News and Press Releases

    Page 1 of 6.
  • 1
  • 2
  • 3

version 1.22.2 of verinice and verinice.PRO is now available for download in the verinice.SHOP or in the customer repository. verinice 1.22.2 (Release Notes) is a security update. The verinice.TEAM recommends all users to apply the available patch as soon as possible.

With verinice 1.22.2 the team fixes a vulnerability, details are described in the Security Advisory. The official CVE ID is CVE-2021-36981. We would like to especially thank Frank Nusko (Secianus GmbH), who found the vulnerability and informed us about it. Together we were able to prepare a Coordinated Disclosure. 

Secianus will publish the details of the vulnerability shortly, so that verinice users have enough time to update. If you need help with this or have any open questions, please feel free to contact us at

As of now, the verinice.TEAM provides the BSI published Benutzerdefinierte Bausteine for use in verinice free of charge. They can be ordered and downloaded from the verinice.SHOP

Users of IT-Grundschutz have the opportunity to contribute their expertise to IT-Grundschutz by creating so-called Benutzerdefinierte Bausteine (user defined building block). To do this, an institution picks out a topic or partial aspect for which no IT-Grundschutz building block has yet been published and on which it would like to work. Those responsible for information security can put their experience and work results, such as security assessments of threats and requirements, into the form of a building block. This user defined building block can then be published on the IT-Grundschutz website. Companies that want to address similar topics can benefit from the existing expertise and, at best, develop the content further.

The BSI does not review the content of user-defined building blocks, and the building blocks are not usually published in the IT-Grundschutz compendium. If there is a high demand for a topic, it is possible to revise a module further and include it in the IT-Grundschutz-Kompendium. The modules were created by IT-Grundschutz users and kindly made available to the BSI for publication. They may be used free of charge for IT security concepts based on IT-Grundschutz without the author's consent and without providing a source reference.

[Translate to English:] Screenshot aus dem verinice-Weinar zum Modernisierten IT-Grundschutz

New dates for verinice webinars introducing how to "Establish an ISMS according to ISO 27001 in verinice.PRO" are available. Thus, the verinice.TEAM offers the opportunity to get to know the tool for information security management and to ask questions directly to the verinice makers in the second half of 2021.

The presentation will take place via GoTo Webinar, please register directly there. You can also find further information on our webinar info page.

The verinice.TEAM has also recorded webinars: Interested parties can also watch these to get a first insight into the ISMS tool and the concrete implementation. All videos are compiled at Questions can be sent to


Example organization of the IT Baseline Protection Profile control centers in verinice

The IT Baseline Protection Profile for control centers is now available for use in verinice ( as of version 1.22). The Baseline Protection Profile is published by the Fachverband Leitstellen e.V. – in German only – and can now be directly integrated into verinice. It is available free of charge via the verinice.SHOP.

The IT Baseline Protection Profile for Control Centers helps users to install an information security process in a control center and to adapt it to the corresponding requirements. The Baseline Protection Profiles are intended by the BSI as a template for information security: with their help, users who have similar security requirements should use the template to "check the level of security in a resource-saving way or start to set up an information security management system (ISMS) according to IT Baseline Protection." (see BSI-Infoseite zu IT-Grundschutz-Profilen, German only).

The target group for this profile is primarily the decision-makers responsible for information technology in the area of control centers. It is also intended to serve as a guideline for information security concepts in control centers for manufacturers of control center technology and specialist planners commissioned with the technical planning of control centers. But other interested parties can also apply the sample scenario to their individual framework conditions.

The "IT Baseline Protection Profile for Control Centers for verinice" contains two sample organizations based on the IT Baseline Protection Kopendium in Edition 2020 as well as in Edition 2021. The updated version was created by the verinice.TEAM and can be used optionally - depending on which edition users are working with. By importing the corresponding file into verinice, an information network with modeled target objects according to the IT Baseline Protection Profile is then available for further use and individual adaptation.

The original IT Baseline Protection Profile for control centers can be downloaded as PDF from the BSI (German only).

The verinice.TEAM has published the additional module verinice PCI DSS. This requirements catalog maps the Payment Card Industry Data Security Standard (PCI DSS) in verinice. The module can be used with verinice starting with version 1.22 in the ISM perspective. It is available to purchase in the verinice.SHOP

About the module verinice PCI DSS

The module verinice PCI DSS enables tool-supported verification of compliance with PCI DSS requirements. Requirements from other standards or laws (e.g. GDPR, HIPAA, ISO 27001 etc.) can also be conveniently mapped to avoid redundancies. verinice thus enables an integrated management system. 

Together, verinice and the PCI DSS module make it much easier to check and process compliance with the requirements. The module contains the complete PCI DSS requirements, which are imported into verinice. Users can thus skip the time-consuming and tedious part of the work, and use time more productively for working with the standard. In addition, responsibilities can be stored in verinice and individual requirements can be delegated so that colleagues can work together on the assessment. The associated reports provide meaningful overviews of the status quo of the organization.


The Payment Card Industry Data Security Standard (PCI DSS) was developed to improve the security of cardholder data and facilitate the adoption of consistent data security measures around the world. The PCI-DSS provides basic technical and operational requirements for protecting cardholder data. The PCI-DSS applies to all entities involved in the processing of payment cards – including merchants, processors, billing entities, card issuers and service providers, and other entities that store, process, or share CHD (Cardholder Data) and/or SAD (Sensitive Authentication Data).

Icon B3S

verinice. as well as verinice.PRO and the add-on module Zusatzmodul B3S Krankenhaus are qualified for funding from the Hospital Future Fund (KHZF). SerNet thus offers clinics and hospitals that have to improve their IT security and introduce information security management by the deadline of 01.01.2022 a comprehensive solution that meets their needs and is also eligible for funding. The corresponding proof of suitability for eligible service providers is held by SerNet.

The ISMS tool verinice or verinice.PRO is already in use as a reliable solution in the healthcare sector (e.g. Universitätsklinikum Halle, Charité Universitätsmedizin Berlin). The verinice.TEAM has also integrated the "Industry-Specific Security Standard for Healthcare in Hospitals" (B3S Krankenhaus), which is published by the German Hospital Association. The combination of verinice and the industry standard supports hospitals in meeting the requirements of the Patientendaten-Schutz-Gesetz (PDSG). According to this, by 01.01.2022, clinics and hospitals that are not classified as KRITIS (>30,000 full inpatient cases) are also "obliged to take appropriate organisational and technical precautions in accordance with the state of the art to prevent disruptions to the availability, integrity and confidentiality of their IT systems in order to ensure the functionality of the respective hospital and the security of the processed patient information." 

In accordance with the Krankenhauszukunftsgesetz für die Digitalisierung von Krankenhäusern 

funding can be applied for for the procurement and operation of verinice or verinice.PRO as well as the verinice module B3S Hospital since 1.1.2021. The responsible colleagues from the SerNet sales team have also obtained the necessary certificate in accordance with the Hospital Structure Fund Ordinance (KHSFV). SerNet is thus an authorised service provider. 

Some verinice.PARTNERS can also already show the "KHZG certificate" and offer comprehensive advice on the topics of: Improving IT security, ISMS for hospitals in general or specifically with the B3S and the funding from the KHZF. You can identify the relevant partners via our Partner-Locator.

The new version of the ISMS tool verinice 1.22.1 is available.

(UPDATE: See below at the end of the text for the short-term changes from 1.22 to 1.22.1).

Users can either obtain it from the verinice.SHOP or download it from the repository for Pro customers. In the release notes for verinice 1.22 we list all new features. 

The BSI IT-Grundschutz-Kompendium Edition 2021 is now also available in the verinice.SHOP or in the Pro repository. It is recommended to use it in combination with verinice 1.22 – an update is possible from the former Edition 2020 is possible.

Particularly noteworthy in the new version are: 

  • VDA ISA / TISAX version 4 and 5 (catalogs and report templates): For the modeling of the self-assessment according to VDA ISA / TISAX, both the current version 5 (default) and the previous version 4 are delivered with verinice 1.22, including the respective report templates.
  • Reporting form according to BSIG 8b for security incidents: The Incident target object has been updated for both the ISM perspective and the modernized IT-Grundschutz perspective and now maps security incidents.
  • Correction of the link view under macOS BigSur: This issue was identified and resolved together with the verinice community. 
  • Acceleration of VNA export for scopes with more than 20,000 elements.

Data protection module 3 for verinice (German only) is also available in a revised perspective. It now includes the BSIG 8b notification form for data protection incidents for the respective perspective (IT-Grundschutz and ISO/ISM). This also applies to the Risk Catalog Plus incl. data protection module, which is aimed in particular at energy network operators who have to implement the mandatory IT security catalog and the requirements contained therein in accordance with Section 11 (1a) EnWG (based on DIN ISO/IEC 27001:2017, DIN ISO/IEC 27002:2017, ISO/IEC 27005:2018 and DIN EN ISO/IEC 27019:2020). In addition, the data protection module for the Basic Protection Perspective has been updated to the new Basic Protection Compendium Edition 2021. 

verinice 1.23 is scheduled for week 40 (October 4-8, 2021). The planning for this can be viewed in the verinice.FORUM. Native support for Apple M1, an update to Java 11 and an update of the RCP framework are already set. A decision on the CentOS successor should also be made by the time of the release in the fall.

Update: 1.22 to 1.22.1

With verinice 1.22.1, the verinice.TEAM fixes an error when updating a modelled information network to Edition 2021 of the IT-Grundschutz Compendium. Mistakenly, changes from the previous edition 2020 were not deleted during the remodelling but kept as "new" changes from the edition 2021. The problem is described in detail in this post in the forum: The problem can be easily corrected in verinice 1.22.1 by remodelling with the new version 9.1 of the IT-Grundschutz-Kompendium of Edition 2021 published in parallel. For each update (remodelling) from one edition of the IT-Grundschutz-Kompendium to a newer one, at least verinice 1.22.1 must be used!

IT-Grundschutz-Kompendium 9.1 Edition 2021

With the **IT-Grundschutz-Kompendium 9.1 Edition 2021**, the verinice.TEAM provides a new version of the IT-Grundschutz-Kompendium to correct the error fixed with verinice 1.22.1 when updating the IT-Grundschutz-Kompendium. The new version replaces the previous one with the same content, but the newer release tag [2021-1] enables the correction through simple re-modelling. Users who have modelled an information network without updating from a previous edition with the previous version *IT-Grundschutz-Kompendium 9 Edition 2021* can continue to use it. An update from version 9 to version 9.1 is not required. Note: For each update (remodelling) from one edition of the IT-Grundschutz-Kompendium to a newer one, at least verinice 1.22.1 must be used!

Ausschnitt Agenda der verinice.XP 2021 Tag 1

The final program for verinice.XP 2021 is online. For the first time, the conference will take place completely in digital form on February 24 and 25. The speakers will give their presentations live via Zoom – participants can follow the conference flexibly from any location. The agenda is published on the conference website, tickets are available for 99 euros.

The main language of the conference is German; have a look at this article about the program. If you would be interested in a verinice.XP in English or an Workshop please contact us at

About verinice.XP

verinice.XP is the conference for users of the OpenSource ISMS tool verinice.

For years, verinice.XP has brought together IT decision-makers, security managers and data protection officers from companies, institutions and public authorities. They all share the use of verinice for information security management or data protection management.

With verinice. SerNet GmbH provides the only open source tool for the management of information security (ISMS). In order to grow dynamically and to further advance the development of the software, the team is looking for additional members with immediate effect.

Three positions are currently open:

The verinice.TEAM works distributed at the locations Berlin (Mitte) and Göttingen (headquarters of SerNet). Interested parties can apply for both locations. Details on tasks, requirements and benefits are included in the respective job description.

About verinice.

verinice is the only tool for information security management under open source license. It is in use in 4 German states and in more than 40 federal authorities, as well as in a large number of municipalities, public utilities and other public sector institutions, especially in critical infrastructures. For the industrial sector, verinice supports not only the IT Baseline Protection of the BSI but also the ISO 27001 and is used here by companies throughout Europe and also by the Council of the European Commission or European national banks.

Working at SerNet

You can find more information from SerNet about the working environment online, as well as further information about training, studying and women in STEM professions. Furthermore, you can read here how we deal with COVID-19 and working from home.

For questions about the positions or to apply (PDF format), please contact SerNet Managing Director Reinhild Jung at

The verinice.TEAM at SerNet has released a new version of the OpenSource ISMS tool verinice. From now on, verinice and verinice.PRO in version 1.21 are available for download in the verinice.SHOP or in the customer repository.

verinice 1.21 includes more than 50 new features, detail changes and bug fixes. Users get support for essential tasks:

  • In the modernised IT Baseline Protection, the consolidator can be used to transfer contents of modules, requirements, threats and measures to similar elements.
  • The target object Incident in the ISO/ISM perspective and in the perspective modernised IT Baseline Protection has been updated and now represents security incidents and data protection incidents.
  • verinice now supports the VDA ISA catalogue version 5.0.2. 
  • The target object Document has been extended extended.
  • The dialogue for report generation has been optimised and thus offers a context-related selection of report-templates.
  • Reports can be generated across multiple scopes if the report-template supports this function.
  • In the Link Maker, in addition to the scope the parent objects are now displayed for better assignment.
  • With the IT Baseline Protection Profiler it is possible to create a basic protection profile, including the documentation.

The most important new features are described in detail in the Release Notes.

If you have any questions regarding the new version, please contact the verinice.TEAM via the verinice-Forum (mainly German) or mail.  There you have the opportunity for discussion and also to formulate feature requests for future versions.

    Page 1 of 6.
  • 1
  • 2
  • 3

Search News

Press contact:

Claudia Krell


Deutsch English Lingua italiana Český jazyk
© SerNet GmbH, 2021