
VdS 10000 Measures: 75 Controls

Overview of all 75 VdS 10000 measures: technical, organizational, and personnel security requirements.

VdS 10000 Measures: 75 Controls Explained

VdS 10000 defines a total of 75 specific measures that small and medium-sized enterprises (SMEs) must implement to achieve an adequate level of information security. These measures are grouped into four categories: organizational, technical, personnel, and physical security measures. Each measure is assigned a priority level that helps you plan implementation effectively.

Compared to ISO 27001 with over 90 controls in Annex A, VdS 10000 is intentionally leaner. The focus is on practicability for SMEs without omitting essential security aspects. A detailed comparison is available in our requirements overview.

Understanding Priority Levels

VdS 10000 assigns one of three priority levels to each measure. These help you determine the order of implementation and allocate resources strategically:

  • Priority 1 (Must): Fundamental measures that must be implemented. Certification is not possible without them. They form the foundation of your ISMS.
  • Priority 2 (Should): Important measures that should generally be implemented. Deviation is possible but must be justified and documented.
  • Priority 3 (Can): Recommended measures for a higher security level. They are optional but increase the maturity of your ISMS and pave the way for a future upgrade to ISO 27001.

For certification, all Priority 1 measures must be fully implemented and all Priority 2 measures must be largely in place. A practical step-by-step overview is available in our VdS 10000 checklist.

Organizational Measures

Organizational measures form the backbone of your information security management system (ISMS). They ensure that responsibilities are defined, processes are established, and policies are documented.

Information Security Policy

Management must approve an information security policy that defines objectives, scope, and responsibilities. This policy is the foundation for all subsequent measures and must be communicated to all employees.

Roles and Responsibilities

An Information Security Officer (ISO) must be appointed. The ISO coordinates all measures, reports to management, and serves as the primary contact for audits. In SMEs, this role can be filled on a part-time basis.

Risk Management

A structured risk management process is mandatory: identify information assets, assess threats and vulnerabilities, classify risks, and define treatment options. VdS 10000 requires an annual risk analysis and updates when significant changes occur.

Documentation and Policies

All security-relevant processes must be documented. This includes policies for access control, data backup, incident handling, and supplier management. Documentation must be kept current, versioned, and accessible to authorized personnel.

Additional Organizational Measures

  • Asset management: Maintain an inventory of all information assets and assign owners
  • Supplier management: Embed security requirements in contracts with service providers
  • Emergency management: Create emergency plans and test them regularly
  • Internal audits: Regular reviews of the effectiveness of all measures
  • Management review: Annual ISMS review by senior management

Technical Measures

Technical measures protect IT systems, networks, and data from unauthorized access, manipulation, and loss. They form the technical backbone of your ISMS.

Network Security

The network must be protected through firewalls, segmentation, and access controls. VdS 10000 requires documented network architecture, separate network segments for different security zones, and regular review of firewall rules.

Access Control and Authentication

Access to systems and data must follow the need-to-know principle. The access control policy covers password requirements, authorization concepts, and regular review of access rights. Enhanced authentication is recommended for privileged accounts.

Backup and Recovery

Regular backups of all business-critical data are mandatory. Backups must be tested, stored encrypted, and kept physically separate from the primary system. VdS 10000 requires documented recovery tests at least annually.

Additional Technical Measures

  • Malware protection: Up-to-date antivirus solution on all endpoints and servers
  • Patch management: Timely installation of security-relevant updates
  • Encryption: Transport encryption (TLS) and encryption of sensitive data at rest
  • Logging: Log security-relevant events and make them auditable
  • Mobile devices: Policies for BYOD and company-owned mobile devices, enable remote wipe
  • Wi-Fi security: WPA3 encryption, guest network separated from corporate network

Personnel Measures

People are often the weakest link in the security chain. Personnel measures ensure that employees can recognize security risks and respond appropriately.

Training and Awareness

All employees must receive regular information security training. VdS 10000 requires an initial briefing at onboarding and annual refresher training. Topics include phishing recognition, password handling, social engineering, and handling of confidential information.

Human Resources Management

Security aspects must be considered throughout the entire employee lifecycle: at hiring (confidentiality agreement), during employment (roles and permissions), and at offboarding (return of assets, removal of access rights).

Additional Personnel Measures

  • Deputy arrangements: Security-relevant roles must have designated deputies
  • Confidentiality agreements: Written commitment of all employees to confidentiality
  • Disciplinary measures: Clear consequences for violations of security policies

Physical Measures

Physical security measures protect premises, hardware, and storage media from unauthorized access, theft, and environmental impacts.

Access Control

Server rooms and other security-critical areas must have restricted access. VdS 10000 requires a documented access concept with different security zones. Visitors must be accompanied and registered.

Infrastructure Protection

Technical infrastructure must be protected against fire, water, power failure, and overheating. This includes UPS systems, server room air conditioning, and fire protection equipment.

Additional Physical Measures

  • Media disposal: Secure destruction according to DIN 66399 or equivalent standard
  • Mobile device protection: Encrypt and secure laptops and storage media during transport
  • Clean desk policy: Lock away confidential documents when leaving the workplace

Measures Overview by Category

Category         Number of Measures   Priority 1    Examples
Organizational   approx. 25           approx. 15    Policy, ISO, risk management, documentation
Technical        approx. 30           approx. 18    Firewall, backup, patch management, encryption
Personnel        approx. 10           approx. 6     Training, awareness, confidentiality
Physical         approx. 10           approx. 5     Access control, fire protection, media disposal
Total            75                   approx. 44

Implementation Recommendations

Take a structured approach to implementing all 75 measures:

  • Phase 1 (Month 1-2): Implement all Priority 1 measures. Start with the policy, appointing the ISO, and risk management.
  • Phase 2 (Month 2-4): Address Priority 2 measures. Focus on technical hardening, training programs, and supplier management.
  • Phase 3 (Month 4-6): Review and selectively implement Priority 3 measures. Conduct an internal audit and establish audit readiness.

Detailed information on timeline and budget can be found on our costs and process page. Tips for optimal audit preparation help you avoid common pitfalls.

Managing Measures Efficiently

Tracking 75 measures manually in spreadsheets is error-prone and time-consuming. A GRC platform like Kopexa maps all VdS 10000 measures as a pre-loaded catalog. You can see at a glance which measures are implemented, in progress, or open. Evidence is attached directly to each measure, and when upgrading to ISO 27001 later, existing evidence is automatically cross-mapped.

Implement 75 measures with structure

With Kopexa, you have all 75 VdS 10000 measures at your fingertips. The pre-loaded requirements catalog shows priorities, progress, and open items in real time. In a free initial consultation, we assess your current status and show you the most efficient path to certification.
