Healthcare Data Security Credentialing UK: What ISO 27001 Actually Protects
A single account without multi-factor authentication cost one NHS supplier £3.07 million
In 2025, the Information Commissioner's Office fined Advanced Computer Software Group £3.07 million after a ransomware attack disrupted NHS services and exposed the personal data of 79,404 people, including sensitive health information. The attacker gained access through a customer account that lacked multi-factor authentication (ICO, Enforcement Notice, April 2025).
That breach is now the reference point for every procurement team evaluating the healthcare data security credentialing requirements UK suppliers must meet. It demonstrated that a single access control failure in a third-party platform can compromise patient records, disrupt clinical services, and trigger a seven-figure fine.
For IT directors and compliance leads assessing credentialing platforms, the question is specific. A credentialing system holds DBS results, professional registration data, right-to-work evidence, health declarations, identity documents, and employment history. If that system is breached, the data exposure is not limited to email addresses. It includes the most sensitive categories of personal data that exist.
Data breach notifications are running at 443 per day
The volume of data breach notifications reported to the ICO reached a record high in the year to January 2026, averaging 443 per day for the first time. That represents a 22% year-on-year increase (ICO, Annual Report Data, January 2026).
The average ICO fine jumped from £150,000 to over £2.8 million in the same period. The regulator is not simply processing more incidents. It is penalising failures more heavily, particularly where basic security controls were absent.
Healthcare organisations are disproportionately represented in breach statistics because of the sensitivity of the data they process and the number of third-party systems involved in clinical and administrative workflows. A credentialing platform sits at the intersection of several high-risk data categories: criminal records, health information, professional fitness to practise data, and government-issued identity documents.
NHS DSPT Version 8 changes the rules for IT suppliers
NHS England released Version 8 of the Data Security and Protection Toolkit on 1 September 2025, with submissions due by 30 June 2026. For IT suppliers to NHS organisations, the most significant change is a new mandatory requirement for independent audit (NHS England, DSPT v8 Guidance, September 2025).
The independent assessment covers 11 key cybersecurity areas and must be completed between January and June 2026. The toolkit is now aligned to the National Cyber Security Centre's Cyber Assessment Framework, which provides a structured methodology for evaluating an organisation's cyber resilience across four objectives: managing security risk, protecting against cyber attack, detecting cybersecurity events, and minimising the impact of incidents.
For healthcare organisations selecting a credentialing platform, DSPT compliance is a procurement requirement, not a bonus. If the platform cannot demonstrate DSPT compliance through an independently audited assessment, it cannot supply services to NHS trusts and their partners.
What each certification actually covers
UK healthcare data security credentialing requirements involve multiple overlapping standards. Each serves a different purpose, and procurement teams need to understand what each one protects and what it does not.
ISO 27001:2022
ISO 27001 is an international standard for information security management systems. The 2022 revision updated the control set to reflect current threats, including cloud security, threat intelligence, and data masking. Certification requires an external audit by an accredited body and annual surveillance audits to maintain it.
What it covers: the organisation's entire approach to information security, from risk assessment and access control to incident management and supplier relationships. It requires documented policies, defined responsibilities, and evidence that controls are operating effectively.
What it does not cover: ISO 27001 does not specify technical implementation details. Two organisations can hold the same certification with very different security architectures. The value is in the management system and the external verification that it operates as documented.
SOC 2
SOC 2 is a US-originated framework that evaluates an organisation's controls against five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report covers controls over a period of time, not a point-in-time snapshot.
What it covers: independent verification that security controls are designed appropriately and operating effectively over a sustained period. SOC 2 reports are typically requested by enterprise buyers and procurement teams as evidence of operational security maturity.
What it does not cover: SOC 2 is not a certification. It is an attestation by an independent auditor. There is no pass or fail. Buyers must read the report and assess the findings.
Cyber Essentials Plus
Cyber Essentials Plus is a UK government-backed scheme that verifies an organisation's defences against the most common cyber threats. The "Plus" level includes hands-on technical verification by a qualified assessor, not just a self-assessment questionnaire.
What it covers: five technical control areas, namely firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. The assessment includes vulnerability scanning and testing of live systems.
What it does not cover: Cyber Essentials Plus addresses common attack vectors but does not assess the broader security management system. It is a baseline, not a ceiling. Organisations that hold only Cyber Essentials Plus without ISO 27001 have demonstrated technical hygiene but not necessarily a mature security management programme.
NHS Data Security and Protection Toolkit
The DSPT is NHS England's mechanism for organisations to demonstrate they meet data security standards when handling NHS data. Version 8, aligned to the NCSC Cyber Assessment Framework, requires IT suppliers to undergo independent assessment across 11 cybersecurity areas.
What it covers: data security standards specific to the NHS context, including how data is handled, who has access, how incidents are managed, and how staff are trained. It is the gateway to supplying technology services to NHS organisations.
What it does not cover: DSPT compliance is specific to NHS data. It does not replace ISO 27001 or SOC 2 for broader information security assurance. Organisations operating across NHS, private, and international healthcare need multiple certifications to satisfy different buyers.
What a credentialing platform actually holds
The data stored within a credentialing system includes categories that carry the highest sensitivity under UK GDPR and the Data Protection Act 2018.
Criminal records data from DBS checks falls under Article 10 of UK GDPR, which imposes additional safeguards for processing. Health declarations and occupational health records qualify as special category data under Article 9. Professional registration records include fitness to practise history, conditions, and sanctions. Identity documents include passport scans, visa documentation, and right-to-work evidence.
An HR system might store a name, a job title, and a start date. A credentialing platform stores whether someone has a criminal record, whether they are medically fit to work, and whether their professional body has placed restrictions on their practice. The security standard applied to these two systems should not be the same.
For the clinician uploading their documents, the experience matters too. A nurse scanning their passport and submitting a health declaration is trusting that the platform receiving this information will protect it with the same rigour a hospital would apply to patient records. If that trust is misplaced, it is the clinician whose data is exposed.
The procurement question compliance leads should be asking
When evaluating credentialing platforms, the security conversation often stops at "are you ISO 27001 certified?" That question is necessary but insufficient.
A more complete assessment would cover several areas. Where is the data physically stored, and does the vendor guarantee UK data residency with no cross-region data movement? Is the independent DSPT audit complete, and can the vendor share the assessment outcome? Does the vendor hold both ISO 27001:2022 and SOC 2, providing coverage across UK and international assurance frameworks? Has the vendor achieved Cyber Essentials Plus, confirming technical controls are tested rather than self-assessed? How is data encrypted at rest and in transit, and who controls the encryption keys?
Vendors that hold a single certification may have genuine security practices. Vendors that hold multiple, independently verified certifications across different frameworks provide layered assurance that reduces procurement risk.
How Credentially protects credentialing data
Credentially holds ISO 27001:2022 certification, SOC 2 attestation, Cyber Essentials Plus certification, and NHS DSPT compliance. It is fully GDPR compliant, with data processing agreements in place for all customer relationships.
All data is encrypted at rest using AES-256 via AWS Key Management Service and in transit using TLS 1.2 or higher. Data residency is fixed to the customer's selected region, with UK data held in AWS London. There is no cross-region data movement.
The platform architecture runs on AWS with containerised microservices, multi-availability-zone deployment, and automated failover. Recovery time objective is two hours or less. Recovery point objective is 24 hours or less, with daily automated snapshots and point-in-time recovery.
Role-based access control governs who can view, edit, or export data within the platform. Audit logging records every action, providing a verifiable trail for compliance reviews and CQC inspections. Platform status is monitored continuously, with live availability published at status.credentially.io.
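The two controls this section and the Advanced breach at the top of the page turn on, an access decision that depends on both role and an MFA-verified session, and an audit trail that can be verified rather than merely read, can be shown in a few dozen lines. The following Python is an added illustration, not Credentially's code or a description of its internals: the role names, the field categories, the HMAC-chained log format and the sample record are all constructed assumptions. It models a credentialing record holding the data categories listed earlier (DBS result, health declaration, registration status, identity document), refuses reads or exports of Article 9/10 data from sessions without MFA, logs every decision including denials, and shows that editing a logged entry after the fact breaks the chain.

```python
"""Role-based access with MFA gating and a hash-chained audit log (added example).

Not Credentially's code. Role names, field categories, the log format and the
sample record are constructed for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields in a credentialing record and the roles allowed to read them.
# "special" marks UK GDPR Article 9/10 data: access requires an MFA-verified session.
FIELD_POLICY = {
    "name":                {"roles": {"recruiter", "compliance", "admin"}, "special": False},
    "dbs_result":          {"roles": {"compliance", "admin"},              "special": True},
    "health_declaration":  {"roles": {"occupational_health", "admin"},     "special": True},
    "registration_status": {"roles": {"recruiter", "compliance", "admin"}, "special": False},
    "passport_scan":       {"roles": {"compliance", "admin"},              "special": True},
}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool


@dataclass
class AuditLog:
    """Append-only log; each entry's HMAC covers the previous entry's hash."""
    key: bytes                       # held by the logging service, never by end users
    entries: list = field(default_factory=list)

    def _digest(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(event, prev=prev, ts=datetime.now(timezone.utc).isoformat())
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev:
                return False
            if not hmac.compare_digest(self._digest(body), entry["hash"]):
                return False
            prev = entry["hash"]
        return True


def access(session: Session, record: dict, field_name: str, action: str, log: AuditLog):
    """Return (allowed, value). The decision is logged before anything is returned."""
    policy = FIELD_POLICY.get(field_name)
    if policy is None:
        allowed, reason = False, "unknown_field"
    elif session.role not in policy["roles"]:
        allowed, reason = False, "role_not_permitted"
    elif policy["special"] and not session.mfa_verified:
        allowed, reason = False, "mfa_required"
    else:
        allowed, reason = True, "ok"
    log.append({"user": session.user, "role": session.role, "field": field_name,
                "action": action, "allowed": allowed, "reason": reason})
    return allowed, (record.get(field_name) if allowed else None)


def demo() -> dict:
    """Constructed walkthrough; returns each decision so it can be checked."""
    log = AuditLog(key=b"constructed-demo-key-not-a-real-secret")
    record = {"name": "A. Clinician", "dbs_result": "clear", "health_declaration": "fit",
              "registration_status": "active", "passport_scan": "<constructed bytes>"}
    recruiter = Session("r.smith", "recruiter", mfa_verified=True)
    officer_no_mfa = Session("c.jones", "compliance", mfa_verified=False)
    officer = Session("c.jones", "compliance", mfa_verified=True)
    results = {
        "recruiter_reads_name": access(recruiter, record, "name", "read", log)[0],
        "recruiter_reads_dbs": access(recruiter, record, "dbs_result", "read", log)[0],
        "compliance_no_mfa_exports_dbs": access(officer_no_mfa, record, "dbs_result", "export", log)[0],
        "compliance_mfa_exports_dbs": access(officer, record, "dbs_result", "export", log)[0],
        "chain_valid": log.verify(),
    }
    # Rewriting the denied export as allowed (to hide the refusal) invalidates the chain.
    log.entries[2]["allowed"] = True
    results["chain_valid_after_tamper"] = log.verify()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points carry over to any real deployment. Denials are logged as well as grants, because a refused export of DBS data is exactly the event a compliance review or breach investigation needs to see; and the HMAC key belongs to the log service, so a user who can reach the application database still cannot rewrite history without the verifier noticing.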
For NHS suppliers evaluating UK healthcare data security credentialing requirements for 2026, this combination of certifications addresses the DSPT v8 independent audit requirement, the ISO 27001 management system standard, the Cyber Essentials Plus technical baseline, and the SOC 2 operational assurance framework.
Five security questions for your credentialing platform procurement
Confirm UK data residency. Ask the vendor to confirm, in writing, that your data will be stored in the UK and will not be transferred to or processed in another region. "AWS hosted" is not the same as "UK data residency guaranteed".
Request the DSPT assessment outcome. With Version 8 requiring independent audit for IT suppliers, any credentialing platform serving NHS organisations should be able to share evidence of a completed assessment. If the vendor cannot, they may not meet the June 2026 deadline.
Check ISO 27001 certification currency. ISO 27001 requires annual surveillance audits. Ask for the most recent certificate and confirm the certification body is UKAS accredited. A certificate from 2021 under the old standard does not demonstrate current compliance with the 2022 revision.
Review the SOC 2 report scope. SOC 2 reports vary in scope. A Type I report assesses control design at a point in time. A Type II report assesses whether controls operated effectively over a period. Type II provides stronger assurance. Ask which type the vendor holds, and which trust service criteria are covered.
Assess incident response capability. The Advanced breach demonstrated that the damage from a security incident depends on how quickly the organisation detects, contains, and communicates. Ask the vendor about mean time to detect, incident escalation procedures, and their obligation to notify you as a data controller if a breach occurs.