Skip to main content

verinice is a tool for managing information security. The software comes without license or subscription costs and is provided under the GPLv3 license. As open source software, it is available for free.

You can use verinice for:

  • establishing, maintaining and improving an ISMS based on ISO 27001

  • assuring the compliance with standards such as ISO 27002, BSI IT-Baseline Security, VDA IS-Assessments and many more

  • performing risk analysis based on ISO 27005

  • auditing, document management, report generation and much more

verinice runs on Windows, Linux and Mac OS.


For more information, please visit our homepage:




verinice helps you to build and operate your management system for information security (ISMS). Whether you base it on ISO 27001, BSI IT Baseline Protection, IDW PS 330 or another standard: verinice supports you in your daily work as a CISO or IT Security Officer.

All relevant standards are either already integrated in the tool or can be easily imported. All data is stored in an object model that is tailored to the requirements of information security and is dynamically expandable. This makes your data the basis for a sustainable IS process.


Risk Assessment

verinice lets you execute a full risk analysis of your information assets and derive further actions from the results. Add threats and vulnerabilities from various existing sources such as a vulnerability scanner or penetration test. Use the results in your risk analysis and automatically perform a risk assessment for all assets. Whether you identify your risks according to ISO 27005, BSI Standard 100-3 or any other process: verinice supports you!

Build your own risk scenarios as part of your risk assessment workshops – or resort to the risks listed in the BSI IT Baseline Protection catalog. All risks contained here can be used in a risk analysis according to ISO 27005 – thus allowing verinice to maintain risk assessments by drag-n-drop.

Don't even think about starting your risk assessment with Excel spreadsheets – the resulting redundancies inevitably lead to chaos in the future. Rather start with verinice instead.

verinice.PRO additionally contains a catalog with generic risk scenarios cumulated by experienced consultants. The catalog is assiduously broken down into threats and vulnerabilities in order to enable a simple and realistic risk assessment. You can even add the risk catalog to the basic verinice standalone version by buying it in the verinice.SHOP.


Asset register

Using verinice gives you the possibility to maintain your processes and information assets. An asset register within the meaning of the ISO 27001 (Inventory of Assets) can be exported at the push of a button.

Link your assets with processes, process owners and other assets. verinice is capable of automatically inheriting business impact values in the asset tree. Additional filtering and processing functions such as the mass editor simplify the daily work furthermore.

A variety of import and export formats (CSV, XML, XLS ...) facilitates the transfer of data from existing sources and further processing with other tools.


Information Security Assessment (ISA)

Questionnaires such as the Information Security Assessment (ISA) of the German Association of the Automotive Industry (VDA) offer a guided self assessment based on the ISO 27002. The ISA gives organizations across all industries the opportunity to assess their own state of information security or to learn about those of their contractors. In close cooperation with the VDA the verinice.TEAM has developed the ISA working perspective. The VDA ISA Catalog is available in German and English and is included by default in verinice.

With about a days effort verinice helps you to assemble a snapshot of the state of information security in your organization. verinice makes it easy to visualize the results and to communicate the status to the company's management or to determine the progress within an IS project. By combining verinice and the VDA ISA you succeed so well the first contact and the opportunities provided the subject information systems management.

Since version 1.10 verinice supports the new edition of the VDA IS-Assessment in version 2.x. Apart from the actual catalog, the method of calculating the averages and the "Total Security Figure" have been adjusted. The issued report includes radar charts for each chapter shows the reached maturity and the target level of maturity . A consolidator allows the acquisition of assessment results, which are carried out according to the VDA 1.x standard.


IT Baseline Protection

verinice has licensed the IT Baseline Protection Catalogs published by the German Federal Office for Information Security (BSI). The full text is available in English – especially international teams benefit from this, simplifying the work with the IT Baseline Protection significantly. Users of the native ISO 27001:2013 can profit from the comprehensive catalog of risks and controls as well: during risk assessment and risk treatment the Baseline Protection Catalogs can be used as a comprehensive database, e.g. on specific topics like Windows or SAP. All risks can be used as scenarios in an individual risk assessment. Simply drag-and-drop the risks or whole modules into the risk model. The catalogs, containing more than 1,500 Baseline Protection controls, will proof to be useful during risk treatment. As specific controls, they supplement the generic requirements of ISO / IEC 27002:2013. The English IT Baseline Protection Catalogs correspond to the 13th catalog update from the BSI.


Managing documents and records

verinice simplifies managing your ISMS documentation:

  • Insert regulations, policies and records of any kind in verinice in a structured and logical way.

  • Maintain metadata such as author, version and release.

  • Keep everything auditable in several versions.

The documents can be either stored directly in the verinice database or URLs in external sources (DMS, wiki, etc.) are referenced. Bring your entire document pyramid together at a central location, no matter how scattered the documents are in your organization.

All of these functions are available in the standard version of verinice. With verinice.PRO you're able to deploy a central document repository to which multiple users can access from different locations.



Creating reports for auditors, the management, process owners and finally compiling reference documents for the certification process, is one of the strengths of verinice. verinice reports are used to document as well as to support the decision-making and planning. They indicate the state of information security in your organization with tables and charts.

All reports can be generated in a variety of formats for publishing or further editing. These include: PDF, HTML, DOC, XLS, ODT, ODS.

Users of verinice.PRO also receive the vDesigner - the report designer of verinice.PRO. Thus, all of the templates can be adapted, including contents and the branding / corporate design. You can even create completely individual reports.



One of verinice's main concepts is to be open. The tool is published as open source software, uses open standards and provides numerous interfaces itself.

The Inventory / Asset-Import (XML interface) or the full-text search with CSV export are just two of many import and export formats of verinice. They facilitate the transfer of data from existing sources and further processing it with other tools. This allows, for example, importing your own catalogs to implement individual work requirements or standards.

The integration of verinice with an Open Vulnerability Assessment System (OpenVAS) such as the Greenbone Security Manager (GSM) advances vulnerability scans to a centrally controlled process for vulnerability management. The connection of verinice to OTRS combines service management and information security management. With the BIRT-based vDesigner custom reports can be created and used in verinice.


Audit & Certifications

verinice enables efficient and sustainable audits, regardless of whether you use the tool for internal or external audits. Standard catalogs such as ISO 27001 or the complete contents of the BSI IT Baseline Protection Catalogs are ready-to-use once verinice is started.

ISO 27001 lead auditors, financial auditors and IT auditors benefit from prepared questionnaires, tailored data entry screens and a variety of auxiliary functions. These include the Dynamic Object Model that can be adapted to own working methods, the support for maturity models as well as the import of interview partners from an Active Directory etc.

verinice is developed by IS auditors with IS auditors and is therefore constantly adjusted to meet changing requirements.


Technical Details


Eclipse Rich Client Platform

verinice is a Java application. The graphical surface is implemented with the Rich Client Platform (RCP).  This makes verinice platform independent while using the native GUI elements of the operating system.

Also part of the Eclipse platform is the BIRT Report Designer. All verinice reports can be customized – and you’re able to design completely new reports which can be exported as PDF, HTML or Excel (CSV) file.


Dynamic Object Model (HitroUI)

The HitroUI Framework is a part of verinice. A simple XML-file defines all fields and field types which appear in the application. So the database data and all displayed forms are generated dynamically.

This dynamic object model allows you to define additional data fields for specific objects as needed or to remove unneeded fields from the standard forms. That is how you can adapt verinice to your working methods and the requirements of your organization.



By using the object-relational mapper Hibernate, verinice is able to connect with different database systems. The supported database systems are:

  • PostgreSQL

  • Apache Derby

  • Oracle DB


Three-Tier Architecture

verinice uses a three-tier architecture where independent software modules are implemented. A centralized database and an application server provide data to the client.

The verinice.PRO application server complements the pure client with a centralized IS repository hosted in your company. It enables multiple people to work on one ISMS – even across different locations.



Detailed information

Last update


Only facilitators and authors can create content.
Non moderated