Civica UK Limited

Civica CFRMIS Hosted Solution

CFRMIS (Community Fire Risk Management Information System) allows Fire & Rescue Services to manage prevention and protection activities within a single interface, whether it be Community Fire Safety, Technical Fire Safety, Operational Intelligence, Fire Investigation or Vulnerable People.


  • CFS including HFSC and Safe & Well visits
  • TFS including FSA and Short Audits
  • OPS Intelligence including PORIS and SSRS's
  • Vulnerable Persons - Full subject management
  • API allowing full corporate integration
  • CFRMIS mobile allowing full mobile working
  • Customisable reporting with integration to corporate reporting systems
  • Geographically displayed data via embedded GIS
  • User definable dashboards
  • 256-bit document encryption


  • Improves accessibility, efficiency and return on investment
  • CFRMIS’s Welcome Screens present a unique view of the jobs
  • Jobs can be categorised for quick access
  • Can be supplemented with MS SQL Reporting Services
  • Create corporate dashboards allowing quicker access to vital data
  • All in one environment, automated enforcement management
  • Saves time and ensures consistency of information
  • Eliminates paper based data gathering, improving data quality
  • Improves risk identification and reduces the risk of incident
  • Reduces likelihood of failed prosecution attempt


£2666 per user per month

  • Free trial available

Service documents

G-Cloud 11


Civica UK Limited

020 7760 2800

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints None
System requirements
  • CFRMIS is browser-based so doesn't require any additional licenses
  • Does not require any third party licenses

User support

Email or online ticketing support Email or online ticketing
Support response times Response times differ based on Civica SLA.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Civica provides a support Service Desk during Service Hours, this includes all maintenance windows, the release process and any Priority 1 incidents.

Civica's Service Desk is available during support hours to log incidents. Civica's Support Portal is available 24x7. All incidents logged by the Service Desk are referred to the support teams who provide support during the following:

• 09:00 to 17:00 Monday-Friday: Civica's Service Desk available to log incidents. Civica's Support Portal is available 24x7. Incidents logged by the Service Desk are referred to the support teams who provide support.

Support hours extensions after normal hours can be provided (please contact us for more details).

Civica's technical support team assist in the resolution of problems when necessary.
Support available to third parties Yes

Onboarding and offboarding

Getting started The types of training which can be provided, based on the training needs of the target audience, are typically as follows:
- Project Team training
- System Administration training
- User training
- Go Live ‘floor walking’
- Refresher
- Speciality Courses
- Train the Trainer

Civica training courses are designed to deliver a good understanding of the functionality or skillset required to work effectively with the solution.

The specific methods to be used are agreed at the outset of the project; these may include:

- Classroom training
- Use of customised training environment, configuration and data set
- Some eLearning materials distributed using external media or via the internet
- Shorter, remote training courses

There are prerequisites to our training courses to be aware of and these will be discussed at the outset of a project. Please note the following exclusions apply unless otherwise agreed:

- Consultancy
- Fault resolution with existing Civica solutions
- Configuration or forms development activities
- Testing support
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction There is no specific data extraction process at the end of contract; however, Civica would look to provide the data in a format that is accessible to the data owner. If any further services are required, e.g. data cleansing or data manipulation, these would be chargeable at the day rate of the sold contract.
End-of-contract process Three months from the end date of the contract Civica will enter into discussions with the client to determine whether the contract will be extended. If the client decides to enter into a further contract term then a new contract will be issued.

If the client decides not to extend beyond the contract end date, within seven days following the contract end date the Licensee shall (at the option of the Licensor) return or destroy all copies, forms and parts of the program and documentation which are covered by this License and shall certify to the Licensor in writing that this has been done.

Once notice has been received that the customer will not extend beyond the contract end date, Civica will email the customer confirming the notice has been received and a member of our technical department will contact you to arrange removal of the system from your servers.

Any assistance the client may require to migrate existing data off the system on termination of this contract will be chargeable.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices No
What users can and can't do using the API The “CFRMIS External Integration” is similar to an API which allows a fire service to create their own web-pages in their corporate intranet/extranet/standalone web-browser to interact with CFRMIS to create new jobs/edit existing records.

The integration provides two fundamental aspects:

1. The ability to query the data in CFRMIS and return the results in a generic manner.
2. The ability to save data to the CFRMIS database which may/may not include the sending of emails/other notifications.

Civica provides a method that allows a query to be run against the CFRMIS database. The results are returned in XML format for interpretation by the calling application.

Civica provides a universal and generic way of sending data to the CFRMIS website. The CFRMIS website processes the data sent according to a very specific set of business rules in conjunction with any specific customer requirements, i.e. sending of emails/notifications.

Civica expects its customers to create their own web-based or other user interface. This user interface can consume the API to enact requests to the CFRMIS website, in exactly the same manner as the CFRMIS web application itself.

The API receives HTTP POST requests and accepts a URL and an accompanying JSON object.
API documentation Yes
API documentation formats
  • PDF
  • Other
API sandbox or test environment No
Customisation available Yes
Description of customisation Customers can customise the user interface by hiding fields or re-labelling fields but cannot make any changes to the CFRMIS SQL Database.

Customisation can be carried out by competent users either via editing the XML files or using the Graphical User Interface Editor. Where a customer would prefer, the work can be carried out by Civica. Customisation by Civica will incur additional costs.


Independence of resources The CFRMIS Hosted Solution is configured based on the concurrent usage information supplied by the customer. This data is then used to size the server requirements.


Service usage metrics Yes
Metrics types Where CFRMIS is hosted, Civica can provide usage metrics at an additional cost.

Service metrics can be configured based on the customer's requirements at an additional cost.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach CFRMIS allows data to be exported as CSV, XLS and XML from any query screen or Code Table. CFRMIS can import data either through spreadsheets based on code tables, via the Bulk Data Import screen where data has been consumed from a Third Party agency, or via the Data Import Screen.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel
  • XML
Data import formats
  • CSV
  • Other
Other data import formats CFRMIS's Bulk Data Import allows users to import from Excel/CSV.

Data-in-transit protection

Data protection between buyer and supplier networks Other
Other protection between networks CFRMIS will be configured to meet the customer's Code of Connection.
Data protection within supplier network Other
Other protection within supplier network CFRMIS will be configured to meet the customer's Code of Connection.

Availability and resilience

Guaranteed availability CFRMIS is built on the Microsoft Azure cloud platform that is backed by guaranteed availability levels of 99.99%. This provides geo-redundant data centres to ensure a high level of resilience.
Approach to resilience The Azure datacentres are built to industry leading standards and provide built-in resilience within their design.
Outage reporting CFRMIS is built on the Microsoft Azure platform, which has a public dashboard for outages of their systems. Civica will manage any software outages where appropriate. Any scheduled maintenance will be performed outside of the normal contracted hours.

Identity and authentication

User authentication needed Yes
User authentication Other
Other user authentication By default CFRMIS uses SQL Authentication but this can be expanded to meet the customer's requirements.
Access restrictions in management interfaces and support channels CFRMIS uses User Groups to restrict access to data once a user has logged into the system. Additional restrictions can be placed on the system to restrict access to an individual IP address or an IP range.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 ISO QAR
ISO/IEC 27001 accreditation date 06/12/2017
What the ISO/IEC 27001 doesn’t cover Nothing.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials Plus
  • ISO22301

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes In order to provide a wide range of services to public and private sector organisations, Civica maintains an active information security programme. This programme requires regular internal and external audit inspection of both physical and logical data protection structures. The policies and procedures are aligned to ISO 27001 and Cyber Essentials Plus certifications.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All hosted assets metadata is stored in a Configuration Management Database. This database is access controlled to authorised staff only. The CMDB provides information essential to the secure hosting of client critical services. Civica's Change Management process ensures that all changes are considered and planned, and appropriate, and that there is a clear audit trail of all changes.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Civica implement and review against best practices to secure against known threats and vulnerabilities, focussing on the OWASP Top 10 vulnerabilities. We perform static code-based analysis of potential threats, using Veracode, as well as dynamic analysis using tools such as OWASP ZAP. Civica performs 3rd party PEN testing on all major releases.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Civica take a proactive approach to information security through a process of continual monitoring and review. As part of a documented risk assessment methodology to identify and manage information security risks, a dedicated security team update the risk register monthly. CFRMIS is built on top of the Microsoft Azure platform which leads the world in cyber security and allows granular monitoring of all the solutions from machine access. Civica uses MS Azure WAF to protect and monitor against known vulnerability exploits.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Civica have developed an Incident Management process (PRM07) under ISO 20000 standards which details both the Incident and Service Request Management processes. The Civica Service Desk manages end user Service Requests, Incidents and Requests for Change (RFCs) which can be logged by e-mail, telephone and web portal. Monthly customer reports will detail incident information.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks Yes
Connected networks Public Services Network (PSN)


Price £2666 per user per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Civica can arrange access to their CFRMIS Beta Site.

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)
  • Modern Slavery statement (PDF)