The organization must ensure that the hosting systems it uses are secure, maintained and comply with the required security standards. The organization should either self-host systems or use certified data centers/hosting services to ensure that security can be effectively verified and monitored.
The security requirements for used data centers and hosting services must be equivalent to those for the organization's own infrastructure. For example, server configurations must be hardened, connections must be encrypted, traffic should be monitored and the hardware used must be up to date.