New VdS guideline: Minimum requirements for SME information security
Even small companies use information processing systems for their business processes and are therefore exposed to a wide range of cyber risks, yet they can hardly afford extensive protection. With VdS 10005, a guideline is now available that lets them implement systematic IT security and obtain an independent VdS test certificate.
Practical experience with the established cyber security standard VdS 10000 has shown that its requirements and action guidelines are a practicable basis for SMEs to achieve an appropriate level of information security. For small and micro enterprises, however, the specifications of VdS 10000 are still too complex, so this customer group in particular still shies away from a systematic IT security approach. Against this background, VdS has developed the VdS 10005 guidelines. The aim of the framework is to show companies with up to 20 employees a cost-effective way to secure their IT systems and to back this up with effective measures.
Web-based guide developed
"How can we make small and micro companies an offer that, on the one hand, scales the technical-organisational measures (TOMs) responsibly and still offers an appropriate level of protection, but on the other hand, does not lose sight of the resource situation and, last but not least, the willingness of the target group to invest? How much may information security cost today?", says Markus Edel, head of the VdS cyber security and management systems department, explaining the thinking behind the development of the VdS 10005 guidelines. "By dividing the management system aspect out of the requirements. Because by embedding the TOMs in a management system that has the so-called continuous improvement process as a central component, it requires a number of measures that are resource-intensive," he continues.
A web-based guide was also developed for the VdS 10005 guidelines, which leads customers step by step through the requirements. In addition to the text of the guidelines, the guide provides valuable information on interpretation and shows concrete implementation examples from corporate practice. The guide is available at vds.de/guide-vds-10005 as an online tool in a chargeable, closed area and provides users with additional convenient features - for example, the ability to display the current implementation status of the VdS 10005 guideline in order to determine precisely whether the company is ready for the test certificate.
No longer certifiable
With the overall package of guideline and guide, the goal of reducing the effort for micro-enterprises could be achieved in the best possible way. VdS thus offers interested companies a procedure for less than 650 euros that enables adequate protection of their IT landscape but is no longer certifiable, because the management system aspect has been omitted. Instead, the guideline aims at a test certificate based on a remote audit, without mandatory annual monitoring, so that cost-intensive on-site audits can be dispensed with. Furthermore, VdS 10005 represents a subset of VdS 10000 and is thus upwardly compatible: an interesting option if, for example, the requirements for information security increase due to business growth or changes in the risk environment.
More info at: www.vds.de/cyber