What Is VdS 10000?

The guideline VdS 10000 contains specifications and offers concrete assistance for the implementation of an information security management system, especially for small and medium-sized enterprises (SMEs). It also describes concrete measures that can be used to secure the IT infrastructures of these companies in order to achieve an appropriate level of protection. VdS 10000 replaces the predecessor standard VdS 3473.

What is VdS 10000?

The full title of the VdS 10000 guideline is "Information Security Management System for Small and Medium-sized Enterprises (SMEs)." The guideline was developed and published by VdS Schadenverhütung GmbH and replaced the predecessor standard VdS 3473 in 2018. VdS Schadenverhütung GmbH is a wholly-owned subsidiary of the German Insurance Association (GDV) and describes itself as the largest institute for corporate security in Europe.

The content of VdS 10000 includes specifications and concrete assistance for implementing an information security management system (ISMS), especially in small and medium-sized enterprises. It also describes concrete measures that can be used to secure the IT infrastructures of these companies in order to achieve an appropriate level of protection.

The guideline was developed with the aim of achieving an appropriate level of protection without overburdening SMEs financially or organizationally. It is upwardly compatible with ISO/IEC 27001 and IT-Grundschutz but requires considerably less effort: it is essentially a subset of IT-Grundschutz and can serve as a starting point for later implementing an ISMS in accordance with ISO/IEC 27001. Companies can be certified to VdS 10000 in just a few steps.


Compared to the predecessor standard VdS 3473, some details have been improved, terminology adapted or changed, and errors corrected. The VdS 10000 guideline is industry-neutral and available to the public free of charge. It is supplemented by VdS 10020, a guideline for implementing and interpreting VdS 10000 in industrial automation systems.

Content of the guideline

VdS 10000 is 43 pages long in total, 29 of which contain specific recommendations and measures. How binding each recommendation or measure is follows from the modal verb used: "can", "should not", "should", "must not" and "must". The IT resources named in the guideline are classified into two levels, "critical" and "non-critical".

For non-critical resources, simple basic protection is sufficient. For critical resources, VdS 10000 requires extended security measures, and an individual risk analysis and risk treatment must be carried out for each of them. The guideline also requires the adoption of an information security policy and a continuous improvement process.

Certification according to VdS 10000

Certification according to VdS 10000 usually takes place in three steps:

  1. Web-based self-assessment with questions on the various fields of action
  2. Quick audit by independent auditors on-site to check the status of information security
  3. Actual certification by the VdS certification body

Advantages of certification according to VdS 10000

Certified small and medium-sized companies benefit from, among others, the following advantages:

  • Proof that the company is technically and organizationally prepared for the most important attack scenarios and has suitable defense and protection measures in place
  • Better transparency of existing risks
  • Easier transfer of residual risks to insurers
  • Greater trust in the company among customers, business partners, suppliers and insurers
  • Competitive advantage over non-certified competitors