.). The GMS IT Security Manager reports to the Head of IT, who is a Senior Management Team member reporting to the Managing Director

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The GMSS has an IT Change Control Policy and ITIL change management processes in place. We operates weekly Technical Review Group (to review any technical requirements) and Change Advisory Board (to approve any changes prior to implementation) meetings. Any new service requirements are assessed by the GMSS IT Security Team and must meet the GMSS IT Code of Connection. All changes are risk assessed and a member of the GMSS IT Security team attends the Change Advisory Board to authorise changes from a security perspective.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The GMSS utilises the NHS Digital CareCert monitoring and alerting service, and has Advanced Threat Protection on its managed assets. We also have our own log aggregation tool, monitoring and alerting systems in place managed by the GMSS IT Security Team. The GMSS has a monthly patching policy in place for servers and devices. Patches are tested and deployed within one week of release. Any critical / urgent patches receive immediate attention and are tested/deployed outside of the monthly patching schedules as required.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We manage and monitor the end point security of supplied devices via a central management console, and also collate and monitor system audit log information via our SIEM log aggregation tool. Any potential compromises are logged as a high priority category 2 incident, and are investigated and managed by our IT Security Team. Our systems generate alerts to other Teams and Service Management leads when a high priority status is assigned so that they receive prompt attention. Priority 2 issues have a target resolution time of 8 service hours.
Incident management type
Supplier-defined controls
Incident management approach
GMSS run incident management according to ITIL best practice. All incidents are reported to our 24/7/365 IT service desk via the GMSS Service Portal or telephone and are prioritised and managed in line with our incident management policy/processes. Customers initially receive an automated e-mail with the incident number and details, and can view any updates on the record as investigations and the resolution progresses. Closure reports are published for any Major Incidents and Problem records. Incident reports are available via our Service Delivery Managers and can be discussed in service review meetings.

Secure development

Approach to secure software development best practice
Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
How shared infrastructure is kept separate
We utilise VMware Firewalls and NSX for Micro Segmentation. Various firewalls are used depending on the cloud environment.

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
We follow the guidelines and recommendations set out in the European Energy Efficiency Platform (E3P). We also have a footprint in Microsoft Azure and Amazon Web Services.

Social Value

Equal opportunity

Equal opportunity

The GMSS pays due regard to the requirements of the Public Sector Equality Duty (PSED) of the Equality Act 2010 in policy development and implementation. As a NHS organisation, we are committed to ensuring our activities do not unlawfully discriminate on the grounds of any of the protected characteristics defined by the Equality Act, which are age, disability, gender re-assignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation. We are committed to ensuring that our activities also consider the disadvantages that some people in our diverse population experience when accessing health services. Such disadvantaged groups include people experiencing economic and social deprivation, carers, refugees and asylum seekers, people who are homeless, workers in stigmatised occupations, people who are geographically isolated, gypsies, Roma, and travellers. As employers, we are committed to promoting equality of opportunity in recruitment, training, and career progression and to valuing and increasing diversity within our workforce. To help ensure that these commitments are embedded in our day-to-day working practices.


One of GMSS organisational values is Everyone Counts, and Health and Wellbeing of staff is a priority for the organisation. The ‘Everyone Counts’ section of our intranet provides staff with information about health and wellbeing activities that are taking place across the organisation, national campaigns, local events and general health and wellbeing hints and tips. GMSS has an employee assistance programme and Mental Health First Aiders trained to listen and be a point of contact for anyone who may be experiencing a mental health issue or emotional distress. As part of the NHS, our staff also have access to Our NHS People that offers a range of support to suit different needs and help manage health and wellbeing including a confidential staff support line, free apps that offer psychological support, self-guided mental health support bereavement and loss support, and Common Rooms to meet other professionals in a safe and guided space. Time taken to participate in health and wellbeing activities in encouraged to be incorporated as part of the normal working day.


£252 to £737 a unit a day
Discount for educational organisations
Free trial available
Description of free trial
Initial consultation free of charge and potential Proof Of Concepts (POCs).

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ann.halpin@nhs.net. Tell them what format you need. It will help if you say what assistive technology you use.