Skip to content
All posts

Security you can verify: why our clients trust us with their data

When organisations in healthcare, government and research choose a partner to help govern their most sensitive data, "you can trust us" isn't good enough. Security claims should be tested, audited and independently certified.

That's the standard we hold ourselves to at MetadataWorks. We want our partners to know they can verify our security credentials for themselves. Here's an overview of the accreditations we hold, what each one actually means, and why they matter to the organisations we work with.

ISO/IEC 27001:2022 — Information Security Management

ISO 27001 is the international gold standard for information security. Certification means an organisation runs a formal Information Security Management System (ISMS): a structured, risk-based approach to identifying threats, applying controls and continually improving, all verified by an external auditor.

MetadataWorks has been certified since October 2020, and we hold the latest 2022 version of the standard, certified by BSI, a UKAS-accredited certification body. Crucially, our certified scope covers the heart of what we do: the design, development, operation and support of our metadata catalogue and data discovery software, including metadata management, access control and API federation services, whether delivered as SaaS, licensed software or professional services.

Why it matters: ISO 27001 isn't a one-off badge. It requires ongoing surveillance audits and evidence that security is embedded in how the business runs day to day. For customers, it means our security practices are independently examined, not self-declared.

ISO 9001:2015 — Quality Management

Security and quality go hand in hand. Our delivery and support processes are governed by a Quality Management System certified to ISO 9001:2015, also by BSI, with a certified scope covering the design, build and management of data management systems for healthcare and public sector services.

Why it matters: Many security incidents stem not from sophisticated attacks but from inconsistent processes. ISO 9001 certification gives customers assurance that our delivery is consistent, well-controlled and continually improving, reducing the risk of errors that could compromise data or service.

Cyber Essentials Plus — Independently Tested Cyber Hygiene

Cyber Essentials is the UK Government-backed scheme, developed with the National Cyber Security Centre (NCSC), covering the fundamental technical controls that prevent the most common cyber attacks. We hold the Plus level — the important distinction being that, unlike the self-assessed baseline, Cyber Essentials Plus requires hands-on, independent technical verification of our controls by a qualified assessor.

Our certification covers the whole organisation (excluding development and test networks) and was awarded in June 2026 under the latest profile by Axiom (WorkNest), an IASME-accredited certification body.

Why it matters: Cyber Essentials Plus is increasingly a baseline requirement for UK public sector contracts — and for good reason. It proves that essential defences like secure configuration, access control and malware protection have been tested, not just claimed.

Independent Penetration Testing

Certifications tell you an organisation has the right systems and controls. Penetration testing tells you whether they hold up against a real attack. Our platform and cloud environment are regularly tested by Bulletproof, whose testers are qualified by CREST, the industry-recognised accreditation body for technical security testing.

In our most recent assessment — conducted from an authenticated (grey-box) perspective — zero critical, high, medium or low-risk vulnerabilities were identified. The independent assessors rated our configuration, authentication and encryption as "Strong".

Why it matters: A clean penetration test from CREST-qualified testers is one of the strongest signals a software provider can offer. It demonstrates that security works in practice, not just on paper.

Security by Design

These accreditations don't sit on top of our toolkit — they reflect how it's built and operated:

  • Data residency: hosted on Sovereign-based Cloud infrastructure, keeping data within the country of choice.
  • Open standards: built on ISO 11179, W3C DCAT and PROV, avoiding vendor lock-in.
  • Governed access: role-based access control and the Five Safes data-access governance framework applied to data access management.
  • Encryption throughout: data encrypted in transit and at rest, with authentication and configuration independently rated "Strong".
  • Continuous improvement: governed by the ISO 27001 ISMS, including regular independent testing and review.

Why Independent Accreditation Matters

Any company can say it takes security seriously. Accreditation changes the conversation in three ways;

It replaces claims with evidence. Every certification above involves external scrutiny. Auditors, assessors or ethical hackers examining what we actually do.

It reduces risk and effort for our customers. Organisations handling sensitive health and public sector data face rigorous due diligence obligations. Working with a certified supplier shortens procurement, simplifies security questionnaires and demonstrates supply-chain diligence to their own regulators.

It keeps us improving. Certifications expire. Auditors return. Penetration testers come back each year. Independent accreditation builds a cycle of continuous improvement into the business itself.

Verify It Yourself

Transparency means our credentials shouldn't be taken on trust either. Our BSI certificates (ISO 27001: IS 737114; ISO 9001: FS 737109) can be authenticated online at www.bsigroup.com/ClientDirectory, and our Cyber Essentials Plus certificate can be verified via the QR code on the certificate of assurance.

For further information, a security questionnaire response, or to request our full assurance pack under NDA, please get in touch.