From VdS 3473 to VdS 10000
What changes from VdS 3473 to VdS 10000? New requirements, mapping, and migration tips.
VdS 3473 to VdS 10000: What Changed
The VdS 3473 guideline was the predecessor to today's VdS 10000 and was specifically designed for small and medium-sized enterprises (SMEs) seeking a pragmatic entry into information security. In 2018, VdS 3473 was replaced by the significantly more comprehensive VdS 10000. The new standard expands the scope, introduces new topic areas, and increases the level of detail in its requirements. If your organisation still operates based on VdS 3473, now is the right time to migrate.
Why Was VdS 3473 Replaced?
VdS 3473 was designed as an entry-level standard and intentionally kept lean. With the evolving threat landscape and growing regulatory requirements (GDPR, NIS2, German IT Security Act 2.0), its requirements were no longer sufficient. VdS 10000 closes these gaps with a standard that offers:
- Broader topic coverage: New chapters on incident management, business continuity, and supplier management
- Stronger process orientation: Covers not only technical measures but also management processes and governance
- Better upgrade path: VdS 10000 is designed as a stepping stone to ISO 27001, facilitating a later transition
- International recognition: Due to its proximity to ISO 27001, VdS 10000 is understood beyond Germany as well
New Areas in VdS 10000
VdS 10000 extends VdS 3473 with several significant topic areas that were absent or only marginally addressed in the old guideline:
Incident Management
VdS 3473 contained only rudimentary requirements for handling security incidents. VdS 10000 demands a structured incident management process with incident classification, escalation levels, documentation requirements, and lessons-learned procedures. Organisations must demonstrate that they can detect, analyse, and learn from incidents.
Business Continuity Management
VdS 3473 addressed data backup and recovery only at a technical level. VdS 10000 requires more comprehensive business continuity management (BCM) with business impact analysis, emergency plans, recovery scenarios, and regular testing of emergency procedures.
Supplier Management
In VdS 3473, dealing with external service providers was only briefly described. VdS 10000 requires a systematic assessment of information security at suppliers and service providers, contractual security requirements, and regular reviews. This applies particularly to cloud providers, IT service providers, and data processors.
Extended Governance Requirements
VdS 10000 sets higher requirements for organisational structure: clearly defined roles and responsibilities, an Information Security Officer (ISO), management review, and the involvement of senior management are now explicitly required.
Mapping: VdS 3473 to VdS 10000
The following table shows how VdS 3473 chapters map to VdS 10000 requirements:
| VdS 3473 | VdS 10000 | Change |
|---|---|---|
| IS Organisation | Ch. 4-5: Organisation and Responsibilities | ISO role and management review added |
| IT Security Policy | Ch. 5: Policy and Documentation | More detailed content and approval requirements |
| Risk Assessment | Ch. 6: Risk Management | Structured risk analysis with rating scales required |
| Personnel | Ch. 7: Personnel and Awareness | Annual training requirement and effectiveness measurement new |
| IT Systems and Networks | Ch. 8-12: Technical Measures | Extended with network segmentation, monitoring, cryptography |
| Access Control | Ch. 9: Access Control | MFA recommendation, least-privilege principle more emphasised |
| Data Backup | Ch. 13-14: BCM and Recovery | Business impact analysis and emergency plans new |
| (Not present) | Ch. 15: Incident Management | Entirely new chapter |
| (Not present) | Ch. 16: Supplier Management | Entirely new chapter |
| (Not present) | Ch. 17-19: Compliance, Audit, Improvement | Internal audits and continual improvement newly required |
For a detailed overview of all 19 chapters, visit our VdS 10000 Requirements page.
What Stays the Same
Good news for organisations with VdS 3473 certification: many fundamentals remain intact and can be carried over directly:
- Core information security principles: Confidentiality, integrity, and availability remain the protection objectives.
- Basic technical measures: Firewall, antivirus, patch management, and data backup are still required.
- Password policies and access control: The fundamental requirements for authentication and authorisation remain comparable.
- Documentation obligation: Both guidelines require traceable documentation of security measures.
- SME suitability: VdS 10000 remains fundamentally tailored to the needs of SMEs, even though the scope has increased.
Migration Strategy: Step by Step
For organisations transitioning from VdS 3473 to VdS 10000, we recommend a structured approach in four phases:
Phase 1: Gap Analysis (2-4 Weeks)
Compare your existing VdS 3473 documentation against VdS 10000 requirements. Identify all gaps, especially in the new chapters (incident management, BCM, supplier management). Use our VdS 10000 Checklist as a starting point for the gap analysis.
Phase 2: Prioritisation (1-2 Weeks)
Rank identified gaps by risk and effort. Start with the areas that pose the greatest risk or are mandatory for certification:
- Highest priority: Appoint an Information Security Officer, update the policy, formalise risk management
- High priority: Build an incident management process, create emergency plans
- Medium priority: Introduce supplier assessment, expand training programme
- Long-term: Establish an internal audit programme, embed continual improvement
Phase 3: Implementation (2-6 Months)
Implement the identified measures in the defined order. Document every step from the start to avoid having to retrospectively produce evidence for the audit. Especially important: establish new processes (incident management, BCM) not just on paper but run them in practice and test them.
Phase 4: Validation and Audit Preparation (2-4 Weeks)
Conduct an internal audit to verify the completeness of your implementation. Ensure all documentation is current and accessible. Prepare for the external VdS audit.
Timeline: How Long Does Migration Take?
The migration duration depends on the maturity level of your existing information security:
| Starting Point | Estimated Duration | Typical Challenges |
|---|---|---|
| VdS 3473 certified, well maintained | 3-4 months | Build new chapters, extend documentation |
| VdS 3473 certified, outdated documentation | 4-6 months | Update documentation, tighten processes |
| VdS 3473 aligned, not certified | 5-8 months | Formalise processes, close gaps |
With GRC tooling like Kopexa, migration time can typically be reduced by 30-40 percent, as templates, mappings, and documentation tools lower the effort.
Common Pitfalls During Migration
- Underestimating new chapters: Incident management and BCM require not just documentation but lived processes. Allow enough time for practical exercises and tests.
- Documentation not migrated: Existing VdS 3473 documents must be adapted to the new structure. Simply renaming them is not sufficient.
- Risk management too superficial: VdS 10000 expects a structured risk analysis with rating scales. A simple list of risks is no longer sufficient.
- Forgetting suppliers: Many organisations overlook the new supplier management chapter. Start supplier assessments early.
- No internal audit before certification: VdS 10000 requires internal audits. Conduct at least one internal audit before applying for the external certification audit.
- Missing training records: The extended training requirements demand complete documentation. Start recording immediately.
VdS 10000 as a Stepping Stone to ISO 27001
One advantage of migrating to VdS 10000: you are already building structures that will make a later transition to ISO 27001 easier. VdS 10000 covers many ISO 27001 requirements, though at a lower level of detail. Our comparison VdS 10000 vs. ISO 27001 shows you where the differences lie and what additional effort the upgrade requires. VdS 10000 certification costs start from EUR 3,599, while ISO 27001 starts from approximately EUR 15,000.
Next Steps
Start with a gap analysis against the VdS 10000 Requirements. Use our Checklist for a structured overview and assess whether a later upgrade to ISO 27001 makes sense for your organisation.
VdS 3473 to VdS 10000 migration with Kopexa
Kopexa supports both VdS 3473 and VdS 10000. The integrated mapping instantly shows which existing measures already cover the new requirements and where action is needed. Start your migration with a clear overview instead of spreadsheet chaos.