devguard keeps your ISMS audit-ready year-round, so the surveillance audit is a check, not a two-week fire drill. Whether you’re earning your first certificate or keeping the ones you have, the gap list is visible months out, not the week before. Swiss-hosted, German and English, on-prem possible. If you’re moving off another tool, we migrate your existing ISMS across ourselves, at a fixed price on a fixed date.
Most tools optimize for getting the first certificate. The expensive part is the years after — the spreadsheet sprawl, the evidence you reassemble from memory the week before an audit, the client (or control) you haven't looked at since last cycle. That's the part no first-cert tool was built for.
Set your frameworks up once, then keep them audit-ready through the same loop: coverage, reviews, audits, policies and the reports you hand the auditor.
Control coverage per framework moves from unknown to partial to full as each control maps to the policies, assets and risks that satisfy it. An open gap shows up months before the surveillance audit, not the week of it.
Asset, risk and vendor reviews each run from draft to in-progress to completed, with findings, recommendations and the next review date set on completion. A deadlines view surfaces what’s due early, so the cadence holds across the year instead of bunching before the audit.
Log audit findings with their root cause and corrective measure, each with its own deadline, and carry every non-conformity through to closed. When the auditor returns, the state of the last cycle is something you show, not reconstruct.
Author your policies in devguard, then move them from draft to needs-approval to published, with the full version history kept. The auditor sees the current policy and the approval standing behind it, without you digging through email.
Generate the documents an auditor expects as PDFs, including the Statement of Applicability, plus audit, risk, asset, vendor, policy and review reports. The artifact you hand over is produced from the live workspace, not assembled by hand the night before.
Not a metrics wall (we're early; we won't invent numbers). The differentiators we can stand behind today:
Reviews run on a cadence and gaps surface early, so readiness is a state you hold across the year, not a sprint before each audit.
The ISMS core is the product. Policies, reviews, audits and reports are one workspace, not a separate invoice each.
You control where your evidence sits, in German and English, and it exports in full whenever you ask.
Versioned policies, tracked findings and ten report types including the Statement of Applicability, in the shape an audit expects.
You run your ISMS and keep it audit-ready in the workspace. If you’re moving off another tool, the first migration is work we do for you. Here’s exactly what’s self-serve and what the conversation adds — no number on the page, because the right price depends on your setup and we work it out together.
Hosted in Switzerland by default, on-prem possible, German and English throughout — so when a customer or auditor asks where your compliance evidence sits, you have a precise answer. Your data exports in full, any time.
No empty workspace handed over. If you’re switching from another tool, we migrate your existing ISMS into devguard ourselves, on a fixed scope and a fixed date, and nothing is switched over until you’ve checked it side by side. Then you run from there, and your data exports in full whenever you want it.
We agree exactly what the migration covers, which frameworks and how much evidence, so the engagement isn’t open-ended.
The founder moves your ISMS from wherever it lives today, whether another tool, spreadsheets, Word or Confluence, on an agreed schedule, not a ticket queue.
You check the auditor-facing trail side by side. When you’re satisfied it’s intact, you’re live and you run from there.
Yes. We take your existing ISMS, wherever it lives today, whether another tool, spreadsheets, Word or Confluence, and move it into devguard ourselves, at a fixed price on a fixed date. Nothing is switched over until you’ve reviewed it side by side and you’re satisfied the auditor-facing trail is intact.
A 15-minute conversation, not a sales demo. How your ISMS works today, whether devguard fits, and what moving it across, or earning a first certificate, would look like.
Yes. devguard is the ISMS whether you’re earning your first certificate or keeping the ones you have. Coverage shows what each framework still needs, policies and reviews give you the trail, and the reports are the documents an auditor expects. We won’t put a date on your certification (that’s between you and your auditor), but the workspace is the same one certified companies use to stay ready year-round.
Ten PDF report types generated from the live workspace, including the Statement of Applicability, plus audit, risk, asset, vendor, policy and review reports. You produce them on demand instead of assembling documents by hand the week before the audit.
Asset, risk and vendor reviews run on a cadence, each with its next review date set on completion, and a deadlines view surfaces what’s due early. Control coverage per framework shows open gaps months out, so the work spreads across the year instead of bunching before a surveillance audit.
Hosted in Switzerland by default, in German and English. On-prem is possible, so your data residency stays under your control — which matters when a customer or auditor asks where your compliance evidence sits.
No lock-in by design. Your policies, evidence and review history export to CSV, and your reports to PDF, whenever you want. The export is part of the product, not a favour you have to ask for.