
Company analysis – where does the company stand?

To know which assets need to be protected with respect to the three goals of confidentiality, integrity and availability, you need a list of all relevant assets (values) of the company. For this purpose, we offer you the table template “Asset Inventory”. It already contains examples that give you an idea of how such a list should be structured. The list helps you to record the assets that exist in the company and the protection needs (low, medium or high) of each.

With the help of the asset inventory and the protection needs analysis, the critical IT resources can be identified, which then determine the measures to be implemented. Depending on the classification, there are four classes of measures, namely:

  • 91 basic requirements (marked G…)
  • 33 basic protection measures (marked B…)
  • 42 additional measures for critical IT areas (marked Z…)
  • 68 VdS recommendations (marked E…)

The basic requirements must be met and therefore apply to all relevant processes, IT resources and departments. The basic protection measures should also be implemented if technically possible. If measures are rejected or are not technically feasible, you must carry out a risk analysis and the appropriate risk treatment. Risk treatment is discussed separately in a later unit. On top of the basic requirements and basic protection, there are additional measures for the critical IT resources, which are intended to give these resources better protection. The last class of measures consists of the recommendations: they are not mandatory, but they are recommended by the Association of Property Insurers and can therefore be implemented.

In the gap analysis, you go through the controls of VdS 10000 and check which measures you already fulfil, where applicable, and which measures you cannot or do not want to implement. This gives you an overview of how much work is still ahead of you. You can use the “Statement of Applicability” template for this.