VdS 10000

from Wikipedia, the free encyclopedia

The guideline VdS 10000 - Information Security Management System for Small and Medium-Sized Enterprises (SMEs), published by VdS Schadenverhütung GmbH, provides guidance and assistance for implementing an information security management system, together with concrete measures for the organizational and technical protection of IT infrastructures. It is designed specifically for SMEs and for small and medium-sized organizations, with the aim of ensuring an appropriate level of protection without overburdening them organizationally or financially. VdS 10000 is the successor to VdS 3473.

Characteristics

VdS 10000 is upwardly compatible with ISO/IEC 27001 and with IT-Grundschutz. It is 43 pages long, 29 of which contain specific measures and recommendations. It uses clear language rules for the binding nature of measures ("must" / "must not" / "should" / "should not" / "can"). To minimize the analysis effort, VdS 10000 distinguishes only between "non-critical" and "critical" IT resources, and the threshold for classifying an IT resource as "critical" is set very high. For non-critical IT resources, a simple baseline protection is defined, which must be implemented wherever technically possible. If the implementing organization decides against implementing individual measures, it must carry out an appropriate risk analysis and risk treatment in order to record and handle the resulting risks. For critical IT resources, VdS 10000 requires extended security measures as well as an individual risk analysis and treatment.

For various topics (identification of critical IT resources, environment, data backup and archiving, procedures and risk management), VdS 10000 recommends implementing established standards from the areas of business continuity management, physical IT security, quality management and risk management. Companies may instead define their own procedures, but these must implement a few key aspects of the established standards. Part of VdS 10000 is the establishment of a security policy, corresponding guidelines and procedures, and a continuous improvement process.

In the course of the revision, errors in VdS 3473 were corrected, and implementation was made easier through detailed improvements, in particular a further reduction of the analysis effort.

Development history

VdS 10000 is the successor to VdS 3473. Like its predecessor, it was developed by a project team of VdS and external experts with public participation. The work steps were published at short intervals throughout the development phase, giving interested parties the opportunity to submit their own optimizations and change requests. The VdS guideline has been available since November 2018 and is available to the public free of charge.

Relationship to VdS 10010

VdS 3473 (the predecessor of VdS 10000) served as the template for VdS 10010 ("VdS guidelines for the implementation of the GDPR"), published on December 15, 2017. For example, Chapters 1 to 8 of both guidelines are almost identical.

International recognition

CFPA Europe, the European association of more than 20 national security organizations, published its guideline CFPA-E Guideline No 11: 2018 S, "Guideline on Cyber Security for Small and Medium-sized Enterprises", in March 2019. CFPA-E Guideline No 11: 2018 S is based on VdS 10000 and is likewise available free of charge. The European insurance association Insurance Europe has officially endorsed the new guideline.

Supportive measures

A VdS certificate can be obtained for the implementation of VdS 10000. To make it easier for organizations that want their information security certified on the basis of VdS 10000, VdS has developed two upstream instruments.

  • In a web-based self-assessment, companies can gain an initial overview of the current status of their information security and clarify any need for action. The self-assessment consists of 39 questions on the fields of organization, technology, prevention and management. It concludes with a brief analysis using a traffic light system and a detailed status report on the information security of the company completing it. A quick check following the same system, aimed specifically at process automation technology, has also been online since CeBIT 2016.
  • In an optional second step, companies can have an audit carried out on the results of the self-assessment. The audit, which usually takes one day, is carried out on site by an auditor from VdS Schadenverhütung GmbH, who checks the status of the information security and, if necessary, identifies further improvement needs.

Awards

In 2016, VdS 3473 received the "Security Innovation Award", known as the "Industry Oscar" of the world's leading trade fair for loss prevention, "Security" in Essen.
