VdS 10005 ISMS for SMEs

The guideline VdS 10005 "Minimum requirements for information security in small and micro-enterprises" from VdS Schadenverhütung GmbH is an easy-to-implement, systematic and expandable approach to increasing security in your company quickly and cost-effectively. The guideline has been developed for companies in which around 20 employees work predominantly with IT systems and applications.

Requirements for Information Security

The guideline sets out requirements for information security, which are divided into the following chapters:

1. Responsibilities

Responsibility for implementing the guideline must be defined. It can lie with the management, but also with an employee or an external person. In addition, at least one qualified administrator should be appointed. Note that many cyber insurers also require system administration to be carried out by a dedicated administrator.

2. Usage Policy

A usage policy that sets out rules for handling IT must be established; it is binding for all employees, including external staff. In addition, a procedure must be defined for granting and withdrawing access rights, for example when an employee joins or leaves the company.

3. IT Systems and Applications

IT systems must be inventoried and a procedure for secure commissioning and decommissioning must be defined. All IT systems must be protected against malware by suitable measures. Applications may only be obtained from trustworthy sources and must be licensed. Suitable security measures must be established for mobile IT systems and data carriers.

4. Networks

Active network components must be secured in the same way as IT systems. Network transitions, especially to the Internet, must be secured by suitable measures, e.g. firewalls. Network traffic must be suitably restricted.

Exposed services, e.g. those accessible from the Internet, must be kept to a minimum and secured by multi-factor authentication and/or a VPN.

Wireless networks must be protected according to current security standards.

5. Physical Infrastructure

Where appropriate and necessary, systems must be protected by structural measures (server rooms, lockable cabinets), air conditioning and an uninterruptible power supply.

6. Data Storage Locations and Data Backup

The locations where the data of the organization may be stored must be defined. It is advisable to set up a central repository to make data backup and recovery easier.

All company data must be backed up according to a plan. Backups must also be stored off-site, e.g. via cloud backup.

7. Emergency Concept

An emergency concept with a restart plan must be prepared for the event of an emergency. The restart plan must contain the necessary steps, and their sequence, for restoring operational capability.

8. IT Service Providers

Contracts must be concluded with IT service providers and cloud providers that regulate the obligations of the service providers. Where necessary, service providers must be obliged to comply with the usage policy. If personal data is processed, a data processing agreement must be concluded.

Our Service

We support you in introducing and implementing all appropriate and necessary measures to secure your infrastructure. Our cloud-based ISMS tool "SecuriZen" lets you record your business processes, information, IT systems and applications in a VdS-compliant manner. SecuriZen also contains all the necessary guidelines and procedures.