Summary of standards’ requirements

An overview of the requirements of all Ofqual standards.

OFQ-00001 Writing a principle

Last updated: 31 October 2025

• A principle MUST have a title
• A principle MUST have a description
• A principle MUST have a rationale
• A principle MUST state expected applications and implications
• A principle MUST have tags
• A principle MUST show the role of the person that owns the principle
• A principle MUST show when it was last updated

OFQ-00002 Writing a standard

Last updated: 31 October 2025

• A standard MUST have an ID
• A standard MUST have a Title
• A standard MUST have a Description
• A standard MUST have one or more Requirements
• A standard MUST have Tags
• A standard MUST show when it was Last Updated

OFQ-00003 Security In First Party Software

Last updated: 14 July 2025

• Developers MUST scan their code using security scanning tools before merging code
• Developers MUST attempt to fix security issues at first sight
• Vulnerabilities MUST be reviewed on a monthly basis by the Security Team
• Developers MUST undertake security training on a regular basis

OFQ-00004 Build Pipelines for Digital Infrastructure

Last updated: 1 October 2025

• Build pipelines MUST run SAST Analysis before building artifacts
• Build pipelines MUST run automated tests before building artifacts
• Build pipelines MUST build and publish an appropriate artifact

OFQ-00005 Release Pipelines in Digital Services

Last updated: 1 October 2025

• Release pipelines MUST have a Dev stage that deploys automatically
• Release pipelines MUST have a Preprod stage that deploys manually
• Release pipelines MUST have a Prod stage that requires managerial approval

OFQ-00006 VIPER-Style Architecture in C# Front-Ends

Last updated: 28 August 2025

• C Sharp Front-ends MUST use Views
• C Sharp Front-ends MUST use Interactors (Services, Mappers and Clients)
• C Sharp Front-ends MUST use Presenters (ViewModels)
• C Sharp Front-ends MUST use Entities (Models)
• C Sharp Front-ends MUST use Routers (Controllers)

OFQ-00007 Secret Management

Last updated: 16 September 2025

• Managed Identites MUST be used over secrets where possible
• Secret information MUST be stored in Key Vaults when Managed Identities is unavailable
• Secrets MUST be revoked when deemed compromised

OFQ-00008 Static Web Applications

Last updated: 1 October 2025

• Static Apps MUST only be used for simple websites
• Static Apps MUST use Node with an approved build and deployment tools

OFQ-00008 Data Driven Architecture

Last updated: 7 October 2025

• Developers MUST start design with data modelling where appropriate and involve data engineers
• Developers MUST prioritise creating systems that leverage databases
• Developers MUST leverage alternate data-driven solutions where databases are not suitable

OFQ-00009 Developer Testing

Last updated: 10 October 2025

• Tests must be clear, purposeful, and maintainable
• Tests must be run automatically in the CI/CD pipeline
• Tests must cover new features and bug fixes
• Tests must be documented and reviewed in the PR
• Tests must be designed to reduce maintenance effort
• Tests must include effectiveness metrics
• Tests must consider edge cases

OFQ-00010 Infrastructure as Code

Last updated: 12 November 2025

• IaC must be written using Microsoft Bicep
• IaC must be considered first
• IaC must be modular
• IaC must be hosted in Azure DevOps

OFQ-00011 Back-end development

Last updated: 12 November 2025

• All repositories MUST be set up in a consistent manner
• All exceptions MUST be handled and logged

OFQ-00012 Front-end Development

Last updated: 12 November 2025

• All repositories MUST be set up in a consistent manner
• All exceptions MUST be handled and logged

OFQ-00013 Shutter page content

Last updated: 13 November 2025

• You SHOULD follow the GOV.UK design system pattern
• You MUST be as specific as possible without being confusing
• You MUST choose a template based on which service is unavailable
• You MUST choose content sections based on the facts to hand
• You SHOULD update the page as the facts change

OFQ-00014 Commit Messages

Last updated: 13 November 2025

• Commit message format MUST follow this structure
• Components you MUST use in commits
• Examples

OFQ-00015 IaC Build Configuration Standard

Last updated: 10 November 2025

• IaC must follow a standard folder structure
• The name of the bicep configuration file must follow the defined format
• The bicep configuration file must be in the form of our template
• The bicep configuration file must define the tags
• The bicep configuration file must define the environment variables
• The bicep configuration file must map the secrets being used
• The bicep configuration file must define the docker container image to be deployed
• the bicep configuration file must define the runtime machine
• the bicep configuration file must define the environment; dev/pprd/prd

OFQ-00016 Naming Conventions

Last updated: 20 November 2025

• Azure Resources
• Service Principal Names
• SQL Database Objects
• Azure Data Factory Objects

OFQ-00017 Defining a Service in Ofqual

Last updated: 1 December 2025

• Be defined by the outcome they deliver to users
• Include all channels through which users interact (digital and non-digital)
• Include all components required to deliver the outcome (systems, processes, people, infrastructure)
• Be designed around user needs, not organisational structures
• Be assessed and improved using the Service Standard