The minimum requirements for information security are formulated in an understandable way and are designed in such a way that SMEs are not overburdened organisationally and financially. The VdS 10000 guidelines are based on the recognised standards ISO 27001 and BSI-Grundschutz. This is confirmed by the Federal Office for Information Security with the following recommendation:
The set of rules VdS 10000 "Information Security Management System for SMEs" represents a regulated process for the introduction of an ISMS, just like the basic assurance of basic IT protection. The fields of action described are also comparable, but differences arise in the specification of the individual requirements, which the VdS rules and regulations formulate less concretely in some fields of action. Thus, the requirements of VdS 10000 represent a subset of the basic coverage of basic IT protection and form a good basis for implementing an ISMS in accordance with basic IT protection or ISO 27001.
With about 20% of the effort required for ISO 27001, SMEs can derive measures and processes from the VdS guidelines with which they can achieve an appropriate level of protection in the IT area. In addition, the VdS guidelines were designed to be upwardly compatible: a certification in accordance with VdS 10000 can serve at any time as the entry point into the ISO 27000 series, and VdS can also support companies on that path.
A VdS-certified information security system in accordance with VdS 10000 offers a number of advantages for SMEs:
- The VdS certificate confirms that the company has prepared itself organisationally, technically and preventively for the most important attack scenarios, and that suitable processes and protective measures are in place.
- The VdS certificate generates a high level of confidence in the company's performance among suppliers, customers and insurers: data is securely protected and the risks to the company's ability to deliver have been minimised. Competitive advantages are the result.
- The company extends its risk management to include the aspect of information security, an indispensable element of corporate security.
- Risk transparency within the company increases, which relieves the management. The company can concentrate on its core processes again.
- Companies can transfer the residual risk that always remains to an insurer and thus build up a second line of defence for securing their existence.
- Insurers have a high level of confidence in VdS assessments, a system that has been functioning in fire protection for more than 100 years. The existence of a test certificate/certificate spares insurers an individual assessment at the customer's premises.