verinice.
The open-source ISMS tool

verinice is an ISMS tool – a tool for managing information security. As a standard application for Windows, Ubuntu Linux and macOS, it enables a quick start with ready-to-use solutions for BSI IT-Grundschutz, ISO 27001 and an efficient link to data protection (DSMS) and emergency management (BCMS). verinice is customizable, offers flexible expansion options and is scalable. It is also the only tool of its kind under an open source license (GPLv3) with fully disclosed source code. verinice is available as an annual subscription and can be enhanced with additional modules. verinice.PRO is the application server for the verinice client and enables distributed work in teams.

The new verinice is currently being released step by step by SerNet under the name verinice.veo. More information can be found on these web pages.

ISMS

verinice is an ISMS tool for information security management. The software is available for download as open-source software under the GPLv3 license.

verinice is suitable:

  • for operating an ISMS according to ISO 27001
  • for implementing BSI IT-Grundschutz
  • for risk analysis according to ISO 27005
  • for an Information Security Assessment (ISA) according to VDA requirements (VDA ISA)
  • in general for working with the following standards: ISO 27001, ISO 27002, ISO 27005, ISO 27018, ISO 27019, ISO 27004, BSI 200-1 to -4, PCI DSS, COBIT, BDSG, EU DSGVO, SSAE 16, BCBS 239, ISAE 3402, MaRisk-E, SREP, VDA ISA, IDW PS 330, IDW PH 9.330.1

verinice supports the operating systems Windows, Linux and macOS and has certified the IT-Grundschutz Compendium of the BSI.

All relevant standards are either available in the tool or can be easily implemented. All data, including all created documents, are stored in an object database that is adapted to the requirements of IS management and can be dynamically expanded.

IT-Grundschutz (BSI)

verinice has licensed the BSI IT-Grundschutz Compendium and integrated it into the ISMS tool. The specially tailored basic protection perspective enables you to work in a focused manner.

With verinice, you can start modeling your IT security concept immediately. You follow the IT-Grundschutz approach according to BSI standard 200-2. verinice supports you in structural analysis, defining and assigning protection requirements, and automatic protection requirement inheritance. Define and manage role and authorization concepts. Perform basic security checks, additional security checks or guided risk analyses (BSI standard 200-3). Create an implementation and test plan.

With the end of GSTOOL, all users had to switch to a new tool. Exactly one successor – verinice – is

  • written under the GPL as free software,
  • licensed with the BSI,
  • programmed without backdoors,
  • and available with its source code publicly stored on GitHub.

Risk Analysis

With verinice, you can perform a complete risk analysis of your information assets and derive further actions from the results.

  • Capture threats and vulnerabilities from existing sources such as a vulnerability scanner or penetration tests.
  • Use the results in your risk analysis and automatically create a risk assessment for all assets.
  • No matter whether you assess your risks according to ISO 27005, BSI-Standard 200-3 or another method: verinice supports you!

Create your own risk scenarios or use the BSI IT-Grundschutz catalog of hazards. All hazards can also be used in a risk analysis according to ISO 27005. verinice enables you to do risk assessments conveniently via drag-and-drop.

verinice.PRO also includes a catalog of generic risk scenarios. It is broken down into threats and vulnerabilities to enable a simple and realistic assessment of risks. You can purchase the risk catalog for the verinice single-user version via the verinice shop.

Self Assessments (VDA ISA) and TISAX

Questionnaires such as the Information Security Assessment (ISA) of the German Association of the Automotive Industry (VDA), which is based on ISO 27002, give organizations in all industries the opportunity to assess the state of information security in their own organization or at their contracted service providers. In close cooperation with the VDA, the verinice.TEAM has developed its own working perspective for guided self-assessment. The VDA ISA catalog is available in German and English and is included in verinice by default.

With about one day of effort, you can get a snapshot of information security in your organization using verinice on-board tools. This is suitable

  • for communicating the status to management,
  • for determining progress within an IS project,
  • and simplifies the delivery of results.

With the combination of verinice and VDA ISA, you can get started with IS management immediately.

Asset Register

With the help of verinice, you can maintain your processes and information assets. An asset register in the sense of ISO 27001 (inventory of assets) can be exported at the push of a button.

Link your assets to processes, process owners and other assets. verinice handles the automatic inheritance of business impact values in the asset tree. Additional filter and editing functions, such as the mass editor, further simplify your daily work.

A variety of import and export formats (CSV, XML, XLS...) make it easy to transfer data from existing sources and to process it further with other tools.

Documents and Records

Use verinice to manage your ISMS documentation:

  • Store regulations, guidelines and records of all kinds in a structured way in verinice.
  • Maintain metadata such as author, version and release.
  • Store everything in an audit-proof manner in multiple versions.

Documents can be stored directly in the verinice database or referenced via URLs in external sources (DMS, Wiki etc.). This way you can bring your entire document pyramid together in one central place, no matter how distributed the documents are created in your organization.

All these features are already included in the verinice single-user version. With verinice.PRO, you also get a central repository that can be accessed by multiple users from different locations.

Reporting

One of the strengths of verinice is creating reports for auditors, management, process owners and, finally, compiling reference documents for certification. verinice reports are used for documentation and overview, as a decision and planning aid, and to clearly show the state of information security in your organization in tables and charts.

At the push of a button, you can

  • output BSI reference documents for IT baseline protection (A1 - A7),
  • generate a VDA ISA report,
  • create instant messages or statistical summary messages for the BSI,
  • output and publish all reports in a variety of formats (e.g. PDF, HTML, DOC, XLS, ODT, ODS) or edit them further if desired.

verinice.PRO users also receive vDesigner – the verinice.PRO report designer. This allows you to customize all templates – from content to branding/corporate design – or to create your own reports from scratch.

Interfaces

verinice is open: the tool is based on open source, open standards and offers numerous interfaces itself.

The inventory/asset import (XML interface) or the full-text search with CSV export are just two of verinice's import and export formats. They make it easier to transfer data from existing sources and to process it further with other tools. This makes it possible, for example, to import your own catalogs with which you can implement individual work specifications or standards.

The coupling of verinice with an Open Vulnerability Assessment System (OpenVAS) such as the Greenbone Security Manager (GSM) integrates vulnerability scans into a centrally controlled process for vulnerability management.

With the BIRT-based vDesigner, you can create customized reports and use them in verinice.

Audits & Certifications

With verinice, you can design audits efficiently and sustainably, whether you use the tool for internal or external audits. For example, you can access standard catalogs such as ISO 27001 or the complete BSI IT-Grundschutz Compendium.

For IT-Grundschutz auditors, special input masks and customized reports ensure maximum efficiency in certification audits, particularly when verifying the basic security check. ISO 27001 lead auditors, auditors and IT auditors benefit from prepared questionnaires, input masks and a variety of help functions. These include a dynamic object model that can be customized to suit your own working methods, support for maturity models, and the ability to import interview partners from an Active Directory, to name just a few.

verinice is developed by IS auditors for IS auditors and is therefore constantly being adapted to meet practical needs.

United in security

One of verinice's strengths lies in the vibrant and dedicated community that has formed around the project. This community consists of users, developers and security experts. The regular exchange provides the verinice team with valuable feedback, innovative ideas and practical solutions – promoted by the annual verinice.XP conference, regular workshops, a community platform and a vibrant partner network.

This close collaboration ensures that verinice is a solution from practitioners for practitioners.
