VdS 10000 Requirements: All 19 Chapters

All VdS 10000 requirements structured by chapters: organization, risk management, technology, personnel, and more.

VdS 10000 Requirements: A Complete Overview

The VdS Guideline 10000 (VdS 10000) is the successor to VdS 3473 and defines an Information Security Management System (ISMS) specifically designed for small and medium-sized enterprises (SMEs). The standard comprises a total of 75 controls across 16 thematic chapters (Chapters 4 through 19). This makes VdS 10000 a pragmatic entry point into information security without the scope and complexity of ISO 27001 and its 93 controls.

This page provides a detailed overview of all 16 requirement areas. If you are already familiar with ISO 27001, our VdS 10000 vs. ISO 27001 comparison will help you understand the key differences.

The 16 Requirement Areas in Detail

Chapter 4: Organisation of Information Security

The foundation of any ISMS: you must establish a clear organisational structure for information security. This includes appointing an Information Security Officer (ISO), defining roles and responsibilities, and engaging senior management. The management body must actively support information security and allocate sufficient resources.

Chapter 5: Information Security Policy

Senior management must approve an information security policy. This document defines security objectives, the scope of the ISMS, and the general direction of the security strategy. The policy must be reviewed regularly and updated as needed. It serves as the overarching framework from which all further policies and measures are derived.

Chapter 6: Risk Management

VdS 10000 requires a systematic risk analysis and assessment. You identify threats and vulnerabilities, evaluate likelihood and potential impact, and derive risk treatment measures. The process must be documented and repeated regularly. Compared to ISO 27001, the approach is deliberately simplified and tailored to SME needs.

Chapter 7: Personnel Security

Employees are a central factor in information security. Chapter 7 requires measures before, during, and after employment: background checks during hiring, regular awareness training and education, and clear procedures for offboarding and role changes. Every employee must understand their role in maintaining information security.

Chapter 8: Asset Management

All information assets must be identified, inventoried, and classified. This includes hardware, software, data, services, and infrastructure components. An owner must be assigned to each asset. Classification by protection requirements (confidentiality, integrity, availability) forms the basis for all subsequent protective measures.

Chapter 9: Access Control

VdS 10000 requires restrictive access controls based on the principle of least privilege. User accounts must be individually assigned, permissions reviewed regularly, and unnecessary access promptly revoked. Password policies, multi-factor authentication, and the separation of administrative and regular accounts are core requirements.

Chapter 10: Cryptography

The standard requires the proper use of cryptographic methods to protect data during transmission and storage. You must create a cryptography policy defining when and how encryption is used. Key management, the use of current algorithms, and secure key storage are essential components.

Chapter 11: Physical and Environmental Security

IT systems and sensitive areas must be protected against unauthorised physical access, environmental hazards (fire, water, power), and theft. VdS 10000 requires access control systems for server rooms, protection against environmental impacts, and policies for securely handling equipment outside business premises.

Chapter 12: Operations Security

This comprehensive chapter addresses secure IT operations: documented procedures, change management, capacity planning, separation of development and production environments, malware protection, backup, logging and monitoring, and vulnerability management. Regular backups and recovery tests are particularly important.

Chapter 13: Communications Security

The focus is on securing networks and data transmissions. VdS 10000 requires network segmentation, secure network services, and policies for information exchange. Firewalls, VPN connections, email security, and protection of network boundaries are typical implementation topics.

Chapter 14: System Development and Maintenance

If you develop or procure software, security requirements must be considered from the start (Security by Design). The standard requires secure development processes, testing of security functions, and controlled change management for existing systems.

Chapter 15: Supplier Relationships

VdS 10000 requires systematic management of information security in supplier relationships. You must contractually agree on security requirements, assess suppliers regarding their security practices, and monitor compliance. This is especially important for cloud services and IT service providers with access to sensitive data.

Chapter 16: Incident Management

Security incidents must be detected, reported, assessed, and resolved. You need clear processes for incident handling: Who reports what to whom? How are incidents escalated? How is post-incident review conducted? Lessons learned must feed back into risk management and improvement of protective measures.

Chapter 17: Business Continuity Management

Maintaining business operations during security incidents or outages is a central topic. VdS 10000 requires contingency plans, defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), and regular testing of emergency plans. The focus is on pragmatic measures that are feasible for SMEs.

Chapter 18: Compliance

You must identify and comply with legal, regulatory, and contractual requirements for information security. This includes data protection laws (GDPR), industry-specific regulations, and contractual obligations towards customers and partners. Regular compliance reviews are required.

Chapter 19: Documentation and Records

All relevant processes, decisions, and measures must be traceably documented. VdS 10000 defines requirements for the creation, control, retention, and disposal of documents. Structured documentation is not only important for the audit but forms the basis for a functioning ISMS in day-to-day operations.

Requirements at a Glance

Chapter | Topic                   | Key Focus                                | Effort
Ch. 4   | Organisation            | ISO, roles, management engagement        | Medium
Ch. 5   | Policy                  | Security objectives, scope               | Low
Ch. 6   | Risk Management         | Risk analysis, assessment, treatment     | High
Ch. 7   | Personnel               | Training, awareness                      | Medium
Ch. 8   | Asset Management        | Inventory, classification                | Medium
Ch. 9   | Access Control          | Permissions, least privilege             | High
Ch. 10  | Cryptography            | Encryption, key management               | Medium
Ch. 11  | Physical Security       | Access control, environmental protection | Medium
Ch. 12  | Operations Security     | Backup, patching, monitoring             | High
Ch. 13  | Communications Security | Networks, segmentation                   | Medium
Ch. 14  | System Development      | Security by Design, testing              | Medium
Ch. 15  | Supplier Relationships  | Contractual security, assessment         | Medium
Ch. 16  | Incident Management     | Detection, response, lessons learned     | Medium
Ch. 17  | Business Continuity     | Contingency plans, RTO, RPO              | High
Ch. 18  | Compliance              | Legal requirements, GDPR                 | Medium
Ch. 19  | Documentation           | Control, retention, evidence             | Medium

How Does VdS 10000 Compare to ISO 27001?

With its 75 controls, VdS 10000 covers the same topic areas as ISO 27001 but is deliberately leaner and more practice-oriented. The standard reduces the extensive documentation requirements of ISO 27001 and focuses on pragmatic implementation over formal completeness. This makes it ideal as an entry point into certified information security and as preparation for a later ISO 27001 upgrade. For a detailed comparison, see our VdS 10000 vs. ISO 27001 page.

How to Implement the Requirements

Implementing all 75 controls requires a structured approach. Start with a gap analysis against the 16 requirement areas and prioritise by risk and effort. Our VdS 10000 Checklist provides a 10-step plan from initial analysis through to certification. Practical technical and organisational guidance can be found on our VdS 10000 Measures page.

A typical SME with 50 to 250 employees can achieve VdS 10000 certification in 3 to 6 months. Certification costs start from EUR 3,599, which is significantly less than ISO 27001 (from approx. EUR 15,000). This makes VdS 10000 the most cost-effective option for entering certified information security.

Implement VdS 10000 requirements systematically

Kopexa maps all 75 VdS 10000 controls in one platform. The requirements catalogue is pre-loaded, progress is tracked in real time, and evidence is documented centrally. Start your gap analysis and see within minutes where action is needed.