Information Security in a Multinational Corporate Environment: VertiGIS Establishes Centrally Managed ISMS and Achieves ISO 27001 Certification

13. March 2024

Especially in fast-growing industries, companies are faced with the challenge of adapting their information security to the constantly growing risks. The implementation of ISO 27001 measures is an effective tool for reducing risks from cyber attacks, data breaches and other security incidents. VertiGIS, one of the global market leaders for innovative spatial asset management solutions and geographic information systems (GIS), decided to set up a centrally controlled information security management system (ISMS) to sustainably strengthen their information security. The ISMS implementation project started in September 2021 and was successfully completed in September 2023 under the guidance of Maximilian Müller (Managing Security Consultant) and Fruzsina Temesi (Senior Security Consultant) from usd .

The first challenge: the right scoping in a multinational corporate environment

Like many dynamically growing companies, VertiGIS has an IT and organizational landscape at many locations worldwide. The task of Maximilian Müller and Fruzsina Temesi from usd AG was therefore to develop a standardized, centralized solution for the different processes and software products at the various locations.

In order to lay the foundation for an efficient, centralized ISMS that meets the needs of VertiGIS, VertiGIS decided together with usd to initially implement the ISMS for all locations in Germany, Austria and Switzerland

A key driver for our decision was, in addition to our own demand for strong information security in our own environment, the needs of our customers. Many VertiGIS customers operate critical infrastructures in the areas of public administration and utilities. In the DACH region in particular, we have therefore noticed an increasing demand for verifiable information security in accordance with ISO 27001. We are happy to meet these requirements by taking this step.

Sebastian Bernarello, Head of IT VertiGIS DACH

Requirements analysis, guidelines and tooling: important project phases during implementation

Following an in-depth requirements analysis, the usd project team drew up standardized information security guidelines which defined information security requirements and responsibilities for all company units in the scope. In the next step, usd and VertiGIS jointly defined the most important ISMS processes and established new roles, such as asset and risk owners.

In order to ensure efficient asset, risk and service provider management across all company units in the scope, usd provided a suitable GRC tool (governance, risk and compliance) based on a requirements analysis. VertiGIS employees in the roles of asset or risk owners use the tool to record and manage their assets and risks using a standardized process. The tool is also used for comprehensive service provider management, i.e. for reviewing and monitoring service providers according to their criticality, and enables the tracking of measures resulting from risk assessments and internal and external ISO 27001 audits.

Processes, roles and responsibilities: Onboarding of all stakeholders

An ISMS can only work well if all stakeholders know and support the processes, roles and responsibilities. The newly developed ISMS processes were implemented in various training sessions, protection requirements were determined for assets and targeted risk treatment measures were defined.

Everyone involved at VertiGIS drove the process forward in a very open and results-oriented manner. As professionals, they naturally know how important the topic of information security is and that the corresponding processes and measures must be supported by everyone.

Fruzsina Temesi, usd AG

Internal and external audit: dress rehearsal and final certification

In April 2023, the project team was able to celebrate the first major milestone: the newly created guidelines were published and implementation at VertiGIS entered the next phase with the internal audit. For VertiGIS employees, this was the perfect preparation for the external audits carried out by TÜV Rheinland in the following months. In September 2023, VertiGIS successfully passed the intensive ISO/IEC 27001:2013 audits and was awarded the certificate at the beginning of October 2023.

Continuous improvement: usd remains a partner

Information security is never completed but always an ongoing process. Even after the successful ISO 27001 certification, the usd team will continue to provide support in tracking information security measures. The transition to the 2022 version of ISO 27001 will also be completed by October 2025

In the ISMS project with VertiGIS, we not only supported the development of the ISMS, but are still here while the ISMS is lived in the company. Continuous improvement is an integral part of information security - and we look forward to continuing to support VertiGIS in the future.

Maximilian Müller, usd AG

Information security cannot be achieved by individuals, but must always be collectively supported by all employees at all levels of a company. We are delighted that our ISO 27001 compliance certification by an independent certification body means we can now demonstrate that we have achieved this. We would like to thank everyone involved in the project for this great success.

Christoph Ihnenfeld, Chief Information Security Officer, VP Global IT & Security of VertiGIS

About VertiGIS

VertiGIS is a leading provider of asset management and geographic information system (GIS) solutions and software developer. The company focuses on developing software solutions and services that enable professionals in the utilities, government, telecommunications and infrastructure market segments to connect their business processes with spatial asset management solutions. Used by more than 5,000 customers and millions of end users worldwide, VertiGIS' product portfolio is designed to extend the capabilities of leading GIS software, particularly Esri's ArcGIS®. Learn more at

Also interesting:

DORA Deep Dive: Threat-Led Penetration Testing (TLPT)

DORA Deep Dive: Threat-Led Penetration Testing (TLPT)

The Digital Operational Resilience Act (DORA) will apply as of January 17, 2025. In addition to routine operational resilience testing, DORA will also make it mandatory for certain financial companies to carry out threat-led penetration testing (TLPT) every three...

Security Advisory on Gambio

Security Advisory on Gambio

The pentest professionals at usd HeroLab examined the online shop software Gambio during their pentests. The software offers merchants various functions that support the management of inventory and orders. Our professionals discovered a vulnerability in the password...