VdS 10000 Audit: Preparation and Process
How does the VdS 10000 audit work? Document review, on-site audit, and tips for successful certification.
VdS 10000 Audit: How to Prepare Optimally
The VdS 10000 certification audit verifies whether your information security management system (ISMS) meets the requirements of the standard. Thorough preparation determines whether you pass the audit on the first attempt or need to address findings. This guide walks you through the complete audit process, typical findings, and practical tips for audit day.
The Audit Process in Detail
The VdS 10000 audit consists of three phases:
Phase 1: Document Review (Stage 1)
The auditor reviews your ISMS documentation for completeness and formal correctness in advance. This phase typically takes place remotely and covers:
- Information security policy: Approved by senior management, with clear objectives and scope
- Risk analysis and treatment: Documented information assets, threats, vulnerabilities, and derived measures
- Policies and procedures: Access control, data backup, incident handling, supplier management
- Training records: Documentation of completed awareness training sessions
- Internal audit report: Results of the internal review and initiated corrective actions
- Management review: Minutes of the management review with ISMS assessment
After the document review, you receive feedback with any open items that should be resolved before the on-site audit.
Phase 2: On-Site Audit (Stage 2)
During the on-site audit, the auditor verifies whether documented processes are actually practiced. Typical sequence:
- Opening meeting: Presentation of the audit plan, clarification of organizational matters
- Interviews: Discussions with the ISO, IT management, senior management, and selected employees
- Site inspection: Review of physical security measures (server room, access control, clean desk)
- Sampling: Verification of permissions, backup logs, patch levels, and log data
- Closing meeting: Summary of results, identification of nonconformities and recommendations
The on-site audit typically lasts 1-2 days for SMEs.
Phase 3: Follow-Up Audit (if needed)
If major nonconformities are identified during the audit, you receive a deadline (typically 3 months) to address them. A follow-up audit then verifies that the nonconformities have been resolved. Minor nonconformities can often be verified during the next surveillance audit.
Audit Criteria: What Gets Checked?
The auditor reviews all 75 VdS 10000 measures against the following criteria:
- Documentation: Is the measure formally documented and approved?
- Implementation: Is the measure actually implemented and effective?
- Evidence: Is there proof (logs, screenshots, reports) confirming implementation?
- Currency: Are documents and measures up to date?
- Effectiveness: Has effectiveness been verified, e.g. through testing or internal audits?
Typical Findings and How to Avoid Them
Audit practice reveals recurring weaknesses. Knowing them in advance lets you address them proactively:
Common Major Nonconformities
- Missing risk analysis: No risk assessment conducted or only a superficial one
- Incomplete documentation: Key policies are missing or outdated
- No internal audit: The internal review was not performed
- Missing management review: Senior management has not formally reviewed the ISMS
Common Minor Nonconformities
- Backup tests not documented: Backups are performed but recovery has never been tested
- Incomplete training records: Not all employees attended the awareness training
- Stale permissions: Access rights of departed employees were not revoked
- Missing patch documentation: Security updates are installed but not logged
Do's and Don'ts During the Audit
| Do's | Don'ts |
|---|---|
| Be honest and transparent | Hide or downplay problems |
| Have evidence prepared and organized | Create documents during the audit |
| Make all relevant contacts available | Key people are on vacation or unreachable |
| View findings as improvement opportunities | React defensively to findings |
| Conduct an internal audit beforehand | Go into the certification audit without internal review |
| Be able to demonstrate practical examples | Present only theoretical concepts |
Audit Day Checklist
Use this checklist to be optimally prepared on the day of the on-site audit:
- Prepare the room: Meeting room with projector/screen, internet access, and refreshments
- Documentation at hand: Make all ISMS documents accessible digitally or in print
- Brief contacts: Inform the ISO, IT management, senior management, and selected employees about the schedule
- Server room tidy: Access lists current, cabling neat, air conditioning functional
- Update evidence: Backup logs, patch reports, and training lists up to date
- Emergency plans ready: Emergency manual at hand, results from the last emergency drill documented
- Check clean desk: All workstations tidy (lock away confidential documents, lock screens)
The complete step-by-step guide is available in our VdS 10000 checklist.
The Role of the ISO in the Audit
The Information Security Officer (ISO) is the primary contact for the auditor. They guide the audit, answer technical questions, and coordinate evidence provision. Good preparation of the ISO is critical:
- Knowledge of all 75 measures: The ISO must know how each measure is implemented and where the evidence is stored
- Explain the risk landscape: Present the risk analysis comprehensibly and justify why certain risks were accepted or treated
- Demonstrate the improvement process: Show that improvements are derived from findings, incidents, and internal audits
- Communication with management: Demonstrate that senior management is regularly informed and supports the ISMS
Choosing a Certification Body
VdS 10000 certification is conducted by VdS Schadenverhütung GmbH or by VdS-recognized testing organizations. When choosing, consider industry experience, availability, and costs. All details are available on our VdS 10000 certification bodies page.
After the Audit: Continuous Improvement
Certification is not the endpoint but the beginning of a continuous improvement process. After the initial audit, the following activities are required:
- Annual surveillance audit: The auditor reviews the ongoing effectiveness of the ISMS
- Recertification every 3 years: A comprehensive audit similar to the initial certification
- Implement corrective actions: Systematically address and document findings from the audit
- Evolve the ISMS: Assess new risks, adjust measures, and continuously raise the security level
Be optimally prepared for the VdS 10000 audit
With Kopexa, all evidence is centrally documented and accessible at any time. The pre-loaded VdS 10000 catalog shows the implementation status of every single measure. In a free initial consultation, we check your audit readiness and identify open items before the auditor arrives.