VdS 10000 Certification Bodies
Overview of accredited testing organizations for VdS 10000. Audit process, costs, and selection criteria.
VdS 10000 Certification: Who Audits and Certifies?
VdS 10000 certification is conducted by VdS Schadenverhuetung GmbH, a subsidiary of the German Insurance Association (GDV). VdS is the primary and best-known certification body for this standard, with decades of experience in testing and certifying security standards. Unlike ISO 27001, where numerous accredited certification bodies compete, VdS 10000 certification is closely tied to VdS itself.
VdS Schadenverhuetung GmbH: The Primary Certification Body
VdS has been active in loss prevention for over 100 years and developed the VdS 10000 standard itself. This brings distinct advantages:
- Deep subject-matter expertise: Auditors know the standard in detail and understand the context in which the requirements were created.
- Pragmatic approach: VdS audits with SMEs in mind. Auditors understand that small and medium-sized businesses operate under different constraints than large corporations.
- Recognised certification mark: The VdS certificate is highly regarded by insurers, business partners, and regulatory authorities.
- Training and certification under one roof: In addition to certification, VdS offers training courses and preparatory seminars.
Accredited Auditors
Audits are performed by accredited VdS auditors who are specifically trained and approved for VdS 10000 assessments. These auditors have:
- Demonstrated expertise in information security and IT risk management
- Training and approval by VdS as an assessment body
- Regular continuing education and calibration by VdS
- Industry experience, often with a focus on SMEs
Additionally, recognised consulting firms can assist with audit preparation, although the actual certification assessment is conducted by VdS or VdS-approved auditors.
The Audit Process in Detail
VdS 10000 certification follows a clearly structured process in four phases:
Phase 1: Application
You submit a formal application to VdS, providing company details, the certification scope, and the desired timeframe. VdS then prepares a proposal with costs and schedule. Typically, the lead time between application and the first audit date is 4-8 weeks.
Phase 2: Document Review (Stage 1)
The auditor reviews your documentation in advance: policy, risk analysis, controls catalogue, training records, and other documents. The goal is to establish basic audit readiness. If significant gaps are found, the auditor may recommend postponing the on-site audit. For guidance on preparing, see our Audit Preparation page.
Phase 3: On-Site Audit (Stage 2)
During the on-site audit, the auditor verifies the actual implementation of documented measures. This includes:
- Interviews with key personnel: The auditor speaks with senior management, the Information Security Officer, IT staff, and employees to assess actual practice.
- Sampling and evidence review: Configurations, logs, and evidence are reviewed on a sample basis.
- Facility walkthrough: Physical security, server rooms, and workstations are inspected.
- Process verification: Incident management, risk management, change management, and training processes are tested for functionality.
The duration of the on-site audit depends on company size and scope. For a typical SME with 20-100 employees, expect 1-2 days.
Phase 4: Certificate Issuance
After a successful audit, you receive the VdS 10000 certificate. If non-conformities are identified, the auditor may require corrective actions to be implemented and evidenced within a defined period (typically 3 months). For major non-conformities, a follow-up audit is required.
Certification Costs
VdS 10000 certification is deliberately more affordable than ISO 27001, making it accessible for SMEs:
| Cost Item | VdS 10000 | ISO 27001 (Comparison) |
|---|---|---|
| Certification audit | From EUR 3,599 | From approx. EUR 15,000 |
| Annual surveillance audit | Approx. EUR 1,500-2,500 | Approx. EUR 5,000-8,000 |
| Re-certification (every 3 years) | Approx. EUR 2,500-3,500 | Approx. EUR 10,000-15,000 |
| Typical preparation costs (external) | EUR 5,000-15,000 | EUR 20,000-50,000 |
Exact costs depend on company size, scope, and IT landscape complexity. For detailed budget and timeline information, visit our Costs and Process page.
Certificate Validity and Surveillance Audits
The VdS 10000 certificate is valid for three years. During this period, annual surveillance audits take place to ensure ongoing conformity. These surveillance audits are less extensive than the initial certification audit, but they verify:
- Implementation of corrective actions from the previous audit
- Ongoing effectiveness of the information security management system
- Handling of security incidents since the last audit
- Currency of documentation and risk assessments
- Completion of planned training and awareness activities
Re-Certification After Three Years
After three years, re-certification is required. This involves a full audit where all VdS 10000 requirements are assessed again. The advantage: since you already have an established system, the effort for re-certification is typically lower than for initial certification. Plan re-certification at least 3 months before your certificate expires to ensure uninterrupted certification.
Selection Criteria: Choosing the Right Support
Since VdS is the primary certification body, the decision is less about choosing the certifier and more about choosing the right support for preparation. Look for the following criteria:
- VdS 10000 experience: Not every consulting firm knows the standard in detail. Ask for references and successful certification projects.
- SME understanding: VdS 10000 is an SME standard. Consultants who primarily manage large projects often carry over processes that are oversized for an SME.
- Tool-supported preparation: GRC tools like Kopexa with VdS 10000 templates significantly reduce manual effort and ensure completeness.
- Transparent cost structure: Reputable providers can give you a binding cost estimate before the project starts.
- Long-term support: Certification is not a one-time project. Choose partners who support you beyond initial certification.
Frequently Asked Questions
Can I achieve VdS 10000 without external consulting?
Yes, especially with GRC tooling and VdS's own preparatory seminars, certification without an external consultant is feasible. Organisations with existing IT security expertise can manage the preparation internally. Our Checklist helps ensure nothing is missed.
How does the VdS audit differ from an ISO 27001 audit?
The VdS audit is shorter, more pragmatic, and more focused on actual implementation. ISO 27001 audits place greater emphasis on process maturity and the management system. Both follow the Stage 1/Stage 2 approach with document review and on-site audit.
What happens if you fail?
If non-conformities are found, you receive a deadline for remediation (typically 3 months). After successful implementation of corrective actions, the certificate is issued. For major non-conformities, a follow-up audit is required, which incurs additional costs.
Next Steps
Prepare systematically for the VdS 10000 audit. Use our Audit Preparation page for the detailed process, our Costs and Process page for budget planning, and our Checklist for the full requirements overview.
Audit-ready with Kopexa
Kopexa provides all VdS 10000 controls as pre-built templates, generates audit-ready evidence, and shows your certification progress in real time. Go into every audit with confidence.