Practical checklist with all steps to VdS 10000 compliance. Time comparison with and without GRC tool.
VdS 10000 Checklist: 10 Steps to Certification
The VdS Guideline 10000 defines 75 controls across 16 chapters. A structured approach is essential to achieve certification efficiently. This checklist guides you through ten concrete steps from initial analysis to successful certification. Each step includes a description, references to the relevant VdS 10000 chapters, and a realistic time estimate.
The total duration for VdS 10000 certification typically ranges from 3 to 6 months with a GRC tool and 6 to 12 months without tool support. Certification costs start from EUR 3,599.
Step 1: Conduct a Gap Analysis
Objective: Assess your current state against all 75 VdS 10000 controls and identify the most significant gaps.
Relevant chapters: Ch. 4-19 (entire guideline)
Timeframe: 1-2 weeks
Systematically work through each of the 16 chapters and document the extent to which requirements are already met. Prioritise gaps by criticality and effort. Kopexa provides a pre-loaded VdS 10000 requirements catalogue that immediately shows you where action is needed.
Step 2: Establish Organisational Structure
Objective: Appoint an Information Security Officer (ISO) and formally engage senior management.
Relevant chapters: Ch. 4 (Organisation)
Timeframe: 1 week
VdS 10000 requires a designated ISO who coordinates information security. In SMEs, this role can be performed part-time. The key point is that senior management formally acknowledges its responsibility for information security and allocates sufficient resources. Document the role assignments and reporting lines.
Step 3: Create the Information Security Policy
Objective: Approve a security policy that defines objectives, scope, and responsibilities.
Relevant chapters: Ch. 5 (Policy)
Timeframe: 1 week
The policy is the overarching document of your ISMS. It must be approved by senior management and communicated to all employees. Keep it practical and understandable. Avoid jargon that not every employee can follow. The policy must be reviewed at least annually.
Step 4: Perform Risk Analysis
Objective: Systematically identify, assess, and define treatment measures for information security risks.
Relevant chapters: Ch. 6 (Risk Management)
Timeframe: 2-3 weeks
Identify threats and vulnerabilities for your critical assets. Evaluate each risk by likelihood and impact. For each risk, decide whether to mitigate, accept, transfer, or avoid it. Compared with ISO 27001, VdS 10000 offers a simplified approach that is well suited to SMEs. More details can be found on our Measures page.
Step 5: Build the Asset Inventory
Objective: Inventory all information assets, classify them, and assign owners.
Relevant chapters: Ch. 8 (Asset Management)
Timeframe: 2-3 weeks
Capture all relevant assets: servers, workstations, mobile devices, software, cloud services, databases, and network components. Assign an owner to each asset and classify by protection requirements. This inventory forms the foundation for risk analysis and all technical protective measures.
Step 6: Implement Technical Controls
Objective: Implement the technical requirements from Chapters 9-14.
Relevant chapters: Ch. 9 (Access Control), Ch. 10 (Cryptography), Ch. 11 (Physical Security), Ch. 12 (Operations Security), Ch. 13 (Communications Security), Ch. 14 (System Development)
Timeframe: 3-6 weeks
This is the most extensive step. Implement measures across all technical areas: authorisation concept, password policies, encryption, backup strategy, patch management, network segmentation, and logging. Many SMEs already have basic measures in place. The gap analysis from Step 1 shows you where further action is needed. Detailed implementation guidance can be found on our VdS 10000 Measures page.
Step 7: Set Up Supplier Management
Objective: Define security requirements for suppliers and service providers and anchor them contractually.
Relevant chapters: Ch. 15 (Supplier Relationships)
Timeframe: 1-2 weeks
Identify all suppliers and IT service providers with access to sensitive data or delivering critical services. Review existing contracts for security clauses and add missing requirements. Define a procedure for regularly assessing supplier security.
Step 8: Create Incident Management and Contingency Plans
Objective: Define processes for detecting, handling, and reviewing security incidents, as well as contingency plans.
Relevant chapters: Ch. 16 (Incident Management), Ch. 17 (Business Continuity)
Timeframe: 2-3 weeks
Define clear reporting channels and escalation levels for security incidents. Create contingency plans for the most important scenarios (ransomware, data loss, server failure). Set Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Plan at least one annual emergency drill.
Step 9: Train and Raise Employee Awareness
Objective: Train all employees in information security and strengthen security awareness.
Relevant chapters: Ch. 7 (Personnel Security)
Timeframe: 1-2 weeks
Conduct foundational training for all employees: password handling, phishing recognition, clean desk policy, and incident reporting channels. Senior management must also be trained. Document all training sessions with content, participants, and dates. Plan regular refresher training.
Step 10: Audit Preparation and Certification
Objective: Ensure audit readiness and successfully pass the certification audit.
Relevant chapters: Ch. 18 (Compliance), Ch. 19 (Documentation)
Timeframe: 2-3 weeks
Conduct an internal audit against all VdS 10000 requirements. Ensure sufficient evidence exists for each of the 75 controls: approved policies, risk analysis, asset inventory, training records, and technical configuration evidence. Remediate identified weaknesses before the external audit. Tips for optimal preparation can be found on our Audit Preparation page.
Timeframes: With vs. Without GRC Tooling
| Step | With Kopexa | Without dedicated tool |
|---|---|---|
| 1. Gap Analysis | 3-5 days | 2-3 weeks |
| 2. Organisation | 3 days | 1-2 weeks |
| 3. Security Policy | 3 days | 1-2 weeks |
| 4. Risk Analysis | 1-2 weeks | 3-4 weeks |
| 5. Asset Inventory | 1 week | 2-4 weeks |
| 6. Technical Controls | 2-4 weeks | 4-8 weeks |
| 7. Supplier Management | 1 week | 2-3 weeks |
| 8. Incident & BCM | 1-2 weeks | 3-4 weeks |
| 9. Training | 1 week | 2-3 weeks |
| 10. Audit Preparation | 1-2 weeks | 3-4 weeks |
| Total | 3-4 months | 6-12 months |
The time savings with Kopexa result from pre-loaded requirements catalogues, integrated templates for policies and risk assessments, automated evidence management, and real-time progress tracking. The platform makes the biggest difference during gap analysis and asset inventory.
Common Pitfalls to Avoid
- Starting with technology too early: Implement the organisational foundations (Steps 1-4) first before investing in technical measures. Without a risk analysis, you do not know where the greatest risks lie.
- Neglecting documentation: The VdS auditor checks not only whether measures exist but whether they are documented. Maintain documentation alongside implementation from the start.
- Not engaging senior management: ISMS projects regularly fail without active support from senior management. Ensure leadership is informed and engaged.
- Forgetting employee training: The best technology is useless if employees open phishing emails or share passwords. Training is mandatory, not optional.
- Not testing contingency plans: An emergency plan that has never been tested is worthless in a real crisis. Plan at least one annual drill.
Work through the checklist with Kopexa
With Kopexa, you work through the VdS 10000 checklist in a structured way. The requirements catalogue with all 75 controls is pre-loaded, progress is tracked in real time, and evidence is documented centrally. Save months of manual preparation and maintain a clear overview of your compliance status at all times.