Risk Management According to VdS 10000

Risk assessment and treatment under VdS 10000: capture information assets, assess risks, and derive measures.

Risk Management Under VdS 10000: A Systematic Approach

Risk management is the core element of VdS 10000 (Chapter 6). It ensures that your organization systematically identifies, assesses, and reduces information security risks to an acceptable level through appropriate measures. Unlike ISO 27001, which starts at approximately EUR 15,000 in certification costs, VdS 10000 certification is available from EUR 3,599, making it particularly attractive for SMEs.

VdS 10000 takes a pragmatic approach: the effort required for risk analysis should be proportional to the size of the organization. Nevertheless, all essential steps of a structured risk management process must be completed. The specific VdS 10000 requirements define the framework you need to follow during implementation.

Identifying and Classifying Information Assets

The first step in VdS 10000 risk management is the complete inventory of all information assets within your organization. Information assets are all resources relevant to information processing whose loss, impairment, or disclosure would cause harm to the organization.

These include in particular:

  • IT systems and hardware: servers, workstations, network components, mobile devices
  • Software and applications: operating systems, business applications, cloud services
  • Data and information: customer data, financial data, intellectual property, contracts
  • Premises: server rooms, offices, archive spaces
  • Personnel: employees with critical know-how or special access rights
  • Service providers: external IT service providers, cloud providers, maintenance partners

Each information asset is classified according to its importance to the organization. VdS 10000 recommends a simple three-tier classification: normal, high, and very high. The classification is based on the potential impact of a loss of confidentiality, integrity, or availability.

Threat Analysis: What Dangers Exist?

In the second step, you identify the relevant threats for each identified information asset. VdS 10000 distinguishes between different threat categories:

  • Force majeure: fire, water damage, power outages, natural disasters
  • Organizational deficiencies: missing policies, unclear responsibilities, inadequate documentation
  • Human error: incorrect operation, carelessness, lack of training
  • Technical failure: hardware defects, software bugs, network outages
  • Deliberate actions: cyber attacks, data theft, sabotage, social engineering

For SMEs, it is especially important not to get lost in theory. Focus on the threats that are realistically relevant to your industry and your specific information assets. A manufacturing company has different priorities than a financial services provider.

Vulnerability Assessment

Threats can only become effective if vulnerabilities exist that they can exploit. In the vulnerability assessment, you examine each information asset and each relevant threat for specific vulnerabilities.

Typical vulnerabilities in the SME environment:

  • Missing or outdated security patches
  • Weak or reused passwords
  • Lack of network segmentation
  • Insufficient backup concepts
  • Low security awareness among employees
  • Missing access controls for sensitive data

The specific technical and organizational VdS 10000 measures help you systematically address these vulnerabilities.

Risk Assessment: The Risk Matrix

The actual risk assessment combines likelihood of occurrence and severity of impact into an overall risk rating. VdS 10000 recommends a risk matrix with typically three to five levels per dimension.

Likelihood   Low impact    Medium impact   High impact
Low          Low risk      Low risk        Medium risk
Medium       Low risk      Medium risk     High risk
High         Medium risk   High risk       Critical risk

The result of the risk assessment determines the priority with which measures must be implemented. Critical and high risks require immediate treatment, while low risks can be documented and reviewed during the next regular assessment cycle.

Risk Treatment: Four Strategies

For each identified risk, you must define a treatment strategy. VdS 10000 defines four options:

1. Risk Avoidance

The risk-triggering activity is discontinued entirely. Example: an insecure cloud service is shut down and replaced with a secure alternative. This strategy is appropriate when the benefit of the activity does not justify the risk.

2. Risk Reduction

Technical or organizational measures reduce the likelihood or impact. This is the most common treatment option. Examples include implementing firewalls, encrypting sensitive data, establishing regular backups, and conducting employee training. The complete list can be found in the VdS 10000 measures.

3. Risk Transfer

The financial risk is transferred to a third party, typically through cyber insurance. Important: operational responsibility remains with you. Insurance does not replace security measures; it only covers financial damages.

4. Risk Acceptance

A residual risk is consciously accepted when the cost of mitigation exceeds the potential damage, or when the risk has already been reduced to an acceptable level. Risk acceptance must be documented and approved by senior management.
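The risk matrix and the treatment rules above, encoded as a small risk register check. This is an added example, not Kopexa's code or part of VdS 10000; the constructed sample risks, the "planned" urgency for medium risks, and the 365-day review window are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
LEVELS = ("low", "medium", "high")
# Risk matrix as given on the page: (likelihood, impact) -> overall risk rating
MATRIX = {
    ("low", "low"): "low",     ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",  ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high",     ("high", "high"): "critical",
}
# Urgency per the page: critical/high immediate, low in the next cycle.
# "planned" for medium is an assumption; the page does not specify it.
URGENCY = {"critical": "immediate", "high": "immediate", "medium": "planned", "low": "next cycle"}
STRATEGIES = ("avoid", "reduce", "transfer", "accept")  # the four VdS 10000 options

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    strategy: str = ""      # one of STRATEGIES; empty = not yet decided
    approved_by: str = ""   # senior-management approver, required for "accept"
    last_review: str = ""   # ISO date of the last review; empty = never reviewed

def rate_risk(likelihood: str, impact: str) -> str:
    """Look up the overall rating in the 3x3 matrix, rejecting unknown levels."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood and impact must be one of {LEVELS}")
    return MATRIX[(likelihood, impact)]

def check_risk(risk: Risk, today: str) -> list:
    """Findings that keep this register entry from being audit-ready."""
    findings = []
    if not risk.strategy:
        findings.append("no treatment strategy defined")
    elif risk.strategy not in STRATEGIES:
        findings.append(f"unknown treatment strategy {risk.strategy!r}")
    elif risk.strategy == "accept" and not risk.approved_by:
        findings.append("risk acceptance requires senior-management approval")
    if not risk.last_review or date.fromisoformat(today) - date.fromisoformat(risk.last_review) > timedelta(days=365):
        findings.append("annual review overdue")
    return findings

def build_register(risks: list, today: str) -> list:
    rows = [{"asset": r.asset, "threat": r.threat, "rating": rate_risk(r.likelihood, r.impact),
             "findings": check_risk(r, today)} for r in risks]
    for row in rows:
        row["urgency"] = URGENCY[row["rating"]]   # critical-first order follows URGENCY's key order
    return sorted(rows, key=lambda row: list(URGENCY).index(row["rating"]))
```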

Risk Management Documentation

VdS 10000 requires complete documentation of the entire risk management process. The following documents are required at minimum:

  • Asset inventory: complete list of all information assets with classification and responsibilities
  • Risk register: all identified risks with assessment, treatment strategy, and implementation status
  • Risk assessment reports: results of each risk analysis with methodology and assumptions
  • Treatment plan: mapping of measures to risks, responsibilities, and deadlines
  • Risk acceptance statements: residual risks approved by senior management

A GRC tool like Kopexa automates much of this documentation. Instead of maintaining hundreds of pages in spreadsheets, you capture information assets, risks, and measures on a centralized platform. Documentation is generated automatically and is always audit-ready. Use the VdS 10000 checklist as a guide for complete implementation.

Regular Review and Updates

Risk management is not a one-time project but a continuous process. VdS 10000 requires the risk analysis to be repeated at least annually and whenever significant changes occur. Significant changes include:

  • Introduction of new IT systems or cloud services
  • Changes in organizational structure
  • New or modified business processes
  • Security incidents or near-misses
  • Changes in the threat landscape (new attack vectors, industry trends)
  • Changes in regulatory requirements

Each review is documented, and the results flow into updates of the risk register and treatment plan. Senior management is informed about the current risk status and approves the updates.

Risk Management Process: Summary

Phase   Activity                      Output
1       Identify information assets   Asset inventory with classification
2       Analyze threats               Threat catalog per information asset
3       Assess vulnerabilities        Vulnerability report
4       Evaluate risks                Risk register with risk matrix
5       Treat risks                   Treatment plan with responsibilities
6       Document and review           Risk report, annual review

Implement VdS 10000 risk management efficiently

Kopexa provides an integrated risk management module that covers all phases of VdS 10000 risk analysis. Capture information assets, assess risks with the built-in risk matrix, and track measure implementation in real time. Save weeks of manual work and keep your risk register audit-ready at all times.
