News and information about verinice.

As one of the first ISMS tools, verinice offers support for the EU directive NIS2. The "NIS2 verinice risk catalog" was developed in close cooperation between the Verband Deutscher Maschinen- und Anlagenbau (VDMA) and the verinice team at SerNet GmbH. The new catalog supports organizations in meeting the NIS2 requirements and ISO/IEC 27001:2022. It is available directly at the verinice.SHOP in a free and a paid version and is therefore ready for immediate use.

The NIS2 Directive imposes increased IT security requirements on companies in the EU from October 2024: It applies to companies that, depending on their size and turnover, act as essential or important service providers in sectors such as energy, transport, health and digital infrastructure. The timely establishment of an information security management system (ISMS) in accordance with ISO 27001 is one possible way to meet the requirements of the directive.

Advantages of the verinice risk catalog

The "NIS2 verinice Risk Catalog" is based on the "verinice Risk Catalog (ISO/IEC 27001:2022) - ISM Edition", which has been available for many years. A team at SerNet customer and VDMA member Krones AG has mapped the NIS2 requirements to the current ISO/IEC 27001:2022 and made them available to the verinice team via the VDMA. Thanks to the cooperation between VDMA and SerNet, this mapping can now be made available to the general public. In addition to the already extensive contents of the risk catalog, 24 requirements of NIS2 have now been added, which are linked to the corresponding requirements of ISO/IEC 27001:2022 and are thus also taken into account in the risk analysis. The catalog is aimed at companies of all sizes and types and is an essential resource for achieving and maintaining compliance with the NIS2 directive and ISO/IEC 27001:2022. The use of this catalog enables risk management processes to be accelerated and optimized thanks to its detailed and comprehensive preparation

Availability and live demo

The "NIS2 verinice risk catalog" is an add-on module for use in the ISMS tool verinice from version 1.26. It can be obtained from the verinice store and integrated into the tool. Two versions are available:

• The paid full version of the "verinice risk catalog" including access to the original ISO standards (licensed via Beuth-Verlag), which has been expanded to include the mapping of the NIS2 guideline to ISO27001:2022.
• The free version (German only), which only contains the catalog content of the ISO standard in encrypted form - for licensing reasons, full access is only available in the paid full version.

If you are already using the risk catalog together with verinice, you can use the NIS2 content of the VDMA at no additional cost by downloading the ZIP file again. If you want to test everything free of charge, you can do so with the EVAL version of the verinice client and the free NIS2 catalog.

The verinice team offers the opportunity to get to know the catalog better. In regular webinars, the team demonstrates the risk catalog and, in the future, the NIS2 integration in verinice as an extension for an ISMS. Stanislav Striegler, who made a significant contribution to the realization of the "NIS2 verinice risk catalog", leads the live demos himself and is happy to answer questions.

The verinice team is starting the new year with the release of version 1.27: The release date is scheduled for the first calendar week of 2024. The version brings new functions, detailed changes and bug fixes.

Relevant innovations in verinice 1.27 include the further integration of emergency management (BCM) according to BSI standard 200-4 with now comprehensive reporting, the integration of a "Management Summary Report IT-Grundschutz" and the provision of verinice for RHEL 8 / Alma Linux 8.

The verinice team is happy to assist with updates. An (existing) support contract or the support budget (verinice.SHOP) can be used for this. Please contact us to arrange an appointment.

The updated versions of two BSI minimum standards are available for verinice: The minimum standard for using external cloud services and the minimum standard for logging and detecting cyber attacks. Both are available free of charge in the verinice shop for use in verinice (German only). 

The minimum standard for the use of external cloud services formulates security requirements according to § 8 para. 1 BSIG.  It addresses the two scopes of use and shared use of external cloud services.  In version 2.1 the implementation notes and the reference table have been updated based on Edition 2022 of the IT-Grundschutzkompendium.

In version 2.0, and with it a completely new structure, the minimum standard for logging and detecting cyber attacks is available. It is intended to ensure a uniform approach to the detection of cyber attacks and substantiates the building blocks OPS.1.1.5 Logging and DER.1 Detection of security-relevant events from the modernized IT-Grundschutz. A significant innovation is the extensive integration of the "Logging Guideline for the Federal Government" (PR-B), which was previously available as an annex. 

The minimum standards of the Federal Office for Information Security (BSI) are primarily aimed at the federal administration. Other organizations such as state administrations or companies can also achieve a minimum level of security with their help. Companies and authorities that follow the BSI minimum standards benefit from a clear structure and orientation as far as ensuring the security of data and systems is concerned. Working with the minimum standards in the ISMS tool verinice also offers all the advantages of centrally managing information security - users can focus fully on implementing security requirements.

For more information and discussion, visit the verinice.FORUM or watch the latest videos on YouTube.

The next verinice.XP digital via Zoom will take place on February 28th, 2024. There, everything will revolve around information security and data protection with verinice. Various workshops on verinice will also be offered via Zoom on the day before the conference. The call for papers and ticket sales have already started. Conference tickets are available for 95 €.

Call for Papers
You would like to contribute something to verinice.XP and have an idea for an exciting presentation? Then submit your proposal using the form at https://veriniceXP.org. The program committee, consisting of Michael Flürenbrock (SerNet), Volker Jacumeit (DIN), Boban Kršić (Fresenius), Isabel Münch (BSI) and Jens Syckor (TU Dresden), will review the contributions. Do you implement interesting projects with verinice or use the tool for special application scenarios? We are particularly pleased to receive practical examples from the application. Co-speakers are also welcome. All speakers receive free access to the conference.

About the verinice.XP
For many years, IT decision-makers, security managers and data protection officers from different companies, institutions and authorities have been coming together at verinice.XP. They all use verinice for the management of information security or data protection. At the conference, participants can share their best practices with the verinice team and with each other. The verinice.XP is organized annually by SerNet.

verinice gets an update: Version 1.26.1 is now available in the verinice.SHOP or in the customer repository. With the release, the verinice team fixes two bugs. Read more about verinice 1.26 and 1.26.1 in the Release Notes.

The verinice team has corrected the signing of verinice packages to SHA-256, which is particularly relevant for Windows users. Before the update, some users occasionally received warning messages from Microsoft Defender when installing the client on Windows. This issue is now history with the latest version.

In addition, the team has improved the handling of Unicode encoding to prevent a theoretically possible path traversal (see CWE-176: Improper Handling of Unicode Encoding for details). However, exploitation is not evaluated as real in verinice's usage scenario.

We recommend this update to all verinice users, especially those who received Microsoft Defender warnings during the client installation on Windows.

From October 10-12, 2023, verinice can be found at the it-sa in Nuremberg. The it-sa is the largest trade fair in the field of IT security in Europe. At booth 7-114 in hall 7, the verinice team of SerNet together with co-exhibitors sila consulting and neam IT-Services will be available for questions and discussions.

Visitors of the booth can get information about the different verinice products. As a special highlight, the latest web-based tools of the platform verinice.veo verinice DSMS and verinice ISMS will be presented. Michael Flürenbrock (Product Owner) and Daniel Murygin (Head of Development) will be happy to report on the latest developments.

The range of services offered by the verinice.PARTNERs can also be learned about. This includes, among other things, consulting on various standards (e.g. BSI IT-Grundschutz, ISO 27001), BCM and the development of an ISMS.

You would like to make an appointment with the verinice team or one of the verinice.PARTNERs? Then send us an E-mail to itsa@remove-this.sernet.de.

Free day ticket - get it now!
For a free ticket, redeem voucher code 503252itsa23 at https://it-sa.de/voucher. We are looking forward to welcoming you at our booth.

The verinice team has released the new version of the risk catalog: it now takes into account ISO/IEC 27001:2022-10, ISO/IEC 27002:2022-02 and ISO/IEC 27005:2022-10. The verinice Risk Catalog (ISO/IEC 27001:2022) - ISM Edition is available for download from the verinice.SHOP or the Update Repository for use in verinice version 1.26 and later.

The updated standards of the 2700x family are currently only officially available in English - therefore, the English Risk Catalog has been updated first. The German Risk Catalog will follow suit as soon as possible, when the German translations are available.

In the new version, the verinice Risk Catalog is again intended to significantly accelerate risk analysis as an add-on module. This is made possible by pre-modeled sample processes and assets as well as threats, vulnerabilities, risk scenarios and controls from the ISO standards:

• 180 generic risk scenarios applicable to any organization, in various categories such as physical damage, inadequate maintenance, cyber-attacks, etc.

• Over 1000 relationships between the risk scenarios and controls as per ISO/IEC 27001:2022 (Annex A) to address these risks. As an organization, all you need to do is complete the implementation status of the controls and customize the relationships.

• 60 basic threats in various categories such as impairment of functions, human actions, technical failure, etc.

• 84 inherent information processing vulnerabilities in categories such as hardware, network, personnel, location, etc.

• 147 sample assets associated with seven basic business processes, in categories such as hardware, information, personnel, location, etc.

There are currently no plans to update the verinice Risk Catalog Plus (ISO 27001 / ISO 27019). Please contact us directly via vertrieb@remove-this.sernet.de if you have any questions about this.

Version 1.26 of verinice and verinice.PRO is now available for download from the verinice.SHOP or from the Customer Repository. The verinice.TEAM provides new features, detail changes and bug fixes with this release. Support for the new ISO/IEC 27001:2022 is the main new highlight. Details are available in the full Release Notes.

The team plans to release the new verinice risk catalog with the relevant content of the ISO 27001 family shortly. In parallel, the customization of the risk analysis in the ISM/ISO perspective has been simplified. In the associated report templates, the risk matrices for confidentiality, integrity and availability can now be customized.

As part of the product maintenance, verinice 1.26 also updates the Rich Client Platform (RCP) and the Java Development Kits (JDK) in addition to numerous detail improvements and bug fixes.

In addition to the new edition of the risk catalog, the data protection module with IT-Grundschutz-Kompendium Edition 2023 should also be available soon.

In addition to the development of the classic verinice, SerNet is working intensively on the new platform verinice.veo, which has been launched with the first product verinice DSMS. Learn more about the fully web-based data protection manager and test our next generation tool for one month free of charge: find out more at verinice.com/veo or contact our sales team directly at vertrieb@remove-this.sernet.de.

The verinice team is not only working on the further development of the professional application, but is also constantly opening up new areas. Among other things, Alexander Koderman, developer and verinice inventor from the very beginning, has dealt intensively with graph databases. Together with Mirko Prehn, he published the article "The Use of Graph Databases in Compliance Automation" in issue 36/December 2022 of IT-Governance magazine, the professional journal of the ISACA Germany Chapter e.V.. We make the article available here as a special PDF edition (read complete article).

From the content: Modern graph databases are perfectly suited to solve typical challenges in compliance management. They can be perfectly combined with current developments in machine-readable formats such as the recently completed OSCAL standard. However, some challenges remain.

At the GraphConnect 2022 conference, Koderman also presented "Cybersecurity Automation with OSCAL and Neo4J." The presentation was recorded and can be viewed on YouTube: https://youtu.be/FVCFmSIsYic.

The verinice.XP 2023 was the meeting point for users of the ISMS tool verinice at the end of February. A special highlight was a report by Alexander Koderman (verinice.TEAM / SerNet GmbH) directly from the verinice lab: the integration of ChatGPT into the new platform verinice.veo using the veo copilot as a browser plugin. Koderman has published the associated code on GitHub: https://github.com/Agh42/veo-copilot.

The entire talk (in German) can be seen at https://verinice.com/chatgpt In it, Koderman also immediately cleared up a common misconception when dealing with language models, which can be solved with the necessary background knowledge and the right query. 

Koderman highlights the tremendous progress of language models that everyone has seen in recent weeks and months. Not only can they now solve puzzles faster than humans can even read them. ChatGPT and co. are also now processing the concepts behind them. The impact of AI on information security management is correspondingly far-reaching, he says: "The way we analyze cybersecurity risks, implement measures and ensure compliance will change dramatically." The use of AI-powered tools in information security management has the potential to significantly improve the efficiency and effectiveness of the work, he said.

ChatGPT as copilot

Koderman also sees a lot of potential for verinice: "The ongoing development and expansion of language models presents us as tool developers with challenges and opportunities: how can we incorporate natural language interfaces into traditional user interfaces? In the coming months, we will answer these questions and add exciting new features to verinice.veo."

A first answer is already available as an experiment: The veo copilot as a browser plugin. This can be used to test and play in the web-based verinice DSMS, which is available now. In his presentation, Koderman not only demonstrates how this works, but also takes this opportunity to give a little insight into the latest generation verinice. Meanwhile, the copilot also uses the current language model behind ChatGPT, which is now available via the OpenAI API.

More recordings of verinice.XP 2023 will be gradually published on the verinice YouTube channel: https://www.youtube.com/c/verinice