Professional Documents
Culture Documents
Vda Isa 5 1 en
Vda Isa 5 1 en
Vda Isa 5 1 en
VDA ISA consists of several tabs, the content and function of which are explained in the tab “Definitions”. The corresponding ac
requirements can be found in the tabs “Information Security”, “Data Protection” and “Prototype Protection”.
For Version 5, VDA ISA has been restructured with the requirements no longer presented in lines but in columns. Additionally, n
numbering has been introduced and topics have been combined. The numbering of ISA 4 has been retained in a separate colu
easier finding of control questions according to the previous structure or to facilitate rearrangement.
We recommend to gain an overview of the individual ISA tabs by using the “Definitions” tab. Then, commence with the
“Information Security” tab.
ENX WG ISA and the Working Group Information Security of the VDA wish you every success.
Publisher: VERBAND DER AUTOMOBILINDUSTRIE e. V. (VDA, German Association of the Automotive Industry); Behrenstr. 3
10117 Berlin; www.vda.de
© 2022 Verband der Automobilindustrie e.V., Berlin
INTERNAL#
Company / Organization:*
Address:*
Contact person:*
Telephone number:*
E-mail address:*
Creator:*
Signature:
Definition A process is not implemented or fails to achieve its process purpose. Little or no - The implemented process achieves its (process) purpose. Control of process implementation (PA 2.1):
evidence exists of any systematic achievement of the process purpose. - The intended base practices are verifiably performed. - Objectives for the performance of the process are identified.
- Implementation of the process is planned and monitored.
- Implementation of the process is adjusted to meet plans.
- Responsibilities and authorities for implementing the process are defined,
assigned and communicated.
- Resources and information necessary for implementing the process are
identified, made available, assigned and used.
- Interfaces between the involved parties are managed to ensure effective
communication and clear assignment of responsibilities.
Possible evidence + Work products providing evidence of process outcomes. + Process documentation
(GWP) + Process plan
+ Quality plan/records
+ Process implementation records
INTERNAL #
Process Definition (PA 3.1): Process Measurement (PA 4.1): Process Innovation (PA 5.1)
- A standard process, including appropriately adapted requirements, is defined - Process information requirements in support of relevant defined business goals - Process improvement objectives are defined for the respective process that
which describes the essential elements a defined process must comprise. are established. supports the relevant business goals.
- The sequence and interaction of the standard process with other processes are - Process measurement objectives are derived from process information - Appropriate data are analyzed to identify the common causes of variations in
determined. requirements. process performance.
- Competencies and roles required for process implementation are identified as - Quantitative objectives for process performance in support of relevant defined - Appropriate data are analyzed to identify options for best practice and
part of the standard process. business goals are established. innovation.
- The infrastructure and work environment required for process implementation - Characteristic values and frequency of measurements are identified and defined - Improvement options derived from new technologies and new process concepts
are identified as part of the standard process. in line with process measurement objectives and quantitative objectives for are identified.
- Suitable methods for monitoring the effectiveness and suitability of the process process performance. - An implementation strategy is established to achieve the process improvement
are determined. - Results of measurement are collected, analyzed and reported in order to objectives.
monitor the extent to which the quantitative
Process Deployment (PA 3.2): objectives for process performance are met. Continuous optimization (PA 5.2):
- A defined process based on an appropriately selected and/or tailored standard - Measurement results are used to characterize process performance. - The impact of all proposed changes is assessed against the objectives of the
process is deployed. defined process and the standard process.
- Required roles, responsibilities and authorities for implementing the defined Process control (PA 4.2): - Implementation of all agreed changes is managed to ensure that any disruption
process are assigned and communicated. - Analysis and control techniques are determined and applied, as applicable. to the process performance is understood and addressed.
- Personnel performing the defined process are competent on the basis of - Variable control limits are established for normal process implementation. - Based on actual performance, effectiveness of process change is evaluated
appropriate education, training and experience. - Measurement data is analyzed for special variations. against the defined process requirements and process objectives to determine
- The necessary resources and information required for implementing the defined - Corrective actions are taken to address special variations. whether results are corresponding to common or special cases.
process are made available, allocated and used. - Control limits are re-established (as necessary) following corrective action.
- The necessary infrastructure and work environment required for implementing
the defined process are available, managed and maintained.
- Appropriate data is collected and analysed to gain a basic understanding of the
behaviour of the process, to demonstrate its suitability and effectiveness, and to
evaluate where continuous improvement of the process can be made.
Tabs
Tab Description Intended use of tab
Welcome Welcome page. Information
Cover The cover contains boxes for information on the implementing organization, the scope of review, the auditor and For own use
the contact person of the organization under review.
VDA ISA intends the implementation to be assessed by means of a 5 step maturity model as defined in this tab. The
Maturity levels maturity levels comprise Incomplete, Performed, Managed, Established and Predictable. Information
With this VDA ISA version, the target maturity level for all control questions is consistently 3 (Established).
Under Definitions, the key terms of the requirements to be fulfilled are described. Requirements can be categorized
as MUST, SHOULD, additionally in case of HIGH protection needs and additionally in case of VERY HIGH protection
Definitions needs. This subdivision is necessary as information of high and very high protection needs requires special Information
protective measures.
Additionally, key terms and abbreviations are listed and explained in this tab.
The tab “Information Security” includes all basic controls based on the standard ISO/IEC 27001. The controls
themselves are formulated as questions. The objective of the respective control and the requirements for achieving
it are listed in accordingly designated columns.
Here, each control must invariably be assessed according to the degree to which the objective is achieved. The
Information Security assessment of the maturity levels (as described in the tab “Maturity levels”) of each control is recorded in the box Implementation requirements
(column E) and automatically transferred to the tab “Results”.
Additional columns give examples to support potential implementation.
Here, requirements always refer to the own company with respect to its organization, processes and infrastructure.
Requirements never refer to products put on the market by your company. Requirements for safe product
development are not part of this module.
Prototype protection includes vehicles, components and parts which are classified as requiring protection but have
not yet been presented to the public and/or published in adequate form by the OEM.
Prototype Protection The commissioning department of the OEM is responsible for classifying the protection need of vehicles, Implementation requirements
components and parts. The minimum requirements for prototype protection are to be applied for protection classes
High and Very high according to ISA.
Data Protection This tab is to be edited additionally in case of processing within the meaning of Art. 28 of the EU General Data Implementation requirements
Protection Regulation and contains controls requiring merely yes/no answers.
Here, the results of the individual tabs (review catalog pages) are summarized and presented in printing format. For
presentation purposes, the new simplified form according to ISA 5 is use.
The spider web diagram provides an overview of all controls. The list of all controls shows the target maturity levels
Results (ISA5) to be achieved. Presentation of results
When calculating the overall result, the results of controls overachieving their target maturity level are cutback and
averaged. This ensures that the requirements are comprehensively fulfilled and that there is no compensation of
overachieved and underachieved controls.
INTERNAL #
Here, the results of the individual tabs (review catalog pages) are summarized and presented in printing format in
the known form according to ISA 4.
The list of all controls shows the target maturity levels to be achieved.
Results (ISA4) When calculating the overall result, the results of controls overachieving their target maturity level are cutback and Presentation of results
averaged. This ensures that the requirements are comprehensively fulfilled and that there is no compensation of
overachieved and underachieved controls.
This tab shows examples of Key Performance Indicators (KPI) for measuring process results both for controls for
which the ISA has defined a target maturity level of 4 and for controls where a measurement appears useful. The tab
Examples KPI content provides support for identifying own suitable KPIs. It does not present mandatory requirements for Examples and support
achieving maturity level 4. For controls having a target maturity level of 3 or less, definition of KPIs is not mandatory,
but may be helpful for a central management of information security at many locations.
License License conditions under which the VDA ISA is published. Information
Change history List of changes over the VDA ISA lifecycle. Information
Key terms
Term Explanation Examples
Protection class “normal”, The potential damage to the organization is limited and manageable. Confidentiality classification “internal”
normal protection needs
Protection class “high”, The potential damage to the organization may be substantial. Confidentiality classification “confidential”
high protection needs
Protection class “very high”, The potential damage can reach a level of potentially threatening or disastrous impact on the organization’s
very high protection needs existence. Confidentiality classification “strictly confidential”
Requirements (must) The requirements indicated in this column are strict requirements without any exemptions.
Principally, the requirements indicated in this column must be implemented by the organization. In certain
Requirements (should) circumstances, however, there may be a valid justification for non-compliance with these requirements. In case of
any deviation, its effects must be understood by the organization and it must be plausibly justified.
Additional requirements in case of high The requirements indicated in this column must additionally be met if the tested subject has high protection needs.
protection needs
Additional requirements in case of very high The requirements indicated in this column must additionally be met if the tested subject has very high protection
protection needs needs.
In the result tabs ISA5 and ISA4 (spider web diagram), all results are presented as assessed. The line for the target
Result (Maturity level) maturity level does not consider controls marked “n.a”. When calculating the average, however, the maximum
achievable target maturity level is taken into account.
INTERNAL #
Glossary
Term Explanation Examples
Business Continuity Management (BCM) BCM is intended to ensure the functionality of business-critical processes within the organization during and after
any crisis situation.
An external service is the processing of company information outside the audit scope.
(e.g. ext. hosting, O365 cloud services, AWS, web services such as Kaspersky anti-virus dashboards on the web, SIEM
services provided by ext. companies, etc.)
Cloud/external IT services Important for rejecting non-relevant web services:
• Cloud service: Damage may have direct impact on the company (CIA)
• Data are externally processed in a confidential/strictly confidential manner (e.g. not by translating individual
words)
Non-disclosure agreements (NDA) Non-disclosure agreements provide legal protection of an organization’s information particularly where information
is exchanged beyond the boundaries of the organization.
Generic work product (GWP) Any work product resulting from the execution of a process.
Information Owner/Information Officer/Data Person or organizational body preparing data or making data available for use and being able to provide information
Owner on their protection needs.
The information security management system is a control mechanism used by the organization’s management to
Information security management system ensure that information security is the result of sustainable management rather than that of mere coincidence and
(ISMS) individual effort.
Information security risks Risks existing in the preparation and processing of information. These are based on potential events having negative
impact on achieving the protection goals of information security.
The information security risk management is required for an early detection, assessment and handling of risks in
Information security risk management (ISRM) order to achieve the protection goals of information security. Hence, it enables the organization to establish
adequate measures for the protection of its information assets while considering the associated chances and risks.
Supporting Asset Supporting assets (electronic and physical) are used for storing, processing and transporting information assets. Mobile data storage devices, IT systems, IT
services/IT service providers, paper documents
Information Asset Information of essential value to the organization. Business secrets, critical business processes, know-
how, patents
IT service Services in the field of information technology.
IT system Any type of system used for electronic information processing. Computer, server, cloud, communication systems,
video conference systems, smartphones, tablets
The value of the information for the organization is determined based on the relevant protection goals of
Classification of information information security (confidentiality, integrity and availability). Based on this, the information is classified according
to the classification scheme. This enables the organization to implement adequate protective measures.
Network service A network service is a service which is provided by an IT system and used by other IT systems to communicate with DHCP, DNS, https, STARTTLS
the system via a data network.
Original Equipment Manufacturer (OEM) Within the context of VDA ISA, this refers to an automobile manufacturer.
INTERNAL #
The term personal data is used for all information referring to an identified or identifiable person; a natural person
is considered to be identifiable if they can be directly or indirectly identified particularly by assignment to an
Personal data identifier, e.g. a name, to an identification number, to location data, to an online identification or to one or more
specific features describing the physical, physiological, genetic, psychological, economic, cultural or social identity of
this natural person.
Process Attributes (PA) A measurable characteristic for a process capability that is applicable to each process.
Prototype Prototypes are vehicles, components and parts which are classified as requiring protection but have not yet been
presented to the public and/or published in adequate form by the OEM.
INTERNAL #
05.1 1.1.1
01.1 1.2.1
06.1 1.2.2
INTERNAL #
06.2 1.2.3
06.4 1.2.4
08.1 1.3.1
08.2 1.3.2
14.4 1.3.3
01.2 1.4.1
1.5 Assessments
To what extent is compliance with
information security ensured in
procedures and processes?
18.4 1.5.1
16.1 1.6.1
2 Human Resources
To what extent is the qualification
of employees for sensitive work
fields ensured?
07.1.a 2.1.1
(new)
07.2 2.1.3
06.3.a
(new) 2.1.4
11.1 3.1.1
17.1 3.1.2
06.3 3.1.4
09.2.a 4.1.1
(new)
09.1 4.1.2
INTERNAL #
09.2 4.1.3
09.5 4.2.1
10.1 5.1.1
13.4 5.1.2
12.1 5.2.1
12.2 5.2.2
INTERNAL #
12.3 5.2.3
12.5 5.2.4
12.7 5.2.5
INTERNAL #
12.8 5.2.6
13.1 5.2.7
14.1 5.3.1
09.6 5.3.4
6 Supplier Relationships
To what extent is information
security ensured among contractors
and cooperation partners?
15.1 6.1.1
INTERNAL #
13.5 6.1.2
7 Compliance
To what extent is compliance with
regulatory and contractual
provisions ensured?
18.1 7.1.1
18.2 7.1.2
01 ISMS
01.1 Release of an Information Security Management System (ISMS)
01.2 IS Risk Management
01.3 Effectiveness of the ISMS
Included in Question 01.1
01.3 na
13 Communications Security
13.1 Management of networks
13.2 Security requirements for networks/network services
13.3 Separation of networks (network segmentation)
Included in Question 13.1
13.3 na
Further information
INTERNAL #
+ Security zone 3 (red): Area of principally very high security requirements, protection of
information assets of very high protection needs, usually also strictly confidential scopes (e.g.
design)
Area 2 (yellow): Area with additional protective measures, protection of information assets
with high protection needs, usually also confidential scopes (e.g. development know-how)
Area 3 (red): Area with principally very high security requirements, protection of information
assets with very high protection needs, usually also strictly confidential scopes (e.g. design)
INTERNAL #
Within the context of VDA ISA, the term contractor includes both classic suppliers and
subcontractors but also classic service providers, freelancers or other partner companies. It also
includes cooperation partners (e.g. academic institutions, institutes).
The explanations below describe a possible procedure for fulfilling the requirements:
Identification of contractors and specification of protection needs and security requirements:
At first, all contractors must be identified (e.g. via the list of creditors of the accountants
department) in order to gain an initial overview.
For all contractors, the respective protection needs should be specified and the security
requirements derived according to their tasks and the relevance to own and customer’s
processes.
Generally, a large number of contractors is found not to require the assignment of relevant
protection needs and to be therefore not subject to security requirements (e.g. suppliers of
office stationary).
Support:
Examples “Normal protection need”
INTERNAL #
It is not necessary to list all information assets individually; instead, categories can be
established (e.g. master data of employees – responsible body: Human Resources)
INTERNAL #
Possible measures:
- Use of security technologies such as firewall systems, intrusion detection and prevention
systems (IDS/IPS), network management tools, security software for networks for preventing
unintended data exchange.
INTERNAL #
Support:
Examples “High protection need”
INTERNAL #
Obviously, contractors with high protection needs are subject to the minimum information
security requirements regarding the respective protection goal. These requirements should be
supplemented particularly by necessary general (see e.g. VDA ISA high protection needs) and
order-specific requirements.
In order to ensure compliance with the requirements in a suitable manner, simple mechanisms
should be established. This may include, for example:
- contractor requires TISAX label for high protection needs or equivalent (e.g. ISO 27001,
certificate of corresponding scope)
- right to and execution of regular sampling and event-related inspections.
INTERNAL #
Support:
Examples “Very high protection need”
INTERNAL #
Obviously, contractors with very high protection needs are subject to the minimum information
security requirements regarding the respective protection needs. These requirements should
be supplemented particularly by necessary general (see e.g. VDA ISA very high protection
needs) and order-specific requirements. The difference to high protection needs is essentially
the number and quality of the necessary additional requirements.
Prototype Protection
25 8
25.1.6 8.1.6
INTERNAL #
25.1.8 8.1.8
Organizational Requirements
25.2 8.2
25.2.1 8.2.1
To what extent are requirements for
commissioning subcontractors known
and fulfilled?
25.2.2 8.2.2
To what extent do employees and
project members evidently participate
in training and awareness measures
regarding the handling of prototypes?
25.2.3 8.2.3
INTERNAL #
25.2.4 8.2.4
To what extent is a process defined for
granting access to security areas?
25.2.5 8.2.5
To what extent are regulations for
image recording and handling of created
image material existent?
25.2.6 8.2.6
To what extent is a process for carrying
along and using mobile video and
photography devices in(to) defined
security areas established?
25.2.7 8.2.7
Handling of vehicles, components and
parts
25.3 8.3
To what extent are transports of
vehicles, components or parts classified
as requiring protection arranged
according to the customer
requirements?
25.3.1 8.3.1
To what extent is it ensured that
vehicles, components and parts
classified as requiring protection are
parked/stored in accordance with
customer requirements?
25.3.2 8.3.2
Requirements for trial vehicles
25.4 8.4
25.4.1 8.4.1
INTERNAL #
25.4.2 8.4.2
To what extent are protective measures
for approved test and trial drives in
public observed/implemented?
25.4.3 8.4.3
Requirements for events and shootings
25.5 8.5
To what extent are security
requirements for presentations and
events involving vehicles, components
or parts classified as requiring
25.5.1 8.5.1 protection known?
Objective
The requirements described in this clause apply to all companies which, on their
own properties, manufacture, store or are provided for use vehicles,
components or parts classified as requiring protection.
It must be ensured that all points of access to security areas where vehicles,
components or parts classified as requiring protection are manufactured,
processed or stored are protected against unauthorized entry by adequate
measures.
A process is defined for carrying along and using mobile video and photography
devices in(to) security areas where vehicles, components or parts classified as
requiring protection are manufactured, processed or stored. Unauthorized
creation or transmission of image material must be prevented.
It must be ensured, that the camouflage regulations are known to each project
member and observed in order to guarantee adequate view protection of trial
vehicles.
INTERNAL #
In order to maintain an undisturbed and secured trial operation on test and trial
grounds, the respective protective measures defined by the customer must be
observed.
It must be ensured that the respective customer requirements for the operation
of trial vehicles classified as requiring protection on public roads are known and
observed.
Requirements
(must)
+ A non-disclosure agreement:
- between contractor and customer (company level),
- with all employees and project members (personal obligation).
+ Country-specific legal provisions regarding data protection are to be
observed.
+ The requirements for using the respective camouflage are known to the
project members.
+ Any changes to the camouflage are made upon documented agreement
with the customer.
+ A process for the immediate reporting of any damages to the camouflage
is described and implemented.
INTERNAL #
+ Sight protection through relevant glass surfaces is ensured. + The spatial situation is also suitable for
+ View into defined security areas through open protecting vehicles classified as requiring
doors/gates/windows is prevented. protection against unauthorized view.
None None
INTERNAL #
None None
None None
None None
None None
INTERNAL #
None None
None None
None None
None None
None None
None None
None None
INTERNAL #
None None
None None
None None
None None
INTERNAL #
.
INTERNAL #
Contact
INTERNAL #
Further information
INTERNAL #
Support:
Examples “Normal protection need”
INTERNAL #
Support:
Examples “High protection need”
INTERNAL #
Support:
Examples “Very high protection need”
INTERNAL #
Column4
INTERNAL #
24.1 9.1
24.2 9.2
24.4 9.4
INTERNAL #
ction for determining a service provider’s basic suitability to act as a processor within
Requirements
+ Appointment of a data protection officer where legally required, otherwise appointment of a person responsible for data protection
+ Organizational implementation of data protection
- Integration of the data protection officer into the corporate structure
- Voluntary or obligatory appointment of a data protection officer
- Full-time or part-time data protection officer
- Internal or external data protection officer
- Support of the data protection officer by directly assigned employees (department “Data Protection”) depending on the company
- Support of the data protection officer by data protection coordinators in the company departments depending on the size of the c
(e.g. Marketing, Sales, Human Resources, Logistics, Development, etc.)
+ Specification of data protection principles (processing of personally identifiable data) in a documented company-internal data protec
(e.g. company-internal guideline).
+ Implementation of company-internal steering committees or responsibilities - in collaboration with the data protection officer - addr
topics relevant to data protection.
+ Implementation of a process which ensures the involvement of the data protection officer in any topics relevant to data protection (
context of a data protection impact assessment).
+ Documentation of work processes when processing personally identifiable data.
+ Documentation of statements and comments of the data protection officer regarding data protection law assessments.
+ Implementation of a process by means of which - in case a subcontracting processor is commissioned - the processor is by contractu
legal provisions subject to the same data protection obligations as specified by contract between the responsible person and the proce
+ Company-internal work instructions or manuals in specific task fields concerning the processing of personally identifiable data.
+ Employees’ (and, if applicable, subcontractors’) confidentiality obligation.
+ Implementation of technical and organizational measures for supporting the controller in handling data subject rights as far as feasib
appropriate for processing.
+ Implementation of reporting processes for immediately informing the customer, under consideration of any subcontractors, so the l
reporting deadlines for data protection incidents can be observed.
+ Documentation of subcontracting relationships including contractual regulations with relevant subcontractors, where any right to in
contractual regulation is in any case limited to the subcontractor’s obligations concerning data protection.
+ Implementation of a process for the documentation of instructions in terms of data protection legislation.
+ Ability to implement deletion concepts.
+ Implementation of a procedure for regular review, assessment and evaluation of TOM.
+ Proof of regular review and optimization of the data protection management system (e.g. certification).
+ Measures for observing confidentiality and integrity when transferring personally identifiable data.
+ Adequate protection mechanisms for reducing unauthorized access to personally identifiable data.
+ Obligatory training of employees entrusted with the processing of personally identifiable data of the customer (e.g. classroom trainin
+ Ensuring implementation of contracts and customer instructions.
INTERNAL #
+ Documentation of essential activities associated with the processing of personally identifiable data in accordance with legal requirem
+ Customer support for the execution of data protection impact assessments and the documentation of their results.
+ Informing the customer when detecting unlawful data processing, where applicable, under consideration of different national legisla
INTERNAL #
ection Regulation
Further information
INTERNAL #
Support:
Examples “Normal protection need”
INTERNAL #
Support:
Examples “High protection need”
INTERNAL #
Support:
Examples “Very high protection need”
INTERNAL #
Company: 0
Scope ID: 0
Date: 12/30/1899
Result with cutback to target
maturity level:
Maximum score: 3.00
5 IT Security/Cyber Security
4
8.3 Prototypte Protection - Handling of vehicles, components and parts (na) 1.4. IS Risk Management
3
8.1 Prototypte Protection - Physical and Environmental Security (na) 0 1.6 Incident Management
Details:
Target
No. Subject maturity Result
level
1.1.1 To what extent are information security policies available? 3
1.2.3 To what extent are information security requirements taken into account in projects? 3
1.2.4 To what extent are the responsibilities between external IT service providers and the own organization 3
defined?
1.3.2 To what extent are information assets classified and managed in terms of their protection needs? 3
1.3.3 To what extent is it ensured that only evaluated and approved external IT services are used for 3
processing the organization’s information assets?
1.5.1 To what extent is compliance with information security ensured in procedures and processes? 3
2.1.1 To what extent is the qualification of employees for sensitive work fields ensured? 3
2.1.2 To what extent is all staff contractually bound to comply with information security policies? 3
2.1.3 To what extent is staff made aware of and trained with respect to the risks arising from the handling of 3
information?
3.1.1 To what extent are security zones managed to protect information assets? 3
3.1.4 To what extent is the handling of mobile IT devices and mobile data storage devices managed? 3
4.1.2 To what extent is the user access to network services, IT systems and IT applications secured? 3
4.1.3 To what extent are user accounts and login information securely managed and applied? 3
5.2.2 To what extent are development and testing environments separated from operational environments? 3
5.3.1 To what extent is information security considered in new or further developed IT systems? 3
5.3.3 To what extent is the return and secure removal of information assets from external IT services 3
regulated?
6.1.1 To what extent is information security ensured among contractors and cooperation partners? 3
6.1.2 To what extent is non-disclosure regarding the exchange of information contractually agreed? 3
7.1.1 To what extent is compliance with regulatory and contractual provisions ensured? 3
7.1.2 To what extent is the protection of personally identifiable data taken into account when implementing 3
information security?
Details:
Target
No. Subject maturity Result
level
8.1 Physical and Environmental Security
8.1.1 Security concept 3
8.1.2 Perimeter security 3
8.1.3 Stability of outer skin 3
8.1.4 View and sight protection 3
8.1.5 Protection against unauthorized entry and access control 3
8.1.6 Intrusion monitoring 3
8.1.7 Visitor management 3
8.1.8 Client segregation 3
8.2 Organizational Requirements
8.2.1 Non-disclosure obligations 3
8.2.2 Subcontractors 3
8.2.3 Awareness 3
8.2.4 Security classification 3
8.2.5 Access control 3
8.2.6 Film and photo regulations 3
8.2.7 Mobile video and photography devices 3
8.3 Handling of vehicles, components and parts
8.3.1 Transport 3
8.3.2 Parking and storage 3
8.4 Requirements for trial vehicles
8.4.1 Camouflage 3
8.4.2 Test and trial ground 3
8.4.3 Test and trial drives on public roads 3
8.5 Requirements for events and shootings
8.5.1 Presentations and events 3
8.5.2 Film and photo shootings 3
INTERNAL #
Company: 0
Scope ID: 0
Date: 12/30/1899
Result with cutback to target
maturity level:
Maximum score: 3.00
3
17 Information Security Aspects of Business Continuity Management 7 Human Resources Security
2
Details:
Target
No. Subject maturity Result
level
01.1 Release of an Information Security Management System (ISMS) 3
01.2 IS Risk Management 3
01.3 Effectiveness of the ISMS na na
05.1 Information Security Policy 3
06.1 Assigning responsibility for information security 3
06.2 Information Security in projects 3
06.3 Mobile devices 3
06.3.a (new) Teleworking 3
06.4 Roles and responsibilities
Contractual for external
information security IT service providers
obligation 3
07.1 of employees 3
07.1.a (new) Qualification of employee(s) 3
07.2 Awareness and training of employees 3
08.1 Inventory of assets 3
08.2 Classification of information 3
08.3 Storage of information on mobile data storage devices na na
08.4 Removal of externally stored information assets 3
09.1 Access to networks and network services 3
09.2 User registration 3
09.2.a (new) Handling of identification means 3
09.3 Privileged user accounts na na
09.4 Confidentiality of authentication data na na
09.5 Access to information and applications 3
09.6 Separation of information in shared environments 3
10.1 Encryption 3
11.1 Security zones 3
11.2 Protection against external influences and external threats na na
11.3 Protective measures in the delivery and shipping area na na
11.4 Use of equipment 3
12.1 Change Management 3
12.2 Separation of development, testing and operational environments 3
12.3 Protection against malware 3
12.4 Backup procedures na na
12.5 Event logging 3
12.6 Logging administration activities na na
12.7 Tracing of vulnerabilities (patch management) 3
12.8 Review of information systems 3
12.9 Consideration of critical administrative functions of cloud services na na
13.1 Management of networks 3
13.2 Security requirements for networks/services 3
13.3 Separation of networks (network segmentation) na na
13.4 Electronic exchange of information 3
13.5 Non-disclosure agreements for information exchange with third parties 3
14.1 Requirements for the acquisition of information systems 3
14.2 Security in the software development process na na
14.3 Management of test data na na
14.4 Approval of external IT services 3
15.1 Risk management in collaboration with suppliers 3
15.2 Review of service provision by suppliers na na
16.1 Reporting system for information security incidents (incident management) 3
16.2 Processing of information security incidents na na
17.1 Information Security Aspects of Business Continuity Management (BCM) 3
18.1 Legal and contractual provisions 3
18.2 Confidentiality and protection of personally identifiable data 3
18.3 Audit of the ISMS by independent bodies 3
18.4 Effectiveness check 3
Method: - comparison of the top 41 security topics 3.00
- based on ISO 27001 controls
- evaluated using SPICE ISO 15504
INTERNAL #
Details:
Target
No. Topic maturity Result
level
25.1 Physical and Environmental Security
25.1.1 Security concept 3
25.1.2 Perimeter security 3
25.1.3 Stability of outer skin 3
25.1.4 View and sight protection 3
25.1.5 Protection against unauthorized entry and access control 3
25.1.6 Intrusion monitoring 3
25.1.7 Visitor management 3
25.1.8 Client segregation 3
25.2 Organizational Requirements
25.2.1 Non-disclosure obligations 3
25.2.2 Subcontractors 3
25.2.3 Awareness 3
25.2.4 Security classification 3
25.2.5 Access control 3
25.2.6 Film and photo regulations 3
25.2.7 Mobile video and photography devices 3
25.3 Handling of vehicles, components and parts
25.3.1 Transport 3
25.3.2 Parking and storage 3
25.4 Requirements for trial vehicles
25.4.1 Camouflage 3
25.4.2 Test and trial ground 3
25.4.3 Test and trial drives on public roads 3
25.5 Requirements for events and shootings
25.5.1 Presentations and events 3
25.5.2 Film and photo shootings 3
INTERNAL #
Control VDA ISA 5.0 2.1.3 To what extent is staff made aware of and trained with respect 4.1.3 To what extent are user accounts and login information securely managed and applied? 5.2.1 To what extent are changes controlled? 5.2.3 To what extent are IT systems protected against malware?
to the risks arising from the handling of information?
Control VDA ISA 4.1 7.2 Awareness and training of employees 9.2 User registration 12.1 Change Management 12.3 Protection against malware
Scope COVERAGE EFFECTIVENESS COVERAGE COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS
ID Coverage degree of awareness Effectiveness of awareness Coverage degree review “User Coverage degree review “Collective accounts” Coverage degree Change Change - error rate Coverage degree Endpoint Effectiveness of updating
measures measures accounts” “authorizations” Management Security Endpoint Security
Employees with raised awareness The contents of awareness Regular reviews of systems for Regular reviews of user accounts Collective accounts should
represent an important pillar for measures should consider unnecessary accounts are the for unnecessary authorizations principally not be used or used A comprehensive and consistently A high quality of the change A comprehensive Endpoint Current virus signatures are the
the information security in a outcomes of information security prerequisite for a consistent and are the prerequisite for a only in exceptional cases since an observed change management management process leads to Security provides a company with prerequisite for an effective
company. Awareness measures incidents. current user base according to the consistent and current explicit allocation of user activities process is the basis for secure lower error rates among the an essential protection against Endpoint Security. The KPI
Description should reach all employees, as far The KPI measures the need-to-know principle. The KPI authorization base according to is impeded. The KPI measures the operation. The KPI measures the performed changes and malware. The KPI measures the measures the target state and the
as possible. The KPI measures the effectiveness of awareness measures the coverage degree of the need-to-know principle. The number of used collective coverage degree of changes contributes to a secure operation. ratio of protected IT systems in actual state of virus definitions on
coverage degree of trainings such measures by recording (based on the measure “Regular user KPI measures the coverage accounts in consideration of complying with the policies. The KPI measures the error rate consideration of approved reporting deadline.
as e-learnings, classroom number or cost) security incidents degree of the measure “regular of changes. exceptions.
trainings. with human errors as a cause. review”. authorization review”. approved exceptions.
Objective (Vision) All employees are trained with No information security incidents All IT systems have valid user All authorizations comply with All collective accounts are All changes are made in Error-free performance of changes Comprehensive protection of all All IT systems have up-to-date
respect to information security with human error as a cause accounts only current needs reviewed for their necessity conformance to policies IT systems threatened by malware protection
Recipients Information Security; supervisors Information Security Information Security Information Security Information Security Information Security Information Security Local IT, Information Security Local IT, Information Security
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Frequency (reporting) annually) annually) annually) annually) annually) annually) annually) annually) annually)
Frequency (measurement) to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) monthly) annually)
Interfaces HR - Training Department - IKS - Incident Management Data Owner, User Management, Data Owner, User Management, User Management IT Operations, Change IT Operations, Change AV Management, IT Operations AV Management, IT Operations
Internal Audit Department Supervisors Supervisors Management Management
E-learnings, classroom training, Incident Mgt. Tool, Ticket System, User registry, authorization User registry, authorization User registry, authorization Project Management, Change Project Management, Change
Components training plan, training register ISMS Tool management tool, IAM platform, management tool, IAM platform management tool, IAM platform Management Management AV console, CMDB AV console, CMDB
CMDB
Data archiving 5 years 5 years 10 years 10 years 5 years 10 years 5 years 5 years 5 years
INTERNAL #
3.1.2 To what extent is information security ensured in exceptional situations? 5.2.5 To what extent are vulnerabilities identified and addressed? 1.6.1 To what extent are information security events processed? 1.1.1 To what extent are information security policies available?
Coverage degree of backup Coverage degree of restoration Backup effectiveness Coverage degree Patch Effectiveness of patch installation Detection rate of information Timely processing of information Creation degree of required Actuality of required
tests Management security incidents security incidents policies/documentations policies/documentations
A regular and complete backup Regular restoration tests (e.g. by Backup quality must be ensured A comprehensive patch The timely installation of patches Information security incidents Information security incidents
provides protection against the restoring data or systems) is by correlating controls. Measures management protects the ensures the security of IT systems have to be detected and timely have to be adequately prioritized Under an ISMS, For the ISMS, the prepared
loss of data, e.g. in case of a essential to the availability of are e.g. data restore, system company against malware and and applications and therefore handled in order to protect the and handled according to their mandatory/voluntary policies/documentations must be
system failure or malware business information. restorations. exploits. The KPI measures the reduces the exploit windows for company from damages. The KPI criticality. The KPI measures the policies/documentations must be reviewed for their actuality.
infection of IT systems. The KPI measures the coverage The KPI measures the number of inclusion of IT systems and the company. The KPI measures measures the compliance of the appropriate timely handling of prepared.
The KPI measures the degree of degree of restoration tests. incorrect data restores. applications in the patch the recording of the target state incident reporting process information security incidents.
backup coverage. management process. and the actual state of patches. between the involved interfaces.
All information security incidents All information security incidents All necessary All necessary
All relevant data is adequately Regular restoration tests for all Correct backups All IT systems are involved in the All IT systems are at current patch will be detected, reported and will be handled within an policies/documentations are policies/documentations are
secured backed-up IT systems patch process level handled within the scope of the appropriate time frame present reviewed for actuality/content
incident management process
Local IT, Information Security, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security Local IT, Information Security IT, Information Security, IT, Information Security, Information Security, Corporate Information Security, Corporate
service owner service owner service owner Compliance Compliance Security, IT Security, HR, Business Security, IT Security, HR, Business
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) Initial version annually)
Quotient: number of IT systems Quotient: number of IT systems Quotient: number of currently Quotient: number of information Quotient: number of policies
covered by backups/total number with tested restoration from Quotient: number of restorations patched IT systems/total number time comparison security incidents reported in the For each individual criticality level: Quotient: number of existing reviewed according to
with errors/total number of all average actual rollout state vs. incident management/total All unsolved incidents within policies/population of necessary
of IT systems (adjusted for backup/total number of all restoration tests of IT systems (adjusted for target state number of incidents (known to defined period/all incidents policies cycle/population of policies to be
authorized exceptions) backed-up IT systems authorized exceptions) reviewed
the surveying unit)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) monthly) annually) monthly) monthly) annually) annually) annually) annually)
Backup process, IT Operations Backup process, IT Operations Backup process, IT Operations Patch/Change Management, IT Patch/Change Management, IT IT, CERT, Incident Management, IT, CERT, Incident Management, Information Security, Corporate Information Security, Corporate
Operations Operations Helpdesk, Service Management Helpdesk, Service Management Security, IT Security, HR, Business Security, IT Security, HR, Business
1.2.3 To what extent are information security requirements taken 3.1.4 To what extent is the handling of mobile IT devices and mobile 3.1.1 To what extent are security zones managed to protect information assets? 5.2.4 To what extent are event logs recorded and analyzed?
into account in projects? data storage devices managed?
COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE COVERAGE EFFECTIVENESS COVERAGE
Effectiveness of implementation
Coverage degree of information Protective measures - Coverage degree of mobile device of mobile device security Implementation degree of zone Implementation of protective Coverage degree review “Access Coverage degree of event logs on Functioning log activity Coverage degree of admin logs on
security in projects implementation in projects security measures concept measures for zone concept authorizations” security-critical IT systems security-critical IT systems
Information security Information security Security zones are protected All employees working in the All relevant IT systems and All relevant IT systems and
requirements are considered in all requirements are implemented in All relevant mobile devices are All relevant mobile devices are Zones are defined for all according to internal delivery and shipping area are applications are integrated into Completeness and correctness of applications are integrated into
projects all projects subject to protective measures subject to up-to-date protection properties specifications (see e.g. References subject to regular review of access event logging logs admin logging
“Security zones”) rights
Information Security, Corporate Information Security, Corporate IT Security, Information Security IT Security, Information Security, Information Security, Corporate Information Security, Corporate Corporate Security, Logistics, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security,
Security, IT Security Security, IT Security Corporate Security Security Security authorities Compliance Compliance Compliance
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) annually) annually) annually)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) monthly) monthly) annually) quarterly) annually) annually) quarterly) annually)
Plant security, local security Plant security, local security
Project customer, Project Project customer, Project IT Operations, IT Security IT Operations, IT Security functions, specialized functions, specialized Logistics, Access Management IT, IT System Owner, Data Owner, IT, System Owner, Data Owner, IT, System Owner, Data Owner,
Management Office (PMO) Management Office (PMO) departments departments Risk Owner Risk Owner Risk Owner, User Management
Property plans, zone concept, Property plans, zone concept, Staff registry (internal/external),
Overview of projects per PMO Overview of projects per PMO Overview of mobile devices Overview of mobile devices information classification information classification access control system CMDB, Logging server CMDB, Logging server CMDB, Logging server, IAM
5 years 5 years 5 years 5 years 5 years 5 years 10 years to be defined individually (if to be defined individually (if to be defined individually (if
relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years)
INTERNAL #
Results of admin logging activities Information security risks Vulnerabilities identified in the
must allow analysis. Reliable and IT systems processing or storing Measures resulting from those Regular verifications of the SLAs The protection of information associated with the applications course of information security
manipulation-protected end-to- information of high or very high audits must be implemented in for network services ensure The agreed measures resulting confidentiality must be subject to Risks identified during the to be developed must be Risks identified in the process of audits (internal and external)
end recording of the admin protection needs must be time in order to eliminate any consideration of current security from the SLAs must be contractual agreement where at acquisition process are treated in identified as early as possible in software development are treated must be eliminated in a
activities to be monitored is subjected to audits at regular detected vulnerabilities. requirements at all times. implemented. least confidential information is a timely and effective manner. the process of software in a timely and effective manner. consequent and traceable
essential for traceability, if intervals. exchanged with external partners. development. manner. Findings must not
required. remain unhandled.
All relevant IT systems are Non-disclosure agreements have Security risks identified in Security risks are taken into Security risks are addressed in the All vulnerabilities identified in the
Completeness and integrity of subjected to audits at regular All measures are implemented in All SLAs include the current All requirements resulting from been entered with all external acquisition are handled in an account in the software development process in an course of audits are traced and
admin logs intervals time security requirements the SLAs are implemented partners effective manner development process effective manner assigned to activities
Local IT, Information Security, Local IT, Information Security Local IT, Information Security Local IT, Information Security Local IT, Information Security Acquisition, Information Security, Information Security, Local IT, Information Security, Local IT, Risk Information Security, Local IT, Risk Information Security, Corporate
Compliance specialized department Procurement Management Management Security, Local IT, Internal Audit
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) annually) annually) annually)
Number of incorrect admin logs to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Red: > 0, Green = 0 Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%,
Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%)
Quotient: number of measures Quotient: number of measures Quotient: number of orders with Quotient: number of software Quotient: number of findings
number of incorrectly written Quotient: number of audited IT implemented in time/number of Quotient: number of verified implemented/number of concluded non-disclosure Quotient: number of treated development projects that Quotient: number of treated
systems/total number of security- risks/population of risks identified underwent risk risks/population of risks identified subject to subsequent
admin logs critical IT systems measures still to be implemented SLAs/total number of SLAs measures agreed agreement/total number of in the acquisition process assessment/population of in the development process activities/population of identified
relevant orders findings
relevant development projects
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
quarterly) monthly) monthly) monthly) monthly) monthly) quarterly) quarterly) quarterly) quarterly)
Procurement, specialized Procurement, specialized Procurement, specialized Internal Auditors, Information
IT, System Owner, Data Owner, Audit Management, IT Audit Management, IT IT Operations, Information IT Operations, Information Acquisition, Information Security, departments (requisitioner), Local departments (requisitioner), Local departments (requisitioner), Local Security, Local IT, specialized
User Management Operations, System Owner Operations, System Owner Security Security specialized department IT IT IT departments (Auditees)
Acquisition register, ordering Development system, Development system, Audit data base, follow-up data
CMDB, Logging server, IAM CMDB CMDB, Audit system CMDB CMDB Acquisition system system development project data base development project data base base
to be defined individually (if 5 years 5 years 5 years 5 years 5 years 5 years 5 years 5 years 10 years
relevant to billing: 10 years)
INTERNAL #
EFFECTIVENESS
Timely elimination of
vulnerabilities determined during
audits
10 years
INTERNAL #
INTERNAL #
This work has been licensed under Creative Commons Attribution - No Derivative Works 4.0 International Public License. In
addition, You are granted the right to distribute derivatives under certain terms. The complete and valid text of the license is to
be found in line 17ff.
By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative
Commons Attribution-NoDerivatives 4.0 International Public License ("Public License"). To the extent this Public License may be
interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and
conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed
Material available under these terms and conditions.
Section 1 – Definitions.
a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed
Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner
requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the
Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed
Material is synched in timed relation with a moving image.
b. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without
limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled
or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
c. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented
under laws fulfilling obligations within the meaning of Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996,
and/or similar international agreements.
d. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar
Rights that applies to Your use of the Licensed Material.
INTERNAL #
e. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public
License.
f. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited
to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
g. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
h. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights,
such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to
make material available to the public including in ways that members of the public may access the material from a place and at a
time individually chosen by them.
i. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament
and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other
essentially equivalent rights anywhere in the world.
j. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
Section 2 – Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-
sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
A. reproduce and Share the Licensed Material, in whole or in part; and
B. produce and reproduce, but not Share, Adapted Material.
2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public
License does not apply, and You do not need to comply with its terms and conditions.
3. Term. The term of this Public License is specified in Section 6(a).
4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all
media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The
Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to
exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For
purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You
are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the
Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other
similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held
by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this Public License.
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights,
whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all
other cases the Licensor expressly reserves any right to collect such royalties.
Section 3 – License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
a. Attribution.
1. If You Share the Licensed Material, You must:
INTERNAL #
A. retain the following if it is supplied by the Licensor with the Licensed Material:
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable
manner requested by the Licensor (including by pseudonym if designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of warranties;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this
Public License.
For the avoidance of doubt, You do not have permission under this Public License to Share Adapted Material.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in
which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or
hyperlink to a resource that includes the required information.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent
reasonably practicable.
Section 4 – Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial
portion of the contents of the database, provided You do not Share Adapted Material;
b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database
Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material;
and
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where
the Licensed Rights include other Copyright and Similar Rights.
Section 5 – Disclaimer of Warranties and Limitation of Liability.
a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material
as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether
express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a
particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors,
whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may
not apply to You.
b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation,
negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses,
costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been
advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in
part, this limitation may not apply to You.
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent
possible, most closely approximates an absolute disclaimer and waiver of all liability.
Section 6 – Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with
this Public License, then Your rights under this Public License terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
a. For the avoidance of doubt, this Public License does not, and must not be interpreted to, reduce, limit, restrict, or impose
conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it must be automatically reformed to
the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it must be severed from this Public
License without affecting the enforceability of the remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to
by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and
immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
1.0
1.1
1.2
1.3
2.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
3.0.2
INTERNAL #
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
5.0.0
5.0.2
5.0.3
INTERNAL #
5.0.4
5.1
INTERNAL #
Correction of the link of Control 14.4 on the results page, Level 3 adaptation: Established in tab “Maturity levels”
Tab Results: The results will only be indicated for controls that have been subject to processing.
Adaptation of Chapter 24 to DSGVO and minor modifications to those controls designated with 4.1.0
8.4, 13.3 correction in description of objective
9.1 addition of control and objective description
10.1, 11.1, 12.5, 12.6, 12.9 adaptation of requirements
18.2 and Data Protection (24) adaptation to DSGVO
References: 'secret' changed to 'strictly confidential' and classification levels supplemented to protection classes
Prototype Protection (25) revised
e Protection” tabs