VdS 10000 Consulting

The VdS Guideline 10000 for information security defines minimum requirements for an information security management system for small and medium-sized companies. It is based on the recognized standards ISO 27001 and BSI basic protection. With around 20% of the effort that ISO 27001 requires, companies can derive measures and processes from the VdS guideline that give them an appropriate level of protection for their IT.

VdS Schadenverhütung in Cologne has hit the bull's eye with VdS 10000 and its predecessor, VdS 3473. VdS 10000 is the ideal solution for small and medium-sized companies for whom ISO 27001 is too complex, BSI basic protection too powerful and ISIS 12 too opaque. VdS 3473 was already honored with the "Security Innovation Award" in 2018. VdS 10000 is even simpler and more clearly structured and makes it possible to set up basic information security management even with limited resources.

In order to minimize the analysis effort, the standard only differentiates between "critical" and "non-critical" IT resources. Critical IT resources are essential for the company and their loss typically jeopardizes its existence. Everything else is non-critical. Basic protection has been defined for non-critical IT resources, which must be implemented if technically possible. Only if a company decides not to implement basic protection is a risk analysis necessary in order to minimize the resulting risks. For critical IT resources, VdS 10000 requires extended protective measures as well as an individual risk analysis and treatment.

Implementation of VdS 10000

VdS 10000 can be implemented in just a few steps.

  1. Determination of the business processes
  2. Identification of sensitive information
  3. Identification of critical systems
  4. Risk analysis of the critical systems
  5. Implementation of basic protection
  6. Definition and implementation of additional measures
  7. Creation of necessary concepts and procedures
  8. Informing and sensitizing employees
  9. Annual and ad hoc review of concepts and procedures

The first step is to determine the existing business processes in the company. This determination can be based on the existing structure of the company. The business processes do not have to be described down to the last detail. It is more important to determine which of these business processes are critical for the company, i.e. could threaten its existence in the event of a failure. The existential threat is derived, for example, from major revenue losses or high contractual penalties.

The second step involves identifying other particularly sensitive information that is independent of these business processes and is also critical for the company. This includes research and development data, for example, but also personal data that is particularly worthy of protection. Both the loss of this critical data and its damage or unwanted publication can result in damage that potentially threatens the company's existence.

The IT systems that are required for critical business processes to be carried out or on which critical data is stored or processed are then identified. These IT systems may include, for example, a merchandise management system that is a prerequisite for all orders or a database system on which particularly confidential data is stored.

According to VdS 10000, a risk analysis is required for critical systems in order to identify particular hazards. The risk analysis procedure used is not specified in VdS 10000, but the standard recommends using proven standards such as BSI 200-3 or ISO 27005.

Basic protection must be implemented for all non-critical systems. Basic protection includes the secure procurement of software from trustworthy sources, the restriction of network traffic, e.g. by means of a firewall, the logging of errors and login attempts, protection against malware, the authentication of users and the restriction of administrative rights.

Further measures are required for critical systems, which are defined in the standard, e.g. documentation, data backup and monitoring, but which may also result from the risk analysis.

In addition to the documentation of the systems and infrastructure, a series of guidelines and various procedures must also be documented. Guidelines are necessary, for example, for the use of mobile IT systems, for the use of cloud computing, for data backup and for the handling of faults, failures and security incidents. Procedures define the workflows and processes that are required, for example, for the commissioning and decommissioning of IT systems, for the loss of mobile IT systems and data carriers or for data backup.

The policy, guidelines and all procedures must be put into effect by management, and all affected employees, as well as employees of service providers and contractual partners, must be informed. In addition, all guidelines and procedures must be reviewed regularly and as required, e.g. in the event of security incidents, and revised if necessary.

Our Service

We support you with the introduction of VdS 10000, starting with the development of the concepts through to the final audit.

SecuriZen is our tool for the professional introduction of VdS 10000 in your company. With SecuriZen you can record your business processes, carry out your risk analysis, define measures and track the status of implementation. You can also create all the necessary guidelines and procedures directly with SecuriZen and use our extensive templates.

We also advise you on implementation, implement additional security measures on request, train and sensitize your employees and prepare you for the audit by VdS Schadenverhütung.