Why your public safety software vendor should be ISO/IEC 27001:2013 certified

According to the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, cybersecurity is one of the most important security considerations for emergency services sector organizations. It says that from targeted incidents, such as ransomware attacks, to unintentional acts, such as failure to properly install security updates, poor cybersecurity practices can cause severe operational problems and the needless expenditure of funds.

One important step these organizations can take to ensure the foundational robustness of their public safety software systems such as computer-aided dispatch (CAD) is to choose a vendor that is ISO/IEC 27001:2013 certified.

ISO/IEC 27001:2013 explained

ISO/IEC 27001:2013 Information Security Management Systems Certification specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

It is the international standard that defines best practices for an organization’s ISMS and allows it to assure clients and other stakeholders that it is managing the security of their information.

Choosing a software vendor that is ISO/IEC 27001:2013 certified provides confidence that the vendor has taken the steps required to safeguard data assets from myriad security risks.

Security built in

Part of the assurance clients using an ISO/IEC 27001:2013 certified vendor’s products have is that security is built into the software at every level and maintained through feedback during development cycles.

Each time something is coded, it’s added to the product and built, and each time it’s built it’s tested. This results in more and more tests, with results fed back to the developer more quickly. When the code is tested early, it prevents vulnerability from being brought into the main version of the product. Further down the pipeline that main version is deployed and different types of security tests are performed.

This is how an organization the builds software bakes in security and develops software that is less vulnerable to attacks.

Hexagon’s public safety software

The information security management system of Hexagon’s Safety & Infrastructure division has been approved by Lloyd’s Register Quality Assurance to ISO 27001:2013.

“The ISO 27001 certification shows that across our organization, we have strict quality and security controls in place for our information management systems,” said Karen Ball, vice president, global product development at Hexagon. “The certification gives us a competitive edge to win global business while providing customers with ease knowing their data will be protected, whether on-premises or in the cloud.”

Furthermore, the company’s Global Product Center (GPC), through its application security policy, ensures each product release is more secure than the last and also requires those working on public safety product have training in the FBI’s Criminal Justice Information Services Division (CJIS) compliance standards.

The GPC’s architecture review board checks for security in each new product and feature, with threat modeling completed during planning phases.

The verification process includes vulnerability management and verification through static application security testing (SAST), dynamic application security testing (DAST), pull requests (PR), threat model analysis and penetration testing.

Bill Campbell, senior vice president, North America, for Hexagon’s Safety, Infrastructure & Geospatial division, recently wrote, “…Unfortunately, it’s common for public safety agencies to have limited resources, so they must perform their own due diligence. Many still work with vulnerable legacy software housed on outdated servers, so that task could seem daunting at first. But there have been many technological developments, particularly with respect to ‘the cloud,’ that significantly reduce the cost and complexity.  Modern cloud solutions are very capable of securely storing the applications and data needed for emergency response departments. Experienced cloud providers adhere to the FBI’s Criminal Justice Information Services Division (CJIS) compliance standards to ensure the best security measures are in place.”

Learn more

Find out more about Hexagon’s public safety solutions, including the HxGN OnCall Portfolio of call-taking and dispatch, records, analytics, major event management and mobility products.

Enjoy this post? Subscribe to our blog and have industry insights delivered right to your inbox each week. Subscribe now.


  • Explore tech-focused stories, industry trends and customer insights in Hexagon's Safety, Infrastructure & Geospatial division blog.

  • Recent Posts

  • Most Popular Tags