Features and functions of the ISMS tool

Get to know verinice in detail


verinice is a tool for managing information security and supports you in your daily work as a CISO or IT Security Officer. The software is provided under the GPLv3 license aopen source software.

You can use verinice for:

  • establishing, maintaining and improving an ISMS based on ISO 27001, BSI IT Baseline Protection, IDW PS 330 or other standards;
  • assuring the compliance with standards such as ISO 27002, BSI IT-Baseline Protection, VDA IS-Assessments (VDA ISA) and many more;
  • performing risk analysis based on ISO 27005;
  • auditing, document management, report generation and much more,
  • standards overview: ISO 27001, ISO 27002, ISO 27005, ISO 27018, ISO 27019, ISO 27004, BSI 100-1 bis -4, PCI DSS, COBIT, BDSG, EU DSGVO, SSAE 16, BCBS 239, ISAE 3402, MaRisk-E, SREP, VDA ISA, IDW PS 330, IDW PH 9.330.1

verinice runs on Windows, Linux and macOS.

All relevant standards are either already integrated in the tool or can be easily imported. All data is stored in an object model that is tailored to the requirements of information security and is dynamically expandable. This makes your data the base for a sustainable IS process.

Risk Assessment

verinice lets you execute a full risk analysis of your information assets and derive further actions from the results. Add threats and vulnerabilities from various existing sources such as a vulnerability scanneror penetration test. Use the results in your risk analysis and automatically perform a risk assessment for all assets. Whether you identify your risks according to ISO 27005, BSI Standard 100-3 / 200-3 or any other process: verinice supports you!

Build your own risk scenarios as part of your risk assessment workshops – or resort to the risks listed in the BSI IT Baseline Protection catalog. All risks contained here can be used in a risk analysis according to ISO 27005 – thus allowing verinice to maintain risk assessments by drag-n-drop.

verinice.PRO additionally contains a catalog with generic risk scenarios. The catalog is broken down into threats and vulnerabilities in order to enable a simple and realistic risk assessment. You can even add the risk catalog to the basic verinice standalone version by buying it in the verinice.SHOP.

Asset Register

Use verinice to maintain your processes and information assets. An asset register in accordance with ISO 27001 (Inventory of Assets) can be exported with the click of a button.

Link your assets with processes, process owners and other assets. verinice is capable of automatically inheriting business impact values in the asset tree. Additional filtering and processing functions such as the mass editor simplify the daily work furthermore.

A variety of import and export formats (e.g. CSV, XML, XLS ...) facilitates the transfer of data from existing sources and enables further processing with other tools.

Information Security Assessment (ISA)

Questionnaires such as the Information Security Assessment (ISA) of the German Association of the Automotive Industry (VDA) offer a guided self assessment based on the ISO 27002. The ISA gives organizations across all industries the opportunity to assess their own state of information security or to learn about those of their contractors. In close cooperation with the VDA the verinice.TEAM has developed the ISA working perspective. The VDA ISA Catalog is available in German and English and is included by default in verinice.

With about a days effort verinice helps you

  • to assemble a snapshot of the state of information security in your organization.
  • to visualize the results and
  • to communicate the status to the company's management or
  • to determine the progress within an IS project. 

With verinice and the VDA ISA you succeed with your firs steps in information security management.

IT Baseline Protection

verinice has licensed the IT Baseline Protection Compendium published by the German Federal Office for Information Security (BSI). The full text is available in English, too – especially international teams benefit from this, simplifying the work with the IT Baseline Protection significantly.

Users of the native ISO 27001:2013 can profit from the catalog of risks and controls as well: during risk assessment and risk treatment the Baseline Protection Catalogs can be used as a comprehensive database, e.g. on specific topics like Windows or SAP. All risks can be used as scenarios in an individual risk assessment. Simply drag-and-drop the risks or whole modules into the risk model.

Documents and Records

verinice simplifies managing your ISMS documentation:

  • Insert regulations, policies and records of any kind in verinice in a structured and logical way.
  • Maintain metadata such as author, version and release.
  • Keep everything auditable with several versions.

The documents can be either stored directly in the verinice database or referenced by URL to external sources (DMS, wiki, etc.). Bring your entire document pyramid together at a central location, no matter how scattered the documents are in your organization.

All of these functions are available in the standard version of verinice. With verinice.PRO you gain the possibility to deploy a central document repository to which multiple users can access from different locations.


Creating reports for auditors, the management, process owners and compiling reference documents for the certification process, is one of the strengths of verinice.

verinice reports are used to document as well as to support the decision-making and planning. They indicate the state of information security in your organization with tables and charts.

All reports can be generated in a variety of formats for publishing or further editing. These include: PDF, HTML, DOC, XLS, ODT, ODS.

Users of verinice.PRO also receive the vDesigner - the report designer bundled with verinice.PRO. Thus, all of the templates can be adapted, including contents and the branding / corporate design. You can even create completely individual reports.


Main concept of verinice is to be open. The tool is published as open source software, uses open standards and provides numerous interfaces itself.

The Inventory / Asset-Import (XML interface) or the full-text search with CSV export are just two of many import and export formats of verinice. They facilitate the transfer of data from existing sources and further processing it with other tools. This allows, for example, to import own catalogs to implement individual work requirements or standards.

The integration of verinice with an Open Vulnerability Assessment System (OpenVAS) such as the Greenbone Security Manager (GSM) advances vulnerability scans to a centrally controlled process for vulnerability management. With the BIRT-based vDesigner custom reports can be created and used in verinice.

Audits & Certifications

verinice enables efficient and sustainable audits, regardless of whether you use the tool for internal or external audits. Standard catalogs such as ISO 27001 or the complete contents of the BSI IT Baseline Protection Catalogs are ready-to-use once verinice is started.

ISO 27001 lead auditors, financial auditors and IT auditors benefit from prepared questionnaires, tailored data entry screens and a variety of auxiliary functions. These include the Dynamic Object Model that can be adapted to own working methods, the support for maturity models as well as the import of interview partners from an Active Directory etc.

verinice is developed by IS auditors with IS auditors and is therefore constantly adjusted to meet changing requirements.

Deutsch English Lingua italiana Český jazyk
Contact us

We are here for you!

Our sales team will be happy to help you with any questions you may have about SerNet's verinice products and services - personally and tailored to your individual interests.

You can reach us directly by phone at +49 551 370000-0.
Send us an email at vertrieb@remove-this.sernet.de.

* mandatory fields
© SerNet GmbH, 2024