devguard is where compliance consultancies, vCISOs and MSPs run their client ISMSs. Each client is its own isolated workspace, your methodology and your structure, with one login across all of them. Swiss-hosted, on-prem possible. We don’t consult and we don’t resell, so we never compete for your mandates.
You run the mandates and keep the client relationship. devguard is the tooling underneath, and the first migration is work we do for you. Here’s exactly what’s self-serve and what the conversation adds — no number on the page, because the right per-client price depends on your mandate mix and we work it out together.
In devguard every client is its own workspace — its own data, members and frameworks kept fully separate, the isolation your clients expect. One login belongs to all your client workspaces, and you switch between them in a click, instead of juggling a tool per client.
The cross-mandate overview above is in design — a single view of every mandate, so you spot the client with a review due before they call. Today that’s real isolation plus one-click switching; the overview is where this is heading, and the first partners shape it.
Set up each client on your own method, then keep them audit-ready through the same loop: coverage, policies, reviews, audits and the reports you hand over.
Control coverage per framework moves from unknown to partial to full as you map each control to the policies, assets and risks that satisfy it. An open gap is visible months out, not the week before a surveillance audit.
Author each client’s policies in devguard, then move them draft, needs-approval, published, with the version history kept. The auditor sees the policy and the approval that stands behind it, per mandate.
Asset, risk and vendor reviews each run draft to in-progress to completed, with findings, recommendations and the next review date set on completion. Deadlines surface early, so a review never sneaks up the week it’s due.
Log audit findings with their root cause and the corrective measure, each with its own deadline, and carry every non-conformity through to closed. The state of an internal audit is something you can show, not reconstruct.
Generate the documents an auditor expects as PDFs — the Statement of Applicability, plus audit, risk, asset, vendor, policy and review reports. The artifact you hand over per client is produced from the live workspace, not assembled by hand the night before.
Not a metrics wall (we're early; we won't invent numbers). The differentiators we can stand behind today:
The ISMS core is the product; training and device monitoring aren't a separate invoice.
You control where client data sits, and it exports in full whenever you ask.
Your structure and process stay yours; devguard is where the work lives, not a method imposed on you.
No consulting arm, no certification services, nothing resold to your clients — by design and by capacity.
Hosted in Switzerland by default, on-prem possible, German and English throughout — so when a client asks where their compliance evidence sits, you have a precise answer. Your data exports in full, any time.
No empty workspace handed over. Pick one low-stakes mandate. We migrate its existing ISMS into devguard ourselves, on a fixed scope and a fixed date, and nothing is switched over until you’ve checked it side by side. Then you run from there, and your data exports in full whenever you want it.
We agree exactly what the first migration covers, which frameworks and how much evidence, so there’s no open-ended engagement.
The founder moves the ISMS from wherever it lives today, whether spreadsheets, Word or Confluence, on an agreed schedule, not a ticket queue.
You check the auditor-facing trail side by side. When you’re satisfied, the mandate is live and you run it from there.
No. devguard has no consulting arm and sells no certification services, by design and by capacity, and that won’t change. We don’t resell to your clients either. You stay the expert your client hired; devguard is where your delivery work lives.
Yes. Each client is its own workspace, with its own data, members and frameworks kept separate, so nothing leaks between mandates. One login belongs to all of them and you switch between them in a click.
Per client, with a one-time setup fee for the hand-migration. There’s no published number because the right one depends on your mandate mix, so we work it out together in the conversation. Once it’s set, it isn’t re-negotiated against you later.
Ten PDF report types generated from the live workspace, including the Statement of Applicability, plus audit, risk, asset, vendor, policy and review reports. You produce them per client instead of assembling documents by hand before the audit.
Hosted in Switzerland by default, in German and English. On-prem is possible, so client data residency stays under your control, which matters when your clients ask where their compliance evidence sits.
No lock-in by design: your data, your clients’ policies and evidence are yours, exportable to CSV and PDF whenever you want. For the migration, we take one client’s existing ISMS, wherever it lives today, and move it into devguard ourselves at a fixed price on a fixed date. Nothing is switched over until you’ve reviewed it side by side and you’re satisfied the auditor-facing trail is intact.
A 20-minute conversation, peer to peer — not a sales demo. How your delivery works today, whether devguard fits, and what moving a first client would look like.