MetricStream UK Limited

Governance Risk & Compliance Software as a Service

MetricStream provides a complete portfolio of enterprise Governance, Risk and Compliance (GRC) Applications in a SaaS model. This integrated approach leads to tremendous gains in enterprise-wide visibility of risks, strengthen compliance with multiple regulations, policies, and standards. Analytics, reporting and regulatory notifications enable you to minimize liability and optimize opportunities.


  • Modern responsive interface, intuitive, engaging, efficient, personalised
  • Integrated, secure GRC Applications and Platform on the Cloud
  • Lean, modern, scalable, extensible SOA architecture
  • Innovative Data Explorer for visualisation
  • API centric design for versatile mobility, layering, third-party integration
  • Real-time Analytics, Reports and Dashboards with Reports Wizard
  • AppStudio form and workflow designer: configure forms, reports, workflow
  • Feature rich Governance, Risk, Compliance management applications
  • Modular applications and libraries that integrate seamlessly
  • User productivity tools like search, tasks, offline briefcase


  • Exemplary user experience to simplify and accelerate user adoption
  • Seamless collaboration and sharing across devices enabling anywhere access
  • Easily configure the system to meet changing or growing requirements
  • Rapid deployment reducing costs and improving acceptance
  • Modular applications structure allows buying only what is needed
  • Application integration provides unified view across enterprise
  • Integration prevents content duplication and ensures common language
  • Easily carry out audits, surveys, map risks, threats, vulnerabilities, controls
  • Integrate, aggregate external information like threat scanners, content feeds


£100 to £5000 per user per year

Service documents


G-Cloud 11

Service ID

1 3 1 1 5 0 8 3 3 2 5 6 6 2 3


MetricStream UK Limited

MetricStream, Inc.


Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Private cloud
  • Hybrid cloud
Service constraints Planned maintenance is carried out periodically for which customers are notified in advance.
System requirements
  • Meets the UK government privacy requirements for cloud
  • Web Browser
  • License for the Metricstream platform and relevant application
  • Primary and back-up cloud service provider in the UK
  • Dedicated monitoring service is optional

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Weekend support can be purchased as an optional service
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AAA
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels 4 levels of Support are provided using offshore resources:
1. Bronze 8x5 is the standard offering. SaaS subscription on Cloud will have this included.
2. Silver - 12x5. Costs will be % age of SaaS subscription fees. 10% on annual SaaS subscription
3. Gold - 24x5. 20% of annual SaaS subscription
4. Platinum - 24x7 - 25% of annual SaaS subscription
If only European resources are stipulated, costs would be higher.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Online help, user documentation as well as online training are available for users. We provide train the trainer programme as part of our implementation services.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction We provide data export facility for users to extract their data.

Client can take full backups too.
End-of-contract process The contract includes the right to use the software, create data and reports. Standard 8x5 remote support is included. Additional support hours are available for an additional charge.
The software is implemented as per the user's requirements. There is a fee for the implementation.
At the end of the contract, the service can be renewed or terminated. Users can export the data and save them. Migration services are available at extra cost.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Display will be scaled to fit the mobile device
Service interface No
What users can and can't do using the API Users do not need API to access the service. They do so directly through their web-browser.
The MetricStream system uses API based integrations to integrate with external systems. Integrations are supported by Infolets technology. The Infolets framework allows for bi-directional data exchanges with appropriate security and authentication wrappers and helps provide RESTful and SOAP web services that together form a complete MetricStream integration framework.
Changes on APIs are to be only performed for integrations with external systems.
There are no limitations as such.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Our applications can be configured as well as customised by users. Configuration is possible by selecting different functionality and options. Super users and System administrators can configure.
Customisation is available via our customisation tool, AppStudio. Superusers or developers can be trained on AppStudio to customise the system.


Independence of resources MetricStream Cloud is designed as multi-instance SaaS - which means each customer gets its own full stack (web, application and database tiers). This eliminates co-mingling of data as well as any performance concerns across customers. In addition, within each stack, appropriate planning and sizing considerations are put in to ensure Performance and Service Level delivery. These are monitored 24x7 by MetricStream Cloud Operations to provide sustained assurance on SLAs.


Service usage metrics Yes
Metrics types User access and activity metrics can be provided. MetricStream offers a web-based customer support portal that is powered by MetricStream GRC Platform, where customers can log issues, view the status of their open issues, and the current resolution status to those issues. All issues, whether reported via phone, email or the customer support portal, are logged to the same TAR (Technical Action Request) system and are viewable online via customer-specific reports and dashboards.
MetricStream can also provide these reports manually via preset customer meetings, as well as have these reports automatically emailed to selected users if desired.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach Data at Rest Encryption: MetricStream uses encrypted file system (enabled at the Operating System level) to store the files in which database data is stored. The encryption is transparent to the application.
It employs the Advanced Encryption Standard (AES) algorithm for encrypting attachments. It supports 256-bit key.
Backups: All backups are encrypted and stored.
Database at Rest Encryption (Optional Capability): The MetricStream platform leverages Oracle Transparent Data Encryption (TDE) technology, and can be configured to encrypt the entire table space, or specific columns stored in database files (available only with Oracle Enterprise Edition at an additional cost).
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Users can export data via the Reporting option.
Data export formats Other
Other data export formats
  • Excel
  • XML
Data import formats Other
Other data import formats Excel

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability MetricStream supports 99.5% system availability. For higher system availability, MetricStream provides advanced Cloud tiers.
MetricStream strives to minimize downtime as much as possible. Patches can often be applied in a hot-fix mode supported by our architecture. If the system has been down outside the scheduled maintenance window, the system is usually restored within 5 minutes on average after the call is reported to MetricStream’s help desk. Our standard SLA provides for credit if the downtime exceeds 4 hours in a month.
Note: MetricStream has never encountered a downtime of this duration.
Approach to resilience MetricStream partners with SSAE 16 Type II Audited Tier III/IV data centers with state-of-the-art infrastructure and services for serving our clients in UK, Europe, North and South America, Asia and Africa. Beyond being widely adopted by small and medium enterprises, even some of the world’s largest companies are using the MetricStream Cloud after rigorously testing the security and reliability of our infrastructure.
In addition, MetricStream is SSAE 16 SOC 2 Type II compliant for its internal processes and Cloud operations.
MetricStream’s solution is a web-based, J2EE n-tier application, using a database, application and web server architecture. Our solutions can run on any hardware and operating systems.
High-availability deployment architecture is supported by MetricStream and can be used to provide fail-over capabilities.
• At the presentation and application server layers, MetricStream can be configured in a redundant manner with a hot standby that automatically wakes up and starts accepting requests if the primary servers go down
• At the database layer, MetricStream recommends that it be configured using approaches outlined by Oracle for high availability.
Further details can be provided on request.
Outage reporting Email alerts and notification on Support Portal

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels MetricStream has a dedicated CloudOps and Support team who have access to Scoped Systems and Data. Role based security ensures restricted access.
Physical access is restricted to Senior Onsite CloudOps Engineers. The datacenter has multi-layer security controls. Each customer gets dedicated full-stack servers so there is no co-mingling of data.
On the logical layer of application and database, while staff has access to data, they need to access it only for periodic software updates as well as for troubleshooting application issues/support.
Access list is validated on a quarterly basis.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 14/02/2016
What the ISO/IEC 27001 doesn’t cover Not sure what is not covered. The certificate is provided to our parent company for research & development, services, cloud engineering, partner, sales and marketing as well as support functions.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Self-certified using standards from PCI Standards Council
PCI DSS accreditation date 28/02/2018
What the PCI DSS doesn’t cover Covers all of MetricStream
Other security certifications Yes
Any other security certifications US Regulation HIPAA

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Metricstream follows ISO27001 guidelines, based on which it has built policies and processes. It is an Information Security team reporting to the CTO who is a board member.

MetricStream has its Information Security Management System (ISMS) certified on ISO27001 with well-defined policies and procedures, roles and responsibilities, objectives, awareness programs etc. MetricStream has well-defined policies and procedures for Information Security documented as a part of MetricStream's Information Security Management System (ISMS) policy. This document is approved by the management and communicated to appropriate constituents and has an owner and a review manager.
The Information Security organization comprises of Information Security Head, Information Security Manager and IS team. Then we have the Information Security Management (ISMC) and Working committees (ISWC) teams which has representations from each business unit who would be interfaces for the communication, review, implementation of Information Security programs and activities.
We are also audited by external independent auditors for SOC2 and HIPAA controls.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach MetricStream’s Quality process includes a change management procedure that minimizes the impact to a customer system while it ensures that a customer is aware of any changes being made to the system.
As part of the change management procedure, MetricStream can optionally offer and implement a ‘staging’ system that emulates the production system. This allows MetricStream’s support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment.
As part of the SLA contract, scheduled maintenance windows are also defined.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Logging is enabled on the network firewalls to capture current activity. These activity logs are retained for subsequent review.
Network vulnerability assessments are regularly done to identify potential vulnerabilities. These assessments help identify weaknesses within the network configuration, systems that have not been updated with the latest service packs and security patches, or systems that still require specific hardening techniques for which non-intrusive assessments are performed for a range of addresses. Results are reviewed and posted internally.
A formal anti-virus management process to monitor and remediate virus vulnerabilities where anti-virus software monitors/detects/prevents virus signatures from being transmitted.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Automated monitoring tools poll the system every 5 minutes and test such connections as the web server, the Application server, the database server, and various parts of the application layer.
HTTP requests monitor connections and failures trigger alerts over email and/or pager to the help desk.
Website and application availability are monitored by Alertbot, Nagios and Kace to provide uptime, response time, and cause reports.
Incident Response: Immediately isolate the respective V-LAN or Server or set of servers. MetricStream will first arrest the breach and notify both Data Center and end customer.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach In case of any incident, MetricStream will notify the customer in case of incident and breach. The incidents are typically handled based on standard operating procedures setup which details the corrective actions, key personnel to be involved and informed as well as risk mitigations to be put in place. MetricStream will first arrest the breach and notify both Data Center and end customer. The point of contact (POC) within the customer and others in their team are notified. MetricStream will work in tandem until the incident is solved and respective notifications are done and acknowledged by customer.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £100 to £5000 per user per year
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑