VDA ISA (ver. 5.0.

4) question / requirement

1.1.1 To what extent are information security policies available?

1.3.1 To what extent are information assets identified and recorded?

1.3.2 To what extent are information assets classified and managed in terms
of their protection needs?

1.4.1 To what extent are information security risks managed?

1.6.1 To what extent are information security events processed?

2.1.1 To what extent is the suitability of employees for sensitive work fields
ensured?

3.1.1 To what extent are security zones managed to protect information

assets?
 4.2.1 To what extent are access rights assigned and managed?

5.2.6 To what extent are IT systems technically checked (system audit)?

6.1.1 To what extent is information security ensured among suppliers and

cooperation partners?
 Document / process Prepared?

Information Security Policy ❒

Information Assets repository / register ❒

Information classification ❒

Information security risk assessment process ❒

Process of managing information security

incidents ❒

Evidence of competence (from HR) ❒

Security zones concept ❒

 Access Control Policy /
Access Control Procedure ❒

IT audit program / programs.

Evidence of the implementation of the audit ❒
program (s) and documented audit results.

Processes necessary to meet information

security requirements.
List of outsourced processes. ❒
List of approved suppliers, vendors or
cooperation partners.
 Comments

Current and periodically reviewed information security policy adopted in a company.

Up-to-date and periodically reviewed register, database or other repository of registered

information resources (critical and supportive) with assigned responsible assets owners.

Documented in the form of an up-to-date and periodically reviewed internal regulation on

information classification - document must mentions information assets management and
classification, methods and criteria for assessing resources, handling information and
information assets, and protecting their integrity and availability.

Up-to-date and periodically reviewed procedure for identifying, analyzing and evaluating risk
in the ISMS.

Up-to-date and periodically reviewed information security risk register.

Up-to-date and periodically reviewed ISMS incident management procedure.

Up-to-date and periodically reviewed information security risk register.

Evidence of the competence of the staff involved in the management of the ISMS.

The content of the document must contain:

☒ security zones map (area / buildings / rooms / parking and parking for test or prototype
cars) based on the risk analysis for the location,
☒ adequate protection measures: rules for granting / withdrawing access rights, behavior in
zones, bringing in and using portable IT mobile devices,
☒ people, who are in individual security zones are aware of the rules for use and behavior.
Documented in the form of an up-to-date and periodically reviewed internal regulation of the
company on the management of access rights, access control, applicable rules, the method of
requesting, processing and approving access rights, roles and responsibilities in this process.
Documents confirming the cyclical nature of the process together with the results of the last
completed access rights review for regular, privileged and technical accounts.

Additionally, a technical vulnerability assessment procedure / process description can be

prepared.

Additionally, the following should be taken into account:

☒ A detailed description of the risk analysis process of the company's suppliers and partners,
or a description of the due diligence process (if it includes an information security risk
analysis).
☒ Sample contract with sample suppliers.
☒ Risk analysis, selection, verification, approval and implementation of external vendors and
partners.
☒ Documented provision of guidelines on the adopted principles of maintaining information
security for partners and suppliers.