Questions and Answers

Certain questions reach us repeatedly. Answers to the most frequently asked questions can be found here.

All certifications, recognitions, and attestations originate from the VdS guidelines. These are developed by an expert team consisting of members from various interested parties. In the case of the VdS guidelines for information security and data protection, this includes IT specialists with extensive experience, employees from system houses, insurance companies, authorities, associations, consulting firms, and, of course, VdS Loss Prevention itself. This ensures that the expectations and needs of all organizations are taken into account.

We differentiate between requirement guidelines and procedural guidelines.

The requirement guidelines describe the criteria that must be met to achieve a qualification (e.g., certificate, attestation, recognition). Divided into various sections, they contain the specific requirements that need to be implemented in the organization. Some guidelines differentiate between MUST and SHOULD requirements; the latter are recommendations and are not part of the assessment of the actual state during an audit. You can recognize the requirement guidelines for cyber-security by their five-digit number ending in a zero or five.

The procedural guidelines describe the process of how to obtain proof of qualification, i.e., the practical process from ordering to the actual examination/audit to the issuance of the respective certificate. These guidelines are created internally by the responsible department at VdS and are provided free of charge.

Yes and no.
The requirement guidelines of the VdS 10000 series are subject to charges and can be purchased through our VdS Guidelines Shop. The associated procedural guidelines are free of charge.

The VdS 10000 guidelines set out the minimum requirements for information security and describe an information security management system (ISMS) tailored to small and medium-sized enterprises (SMEs). VdS 10000 certification does not meet the legal requirements for critical infrastructure companies (KRITIS).

The scope is a clear definition that specifies the areas and processes or services to which the defined standards and requirements of a norm or guideline apply. It determines which processes, products, services, or organizational units fall under the responsibility of the respective norm or guideline and are therefore subject to specific requirements. In other words, it states which value-added processes, products, or services of the company are covered by the protective measures and requirements.

Furthermore, the scope helps various interest groups, such as customers or suppliers, to understand which processes the respective guidelines apply to and the extent to which compliance with these requirements is required.

Defining the scope is an important step in the implementation of norms and standards. It provides clarity about which parts of the company are affected by the requirements and ensures that the relevant requirements are met.

To define the scope, you should follow these steps:

  • Identify the core processes in your company that directly contribute to added value.
  • Consider which information in these value-added processes is highly significant. This can be sensitive data, intellectual property, or other important resources.
  • Analyze which of this information is particularly in need of protection. Which information or resources must not be lost, altered, or made inaccessible under any circumstances?


A look at the company's commercial register entry can also be helpful. The object of the company provides information about the focus of the business activity, which can often also be used as the scope, especially if the scope is intended to cover the entire company.


Examples for defining the scope:

  • The development, provision, and maintenance of software solutions for customers in various industries, including the management of customer data, contracts, and marketing strategies.
  • The provision of logistics services for external customers, including the planning, control, and monitoring of transportation, warehousing, and customs processing.
  • The provision of educational services in the form of training, courses and workshops in the areas of health, safety and environmental protection for companies and individuals.
  • The production and assembly of electronic components and circuit boards for the automotive industry, including testing, quality assurance and just-in-time delivery.


Due to the principle of separation of functions, our auditors are not allowed to provide consulting services, as an auditor should never audit their own work. We recommend relying on our network of consultants when implementing a management system: