We port your ISMS estate from verinice, HiScout, Eramba, SAVe/QSEC or Secfix into a modern workspace. Structured, traceable, mapped to your frameworks.
Why migrate
Migration is not a goal in itself. It pays off when the legacy tool creates more friction than value.
Java desktop clients, slow releases, no self-service. Your team avoids the tool, and the ISMS withers on paper.
Classic GRC tools hand you empty checklists. We hand you context-aware suggestions for risks, controls and policies.
Legacy tools sell consulting through external partners. Here, consulting is its own pillar, documented in the workspace.
Four phases
Standard migration in four phases over four to eight weeks. Enterprise migrations with large data volumes or on-premise sources run longer and are planned individually.
We assess your legacy tool, its data model and the export options. Scope, goal and interfaces are set.
We map your data model onto KaitoSec structures and run a dry import into a sandbox. Rehearsal before the real cutover.
Structured import into the production workspace. Every object carries its source reference for the audit trail.
Sign-off by your team, admin training, decommission of the legacy tool. KaitoSec becomes the source of truth.
What we migrate
What the legacy tool keeps structured, we move structured. What sits as PDFs on SharePoint lands as linked documents in the workspace.
IT systems, applications, sites, owners, classification.
Risk assessments with likelihood, impact and control mapping.
Control catalogue with owners, status and due dates.
Existing policies. Optional mapping to templates from the Open Compliance Registry.
Audit evidence, training records, minutes. Linked back to the source or attached.
Existing framework mappings (ISO 27001, BSI Grundschutz, NIS2, DORA) ported or recreated.
Source systems
We have migration paths documented for the common DACH ISMS tools. Other sources we vet in the discovery call.
Java desktop client from 2007, heavy setup, no AI. verinice.veo (SaaS) is still rolling out, and the migration between verinice generations is itself non-trivial.
We import
Asset trees, BSI Grundschutz modules, risks, ISO 27001 controls, documents. Export via verinice XML or CSV.
Enterprise suite with a complex data model, long rollouts, no free tier. Often oversized for SMB.
We import
ISMS, BCMS and DSMS data, mappings, risks, controls. Export via HiScout interface or structured reports.
Open source, but Community Edition is limited. Self-hosting costs time, no DACH support, no BSI Grundschutz.
We import
Controls, risk register, policy library, audit plans, incidents. Export via Eramba API or CSV.
Classic on-premise tools with a dated architecture. Internal maintenance burden grows, modernisation pressure rises.
We import
Control catalogues, asset lists, audit reports. Export via CSV or database dump after review.
Automation-first, but no BSI Grundschutz, no on-premise option, no structured consulting mandate.
We import
Controls, evidence, risk register, policies, integration state. Export via Secfix API or CSV.
What we commit to
Migration is touchy. We treat it like an audit: structured, documented, ready to sign off.
Sandbox first, production workspace second. You see the result before the legacy tool gets switched off.
Every imported object carries the source ID. End-to-end audit trail from old system to new.
The legacy tool stays read-only for 30 days. If something is missing, we fetch it. Only then do we decommission.
Standard migrations as fixed price. Edge cases (large volumes, custom interfaces) on time-and-materials with a cap.
After migration, customer success takes over. Onboarding weeks plug in directly.
We assess your legacy estate for free in the discovery call and quote a fixed price, duration and risks.