Vda Isa 5 1 en

INTERNAL #
Information Security Assessment
VDA ISA provides the basis for

- a self-assessment to determine the state of information security in an organization (e.g. company)
- audits performed by internal departments (e.g. Internal Audit, Information Security)
- a review in accordance with TISAX (Trusted Information Security Assessment Exchange, http://enx.com/tisax/)
VDA ISA consists of several tabs, the content and function of which are explained in the tab “Definitions”. The corresponding ac
requirements can be found in the tabs “Information Security”, “Data Protection” and “Prototype Protection”.
For Version 5, VDA ISA has been restructured with the requirements no longer presented in lines but in columns. Additionally, n
numbering has been introduced and topics have been combined. The numbering of ISA 4 has been retained in a separate colu
easier finding of control questions according to the previous structure or to facilitate rearrangement.
We recommend to gain an overview of the individual ISA tabs by using the “Definitions” tab. Then, commence with the
“Information Security” tab.
ENX WG ISA and the Working Group Information Security of the VDA wish you every success.
Publisher: VERBAND DER AUTOMOBILINDUSTRIE e. V. (VDA, German Association of the Automotive Industry); Behrenstr. 3
10117 Berlin; www.vda.de
© 2022 Verband der Automobilindustrie e.V., Berlin
INTERNAL#
Company / Organization:*
Address:*
Scope/TISAX Scope ID*
D&B D-U-N-S® No.*
Date of the assessment:*
Contact person:*
Telephone number:*
E-mail address:*
Creator:*
Signature:
Version: 5.1 | 04/27/2022

INTERNAL #

Maturity levels
The answer to the control questions is a maturity level in a generic maturity model used to quantify the maturity of the corresponding processes. Determination
of the maturity level requires that objective evidence of compliance with the requirements of the respective level is provided during the assessment. This is achieved, for
example, by means of work products resulting from the processes of the control questions or by means of interview statements by persons carrying out the process.
Maturity level 0 Maturity level 1 Maturity level 2

Name Incomplete Performed Managed
Principle A process does not exist, is not followed or not suitable to achieve the objective. A process is followed which is not or insufficiently documented (“informal A process achieving its objectives is followed. Process documentation and process
process”) and there is some evidence that it achieves its objective. implementation evidence are available.
Definition A process is not implemented or fails to achieve its process purpose. Little or no - The implemented process achieves its (process) purpose. Control of process implementation (PA 2.1):
evidence exists of any systematic achievement of the process purpose. - The intended base practices are verifiably performed. - Objectives for the performance of the process are identified.
- Implementation of the process is planned and monitored.
- Implementation of the process is adjusted to meet plans.
- Responsibilities and authorities for implementing the process are defined,
assigned and communicated.
- Resources and information necessary for implementing the process are
identified, made available, assigned and used.
- Interfaces between the involved parties are managed to ensure effective
communication and clear assignment of responsibilities.
Work Product Management (PA 2.2):

- Requirements for the work products of the process are defined
- Requirements for documentation and control of the work products are defined.
- Work products are appropriately identified, documented and controlled.
- Work products are reviewed in accordance with planned measures and adjusted
as necessary to meet requirements.
Possible evidence + Work products providing evidence of process outcomes. + Process documentation
(GWP) + Process plan
+ Quality plan/records
+ Process implementation records
INTERNAL #
Maturity level 3 Maturity level 4 Maturity level 5

Established Predictable Optimizing
A standard process integrated into the overall system is followed. Dependencies An established process is followed. The effectiveness of the process is continually A predictable process with continual improvement as a major objective is
on other processes are documented and suitable interfaces are created. Evidence monitored by collecting key figures. Limit values are defined at which the process followed. Improvement is actively advanced by means of dedicated resources.
exists that the process has been used sustainably and actively over an extended is considered to be insufficiently effective and requires adjustment. (Key
period. Performance Indicators)
Process Definition (PA 3.1): Process Measurement (PA 4.1): Process Innovation (PA 5.1)
- A standard process, including appropriately adapted requirements, is defined - Process information requirements in support of relevant defined business goals - Process improvement objectives are defined for the respective process that
which describes the essential elements a defined process must comprise. are established. supports the relevant business goals.
- The sequence and interaction of the standard process with other processes are - Process measurement objectives are derived from process information - Appropriate data are analyzed to identify the common causes of variations in
determined. requirements. process performance.
- Competencies and roles required for process implementation are identified as - Quantitative objectives for process performance in support of relevant defined - Appropriate data are analyzed to identify options for best practice and
part of the standard process. business goals are established. innovation.
- The infrastructure and work environment required for process implementation - Characteristic values and frequency of measurements are identified and defined - Improvement options derived from new technologies and new process concepts
are identified as part of the standard process. in line with process measurement objectives and quantitative objectives for are identified.
- Suitable methods for monitoring the effectiveness and suitability of the process process performance. - An implementation strategy is established to achieve the process improvement
are determined. - Results of measurement are collected, analyzed and reported in order to objectives.
monitor the extent to which the quantitative
Process Deployment (PA 3.2): objectives for process performance are met. Continuous optimization (PA 5.2):
- A defined process based on an appropriately selected and/or tailored standard - Measurement results are used to characterize process performance. - The impact of all proposed changes is assessed against the objectives of the
process is deployed. defined process and the standard process.
- Required roles, responsibilities and authorities for implementing the defined Process control (PA 4.2): - Implementation of all agreed changes is managed to ensure that any disruption
process are assigned and communicated. - Analysis and control techniques are determined and applied, as applicable. to the process performance is understood and addressed.
- Personnel performing the defined process are competent on the basis of - Variable control limits are established for normal process implementation. - Based on actual performance, effectiveness of process change is evaluated
appropriate education, training and experience. - Measurement data is analyzed for special variations. against the defined process requirements and process objectives to determine
- The necessary resources and information required for implementing the defined - Corrective actions are taken to address special variations. whether results are corresponding to common or special cases.
process are made available, allocated and used. - Control limits are re-established (as necessary) following corrective action.
- The necessary infrastructure and work environment required for implementing
the defined process are available, managed and maintained.
- Appropriate data is collected and analysed to gain a basic understanding of the
behaviour of the process, to demonstrate its suitability and effectiveness, and to
evaluate where continuous improvement of the process can be made.
+ Process documentation + Process documentation + Process improvement plan

+ Process plan + Process control plan + Process measurement plan
+ Quality records + Process improvement plan + Process implementation records
+ Policies and standards + Process measurement plan
+ Process implementation records + Process implementation records
INTERNAL #
Information Security Assessment -

Definitions
Tabs
Tab Description Intended use of tab
Welcome Welcome page. Information
Cover The cover contains boxes for information on the implementing organization, the scope of review, the auditor and For own use
the contact person of the organization under review.
VDA ISA intends the implementation to be assessed by means of a 5 step maturity model as defined in this tab. The
Maturity levels maturity levels comprise Incomplete, Performed, Managed, Established and Predictable. Information
With this VDA ISA version, the target maturity level for all control questions is consistently 3 (Established).
Under Definitions, the key terms of the requirements to be fulfilled are described. Requirements can be categorized
as MUST, SHOULD, additionally in case of HIGH protection needs and additionally in case of VERY HIGH protection
Definitions needs. This subdivision is necessary as information of high and very high protection needs requires special Information
protective measures.
Additionally, key terms and abbreviations are listed and explained in this tab.
The tab “Information Security” includes all basic controls based on the standard ISO/IEC 27001. The controls
themselves are formulated as questions. The objective of the respective control and the requirements for achieving
it are listed in accordingly designated columns.
Here, each control must invariably be assessed according to the degree to which the objective is achieved. The
Information Security assessment of the maturity levels (as described in the tab “Maturity levels”) of each control is recorded in the box Implementation requirements
(column E) and automatically transferred to the tab “Results”.
Additional columns give examples to support potential implementation.
Here, requirements always refer to the own company with respect to its organization, processes and infrastructure.
Requirements never refer to products put on the market by your company. Requirements for safe product
development are not part of this module.
Prototype protection includes vehicles, components and parts which are classified as requiring protection but have
not yet been presented to the public and/or published in adequate form by the OEM.
Prototype Protection The commissioning department of the OEM is responsible for classifying the protection need of vehicles, Implementation requirements
components and parts. The minimum requirements for prototype protection are to be applied for protection classes
High and Very high according to ISA.
Data Protection This tab is to be edited additionally in case of processing within the meaning of Art. 28 of the EU General Data Implementation requirements
Protection Regulation and contains controls requiring merely yes/no answers.
Here, the results of the individual tabs (review catalog pages) are summarized and presented in printing format. For
presentation purposes, the new simplified form according to ISA 5 is use.
The spider web diagram provides an overview of all controls. The list of all controls shows the target maturity levels
Results (ISA5) to be achieved. Presentation of results
When calculating the overall result, the results of controls overachieving their target maturity level are cutback and
averaged. This ensures that the requirements are comprehensively fulfilled and that there is no compensation of
overachieved and underachieved controls.
INTERNAL #
Here, the results of the individual tabs (review catalog pages) are summarized and presented in printing format in
the known form according to ISA 4.
The list of all controls shows the target maturity levels to be achieved.
Results (ISA4) When calculating the overall result, the results of controls overachieving their target maturity level are cutback and Presentation of results
averaged. This ensures that the requirements are comprehensively fulfilled and that there is no compensation of
overachieved and underachieved controls.
This tab shows examples of Key Performance Indicators (KPI) for measuring process results both for controls for
which the ISA has defined a target maturity level of 4 and for controls where a measurement appears useful. The tab
Examples KPI content provides support for identifying own suitable KPIs. It does not present mandatory requirements for Examples and support
achieving maturity level 4. For controls having a target maturity level of 3 or less, definition of KPIs is not mandatory,
but may be helpful for a central management of information security at many locations.
License License conditions under which the VDA ISA is published. Information
Change history List of changes over the VDA ISA lifecycle. Information
Key terms
Term Explanation Examples
Protection class “normal”, The potential damage to the organization is limited and manageable. Confidentiality classification “internal”
normal protection needs
Protection class “high”, The potential damage to the organization may be substantial. Confidentiality classification “confidential”
high protection needs
Protection class “very high”, The potential damage can reach a level of potentially threatening or disastrous impact on the organization’s
very high protection needs existence. Confidentiality classification “strictly confidential”
Requirements (must) The requirements indicated in this column are strict requirements without any exemptions.
Principally, the requirements indicated in this column must be implemented by the organization. In certain
Requirements (should) circumstances, however, there may be a valid justification for non-compliance with these requirements. In case of
any deviation, its effects must be understood by the organization and it must be plausibly justified.
Additional requirements in case of high The requirements indicated in this column must additionally be met if the tested subject has high protection needs.
protection needs
Additional requirements in case of very high The requirements indicated in this column must additionally be met if the tested subject has very high protection
protection needs needs.
In the result tabs ISA5 and ISA4 (spider web diagram), all results are presented as assessed. The line for the target
Result (Maturity level) maturity level does not consider controls marked “n.a”. When calculating the average, however, the maximum
achievable target maturity level is taken into account.
INTERNAL #
Glossary
Term Explanation Examples
Business Continuity Management (BCM) BCM is intended to ensure the functionality of business-critical processes within the organization during and after
any crisis situation.
An external service is the processing of company information outside the audit scope.
(e.g. ext. hosting, O365 cloud services, AWS, web services such as Kaspersky anti-virus dashboards on the web, SIEM
services provided by ext. companies, etc.)
Cloud/external IT services Important for rejecting non-relevant web services:
• Cloud service: Damage may have direct impact on the company (CIA)
• Data are externally processed in a confidential/strictly confidential manner (e.g. not by translating individual
words)
Non-disclosure agreements (NDA) Non-disclosure agreements provide legal protection of an organization’s information particularly where information
is exchanged beyond the boundaries of the organization.
Generic work product (GWP) Any work product resulting from the execution of a process.
Information Owner/Information Officer/Data Person or organizational body preparing data or making data available for use and being able to provide information
Owner on their protection needs.
The information security management system is a control mechanism used by the organization’s management to
Information security management system ensure that information security is the result of sustainable management rather than that of mere coincidence and
(ISMS) individual effort.
Information security risks Risks existing in the preparation and processing of information. These are based on potential events having negative
impact on achieving the protection goals of information security.
The information security risk management is required for an early detection, assessment and handling of risks in
Information security risk management (ISRM) order to achieve the protection goals of information security. Hence, it enables the organization to establish
adequate measures for the protection of its information assets while considering the associated chances and risks.
Supporting Asset Supporting assets (electronic and physical) are used for storing, processing and transporting information assets. Mobile data storage devices, IT systems, IT
services/IT service providers, paper documents
Information Asset Information of essential value to the organization. Business secrets, critical business processes, know-
how, patents
IT service Services in the field of information technology.
IT system Any type of system used for electronic information processing. Computer, server, cloud, communication systems,
video conference systems, smartphones, tablets
The value of the information for the organization is determined based on the relevant protection goals of
Classification of information information security (confidentiality, integrity and availability). Based on this, the information is classified according
to the classification scheme. This enables the organization to implement adequate protective measures.
Network service A network service is a service which is provided by an IT system and used by other IT systems to communicate with DHCP, DNS, https, STARTTLS
the system via a data network.
Original Equipment Manufacturer (OEM) Within the context of VDA ISA, this refers to an automobile manufacturer.
INTERNAL #
The term personal data is used for all information referring to an identified or identifiable person; a natural person
is considered to be identifiable if they can be directly or indirectly identified particularly by assignment to an
Personal data identifier, e.g. a name, to an identification number, to location data, to an online identification or to one or more
specific features describing the physical, physiological, genetic, psychological, economic, cultural or social identity of
this natural person.
Process Attributes (PA) A measurable characteristic for a process capability that is applicable to each process.
Prototype Prototypes are vehicles, components and parts which are classified as requiring protection but have not yet been
presented to the public and/or published in adequate form by the OEM.
INTERNAL #

Questionary
ISA ISA Maturity

Classic New level Control question Measures/recommendations
1 IS Policies and Organization

1.1 Information Security Policies
To what extent are information
security policies available?
05.1 1.1.1
1.2 Organization of Information Security

To what extent is information .
security managed within the
organization?
01.1 1.2.1

security responsibilities organized?
06.1 1.2.2
INTERNAL #

security requirements taken into
account in projects?
06.2 1.2.3
To what extent are the

responsibilities between external IT
service providers and the own
organization defined?
06.4 1.2.4
1.3 Asset Management

assets identified and recorded?
08.1 1.3.1

assets classified and managed in
terms of their protection needs?
08.2 1.3.2
To what extent is it ensured that

only evaluated and approved
external IT services are used for
processing the organization’s
information assets?
14.4 1.3.3
1.4 IS Risk Management

INTERNAL #

security risks managed?
01.2 1.4.1
1.5 Assessments
To what extent is compliance with
information security ensured in
procedures and processes?
18.4 1.5.1
To what extent is the ISMS

reviewed by an independent
authority?
18.3 1.5.2
1.6 Incident Management

INTERNAL #

security events processed?
16.1 1.6.1
2 Human Resources
To what extent is the qualification
of employees for sensitive work
fields ensured?
07.1.a 2.1.1
(new)
To what extent is all staff

contractually bound to comply with
information security policies?
07.1 2.1.2
INTERNAL #
To what extent is staff made aware

of and trained with respect to the
risks arising from the handling of
information?
07.2 2.1.3
To what extent is teleworking

regulated?
06.3.a
(new) 2.1.4
Physical Security and Business

3 Continuity
INTERNAL #
To what extent are security zones

managed to protect information
assets?
11.1 3.1.1
To what extent is information

security ensured in exceptional
situations?
17.1 3.1.2
To what extent is the handling of

supporting assets managed?
11.4 3.1.3
INTERNAL #
To what extent is the handling of

mobile IT devices and mobile data
storage devices managed?
06.3 3.1.4
4 Identity and Access Management

4.1 Identity Management
To what extent is the use of
identification means managed?
09.2.a 4.1.1
(new)
To what extent is the user access to

network services, IT systems and IT
applications secured?
09.1 4.1.2
INTERNAL #
To what extent are user accounts

and login information securely
managed and applied?
09.2 4.1.3
4.2 Access Management

To what extent are access rights
assigned and managed?
09.5 4.2.1
5 IT Security / Cyber Security

5.1 Cryptography
INTERNAL #
To what extent is the use of

cryptographic procedures
managed?
10.1 5.1.1

protected during transfer?
13.4 5.1.2
5.2 Operations Security

To what extent are changes
managed?
12.1 5.2.1
To what extent are development

and testing environments separated
from operational environments?
12.2 5.2.2
INTERNAL #
To what extent are IT systems

protected against malware?
12.3 5.2.3
To what extent are event logs

recorded and analyzed?
12.5 5.2.4
To what extent are vulnerabilities

identified and addressed?
12.7 5.2.5
INTERNAL #
To what extent are IT systems

technically checked (system audit)?
12.8 5.2.6
To what extent is the network of

the organization managed?
13.1 5.2.7
5.3 System acquisitions, requirement management and development

security considered in new or
further developed IT systems?
14.1 5.3.1
To what extent are requirements

for network services defined?
13.2 5.3.2
To what extent is the return and

secure removal of information
assets from external IT services
regulated?
08.4 5.3.3
INTERNAL #

protected in shared external IT
services?
09.6 5.3.4
6 Supplier Relationships
security ensured among contractors
and cooperation partners?
15.1 6.1.1
INTERNAL #
To what extent is non-disclosure

regarding the exchange of
information contractually agreed?
13.5 6.1.2
7 Compliance
To what extent is compliance with
regulatory and contractual
provisions ensured?
18.1 7.1.1
To what extent is the protection of

personally identifiable data taken
into account when implementing
information security?
18.2 7.1.2
01 ISMS
01.1 Release of an Information Security Management System (ISMS)
01.2 IS Risk Management
01.3 Effectiveness of the ISMS
Included in Question 01.1
01.3 na
05 Information Security Policies

05.1 Information Security Policy
INTERNAL #
06 Organization of Information Security

06.1 Assigning responsibility for information security
06.2 Information Security in projects
06.3 Mobile devices
06.4 Roles and responsibilities for external IT service providers
07 Human Resources Security
07.1 Contractual information security obligation of employees
07.2 Awareness and training of employees
08 Asset Management
08.1 Inventory of assets
08.2 Classification of information
08.3 Storage of information on mobile storage devices
08.3 na
08.4 Removal of externally stored information assets

09 Access Control
09.1 Access to networks and network services
09.2 User registration
09.3 Privileged user accounts
09.3 na
09.4 Confidentiality of authentication data

09.4 na
09.5 Access to information and applications

09.6 Separation of information in shared environments
10 Cryptography
10.1 Encryption
11 Physical and Environmental Security
11.1 Security zones
11.2 Protection against external influences and external threats
11.2 na
11.3 Protective measures in the delivery and shipping area

11.3 na
11.4 Use of equipment

12 Operations Security
12.1 Change Management
12.2 Separation of development, testing and operational environments
12.3 Protection against malware
12.4 Backup procedures
Included in questions 06.3 and 17.1
12.4 na
12.5 Event logging

12.6 Logging administration activities
12.6 na
12.7 Tracing of vulnerabilities (patch management)

12.8 Review of information systems
12.9 Consideration of critical administrative functions of cloud services
INTERNAL #
Question not applicable

12.9 na
13 Communications Security
13.1 Management of networks
13.2 Security requirements for networks/network services
13.3 Separation of networks (network segmentation)
13.3 na
13.4 Electronic exchange of information

13.5 Non-disclosure agreements for information exchange with third parties
14 System acquisition, development and
14.1 Requirements for the acquisition of information systems
14.2 Security in the software development process
14.2 na
14.3 Management of test data

14.3 na
14.4 Approval of external IT services

15 Supplier Relationships
15.1 Risk management in collaboration with suppliers
15.2 Review of service provision by suppliers
15.2 na
16 Information Security Incident Manag

16.1 Reporting system for information security incidents (incident management)
16.2 Processing of information security incidents
16.2 na
17 Information Security Aspects of Busi

17.1 Information Security Aspects of Business Continuity Management (BCM)
18 Compliance
18.1 Legal and contractual provisions
18.2 Confidentiality and protection of personally identifiable data
18.3 Audit of the ISMS by independent bodies
18.4 Effectiveness check
INTERNAL #
Further information
INTERNAL #
Contractual requirements include, for example, customer requirements

INTERNAL #
Focus point: Constructional and organizational measures

+ Security zone 1 (green): Area with constructional, technical or organizational or staff-related
security measures, not freely accessible, usually internal scopes
+ Security zone 2 (yellow): Area with additional protective measures, protection of information
assets with high protection needs, usually also confidential scopes (e.g. development know-
how)
+ Security zone 3 (red): Area of principally very high security requirements, protection of
information assets of very high protection needs, usually also strictly confidential scopes (e.g.
design)
Focus point image recording devices

Area 1 (green): Area with constructional, technical or organizational or personal security
measures, not freely accessible, usually internal scopes
Area 2 (yellow): Area with additional protective measures, protection of information assets
with high protection needs, usually also confidential scopes (e.g. development know-how)
Area 3 (red): Area with principally very high security requirements, protection of information
assets with very high protection needs, usually also strictly confidential scopes (e.g. design)
INTERNAL #
+ In case of externally operated IT infrastructure (e.g. server) and/or cloud solutions,

compliance with the encryption requirements according to control question 5.1.1 is ensured.
INTERNAL #
Within the context of VDA ISA, the term contractor includes both classic suppliers and
subcontractors but also classic service providers, freelancers or other partner companies. It also
includes cooperation partners (e.g. academic institutions, institutes).
The explanations below describe a possible procedure for fulfilling the requirements:
Identification of contractors and specification of protection needs and security requirements:
At first, all contractors must be identified (e.g. via the list of creditors of the accountants
department) in order to gain an initial overview.
For all contractors, the respective protection needs should be specified and the security
requirements derived according to their tasks and the relevance to own and customer’s
processes.
Generally, a large number of contractors is found not to require the assignment of relevant
protection needs and to be therefore not subject to security requirements (e.g. suppliers of
office stationary).
Ensuring implementation by the contractor:

In the next step, the applicable requirements must be made known to all security-relevant
contractors in a suitable manner and (contractually) fixed as being mandatory. Finally, a
decision should be made as to how the implementation of the security requirements can be
appropriately verified. For this purpose, adequate verification processes and procedures should
be defined according to the respective risk (and the associated protection needs). Their
purpose is to ensure that contractors implement the necessary requirements.
Establishment in standard processes:

The insights gained should be used to develop a comprehensible procedure and to integrate it
into the existing processes of the B2B / supplier management. This starts with the selection of
the contractor, where aspects of information security should already be taken into account
alongside criteria such as quality, adherence to delivery dates, credit rating etc. The
procurement process should be such that the relevance of information security has already
been taken into account beforehand (with respect to the procurement decision; contract
design; inspection requirements).
Furthermore, it is recommended to incorporate information security aspects into existing
processes for supplier evaluation which have already been established by e.g. an existing
quality management system.
Contractually specified deliverables (e.g. availability requirements) should be verified at regular
intervals. This can be done by e.g. regular analysis of service reports and SLAs.
INTERNAL #
Support:
Examples “Normal protection need”
INTERNAL #
Projects can be classified as follows

- CIAA (Confidentiality, Integrity, Availability, Authenticity)
- CIA (Confidentiality, Integrity, Availability)
It is not necessary to list all information assets individually; instead, categories can be
established (e.g. master data of employees – responsible body: Human Resources)
INTERNAL #
Security zone 1 (green)

Focus point: Constructional and organizational measures
Persons with access authorization (internal): According to the work task, each person within the
organization
Persons with access authorization (external): Written non-disclosure confirmation, non-
disclosure agreement with the partner company is in effect
Visitor policy: Registered visitors only, non-disclosure policy, unaccompanied presence in
designated areas permitted
Access control: Protection against unauthorized access
Visibility: Clean desk
Surveillance: If applicable, CCTV surveillance (criminal damage prevention)
Resistance values: Appropriate anti-intrusion measures, if possible, observe onion-shell
principle
Printer: No specific measures
Disposal of information: no specific measures

Carrying along:
Organization employee: Unsealed carrying permitted
Partner company employees/visitors: Unsealed carrying permitted
Use (e.g. photographing):
Organization employee: Use permitted
Partner company employees/visitors: Use not permitted
INTERNAL #
Desktop firewall, Linking to loopback interfaces

INTERNAL #
Possible measures:
- Use of security technologies such as firewall systems, intrusion detection and prevention
systems (IDS/IPS), network management tools, security software for networks for preventing
unintended data exchange.
INTERNAL #

It is crucial for this evaluation, whether the contractor’s work includes
1) gaining access to information or security zones of the company with normal protection
needs regarding confidentiality; or
2) providing or being able to modify relevant information with normal protection needs
regarding integrity; or
3) having relevant influence on processes or IT systems with normal protection needs regarding
availability (comp. to internal or customer-related SLAs).
Typical contractors with normal protection needs are e.g. cleaning services for general areas,
classic logistics companies or maintenance staff.
The minimum requirements for information security (in relation to the respective protection
goal) should be defined in a policy (e.g. information security policy for service providers). These
requirements can be based on the requirements of the ISA described herein in addition to the
company-specific requirements. This policy can be supplemented according to the specific
order.

The security requirements should be made known to the contractor, e.g. at procurement, in
briefings (project meetings) by corresponding documents (e.g. information security policy for
service providers) or when entering the premises (in case of contractors providing their services
on site). Compliance with the information security requirements should be contractually fixed.
At this point already, potential further subcontractors of the contractor should also be
considered, as relevant. This can be done by individual agreements such as general terms and
conditions of purchase, for example. In many cases, suppliers (e.g. IT service providers) already
assure compliance with security requirements in their standard contracts.
In order to ensure compliance with the requirements in a suitable manner, simple mechanisms
should be established. This may include, for example:
- The submission of at least a self-disclosure confirmed by the management (e.g. VDA ISA) or an
adequate attestation/certificate
- The right to and execution of irregular sampling and event-related inspections.
INTERNAL #
Corresponding provisions can be included in the following, for example:

- Author’s rights
- Cryptography
- Copyright
- Intellectual property
- Archiving
- Information security legislation
- Data protection
- Trade Secrets Act
- Contractually agreed provisions (GTC, terms and conditions of purchase, framework contracts,
individual contracts)
INTERNAL #
Support:
Examples “High protection need”
INTERNAL #
Security zone 2 (yellow)

Focus point: Constructional, technical and organizational measures
Stability of the outer skin (e.g. windows, doors, gates, walls, roof, floor) ensures basic
protection against intrusion attempts with simple tools such as screwdrivers, hammers, tongs
or wedges. Openable components in the outer skin are mechanically secured against
unauthorized opening (e.g. by means of lockable bolts, locks).
Evidence of adequate implementation must be provided by means of a corresponding risk
assessment under consideration of the determined risk class – Guidance for risk assessment:
Implementation of the requirement without minimum resistance time
Evidence of implementation can also be provided by means of acceptance protocols or
installation certificates according to resistance class standards such as RC 2 in accordance with
DIN EN 1627.
Persons with access authorization (internal): Limited circle of authorized persons, regular
verification of granted access rights, observation of need-to-know principle
Visitor policy: Registered visitors only, written non-disclosure confirmation, generally personal
escorting by own staff
Access control: Zone entrance is guarded by means of access controls (e.g. access reader,
locking system)
Visibility: Protective measures according to the risk assessment for the site or the IT systems
are established (e.g. local privacy screen/soundproofing)
Surveillance: if applicable, CCTV surveillance
Printer: PIN printing (print-to-me) or printer within the zone
Disposal of information within the zone according to control questions 3.1.3
Carrying along:
Organization employee: Unsealed carrying permitted
Partner company employees/visitors: Only sealed carrying permitted
Organization employee: Use at office workstations permitted, elsewhere only upon permission
Partner company employees/visitors: Use not permitted, use of organization-owned devices
upon permission
INTERNAL #
- e-mail encryption by means of TLS

- access to websites via https://
INTERNAL #

1) gaining access to information or security zones of the company with high protection needs
regarding confidentiality; or
2) providing or being able to modify relevant information with high protection needs regarding
integrity; or
3) having relevant influence on processes or IT systems with at least high protection needs
regarding availability (comp. to internal or customer-related SLAs).
Typical contractors with high protection needs are e.g. cleaning services autonomously cleaning
relevant security zones, IT service providers (e.g. data base administrators), consultants,
agencies and subcontractors (e.g. tool designers to whom project data need to be forwarded).
Obviously, contractors with high protection needs are subject to the minimum information
security requirements regarding the respective protection goal. These requirements should be
supplemented particularly by necessary general (see e.g. VDA ISA high protection needs) and
order-specific requirements.

Here, the procedure described for normal protection needs can be used for orientation.
Besides the obligation regarding implementation of an adequate information security level and
the non-disclosure obligation, a right to audit should be contractually fixed or appropriate
controls (regular auditing of the contractor) should be ensured. This may also include an
obligation to participate in TISAX.
- contractor requires TISAX label for high protection needs or equivalent (e.g. ISO 27001,
certificate of corresponding scope)
- right to and execution of regular sampling and event-related inspections.
INTERNAL #
Support:
Examples “Very high protection need”
INTERNAL #
Security zone 3 (red)

Focus point: Constructional, technical and organizational measures
Persons with access authorization (internal): Highly limited circle of authorized persons, regular
verification of granted access rights, observation of need-to-know principle
Visitor policy: Registered visitors only, written non-disclosure confirmation, permanent
escorting by own staff, inquiry whether any devices are carried along prior to entering the area
and corresponding device securing measures (see Table Optics)
Visibility: Protective measures according to the risk assessment for the site or the IT systems
are established (e.g. permanent privacy shielding/soundproofing)
Surveillance: if applicable, CCTV surveillance, if applicable, intrusion detection system
Resistance values: In the absence of enclosure, windows and doors in the outer skin designed
according to RC2 or equivalent depending on risk assessment
Printer:
PIN printing (print-to-me) or printer within the zone
Disposal of information within the zone according to control questions 3.1.3
Carrying along:
Organization employee: Only sealed carrying permitted
Partner company employees/visitors: Carrying generally prohibited
Organization employee: Use only upon permission
Partner company employees/visitors: Use generally prohibited
INTERNAL #
- e-mail encryption by means of S/MIME, PGP

- encrypted PDF files, encrypted ZIP files
INTERNAL #

1) gaining access to information or security zones of the company with very high protection
needs regarding confidentiality; or
2) providing or being able to modify relevant information with very high protection needs
regarding integrity; or
3) having relevant influence on processes or IT systems with at least very high protection needs
regarding availability (comp. to internal or customer-related SLAs).
Typical contractors with very high protection needs are IT service providers (e.g. domain
administrators), consultants, agencies, subcontractors (e.g. CAD designers to whom extensive
project data of very high protection needs need to be forwarded) and prototype
manufacturers.
Obviously, contractors with very high protection needs are subject to the minimum information
security requirements regarding the respective protection needs. These requirements should
be supplemented particularly by necessary general (see e.g. VDA ISA very high protection
needs) and order-specific requirements. The difference to high protection needs is essentially
the number and quality of the necessary additional requirements.

Here, the procedure described for high protection needs can be used for initial orientation.
Besides the obligation regarding implementation of an adequate information security level and
the non-disclosure obligation, a right to audit should be contractually fixed or appropriate
controls (regular auditing of the contractor) should be ensured. This should also include an
obligation to participate in TISAX.
- contractor requires TISAX label for very high protection needs
- right to and execution of regular and event-related thorough inspections (if applicable,
supplemented with supporting certificates).
INTERNAL #
Possible questions (examples, not mandatory)

INTERNAL #
+ Which contractors/service providers receive or process data in

need of protection?
+ Which contractors/service providers are granted access to security
zones?
+ Are any further contractual agreements regarding information
security other than the non-disclosure agreement in effect?
+ How is the compliance with contractual agreements by the
contractor/service provider verified?
+ At which points within the company are risk assessments regarding
the employment of contractors/service providers conducted?
+ Is an information security policy for contractors/service providers
in place?
+ How is the compliance with policies by the contractors/service
providers verified?
+ Which contractors/service providers have been/are reviewed?
+ How is the review documented?
+ Which criteria trigger an assessment process?
+ How are the services rendered by contractors/service providers
reviewed?
+ Are networks/IT systems maintained by contractors/service
providers?
+ How do you prevent that contractors/service providers can gain
unauthorized access to information of high/very high protection
needs?
INTERNAL #
Possible evidence (not mandatory)

INTERNAL #
+ Template NDA with contractor

+ Example of undersigned NDA
+ Example of risk assessment (Focus point: Information security aspects)
+ Information security policy for service providers/contractual terms and
conditions regarding information security
+ Process description B2B/supplier management (e.g. selection, evaluation,
qualification of suppliers)
+ Viewing of self-disclosures
+ Viewing of attestations/certificates of selected suppliers (e.g. TISAX label;
ISO 27001 certificate)
+ Example of conducted supplier evaluation (focus on information security
aspects)
+ Viewing of audit reports
+ List of approved contractors
+ Viewing of SLA Reporting
INTERNAL #
Information Security Assessment -

Additional prototype protection requirements
ISA ISA Maturity Control question

Classic New level
Prototype Protection
25 8
Physical and Environmental Security

25.1 8.1
To what extent is a security concept

available describing minimum
requirements regarding the physical and
environmental security for prototype
protection?
25.1.1 8.1.1
To what extent is perimeter security

existent preventing unauthorized access
25.1.2 8.1.2 to protected property objects?
To what extent is the outer skin of the

protected buildings constructed such as
to prevent removal or opening of outer-
25.1.3 8.1.3 skin components using standard tools?
To what extent is view and sight

25.1.4 8.1.4 protection ensured in defined security
areas?
To what extent is the protection against

unauthorized entry regulated in the
form of access control?
25.1.5 8.1.5
To what extent are the premises to be

secured monitored for intrusion?
25.1.6 8.1.6
INTERNAL #
To what extent is a documented visitor

management in place?
25.1.7 8.1.7
To what extent is on-site client

segregation existent?
25.1.8 8.1.8
Organizational Requirements
25.2 8.2
To what extent are non-disclosure

agreements/obligations existent
according to the valid contractual law?
25.2.1 8.2.1
To what extent are requirements for
commissioning subcontractors known
and fulfilled?
25.2.2 8.2.2
To what extent do employees and
project members evidently participate
in training and awareness measures
regarding the handling of prototypes?
25.2.3 8.2.3
INTERNAL #
To what extent are security

classifications of the project and the
resulting security measures known?
25.2.4 8.2.4
To what extent is a process defined for
granting access to security areas?
25.2.5 8.2.5
To what extent are regulations for
image recording and handling of created
image material existent?
25.2.6 8.2.6
To what extent is a process for carrying
along and using mobile video and
photography devices in(to) defined
security areas established?
25.2.7 8.2.7
Handling of vehicles, components and
parts
25.3 8.3
To what extent are transports of
vehicles, components or parts classified
as requiring protection arranged
according to the customer
requirements?
25.3.1 8.3.1
To what extent is it ensured that
vehicles, components and parts
classified as requiring protection are
parked/stored in accordance with
customer requirements?
25.3.2 8.3.2
Requirements for trial vehicles
25.4 8.4
To what extent are the predefined

camouflage regulations implemented by
the project members?
25.4.1 8.4.1
INTERNAL #
To what extent are measures for

protecting approved test and trial
grounds observed/implemented?
25.4.2 8.4.2
To what extent are protective measures
for approved test and trial drives in
public observed/implemented?
25.4.3 8.4.3
Requirements for events and shootings
25.5 8.5
To what extent are security
requirements for presentations and
events involving vehicles, components
or parts classified as requiring
25.5.1 8.5.1 protection known?
To what extent are the protective

measures for film and photo shootings
involving vehicles, components or parts
classified as requiring protection
known?
25.5.2 8.5.2
INTERNAL #
Objective
Prototype protection includes vehicles, components and parts which are

classified as requiring protection but have not yet been presented to the public
and/or published in adequate form by the OEM.
The commissioning OEM department is responsible for classifying the protection
need of vehicles, components and parts. The minimum requirements for
prototype protection for the protection classes high and very high must be
applied according to VDA ISA.
The requirements described in this clause apply to all companies which, on their
own properties, manufacture, store or are provided for use vehicles,
components or parts classified as requiring protection.
The necessary measures for prototype protection must be applied to and

implemented on properties and facilities of suppliers, development partners and
service providers. A security concept must be established by the respective
operator. Implementation and observation of the physical and environmental
security measures defined in the security concept must be ensured by the
responsible operator.
Unauthorized access to properties where vehicles, components or parts

classified as requiring protection are manufactured, processed or stored shall be
prevented.
Unauthorized access to buildings/security areas where vehicles, components or

parts classified as requiring protection are manufactured, processed or stored
shall be prevented.
It must be ensured that unauthorized viewing of vehicles, components or parts

classified as requiring protection is prevented.
It must be ensured that all points of access to security areas where vehicles,
components or parts classified as requiring protection are manufactured,
processed or stored are protected against unauthorized entry by adequate
measures.
It must be ensured that premises where vehicles, components or parts classified

as requiring protection are manufactured, processed or stored are monitored for
intrusion. Timely alarm processing is ensured.
INTERNAL #
Protection against unauthorized access to security areas where vehicles,

components or parts classified as requiring protection are manufactured,
processed or stored, including traceable documentation.
In order to ensure protection of the client-specific know-how at all times, a clear

segregation of clients must be ensured. This particularly involves protection
against unauthorized viewing and access to areas where vehicles, components or
parts classified as requiring protection are processed or stored.
The requirements described in this clause apply to all companies which

manufacture or are provided for use vehicles, components or parts classified as
requiring protection.
When transmitting information classified as requiring protection, it must be

ensured that external organizations are obliged to meet the information security
requirements and that the related necessary measures are implemented. The
necessary legal basis for this obligation is provided by non-disclosure
agreements. Hence, it must be ensured that information classified as requiring
protection is transmitted only if such a non-disclosure agreement has been
entered and is legally effective.
When involving subcontractors, the minimum requirements for prototype

protection must be met.
In trainings/awareness seminars on the subject of prototype protection,

employees must obtain the necessary knowledge and skills for a security-
conscious handling of vehicles, components and parts classified as requiring
protection.
INTERNAL #
It must be ensured that the security classification and requirements in relation to

the project progress are known to and observed by each project member.
A process is defined for the protection against unauthorized access to security

areas where vehicles, components or parts classified as requiring protection are
manufactured, processed or stored.
Regulations for recording images of vehicles, components or parts classified as

requiring protection must be defined in order to prevent unauthorized creation
or transmission of such image material.
A process is defined for carrying along and using mobile video and photography
devices in(to) security areas where vehicles, components or parts classified as
requiring protection are manufactured, processed or stored. Unauthorized
creation or transmission of image material must be prevented.
While being transported, vehicles, components and parts classified as requiring

protection must be protected against unauthorized viewing, unauthorized image
recording and access.
While being parked/stored, vehicles, components and parts classified as

requiring protection must be protected against unauthorized viewing,
unauthorized photography and access.
A process for obtaining customer-specific requirements for the handling of trial

vehicles classified as requiring protection is described and implemented. The
requirements described in this chapter are not relevant to components and
parts.
When using own properties, the controls described in Clauses 8.1, 8.2 and 8.3
must also be verified. When not using own properties, merely the requirements
of Clauses 8.2 and 8.3 must be met.
It must be ensured, that the camouflage regulations are known to each project
member and observed in order to guarantee adequate view protection of trial
vehicles.
INTERNAL #
In order to maintain an undisturbed and secured trial operation on test and trial
grounds, the respective protective measures defined by the customer must be
observed.
It must be ensured that the respective customer requirements for the operation
of trial vehicles classified as requiring protection on public roads are known and
observed.
Customer-specific security requirements for events and shootings involving

vehicles, components or parts classified as requiring protection are known to
each project member. This must be demonstrated by each company
commissioned with the planning, preparation or execution of events or
shootings.
When using own properties, the controls described in Clauses 8.1, 8.2 and 8.3
must also be verified. When not using own properties, merely the requirements
of Clauses 8.2 and 8.3 must be met.
It must be ensured that the respective customer-specific security requirements

for presentations and events involving vehicles, components or parts classified
as requiring protection are known.
It must be ensured that the respective customer-specific security requirements

for film and photo shootings involving vehicles, components or parts classified as
requiring protection are known.
INTERNAL #
Requirements
(must)
+ A security concept under consideration of the following aspects is

established:
- stability of outer skin,
- view and sight protection,
- protection against unauthorized entry and access control,
- intrusion monitoring,
- documented visitor management,
- client segregation.
+ Unauthorized access to properties is not possible.
+ Unauthorized access to buildings/security areas is not possible.
+ Unauthorized viewing of new developments needing high or very high

protection is not possible.
+ At least one of the following three requirements must be implemented:

- mechanical locks with documented key assignment,
- electronic access systems with documented authorization assignment,
- personal access control including documentation.
+ Intrusion monitoring of the premises to be secured is ensured:

- An intrusion detection system exists which complies with DIN EN 50131
or conforms to VDS or similar and functions with alarm tracking to a
certified security service or control unit (e.g. according to DIN 77200,
VdS 3138),
- or 24/7 guarding by a certified security service.
+ Alarm plans are available.
+ Timely alarm processing is ensured.
INTERNAL #
+ Registration obligation for all visitors.

+ Documented non-disclosure obligation prior to access.
+ Publication of security and visitor regulations.
+ Country-specific legal provisions regarding data protection are to be
observed.
+ Spatial separation by staff-related or technical measures is in effect

according to the following aspects:
- customers, and/or
- projects,
- where segregation is not in effect, explicit approval by the customer is
required.
+ A non-disclosure agreement:
- between contractor and customer (company level),
- with all employees and project members (personal obligation).
+ Country-specific legal provisions regarding data protection are to be
observed.
+ Approval by the original customer.

+ contractually valid non-disclosure agreement exists:
- between contractor and subcontractor (company level),
- with all employees and project members of the subcontractor (personal
obligation).
+ Ensuring compliance with the security requirements of the actual
customer (proof is obtained).
+ Proof of the subcontractor’s compliance with minimum requirements for
prototype protection (e.g. certificate, attestation) is provided.
+ Ensuring execution of trainings / awareness programs by the

management.
+ Training of employees and project members when joining the project
regarding the handling of prototypes.
+ Regular (at least annual) training of employees regarding the handling of
prototypes.
+ Ensuring knowledge among employees and project members regarding
the respective protection needs and the resulting measures within the
company.
+ Mandatory participation of each employee and project member in the
trainings and awareness measures.
+ The completed measures are to be documented.
+ The training concept for prototype protection is an integral part of the
general training concept (see also control question 2.1.3 Information
Security).
INTERNAL #
+ Ensuring that the security classification and requirements in relation to

the project progress are made known to each project member.
+ Consideration of step-by-step plans, measures for secrecy and
camouflage, development policies.
+ The requirements are considered as a requirement regarding the
information security of the project (see Controls 1.2.3 and 7.1.1 Information
Security).
+ Responsibilities for access authorization are clearly specified and

documented.
+ A process for new assignments, changes and revocations of access rights
is in place.
+ Code of conduct in case of the loss/theft of access control means.
+ Approval procedures for image recording.

+ Specification for classification/categorization of image material.
+ Secure storage of image material.
+ Secure deletion/disposal of image material no longer required.
+ Secured transmission/shipping of image material to authorized recipients
only.
+ Specification for carrying along (e.g. sealed/unsealed, etc.).

+ Specification for use (e.g. phone calls, photography, etc.).
+ A process for obtaining customer-specific requirements for the transport

of vehicles, components and parts classified as requiring protection is
described and implemented.
+ The security requirements defined by the customer are known and
observed.
+ The logistics/transport companies explicitly approved by the customer are
commissioned.
+ A process for reporting any security-relevant events to the customer is
+ The customer-specific requirements for parking/storage are verifiably

known and observed.
+ The requirements for using the respective camouflage are known to the
project members.
+ Any changes to the camouflage are made upon documented agreement
with the customer.
+ A process for the immediate reporting of any damages to the camouflage
is described and implemented.
INTERNAL #
+ A process for obtaining customer-specific requirements for the use of trial

vehicles classified as requiring protection on test and trial grounds is
+ The following aspects must be known to users of test and trial grounds:
- a current list of customer-approved test and trial grounds
- code of conduct for ensuring undisturbed trial operation
- customer-defined protective measures These are implemented.
+ A process for obtaining customer-specific requirements for the operation

of trial vehicles classified as requiring protection on public roads is
+ Protective measures defined by the customer are known and observed.
+ The code of conduct in case of special incidents (e.g. breakdown, accident,
theft...) is known and observed.
+ A process for obtaining customer-specific requirements for presentations

and events involving vehicles, components or parts classified as requiring
protection is described and implemented.
+ Established and customer-approved security concepts (organizationally,
technically,
staff-related).
+ Code of conduct in case of special incidents.
+ A process for obtaining customer-specific requirements for film and photo

shootings involving vehicles, components or parts classified as requiring
protection is described and implemented.
+ Proof of approval for the presumably used premises.
+ Established and customer-approved security concepts (organizationally,
technically,
staff-related).
+ Code of conduct in case of special incidents.
INTERNAL #
Requirements Additional requirements

(should) for vehicles classified as requiring protection
+ Perimeter security. None
+ Suitable barriers are in place such as: None

- artificial barriers (fence systems, walls),
- technical barriers (detection),
- natural barriers (growth, vegetation).
+ Solid construction (masonry, concrete, reinforced concrete or None

prestressed concrete).
+ Windows and doors in the outer skin are to be built in compliance
with RC2 or better.
+ Sight protection through relevant glass surfaces is ensured. + The spatial situation is also suitable for
+ View into defined security areas through open protecting vehicles classified as requiring
doors/gates/windows is prevented. protection against unauthorized view.
None + The spatial situation is also suitable for

protecting vehicles classified as requiring
protection against unauthorized access.
None None
INTERNAL #
None None
None + The spatial situation is also suitable for

implementing client segregation for vehicles
classified as requiring protection.
None None
None None
None None
INTERNAL #
None None
None None
None None
None None
None None
None None
None None
INTERNAL #
None None
None None
None None
None None
INTERNAL #
Usual person responsible

for process Reference to other Measures/recommendations
standards
implementation
.
INTERNAL #
Date of detection Date of completion Responsible

department
INTERNAL #
Contact
INTERNAL #
Further information
INTERNAL #
Support:
INTERNAL #
Support:
INTERNAL #
Support:
INTERNAL #
Possible questions (examples, not mandatory)

INTERNAL #
Possible evidence (not mandatory)

INTERNAL #
Column4
INTERNAL #

Additional questions regarding data protection for determining a service
ISA ISA Assessment Control question

Classic New
24 9 Data Protection
To what extent is the implementation of data protection

organized?
24.1 9.1
To what extent are organizational measures taken in order

to ensure that personally identifiable data is processed in
conformance with legislation?
24.2 9.2
To what extent is it ensured that the internal processes or

workflows are carried out according to the currently valid
data protection regulations and that these are regularly
subjected to a quality check?
24.3 9.3
INTERNAL #
To what extent are the relevant processing procedures

documented with regard to their admissibility according to
data protection law?
24.4 9.4
INTERNAL #
ction for determining a service provider’s basic suitability to act as a processor within
Requirements
+ Appointment of a data protection officer where legally required, otherwise appointment of a person responsible for data protection
+ Organizational implementation of data protection
- Integration of the data protection officer into the corporate structure
- Voluntary or obligatory appointment of a data protection officer
- Full-time or part-time data protection officer
- Internal or external data protection officer
- Support of the data protection officer by directly assigned employees (department “Data Protection”) depending on the company
- Support of the data protection officer by data protection coordinators in the company departments depending on the size of the c
(e.g. Marketing, Sales, Human Resources, Logistics, Development, etc.)
+ Specification of data protection principles (processing of personally identifiable data) in a documented company-internal data protec
(e.g. company-internal guideline).
+ Implementation of company-internal steering committees or responsibilities - in collaboration with the data protection officer - addr
topics relevant to data protection.
+ Implementation of a process which ensures the involvement of the data protection officer in any topics relevant to data protection (
context of a data protection impact assessment).
+ Documentation of work processes when processing personally identifiable data.
+ Documentation of statements and comments of the data protection officer regarding data protection law assessments.
+ Implementation of a process by means of which - in case a subcontracting processor is commissioned - the processor is by contractu
legal provisions subject to the same data protection obligations as specified by contract between the responsible person and the proce
+ Company-internal work instructions or manuals in specific task fields concerning the processing of personally identifiable data.
+ Employees’ (and, if applicable, subcontractors’) confidentiality obligation.
+ Implementation of technical and organizational measures for supporting the controller in handling data subject rights as far as feasib
appropriate for processing.
+ Implementation of reporting processes for immediately informing the customer, under consideration of any subcontractors, so the l
reporting deadlines for data protection incidents can be observed.
+ Documentation of subcontracting relationships including contractual regulations with relevant subcontractors, where any right to in
contractual regulation is in any case limited to the subcontractor’s obligations concerning data protection.
+ Implementation of a process for the documentation of instructions in terms of data protection legislation.
+ Ability to implement deletion concepts.
+ Implementation of a procedure for regular review, assessment and evaluation of TOM.
+ Proof of regular review and optimization of the data protection management system (e.g. certification).
+ Measures for observing confidentiality and integrity when transferring personally identifiable data.
+ Adequate protection mechanisms for reducing unauthorized access to personally identifiable data.
+ Obligatory training of employees entrusted with the processing of personally identifiable data of the customer (e.g. classroom trainin
+ Ensuring implementation of contracts and customer instructions.
INTERNAL #
+ Documentation of essential activities associated with the processing of personally identifiable data in accordance with legal requirem
+ Customer support for the execution of data protection impact assessments and the documentation of their results.
+ Informing the customer when detecting unlawful data processing, where applicable, under consideration of different national legisla
INTERNAL #
the meaning of Article 28 of the EU General Data Protection Regulation
Usual person responsible for process

implementation
INTERNAL #
ection Regulation
Measures/recommendations Date of detection

INTERNAL #
Date of completion Responsible department Contact

INTERNAL #
Further information
INTERNAL #
Support:
INTERNAL #
Support:
INTERNAL #
Support:
INTERNAL #
Possible questions (examples, not Possible evidence (not mandatory)

mandatory)
INTERNAL #

Results according to VDA ISA 5
Company: 0
Scope ID: 0
Date: 12/30/1899
Result with cutback to target
maturity level:
Maximum score: 3.00
Result per chapter (without cutback):

1 IS Policies and Organization
8 Prototypte Protection (na) 2 Human Resources

4
7 Compliance 0 3 Physical Security and Business Continuity
6 Supplier Relationships 4 Identity and Access Management

Result Target maturity level
5 IT Security/Cyber Security
Result per subchapter (without cutback):

1.1 Information Security Policies
8.5 Prototypte Protection - Requirements for events and shootings (na) 1.2 Organization of Information Security
5
8.4 Prototypte Protection - Requirements for trial vehicles (na) 1.3. Asset Management
4
8.3 Prototypte Protection - Handling of vehicles, components and parts (na) 1.4. IS Risk Management
3
8.2 Prototypte Protection - Organizational Requirements (na) 2 1.5 Assessments
8.1 Prototypte Protection - Physical and Environmental Security (na) 0 1.6 Incident Management
7.1 Compliance 2.1 Human Resources
6.1 Supplier Relationships 3.1 Physical Security and Business Continuity

5.3 System acquisitions, requirement management and development 4.1 Identity Management
5.2 Operations Security 4.2 Access Management

5.1 Cryptography
INTERNAL #

Results
maturity level:
Maximum score: 3.00
Details:
Target
No. Subject maturity Result
level
1.1.1 To what extent are information security policies available? 3
1.2.1 To what extent is information security managed within the organization? 3
1.2.2 To what extent are information security responsibilities organized? 3
1.2.3 To what extent are information security requirements taken into account in projects? 3
1.2.4 To what extent are the responsibilities between external IT service providers and the own organization 3
defined?
1.3.1 To what extent are information assets identified and recorded? 3
1.3.2 To what extent are information assets classified and managed in terms of their protection needs? 3
1.3.3 To what extent is it ensured that only evaluated and approved external IT services are used for 3
processing the organization’s information assets?
1.4.1 To what extent are information security risks managed? 3
1.5.1 To what extent is compliance with information security ensured in procedures and processes? 3
1.5.2 To what extent is the ISMS reviewed by an independent authority? 3
1.6.1 To what extent are information security events processed? 3
2.1.1 To what extent is the qualification of employees for sensitive work fields ensured? 3
2.1.2 To what extent is all staff contractually bound to comply with information security policies? 3
2.1.3 To what extent is staff made aware of and trained with respect to the risks arising from the handling of 3
information?
2.1.4 To what extent is teleworking regulated? 3
3.1.1 To what extent are security zones managed to protect information assets? 3
3.1.2 To what extent is information security ensured in exceptional situations? 3
3.1.3 To what extent is the handling of supporting assets managed? 3
3.1.4 To what extent is the handling of mobile IT devices and mobile data storage devices managed? 3
4.1.1 To what extent is the use of identification means managed? 3
4.1.2 To what extent is the user access to network services, IT systems and IT applications secured? 3
4.1.3 To what extent are user accounts and login information securely managed and applied? 3
4.2.1 To what extent are access rights assigned and managed? 3
5.1.1 To what extent is the use of cryptographic procedures managed? 3
5.1.2 To what extent is information protected during transfer? 3
5.2.1 To what extent are changes managed? 3
5.2.2 To what extent are development and testing environments separated from operational environments? 3
5.2.3 To what extent are IT systems protected against malware? 3

INTERNAL #
5.2.4 To what extent are event logs recorded and analyzed? 3
5.2.5 To what extent are vulnerabilities identified and addressed? 3
5.2.6 To what extent are IT systems technically checked (system audit)? 3
5.2.7 To what extent is the network of the organization managed? 3
5.3.1 To what extent is information security considered in new or further developed IT systems? 3
5.3.2 To what extent are requirements for network services defined? 3
5.3.3 To what extent is the return and secure removal of information assets from external IT services 3
regulated?
5.3.4 To what extent is information protected in shared external IT services? 3
6.1.1 To what extent is information security ensured among contractors and cooperation partners? 3
6.1.2 To what extent is non-disclosure regarding the exchange of information contractually agreed? 3
7.1.1 To what extent is compliance with regulatory and contractual provisions ensured? 3
7.1.2 To what extent is the protection of personally identifiable data taken into account when implementing 3
information security?
Method: - comparison of the top 41 security topics 3.00

- based on ISO 27001 controls
- evaluated according to SPICE ISO 15504
INTERNAL #

Results - Prototype Protection
maturity level:
Maximum score: 3.00
Details:
Target
level
8.1 Physical and Environmental Security
8.1.1 Security concept 3
8.1.2 Perimeter security 3
8.1.3 Stability of outer skin 3
8.1.4 View and sight protection 3
8.1.5 Protection against unauthorized entry and access control 3
8.1.6 Intrusion monitoring 3
8.1.7 Visitor management 3
8.1.8 Client segregation 3
8.2 Organizational Requirements
8.2.1 Non-disclosure obligations 3
8.2.2 Subcontractors 3
8.2.3 Awareness 3
8.2.4 Security classification 3
8.2.5 Access control 3
8.2.6 Film and photo regulations 3
8.2.7 Mobile video and photography devices 3
8.3 Handling of vehicles, components and parts
8.3.1 Transport 3
8.3.2 Parking and storage 3
8.4 Requirements for trial vehicles
8.4.1 Camouflage 3
8.4.2 Test and trial ground 3
8.4.3 Test and trial drives on public roads 3
8.5 Requirements for events and shootings
8.5.1 Presentations and events 3
8.5.2 Film and photo shootings 3
INTERNAL #

Results according to VDA ISA 4 (ISO 2700x)
Company: 0
Scope ID: 0
Date: 12/30/1899
maturity level:
Maximum score: 3.00
Result per chapter (without cutback):

1 ISMS
25 Prototype Protection (na) 5 Information Security Policies
5
18 Compliance 6 Organization of Information Security

4
3
17 Information Security Aspects of Business Continuity Management 7 Human Resources Security
2
16 Information Security Incident Management 0 8 Asset Management
15 Supplier Relationships 9 Access Control
14 System acquisition, development and maintenance 10 Cryptography
13 Communications Security 11 Physical and Environmental Security

12 Operations Security
INTERNAL #

Results
maturity level:
Maximum score: 3.00
Details:
Target
level
01.1 Release of an Information Security Management System (ISMS) 3
01.2 IS Risk Management 3
01.3 Effectiveness of the ISMS na na
05.1 Information Security Policy 3
06.1 Assigning responsibility for information security 3
06.2 Information Security in projects 3
06.3 Mobile devices 3
06.3.a (new) Teleworking 3
06.4 Roles and responsibilities
Contractual for external
information security IT service providers
obligation 3
07.1 of employees 3
07.1.a (new) Qualification of employee(s) 3
07.2 Awareness and training of employees 3
08.1 Inventory of assets 3
08.2 Classification of information 3
08.3 Storage of information on mobile data storage devices na na
08.4 Removal of externally stored information assets 3
09.1 Access to networks and network services 3
09.2 User registration 3
09.2.a (new) Handling of identification means 3
09.3 Privileged user accounts na na
09.4 Confidentiality of authentication data na na
09.5 Access to information and applications 3
09.6 Separation of information in shared environments 3
10.1 Encryption 3
11.1 Security zones 3
11.2 Protection against external influences and external threats na na
11.3 Protective measures in the delivery and shipping area na na
11.4 Use of equipment 3
12.1 Change Management 3
12.2 Separation of development, testing and operational environments 3
12.3 Protection against malware 3
12.4 Backup procedures na na
12.5 Event logging 3
12.6 Logging administration activities na na
12.7 Tracing of vulnerabilities (patch management) 3
12.8 Review of information systems 3
12.9 Consideration of critical administrative functions of cloud services na na
13.1 Management of networks 3
13.2 Security requirements for networks/services 3
13.3 Separation of networks (network segmentation) na na
13.4 Electronic exchange of information 3
13.5 Non-disclosure agreements for information exchange with third parties 3
14.1 Requirements for the acquisition of information systems 3
14.2 Security in the software development process na na
14.3 Management of test data na na
14.4 Approval of external IT services 3
15.1 Risk management in collaboration with suppliers 3
15.2 Review of service provision by suppliers na na
16.1 Reporting system for information security incidents (incident management) 3
16.2 Processing of information security incidents na na
17.1 Information Security Aspects of Business Continuity Management (BCM) 3
18.1 Legal and contractual provisions 3
18.2 Confidentiality and protection of personally identifiable data 3
18.3 Audit of the ISMS by independent bodies 3
18.4 Effectiveness check 3
Method: - comparison of the top 41 security topics 3.00
- based on ISO 27001 controls
- evaluated using SPICE ISO 15504
INTERNAL #

Results - Prototype Protection
maturity level:
Maximum score: 3.00
Details:
Target
No. Topic maturity Result
level
25.1 Physical and Environmental Security
25.1.1 Security concept 3
25.1.2 Perimeter security 3
25.1.3 Stability of outer skin 3
25.1.4 View and sight protection 3
25.1.5 Protection against unauthorized entry and access control 3
25.1.6 Intrusion monitoring 3
25.1.7 Visitor management 3
25.1.8 Client segregation 3
25.2 Organizational Requirements
25.2.1 Non-disclosure obligations 3
25.2.2 Subcontractors 3
25.2.3 Awareness 3
25.2.4 Security classification 3
25.2.5 Access control 3
25.2.6 Film and photo regulations 3
25.2.7 Mobile video and photography devices 3
25.3 Handling of vehicles, components and parts
25.3.1 Transport 3
25.3.2 Parking and storage 3
25.4 Requirements for trial vehicles
25.4.1 Camouflage 3
25.4.2 Test and trial ground 3
25.4.3 Test and trial drives on public roads 3
25.5 Requirements for events and shootings
25.5.1 Presentations and events 3
25.5.2 Film and photo shootings 3
INTERNAL #

Examples of KPIs
Control VDA ISA 5.0 2.1.3 To what extent is staff made aware of and trained with respect 4.1.3 To what extent are user accounts and login information securely managed and applied? 5.2.1 To what extent are changes controlled? 5.2.3 To what extent are IT systems protected against malware?
to the risks arising from the handling of information?
Control VDA ISA 4.1 7.2 Awareness and training of employees 9.2 User registration 12.1 Change Management 12.3 Protection against malware
Scope COVERAGE EFFECTIVENESS COVERAGE COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS
ID Coverage degree of awareness Effectiveness of awareness Coverage degree review “User Coverage degree review “Collective accounts” Coverage degree Change Change - error rate Coverage degree Endpoint Effectiveness of updating
measures measures accounts” “authorizations” Management Security Endpoint Security
Employees with raised awareness The contents of awareness Regular reviews of systems for Regular reviews of user accounts Collective accounts should
represent an important pillar for measures should consider unnecessary accounts are the for unnecessary authorizations principally not be used or used A comprehensive and consistently A high quality of the change A comprehensive Endpoint Current virus signatures are the
the information security in a outcomes of information security prerequisite for a consistent and are the prerequisite for a only in exceptional cases since an observed change management management process leads to Security provides a company with prerequisite for an effective
company. Awareness measures incidents. current user base according to the consistent and current explicit allocation of user activities process is the basis for secure lower error rates among the an essential protection against Endpoint Security. The KPI
Description should reach all employees, as far The KPI measures the need-to-know principle. The KPI authorization base according to is impeded. The KPI measures the operation. The KPI measures the performed changes and malware. The KPI measures the measures the target state and the
as possible. The KPI measures the effectiveness of awareness measures the coverage degree of the need-to-know principle. The number of used collective coverage degree of changes contributes to a secure operation. ratio of protected IT systems in actual state of virus definitions on
coverage degree of trainings such measures by recording (based on the measure “Regular user KPI measures the coverage accounts in consideration of complying with the policies. The KPI measures the error rate consideration of approved reporting deadline.
as e-learnings, classroom number or cost) security incidents degree of the measure “regular of changes. exceptions.
trainings. with human errors as a cause. review”. authorization review”. approved exceptions.
Objective (Vision) All employees are trained with No information security incidents All IT systems have valid user All authorizations comply with All collective accounts are All changes are made in Error-free performance of changes Comprehensive protection of all All IT systems have up-to-date
respect to information security with human error as a cause accounts only current needs reviewed for their necessity conformance to policies IT systems threatened by malware protection
Recipients Information Security; supervisors Information Security Information Security Information Security Information Security Information Security Information Security Local IT, Information Security Local IT, Information Security
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Frequency (reporting) annually) annually) annually) annually) annually) annually) annually) annually) annually)
to be determined individually (0-

20 low, 20-50 medium, 50+ high) to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
to be determined individually (e.g. possible characteristic for Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, to be determined individually (e.g. to be determined individually (e.g. target: 100% after max. 30
Threshold levels Green: > 90%, Yellow: 70-90%, comparability of business units: in Red: < 70%, special case of IT Red: < 70%, special case of IT Number red: > 0, Green = 0 Red: < 70%, special case of IT Green: < 10%, Yellow: 10-30%, Green: > 90%, Yellow: 70-90%, minutes,
Red: < 70%) relation to the number of systems relevant to billing: target systems relevant to billing: target systems relevant to billing: target Red: > 30%) Red: < 70%) Green: > 90%, Yellow: 70-90%,
employees, e.g. unit: coverage = 100%) coverage = 100%) coverage = 100%) Red: < 70%)
incidents/100 employees
Assessment of training Quotient: number of approved Quotient: number of protected IT

management Determining the number of Quotient: number of performed Quotient: number of performed determining the number of and requested changes Quotient: number of reversed systems/total number of IT time comparison
Measurement Quotient: number of security incidents with human reviews/total number of IT reviews/total number of users in collective accounts (adjusted for changes/total number of average actual rollout state vs.
participants/total number of error as a cause systems in scope scope authorized exceptions) (RFC)/total number of performed performed changes systems (adjusted for authorized target state
changes exceptions)
employees
Frequency (measurement) to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) monthly) annually)
Interfaces HR - Training Department - IKS - Incident Management Data Owner, User Management, Data Owner, User Management, User Management IT Operations, Change IT Operations, Change AV Management, IT Operations AV Management, IT Operations
Internal Audit Department Supervisors Supervisors Management Management
E-learnings, classroom training, Incident Mgt. Tool, Ticket System, User registry, authorization User registry, authorization User registry, authorization Project Management, Change Project Management, Change
Components training plan, training register ISMS Tool management tool, IAM platform, management tool, IAM platform management tool, IAM platform Management Management AV console, CMDB AV console, CMDB
CMDB
Data archiving 5 years 5 years 10 years 10 years 5 years 10 years 5 years 5 years 5 years
INTERNAL #
3.1.2 To what extent is information security ensured in exceptional situations? 5.2.5 To what extent are vulnerabilities identified and addressed? 1.6.1 To what extent are information security events processed? 1.1.1 To what extent are information security policies available?
12.7 Detection of vulnerabilities

12.4 Backup (Patch management) 16.2 Processing of information security incidents 5.1 Information security policy
COVERAGE COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE COVERAGE
Coverage degree of backup Coverage degree of restoration Backup effectiveness Coverage degree Patch Effectiveness of patch installation Detection rate of information Timely processing of information Creation degree of required Actuality of required
tests Management security incidents security incidents policies/documentations policies/documentations
A regular and complete backup Regular restoration tests (e.g. by Backup quality must be ensured A comprehensive patch The timely installation of patches Information security incidents Information security incidents
provides protection against the restoring data or systems) is by correlating controls. Measures management protects the ensures the security of IT systems have to be detected and timely have to be adequately prioritized Under an ISMS, For the ISMS, the prepared
loss of data, e.g. in case of a essential to the availability of are e.g. data restore, system company against malware and and applications and therefore handled in order to protect the and handled according to their mandatory/voluntary policies/documentations must be
system failure or malware business information. restorations. exploits. The KPI measures the reduces the exploit windows for company from damages. The KPI criticality. The KPI measures the policies/documentations must be reviewed for their actuality.
infection of IT systems. The KPI measures the coverage The KPI measures the number of inclusion of IT systems and the company. The KPI measures measures the compliance of the appropriate timely handling of prepared.
The KPI measures the degree of degree of restoration tests. incorrect data restores. applications in the patch the recording of the target state incident reporting process information security incidents.
backup coverage. management process. and the actual state of patches. between the involved interfaces.
All information security incidents All information security incidents All necessary All necessary
All relevant data is adequately Regular restoration tests for all Correct backups All IT systems are involved in the All IT systems are at current patch will be detected, reported and will be handled within an policies/documentations are policies/documentations are
secured backed-up IT systems patch process level handled within the scope of the appropriate time frame present reviewed for actuality/content
incident management process
Local IT, Information Security, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security Local IT, Information Security IT, Information Security, IT, Information Security, Information Security, Corporate Information Security, Corporate
service owner service owner service owner Compliance Compliance Security, IT Security, HR, Business Security, IT Security, HR, Business
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) Initial version annually)
to be determined individually (e.g.

according to the category
to be determined individually (e.g. to be determined individually (e.g. maximum periods for solution:
Green: = 100% (of IT systems to to be determined individually (e.g. to be determined individually (e.g. target: 100% after max. 10 days, -PRIO 1: Days to be determined individually to be determined individually
be secured), Yellow: 70-99%, Red: Green: > 90%, Yellow: 70-90%,
Red: < 70%)
Number red: > 0, Green = 0 Green: > 90%, Yellow: 70-90%,
Red: < 70%) Green: > 90%, Yellow: 70-90%, Number red: > 1, Green = 1 -PRIO 2: Weeks
-PRIO 3: Months (target coverage = 100 %) (target coverage = 100 %)
< 70%) Red: < 70%) unsolved incidents within a
period, e.g. Green: < 2%, Yellow:
2-5%, Red: > 5%)
Quotient: number of IT systems Quotient: number of IT systems Quotient: number of currently Quotient: number of information Quotient: number of policies
covered by backups/total number with tested restoration from Quotient: number of restorations patched IT systems/total number time comparison security incidents reported in the For each individual criticality level: Quotient: number of existing reviewed according to
with errors/total number of all average actual rollout state vs. incident management/total All unsolved incidents within policies/population of necessary
of IT systems (adjusted for backup/total number of all restoration tests of IT systems (adjusted for target state number of incidents (known to defined period/all incidents policies cycle/population of policies to be
authorized exceptions) backed-up IT systems authorized exceptions) reviewed
the surveying unit)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) monthly) annually) monthly) monthly) annually) annually) annually) annually)
Backup process, IT Operations Backup process, IT Operations Backup process, IT Operations Patch/Change Management, IT Patch/Change Management, IT IT, CERT, Incident Management, IT, CERT, Incident Management, Information Security, Corporate Information Security, Corporate
Operations Operations Helpdesk, Service Management Helpdesk, Service Management Security, IT Security, HR, Business Security, IT Security, HR, Business
Contents derived from the Contents derived from the

Change Management Console, Change Management Console, Incident Management Incident Management Statement of Applicability (SoA) Statement of Applicability (SoA)
Backup software, CMDB Backup software, CMDB Backup software, CMDB Software Distribution Platform, Software Distribution Platform, System/Workflow System/Workflow and documented in accordance and documented in accordance
CMDB, WSUS CMDB, WSUS with ISO 27001 with ISO 27001
10 years 10 years 10 years 5 years 5 years 10 years 10 years 5 years 5 years

INTERNAL #
1.2.3 To what extent are information security requirements taken 3.1.4 To what extent is the handling of mobile IT devices and mobile 3.1.1 To what extent are security zones managed to protect information assets? 5.2.4 To what extent are event logs recorded and analyzed?
into account in projects? data storage devices managed?
11.3 Protective measures in the

6.2 Information security in projects 6.3 Mobile devices 11.1 Security zones delivery and shipping area 12.5 Event logging 12.6 Logging administrative activities
COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE COVERAGE EFFECTIVENESS COVERAGE
Effectiveness of implementation
Coverage degree of information Protective measures - Coverage degree of mobile device of mobile device security Implementation degree of zone Implementation of protective Coverage degree review “Access Coverage degree of event logs on Functioning log activity Coverage degree of admin logs on
security in projects implementation in projects security measures concept measures for zone concept authorizations” security-critical IT systems security-critical IT systems
Event logging enables traceability Admin logging allows traceability

A comprehensive and consistent Properties must be adequately of activities in a process or of administrator activities in a
protection of all relevant mobile A strong implementation of protected; this can be achieved by Regular verifications of access process step/on an IT system/in Results of logging activities must process or process step/on an IT
Information security topics shall Projects subject to information devices is the basis for their protective measures regarding implementation of a zone Zones must be adequately rights with respect to their an application. This functionality allow analysis. Reliable end-to- system/in an application. This
be addressed during projects. security requirements secure operation. The KPI relevant mobile devices reduces concept. The zone concept should protected according to criticality. necessity are an absolute helps to solve system end recording of the activities to functionality helps to solve
measures the coverage degree of vulnerabilities. be implemented prerequisite for a secure delivery failures/abnormalities. Logs be monitored is essential for abnormalities. Admin logs should
the defined protective measures. comprehensively. and shipping zone. should be activated in security- traceability, if required. be activated in security-critical IT
systems and protected against
critical IT systems. (admin) manipulations.
Information security Information security Security zones are protected All employees working in the All relevant IT systems and All relevant IT systems and
requirements are considered in all requirements are implemented in All relevant mobile devices are All relevant mobile devices are Zones are defined for all according to internal delivery and shipping area are applications are integrated into Completeness and correctness of applications are integrated into
projects all projects subject to protective measures subject to up-to-date protection properties specifications (see e.g. References subject to regular review of access event logging logs admin logging
“Security zones”) rights
Information Security, Corporate Information Security, Corporate IT Security, Information Security IT Security, Information Security, Information Security, Corporate Information Security, Corporate Corporate Security, Logistics, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security,
Security, IT Security Security, IT Security Corporate Security Security Security authorities Compliance Compliance Compliance
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) annually) annually) annually)
to be determined individually (e.g. to be determined individually (e.g.

to be determined individually to be determined individually to be determined individually to be determined individually to be determined individually (e.g. to be determined individually Green: > 90%, Yellow: 70-90%, Number of incorrect logs Green: > 90%, Yellow: 70-90%,
(target coverage = 100 %) (target coverage = 100 %) (target coverage = 100 %) (target coverage = 100 %) Green: > 90%, Yellow: 70-90%, (target coverage = 100 %) Red: < 70%, special case of IT Red: < 70%, special case of IT
Red: < 70%) systems relevant to billing: target Red: > 0, Green = 0 systems relevant to billing: target
coverage = 100%) coverage = 100%)
Quotient: number of employees

Quotient: number of mobile working in the delivery and Quotient: number of logged Quotient: number of logged
Quotient: number of projects Quotient: number of projects Quotient: number of protected devices protected in a timely Quotient: number of properties Quotient: number of adequately shipping area who are subject to security-critical IT systems/total
considering security/total number considering security aspects/total mobile devices/total number of with zone concept/population of secured zones/population of all regular access rights number of incorrectly written logs security-critical IT systems/total
of relevant projects number of relevant projects mobile devices manner/total number of mobile properties zones reviews/population of employees number of security-critical IT number of security-critical IT
devices systems systems
working in the delivery and
shipping area
annually) annually) monthly) monthly) annually) quarterly) annually) annually) quarterly) annually)
Plant security, local security Plant security, local security
Project customer, Project Project customer, Project IT Operations, IT Security IT Operations, IT Security functions, specialized functions, specialized Logistics, Access Management IT, IT System Owner, Data Owner, IT, System Owner, Data Owner, IT, System Owner, Data Owner,
Management Office (PMO) Management Office (PMO) departments departments Risk Owner Risk Owner Risk Owner, User Management
Property plans, zone concept, Property plans, zone concept, Staff registry (internal/external),
Overview of projects per PMO Overview of projects per PMO Overview of mobile devices Overview of mobile devices information classification information classification access control system CMDB, Logging server CMDB, Logging server CMDB, Logging server, IAM
5 years 5 years 5 years 5 years 5 years 5 years 10 years to be defined individually (if to be defined individually (if to be defined individually (if
relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years)
INTERNAL #
6.1.2 To what extent is non-

orded and analyzed? 5.2.6 To what extent are IT systems technically checked (system 5.3.2 To what extent are requirements for network services defined? disclosure regarding the exchange 5.3.1 To what extent is information security considered in new or further developed IT systems? 1.5.1 To what extent is compliance with information security ensured
audit)? of information contractually in procedures and processes?
agreed?
14.1 Requirements for the

12.6 Logging administrative activities 12.8 System audits 13.2 Network services 13.5 Non-disclosure agreements acquisition of information 14.2 Security during the software development process 18.4 Effectiveness check
systems
EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE
Coverage degree of risk Coverage degree of activities to
Functioning log activity Coverage degree system audits Effectiveness of system audit Coverage degree review service Effectiveness of observing SLAs Coverage degree non-disclosure Effectiveness of risk handling in IT assessment in software Effectiveness of risk handling in eliminate vulnerabilities
implementation level agreements (SLA) agreements system acquisition processes development process development process determined during audits
Results of admin logging activities Information security risks Vulnerabilities identified in the
must allow analysis. Reliable and IT systems processing or storing Measures resulting from those Regular verifications of the SLAs The protection of information associated with the applications course of information security
manipulation-protected end-to- information of high or very high audits must be implemented in for network services ensure The agreed measures resulting confidentiality must be subject to Risks identified during the to be developed must be Risks identified in the process of audits (internal and external)
end recording of the admin protection needs must be time in order to eliminate any consideration of current security from the SLAs must be contractual agreement where at acquisition process are treated in identified as early as possible in software development are treated must be eliminated in a
activities to be monitored is subjected to audits at regular detected vulnerabilities. requirements at all times. implemented. least confidential information is a timely and effective manner. the process of software in a timely and effective manner. consequent and traceable
essential for traceability, if intervals. exchanged with external partners. development. manner. Findings must not
required. remain unhandled.
All relevant IT systems are Non-disclosure agreements have Security risks identified in Security risks are taken into Security risks are addressed in the All vulnerabilities identified in the
Completeness and integrity of subjected to audits at regular All measures are implemented in All SLAs include the current All requirements resulting from been entered with all external acquisition are handled in an account in the software development process in an course of audits are traced and
admin logs intervals time security requirements the SLAs are implemented partners effective manner development process effective manner assigned to activities
Local IT, Information Security, Local IT, Information Security Local IT, Information Security Local IT, Information Security Local IT, Information Security Acquisition, Information Security, Information Security, Local IT, Information Security, Local IT, Risk Information Security, Local IT, Risk Information Security, Corporate
Compliance specialized department Procurement Management Management Security, Local IT, Internal Audit
annually) annually) annually) annually) annually) annually) annually) annually) annually) annually)
Number of incorrect admin logs to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Red: > 0, Green = 0 Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%,
Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%)
Quotient: number of measures Quotient: number of measures Quotient: number of orders with Quotient: number of software Quotient: number of findings
number of incorrectly written Quotient: number of audited IT implemented in time/number of Quotient: number of verified implemented/number of concluded non-disclosure Quotient: number of treated development projects that Quotient: number of treated
systems/total number of security- risks/population of risks identified underwent risk risks/population of risks identified subject to subsequent
admin logs critical IT systems measures still to be implemented SLAs/total number of SLAs measures agreed agreement/total number of in the acquisition process assessment/population of in the development process activities/population of identified
relevant orders findings
relevant development projects
quarterly) monthly) monthly) monthly) monthly) monthly) quarterly) quarterly) quarterly) quarterly)
Procurement, specialized Procurement, specialized Procurement, specialized Internal Auditors, Information
IT, System Owner, Data Owner, Audit Management, IT Audit Management, IT IT Operations, Information IT Operations, Information Acquisition, Information Security, departments (requisitioner), Local departments (requisitioner), Local departments (requisitioner), Local Security, Local IT, specialized
User Management Operations, System Owner Operations, System Owner Security Security specialized department IT IT IT departments (Auditees)
Acquisition register, ordering Development system, Development system, Audit data base, follow-up data
CMDB, Logging server, IAM CMDB CMDB, Audit system CMDB CMDB Acquisition system system development project data base development project data base base
to be defined individually (if 5 years 5 years 5 years 5 years 5 years 5 years 5 years 5 years 10 years
relevant to billing: 10 years)
INTERNAL #
what extent is compliance with information security ensured

in procedures and processes?
18.4 Effectiveness check
EFFECTIVENESS
Timely elimination of
vulnerabilities determined during
audits
Vulnerabilities identified in the

course of information security
audits (internal and external) are
eliminated within the deadlines
agreed (with the audited
departments).
Vulnerabilities identified in the

course of audits are eliminated
within the defined time and in an
effective manner
Information Security, Corporate

Security, Local IT, Internal Audit

annually)

Green: > 90%, Yellow: 70-90%,
Red: < 70%)
Quotient: number of activities for

eliminating vulnerabilities within
the defined period for
implementation/population of all
specified activities

quarterly)
Internal Auditors, Information
Security, Local IT, specialized
departments (Auditees)
Audit data base, follow-up data

base
10 years
INTERNAL #
INTERNAL #

License
This work has been licensed under Creative Commons Attribution - No Derivative Works 4.0 International Public License. In
addition, You are granted the right to distribute derivatives under certain terms. The complete and valid text of the license is to
be found in line 17ff.
You are free to:

· Share — copy and redistribute the material in any medium or format
· for any purpose, even commercially.
· The licensor cannot revoke these freedoms as long as you follow the license terms.
Under the following terms:
· Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may
do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
· Restricted derivatives — If you change or otherwise build directly upon the material, You may only distribute the modified
material if it is clearly marked as a derivative not approved by the licensor and if all logos and/or trademarks of the licensor have
been removed.
· No additional restrictions — You may not apply any additional legal terms or technological measures that legally restrict
others from doing anything the license permits.
Creative Commons Attribution-NoDerivatives 4.0 International Public License
By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative
Commons Attribution-NoDerivatives 4.0 International Public License ("Public License"). To the extent this Public License may be
interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and
conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed
Material available under these terms and conditions.
Section 1 – Definitions.
a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed
Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner
requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the
Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed
Material is synched in timed relation with a moving image.
b. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without
limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled
or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
c. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented
under laws fulfilling obligations within the meaning of Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996,
and/or similar international agreements.
d. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar
Rights that applies to Your use of the Licensed Material.
INTERNAL #
e. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public
License.
f. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited
to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
g. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
h. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights,
such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to
make material available to the public including in ways that members of the public may access the material from a place and at a
time individually chosen by them.
i. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament
and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other
essentially equivalent rights anywhere in the world.
j. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
Section 2 – Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-
sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
A. reproduce and Share the Licensed Material, in whole or in part; and
B. produce and reproduce, but not Share, Adapted Material.
2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public
License does not apply, and You do not need to comply with its terms and conditions.
3. Term. The term of this Public License is specified in Section 6(a).
4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all
media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The
Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to
exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For
purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
5. Downstream recipients.

A. Offer from the Licensor – Licensed Material. Each recipient of the Licensed Material will automatically receive an offer from
the Licensor to exercise the Licensed Rights under the terms of this Public License.
B. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any
Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of
the Licensed Material.
6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You
are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the
Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other
similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held
by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this Public License.
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights,
whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all
other cases the Licensor expressly reserves any right to collect such royalties.
Section 3 – License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
a. Attribution.
1. If You Share the Licensed Material, You must:
INTERNAL #
A. retain the following if it is supplied by the Licensor with the Licensed Material:
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable
manner requested by the Licensor (including by pseudonym if designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of warranties;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this
Public License.
For the avoidance of doubt, You do not have permission under this Public License to Share Adapted Material.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in
which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or
hyperlink to a resource that includes the required information.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent
reasonably practicable.
Section 4 – Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial
portion of the contents of the database, provided You do not Share Adapted Material;
b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database
Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material;
and
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where
the Licensed Rights include other Copyright and Similar Rights.
Section 5 – Disclaimer of Warranties and Limitation of Liability.
a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material
as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether
express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a
particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors,
whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may
not apply to You.
b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation,
negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses,
costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been
advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in
part, this limitation may not apply to You.
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent
possible, most closely approximates an absolute disclaimer and waiver of all liability.
Section 6 – Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with
this Public License, then Your rights under this Public License terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
2. upon express reinstatement by the Licensor.

For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations
of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop
distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
INTERNAL #
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.

Section 7 – Other Terms and Conditions.
a. The Licensor must not be bound by any additional or different terms or conditions communicated by You unless expressly
agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and
independent of the terms and conditions of this Public License.
Section 8 – Interpretation.
a. For the avoidance of doubt, this Public License does not, and must not be interpreted to, reduce, limit, restrict, or impose
conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it must be automatically reformed to
the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it must be severed from this Public
License without affecting the enforceability of the remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to
by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and
immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
Section 9 – Distribution of Derivatives

a. In addition to those rights granted under Sections 2(a)(3), the Licensor grants You the right to distribute modified material
provided:
1. this material is clearly marked as a modified version not approved by the Licensor; and
2. any logos and/or trademarks of the Licensor have been removed.
INTERNAL #
INTERNAL #
1.0
1.1
1.2
1.3
2.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
3.0.2
INTERNAL #
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
5.0.0
5.0.2
5.0.3
INTERNAL #
5.0.4
5.1
INTERNAL #

Change history
First release (Initial version)
Changing open questions to solved questions

More precise level descriptions
Incorporating examples from practice
Spelling errors corrected
8.2 and 10.1 reference adjustment

10.2 change from production environment to productive environment
10.5 change from IDS/IPS to HIDS/HIPS
11.2 changes to the translation
11.3 and 11.4 restructuring of controls
11.4 add “IT” to systems

9.4 revision Maturity Level 2
Revision due to the new edition of ISO 27002:2013

Adjustment of the maturity levels
Fix for error in calculation and spider web diagram
Revision of the maturity levels, corrections of some controls
Release version 2.1
Print area adjusted
Spider web diagram shows results without cutback

Control 13.5 revised
Control 7.1 Maturity Level 1 revised
Controls 9.4 and 9.5 reference revised
Maturity Control changed from 12.4 to 4

Maturity Control changed from 16.3 to 3
Addition of KPIs
Spell checking in Maturity Level 3
Revision for TISAX

Module Connection of third parties included
Module Prototype Protection (25) included, derived from the Whitepaper of 06/10/2016
Module Data Protection (24) included, reference to 18.2 deleted, maturity levels removed from the module, references from
generated instead, reference included (ISMS, 18.2) showing that the data protection module will be used only in commissio
processing according to §11 BDSG, introduction of questions “fulfilled [yes/no]”
“Questions” renamed “ISMS”
Upon agreement with the data protection working group, Maturity Level “4” has been removed from Control 18.2 and set to
Control 10.21 Cryptography has been raised from “2” to “3”.
Introduction of the protection needs “normal”, “high” and “very high” to represent the protection goals “integrity”, “availability
“confidentiality”; mapping from “internal” to “normal”, from “confidential” to “high” and from “secret/strictly confidential” to “ve
Assignment of requirements within Maturity Level “1” in the different controls.
Including KPIs in controls with Maturity Levels “4”
INTERNAL #
Removal of KPI from Control 18.2

Introduction of references to several information security topics
Readability enhancement for information security controls

Categorizing the requirements of the individual controls into ‘must’, ‘should’ and ‘may’ in order to clarify the degree of obliga
Introduction of tab “Explanations”
Introduction of tab “Maturity levels”
Extension of tab “KPIs”
Extension of tab “Information Security” with additional controls to clarify requirements for usage of cloud services
KPI link at Control 12.2 has been deleted
Correction of the link of Control 14.4 on the results page, Level 3 adaptation: Established in tab “Maturity levels”
Tab Results: The results will only be indicated for controls that have been subject to processing.
Adaptation of Chapter 24 to DSGVO and minor modifications to those controls designated with 4.1.0
8.4, 13.3 correction in description of objective
9.1 addition of control and objective description
10.1, 11.1, 12.5, 12.6, 12.9 adaptation of requirements
18.2 and Data Protection (24) adaptation to DSGVO
References: 'secret' changed to 'strictly confidential' and classification levels supplemented to protection classes
Prototype Protection (25) revised
Topical restructuring of VDA ISA in the module Information Security

New table format in all modules for improved overview and easier export options
Deletion of the module Connection to third parties and transfer of its requirements to the module Information Security
Integration of Notes and Explanations into the module Information Security, consequently deletion of the tabs Notes and Ex
Revision of ally questions, objectives and requirements
Harmonization of the target maturity level across all controls to a target value of 3
Integration of Control 1.2 into the new Control 1.4.1
Integration of Controls 1.2 into the new Control 1.2.4
Integration of Control 12.4 into the new Controls 3.1.2 and 3.1.4
Integration of Controls 14.2 and 14.3 into the new Control 5.3.1
Deletion of Control 12.9
New Control “Teleworking” (2.1.4)
New Control “Qualification of employees” (2.1.1)
New Control “Handling of identification means” (4.1.1)
Change of the License to Creative Commons BY ND 4.0 + special terms and conditions for the distribution of derivatives
Correction of overall maturity level calculation

Input check of “Maturity level” column
Correction of change history
Renumbering in “Data Protection” module
Correction of diagram designations in “Results” module

INTERNAL #
Supplementation of print areas
Correction of orthography and expression

Correction of references ISO 27001
Correction of orthography and expression, linguistic clarification, elimination of ambiguities

Restructuring of "Welcome” tab, Definitions of tabs moved to “Definitions”
Supplementation of protection goals with respect to requirements for high and very high protection needs in the “Information
Deletion of column “Addressed protection goals” in “Information Security” and “Prototype Protection” tabs
Content deleted from column “Usual person responsible for process implementation” in the “Information Security” and “Prot
INTERNAL #
e Protection” tabs

Vda Isa 5 1 en

Uploaded by

Copyright:

Available Formats

You might also like

Vda Isa 5 1 en

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vda Isa 5 1 en

Uploaded by

Copyright:

Available Formats

INTERNAL #

Information Security Assessment

VDA ISA provides the basis for

Information Security Assessment

Scope/TISAX Scope ID*

D&B D-U-N-S® No.*

Date of the assessment:*

Version: 5.1 | 04/27/2022

Information Security Assessment

Maturity level 0 Maturity level 1 Maturity level 2

Work Product Management (PA 2.2):

Maturity level 3 Maturity level 4 Maturity level 5

+ Process documentation + Process documentation + Process improvement plan

Information Security Assessment -

Information Security Assessment

ISA ISA Maturity

1 IS Policies and Organization

1.2 Organization of Information Security

To what extent are information

To what extent are information

To what extent are the

1.3 Asset Management

To what extent are information

To what extent is it ensured that

1.4 IS Risk Management

To what extent are information

To what extent is the ISMS

1.6 Incident Management

To what extent are information

To what extent is all staff

To what extent is staff made aware

To what extent is teleworking

Physical Security and Business

To what extent are security zones

To what extent is information

To what extent is the handling of

To what extent is the handling of

4 Identity and Access Management

To what extent is the user access to

To what extent are user accounts

4.2 Access Management

5 IT Security / Cyber Security

To what extent is the use of

To what extent is information

5.2 Operations Security

To what extent are development

To what extent are IT systems

To what extent are event logs

To what extent are vulnerabilities

To what extent are IT systems

To what extent is the network of

5.3 System acquisitions, requirement management and development

To what extent are requirements

To what extent is the return and

To what extent is information

To what extent is non-disclosure

To what extent is the protection of

05 Information Security Policies