Kopie Von VDA-ISA - EN - 4-0-4 - 2018-09-24

Information Security Assessment
Welcome to
the Information Security Assessment (ISA) of the Verband der Automobilindustrie (Association of the German Automotive Industry,
VDA).
VDA ISA provides the basis for

- a self assessment to determine the state of information security in an organization (e.g. company)
- audits performed by internal departments (e.g. Internal Audit, IT-Audit, Information Security)
- a review in accordance with TISAX (Trusted Information Security Assessment Exchange, http://enx.com/tisax/)
VDA ISA consists of several tabs; the content and function of which are explained below:
Maturity levels:
VDA ISA provides assessment of the implementation by means of a maturity model defined in this table sheet.
A simplified sequence of the maturity levels is as follows:
Level 0: The implementation of requirements is incomplete. A process does not exist or the existing process does not achieve the required results.
Level 1: The requirements necessary for the respective information protection needs are performed. A process is in place and shows signs of its working. It
is, however, not completely documented. Therefore, its working at all times cannot be ensured.
Level 2: The process for achieving the objective is managed. It is documented and proof (e.g. documentations) is available.
Level 3: The process for achieving the objective is established, the processes are linked in order to show existing dependencies. The documentation is up
to date and maintained.
Level 4: Requirements from Level 3 and, in addition, results are measured (e.g. KPI) making the process predictable.
Level 5: Requirements from Level 4 and, moreover, additional resources (e.g. personnel and finances) are being implemented in an optimizing manner.
The process is subject to continuous improvement.
Explanation:
The explanation includes the definition of the terms “must”, “should” and “may” to provide different grades within the requirements in the questionnaires
below.
Minimum requirements are listed under “shall”. Without their implementation, the objective cannot be achieved.
Generally, implementation of the requirements defined under “should” is necessary in order to achieve the objective. However, the selection of adequate
measures may also be acceptable if they allow the objective to be achieved.
Depending on the size of a company and the case of application, it may be necessary to implement the requirements listed under “can” in order to achieve
the control objective.
Another specific feature are the additional requirements depending on the protection needs of the information. This is due to the fact that information of
high/very high protection requires specific measures. The protection needs are related to the essential protection objectives of information security, namely
confidentiality, availability and integrity.
Cover:
The cover contains boxes for information on the respective organization, the scope of the review, the auditor and the contact person of the organization
under review.
Results:
Here, the results of the single tab (review catalogue pages) are summarized and presented in printing format.
The spider diagram provides an overview of all controls.
The list of all controls shows the target maturity levels to be achieved.
Depending on the significance of the controls, the target maturity levels vary from Level 2 to Level 4.
When calculating the overall result, the results of controls overachieving their target maturity level are shortened and averaged. This ensures that
requirements are comprehensively fulfilled and that there is no compensation of overachieved and underachieved controls.
Information Security:
The tab “information security” includes all basic controls based on the standard ISO/IEC 27001. The controls themselves are formulated as questions. The
answer can be documented in the additional box “Implementation description” (marked by table extension “+”). Further boxes (“Reference documentation”,
“Findings” and “Measures”) allow extended documentation and are usually used to support the auditor.
The objective of the respective control and the requirements for achieving it are listed in accordingly designated boxes. Here, each control shall always be
assessed according to the degree to which the objective is achieved.
The assessment of the maturity levels (see tab “maturity levels” for description) of each control is recorded in the box (column B) by means of a drop-down
and then automatically transferred to the tab “Results”.
Connection to third parties (23):

The controls listed here include additional requirements for cases where employees access third party IT systems via network connections while on the
organization’s premises.
Prototype protection (25):

The tab “Prototype protection” contains physical and organizational requirements for the protection of vehicle prototypes and is applied where the
organization deals with vehicle prototypes.
Data protection (24):

This tab is to be additionally filled in for order data processing in accordance with §11 of the BDSG and includes controls to be answered merely with ‘yes’ or
‘no’.
KPIs:
This tab shows examples of Key Performance Indicators (KPI) for measuring process results both for controls for which VDA ISA has defined a target
maturity level of 4 and for controls where a measurement appears useful. The tab content provides support for identifying own suitable KPIs. It does not
present mandatory requirements for achieving maturity level 4. For controls having a target maturity level of 3 or less, definition of KPIs is not mandatory,
but may be helpful for a central management of information security at many locations.
400375344.xlsx /
Printed on: 10/26/2018 Page 1 of 98
Welcome
References:
This tab gives further information and definitions regarding the topics “Security zones”, “Optics”, “Personnel”, “Off-premises workplace” and “Protection
classes”. The topics listed on this tab may be considered examples of best practice.
Glossary:
The glossary describes abbreviations and other terms.
License:
License conditions under which the VDA ISA is published.
We recommend you to start with the table sheet “Information security” thereby gaining an overview of the state of your information security.
AG Audit of the Working Group Information Security of the VDA wishes you every success.
400375344.xlsx /
Welcome
Information Security Assessment -
Maturity level model
Explanation of the maturity level model
The maturity level assessment is carried out based on a generic process maturity level model. The maturity level model differentiates between six individual
levels:
- Level 0: Incomplete
- Level 1: Performed
- Level 2: Managed
- Level 3: Established
- Level 4: Predictable
- Level 5: Optimizing
Activities are assigned to the single levels which ensure that the results are systematically derived and will be available in the defined quality at the end of
the process.
During assessment, conformity with the requirements of the corresponding level shall be objectively demonstrated. This can be done, for example, by
means of work products resulting from the processes of the controls or by means of interview statements by persons carrying out the process.
Level 0: Incomplete
he process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the
process purpose.
Level 1: Performed
- The implemented process achieves its process purpose.
- There is evidence that the intent of the base practice is being performed.
- Work products are produced that provide evidence of process outcomes.
Level 2: Managed
Control of process implementation (PA 2.1):
- Objectives for the performance of the process are identified.
- Performance of the process is planned and monitored.
- Performance of the process is adjusted to meet plans.
- Responsibilities and authorities for performing the process are defined, assigned and communicated.
- Resources and information necessary for performing the process are identified, made available, allocated and used.
- Interfaces between the involved parties are managed to ensure effective communication and clear assignment
of responsibility.
Management of work products (PA 2.2):

- Requirements for the work products of the process are defined.
- Requirements for documentation and control of the work products are defined.
- Work products are appropriately identified, documented and controlled.
- Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements.
This includes, among others, the following documents (GWP):

+ Process documentation
+ Process plan
+ Quality plan/records
+ Process implementation records
Level 3: Established
Process definition (PA 3.1):
- A standard process, including appropriate tailoring guidelines, is defined that describes the fundamental elements that
must be incorporated into a defined process.
- The sequence and interaction of the standard process with other processes are determined.
- Required competencies and roles for performing a process are identified as part of the standard process.
- Required infrastructure and work environment for performing a process are identified as part of the standard process.
- Suitable methods for monitoring the effectiveness and suitability of the process are determined.
Process deployment (PA 3.2):

- A defined process is deployed based on an appropriately selected and/or tailored standard process.
- Required roles, responsibilities and authorities for performing the defined process are assigned and communicated.
- Personnel performing the defined process are competent on the basis of appropriate education, training and experience.
- Required resources and information necessary for performing the defined process are made available, allocated and used.
- Required infrastructure and work environment for performing the defined process are made available, managed and
maintained.
- Appropriate data are collected and analysed as a basis for understanding the behaviour of the process, to demonstrate its
suitability and effectiveness, and to evaluate where continuous improvement of the process can be made.

+ Process plan
+ Quality records
+ Policies and standards
400375344.xlsx /
Maturity levels
Level 4: Predictable
Process measurement (PA 4.1):
- Process information needs in support of relevant defined business goals are established.
- Process measurement objectives are derived from process information needs.
- Quantitative objectives for process performance in support of relevant business goals are established.
- Measures and frequency of measurement are identified and defined in line with process measurement objectives and
quantitative objectives for process performance.
- Results of measurement are collected, analysed and reported in order to monitor the extent to which the quantitative
objectives for process performance are met.
- Measurement results are used to characterise process performance.
Process control (PA 4.2):

- Analysis and control techniques are determined and applied where applicable.
- Control limits of variation are established for normal process performance.
- Measurement data are analysed for special causes of variation.
- Corrective actions are taken to address special causes of variation.
- Control limits are re-established (as necessary) following corrective action.

+ Process control plan
+ Process improvement plan
+ Process measurement plan
Level 5: Optimizing
- Process improvement objectives for the process are defined that support the relevant business goals.
- Appropriate data are analysed to identify common causes of variations in process performance.
- Appropriate data are analysed to identify opportunities for best practice and innovation.
- Improvement opportunities derived from new technologies and process concepts are identified.
- An implementation strategy is established to achieve the process improvement objectives.
Continuous optimization (PA 5.2):

- Impact of all proposed changes is assessed against the objectives of the defined process and standard process.
- Implementation of all agreed changes is managed to ensure that any disruption to the process performance is understood
and acted on.
- Based on actual performance, effectiveness of process change is evaluated against the defined product requirements and
process objectives to determine whether results are due to common or special causes.

+ Process improvement plan
+ Process measurement plan
400375344.xlsx /
Maturity levels
Explanation of requirements
Requirement level
Different levels of protection needs and special characteristics of organizations are reflected by different requirements. For the purpose of describing the
requirements for the respective control, differences are made between the following five requirement types:
- This must include

- This should include
- This may include
- Additionally in case of high protection needs
- Additionally in case of very high protection needs
The interpretation of the respective requirement category is to be understood as follows.
“This must include”

Requirements of the category “This must include” are mandatory requirements without any exceptions.
“This should include”

Requirements of the category “This should include” are in general to be implemented by the organization in general. In certain circumstances, however,
there may be a valid justification for non-compliance with requirements of the category “This should include”. In case of any deviation, its effects shall be
understood by the organization and it shall be plausibly justified.
“This may include”

Requirements of the category “This may include” are optional. They show examples and possibilities to provide guidance for the implementation of a control.
“Additionally in case of high protection needs”

Requirements of the category “Additionally in case of high protection needs” must additionally be met where the assessment level incorporates high
protection needs.
“Additionally in case of very high protection needs”

Requirements of the category “Additionally in case of very high protection needs” must additionally be met where the assessment level incorporates very
high protection needs.
400375344.xlsx /
Definitions
Group:
Company:
Location:
Address:
Homepage:
Short description of the group

company:
Scope/TISAX Scope-ID
D&B D-U-N-S® No.
Date of the assessment:
Contact person:
Telephone number:
Email address:
Creator:
Telephone number:
Email address:
Managing Director:
Signature:
Version: 4.0.4 / 2018-09-24
400375344.xlsx /
Cover
Results
Company: 0
Location: 0
Date: 12/30/1899
Result with cutback to target
maturity levels:
Maximum score: 3.00
1 ISMS
18 Compliance 5 5 Information Security Policies
4
17 Information Security Aspects of Business Continuity Management 6 Organization of Information Security
3
2
16 Information Security Incident Management 1 7 Human Resources Security
15 Supplier Relationships 8 Asset Management
14 System acquisition, development and maintenance 9 Access Control
13 Communications Security 10 Cryptography

12 11
Operations
Physical and
Security
Environmental Security
Target maturity level Result
400375344.xlsx /
Results
Results
maturity level:
Maximum score: 3.00
Details:
Question Target maturity

Topics Result
No. level
1.1 Release of an Information Security Management System (ISMS) 3
1.2 IS Risk Management 3
1.3 Effectiveness of the ISMS 3
5.1 Information Security Policy 3
6.1 Assigning responsibility for information security 3
6.2 Information Security in projects 3
6.3 Mobile devices 3
6.4 Roles and responsibilities
Contractual for external
information security IT service providers
obligation
3
7.1 of employees 3
7.2 Awareness and training of employees 4
8.1 Inventory of assets 3
8.2 Classification of information 2
8.3 Storage of information on mobile storage devices 3
8.4 Removal of externally stored information assets 3
9.1 Access to networks and network services 3
9.2 User registration 4
9.3 Privileged user accounts 3
9.4 Confidentiality of authentication data 3
9.5 Access to information and applications 3
9.6 Separation of information in shared environments 3
10.1 Cryptography 3
11.1 Security zones 3
11.2 Protection against external influences and external threats 3
11.3 Protection measures in the delivery and shipping area 2
11.4 Use of equipment 2
12.1 Change management 4
12.2 Separation of development, test and operational environments 2
12.3 Protection against malware 4
12.4 Back-up procedures 4
12.5 Event logging 3
12.6 Logging administrational activities 2
12.7 Prosecution of vulnerability (patch management) 4
12.8 Review of information systems 2
12.9 Consideration of critical administrative functions of cloud services 3
13.1 Management of networks 3
13.2 Security requirements for networks/services 3
13.3 Separation of networks (network segmentation) 3
13.4 Electronic exchange of information 3
13.5 Non-disclosure agreements for information exchange with third parties 3
14.1 Requirements for the acquisition of information systems 3
14.2 Security along the software development process 3
14.3 Management of test data 2
14.4 Approval of external IT services 3
15.1 Risk management in collaboration with suppliers 3
15.2 Review of service provision by suppliers 3
16.1 Reporting system for information security incidents (incident management) 3
16.2 Processing of information security incidents 4
17.1 Information Security Aspects of Business Continuity Management (BCM) 3
18.1 Legal and contractual provisions 3
18.2 Confidentiality and protection of personally identifiable data 3
18.3 Audit of the ISMS by independent bodies 3
18.4 Efficiency test 3
Method: - comparison of the top 52 security topics 3.00
- based on ISO 27001 controls
- evaluated using SPICE ISO 15504
400375344.xlsx /
Results
Results -
Connection to third parties

maturity level:
Maximum score: 3.00
Details:

Topics Result
No. level
23.7.2 Awareness and training of employees #NAME? #NAME?
23.9.2 User registration #NAME? #NAME?
23.11.1 Security zones #NAME? #NAME?
23.13.3 Separation of networks (network segmentation) #NAME? #NAME?
3

Results - Prototype protection
maturity level:
Maximum score: 3.00
Details:

Topics Result
No. level
25.1.1 Security concept 3
25.1.2 Perimeter safety 3
25.1.3 Outer-skin protection 3
25.1.4 View and sight protection 3
25.1.5 Access control 3
25.1.6 Intrusion detection system 3
25.1.7 Documented visitor management 3
25.1.8 On-site client separation 3
25.2.1 Non-disclosure agreement 3
25.2.2 Relationships with subcontractors 3
25.2.3 Training and raising the awareness of employees 3
25.2.4 Security classification of the project 3
25.2.5 Process of allocation of access 3
25.2.6 Filming and photography 3
25.2.7 Bringing along image recording devices 3
25.3.1 Camouflage of prototypes 3
25.3.2 Transport of prototypes 3
25.3.3 Storage/parking of prototypes 3
25.3.4 Own test and trial ground 3
25.3.5 Test and trial ground in public area 3
25.3.6 Safety requirements for presentations and events 3
25.3.7 Safety requirements for film and photo shootings 3
400375344.xlsx /
Results
Information Security Assessment - Questions
based on ISO 27001:2013

Company: 0
Location: 0
Date: 12/30/1899
Maturity level
In case a question does not apply, please insert na (not applicable).
Level 0-5; na
1
1.1
Objective:
Requirements:
1.2
Objective:
400375344.xlsx /
Information security
Requirements:
1.3
Objective:
Requirements:
400375344.xlsx /
5.1
Objective:
Requirements:
6
6.1
Objective:
400375344.xlsx /
Requirements:
6.2
Objective:
Requirements:
6.3
Objective:
400375344.xlsx /
Requirements:
6.4
Objective:
400375344.xlsx /
Requirements:
7
7.1
Objective:
Requirements:
7.2
400375344.xlsx /
Objective:
Requirements:
8
8.1
Objective:
Requirements:
400375344.xlsx /
8.2
Objective:
Requirements:
8.3
Objective:
Requirements:
8.4
Objective:
400375344.xlsx /
Requirements:
9.1
Objective:
Requirements:
9.2
Objective:
400375344.xlsx /
Requirements:
9.3
Objective:
400375344.xlsx /
Requirements:
9.4
Objective:
Requirements:
400375344.xlsx /
9.5
Objective:
Requirements:
9.6
Objective:
400375344.xlsx /
Requirements:
10
10.1
Objective:
400375344.xlsx /
Requirements:
Requirements:
11
11.1
Objective:
400375344.xlsx /
Requirements:
11.2
Objective:
Requirements:
11.3
400375344.xlsx /
Objective:
Requirements:
11.4
Objective:
Requirements:
12
12.1
400375344.xlsx /
Objective:
Requirements:
12.2
Objective:
Requirements:
12.3
Objective:
400375344.xlsx /
Requirements:
12.4
Objective:
Requirements:
12.5
Objective:
400375344.xlsx /
Requirements:
12.6
Objective:
Requirements:
12.7
400375344.xlsx /
Objective:
Requirements:
12.8
Objective:
Requirements:
12.9
400375344.xlsx /
Objective:
Requirements:
13
13.1
Objective:
400375344.xlsx /
Requirements:
13.2
Objective:
Requirements:
13.3
Objective:
400375344.xlsx /
Requirements:
13.4
Objective:
Requirements:
13.5
Objective:
400375344.xlsx /
Requirements:
14
14.1
Objective:
Requirements:
14.2
400375344.xlsx /
Objective:
Requirements:
14.3
Objective:
Requirements:
400375344.xlsx /
14.4
Objective:
Requirements:
15
15.1
Objective:
400375344.xlsx /
Requirements:
15.2
Objective:
Requirements:
16
400375344.xlsx /
16.1
Objective:
Requirements:
16.2
Objective:
Requirements:
17
400375344.xlsx /
17.1
Objective:
Requirements:
18
18.1
Objective:
400375344.xlsx /
Requirements:
18.2
Objective:
Requirements:
18.3
Objective:
400375344.xlsx /
Requirements:
18.4
Objective:
Requirements:
400375344.xlsx /
urity Assessment - Questions
SO 27001:2013
e a question does not apply, please insert na (not applicable).
General aspects
To what extent is an Information Security Management System approved by the organization’s management and is its sco
(Reference to ISO 27001: 4 and 5.1)
Systematic control and review of information security within the specified scope is effected by means of the establishment, operatio
development of an Information Security Management System (ISMS) and the assignment of responsibilities. The ISMS must define
procedures in order to achieve the information security objectives with respect to adequate confidentiality, availability and integrity o
based on the security policy.
This must include:
+ The organization’s requirements for an ISMS are determined.
+ An ISMS approved by the organization’s management is established.
+ The scope of the ISMS is specified (e.g. organization in whole or in part).
+ A Statement of Applicability (SoA) is provided (e.g. filled-in VDA ISA catalogue).
This should include:

+ Criteria (e.g. characteristic values or quantities) for information security assessment are specified.
This may include:

+ Certification in accordance with ISO 27001:2013 (including Scope Statement and SoA).
Additionally in case of high protection needs:

None.
Additionally in case of very high protection needs:

None.
To what extent is a process for identifying, assessing and handling information security risks defined, documented and im
(Reference to ISO 27001: 8.2 and 6.1.2)
The objective of an organization-specific ISMS is an adequate balance between information security efforts and the assets to be pr
achieve this, the assets, their protection needs and threats shall be identified, analysed, assessed and documented by means of ris
of an information security risk assessment rises the danger that information security risks remain undetected leading to potential ha
400375344.xlsx /
This must include:
+ Risk assessments are carried out both at regular intervals and in case of events.
+ Information security risks are divided into levels according to their protection needs, e.g. normal, high and very high.
+ In case of changes to the environment (e.g. organizational structure, location, changes to regulations), reassessment is carried o

+ A process description indicating how to identify, assess and evaluate information security risks within the organization exists.
+ Criteria for the evaluation and handling as well as the acceptance of information security risks exists.
+ The identified information security risks, including cause, probability of occurrence, potential effects and their assessment are doc
+ Measures for handling risks and the corresponding responsible persons are specified and documented.
- A plan of measures or an overview of their state of implementation exists.
This may include:

+ An overview of the experts (risk owners) exists.

None.

None.
To what extent is the effectiveness of the ISMS ensured?

(Reference to ISO 27001: 8.1, 9.1, 10.1 and 10.2)
The ISMS must be reviewed at regular intervals (e.g. annually) with respect to its effectiveness. This includes verifying the achievem
the compliance with applicable requirements.
Only an ISMS adapted specifically to the organization’s requirements can fulfil its purpose. Since influencing factors such as organ
conditions may change, the effectiveness of the ISMS must be reviewed regularly.
This must include:

+ The effectiveness is reviewed regularly by the persons responsible for information security and management.
+ The results of the effectiveness inspection and the specified measures are documented.
+ A plan of measures or an overview of their state of implementation (including those resulting from previous reviews) is in place, th
those measures is monitored.
+ If any security related events occur, they are analysed.

The ISMS is regularly inspected for its adequacy and appropriateness.
+ The documentation is regularly reviewed and revised with respect to their actuality.
This may include:

None.

None.

None.
Information Security Policies
400375344.xlsx /
To what extent is an information security policy created, published or distributed and is it reviewed at regular intervals?
(Reference to ISO 27001: Control A.5.1.1 and A.5.1.2)
An organization must define a policy reflecting the importance and significance of information security to the organization. This mus
business strategy, regulations, legislation and potential threat situations regarding information security. It must be evident to all of th
information security is supported by the management of the organization, that it is of relevance to everyone and that requirements a
be met.
This must include:
+ The information security requirements adapted to the company’s objectives with respect to information protection are documente
approved by the management of the organization.
+ The policy includes objectives and significance of information security within the organization.

+ The information security requirements based on the strategy of the organization, legislation and contracts are taken into account
+ Responsibilities for implementation are defined.
+ The policy indicates consequences in case of non-conformance.
+ Further policies/regulations/standards regarding information security are prepared.
+ A process for regular review and revision of the policies is established.
+ The policies are made adequately available to employees.
+ These policies (or extracts thereof) are handed over to external business partners depending on the respective case.
This may include:

+ The policies are made available on the intranet.

None.

None.
Organization of Information Security

To what extent are responsibilities for information security defined and assigned?
(Reference to ISO 27001: Control A.6.1.1)
Successful implementation of an ISMS requires adequate assignment of information security responsibilities. This requires the defi
the tasks for achieving the protection objectives. Qualified employees who are known to the organization’s staff and, if appropriate,
must be required to fulfil those tasks.
400375344.xlsx /
This must include:
+ Responsibilities for the information security within the organization are defined, documented and assigned.
+ The responsible employees are defined and are qualified for their task.
+ The contact persons are known within the organization and to relevant business partners.

+ There is a definition and documentation of an adequate information security structure within the organization.
This may include:

+ Responsibilities and contact persons for information security are made known and available to employees and external business
required for fulfilling the assigned task(s).

+ An appropriate organizational separation of responsibilities should be established in order to avoid conflict of interests.

None.
To what extent are information security requirements taken into account in project work (irrespective of project type)?
The information security requirements must be taken into account irrespective of the project type (this includes non-IT projects). Th
handling of information security and information security risks in the organization’s project management methods.
This must include:

+ Projects are to be classified while taking into account the information security requirements.

+ The procedure and criteria for the classification of projects are documented.
+ In early project phases, risk assessments are carried out based on the defined procedures.
+ For identified information security risks (see Control 1.2), measures are derived and taken into account in the project.
This may include:

None.

+ The measures derived are reviewed regularly during the project and reassessed in case of changes to the assessment criteria.

None.
To what extent is a policy in place regarding the use of mobile devices and remote access to organization's data?
The handling of mobile devices, particularly in unprotected environments, is associated with increased risks (e.g. loss, theft, malwa
protect the information stored on the device, technical protective measures must be implemented. Additionally, employees must be
involved in the handling of mobile devices.
400375344.xlsx /
This must include:
+ The use of mobile devices (e.g. smartphones, notebooks) is subject to regulation.

+ A policy is prepared considering the following aspects:
- Registration of mobile devices
- Physical protection requirements (among others against theft, spying on information)
- Software installation restrictions
- Requirements for the versioning of software for mobile devices and the associated patch management
- Limitations of access to certain information services
- Encryption techniques
- Data backup
- Protection against malware
- Remote deletion methods
- Use of web services and web apps
- Procedure in case the mobile device is lost
+ Users sign an obligation declaration regarding the handling of particularities when working with mobile devices depending on the
anti-theft protection, software installation, prevention of visibility of information itself (view and sight protection), use of a protected e
enclosed space, non-public location), handling of authentication ressources.
This may include:

None.

None.

None.
To what extent are the roles and responsibilities defined which are shared between IT service providers (particularly cloud
own organization?
(Reference to ISO 27017: Control CLD.6.3.1)
When using IT services (particularly cloud services), the relationship between provider and the own organization is of particular sign
security due to the shared responsibilities for the implementation of requirements. The own organization must continue to independ
security requirements while other requirements are fulfilled in whole or in part by the provider. The exact allocation of responsibilitie
services used and cannot be generally answered.
If common understanding regarding the allocation of responsibilities is lacking among all parties involved, the security system may
rendered entirely ineffective. Therefore, the service user must ensure at all times that a mutual understanding regarding the allocat
given and that it is clarified for each requirement, that and by whom it is fulfilled.
400375344.xlsx /
This must include:
+ The security requirements relevant to the service are determined and documented:
- At least the applicability of the VDA ISA controls is verified and documented.
+ For each requirement, it is documented who is responsible to what extent for its implementation.
- For the applicable VDA ISA controls, it is documented who has the responsibility for implementation or how it is shared.
+ The own organization fulfils its responsibilities.
+ Proof is provided that the service provider fulfils his responsibility.

+ The service configuration is designed, implemented and documented according to the necessary security requirements.
+ The service configuration is included in the regular security assessments.
+ Integration into local protective measures (such as secure authentication mechanisms) is established and documented.
+ The staff is trained (e.g. with respect to safe operation and configuration, secure handling of data according to their classification,
handling of incidents).
This may include:

None.

None.

None.
Human Resources Security

To what extent are employees (internal and external) contractually bound to comply with information security policies?
Organizations are subject to legislation, regulations and internal rules. Already at the hiring of staff, it must be ensured that both inte
employees commit to compliance with the policies and are aware of the consequences of misconduct.
This must include:
+ A non-disclosure obligation is in effect - even beyond the employment contract or assignment.
+ An obligation to comply with the information security policies is in effect (see 5.1)

+ Information security aspects are considered in the employment contracts of employees.
+ Responsibilities and duties associated with the handling of sensitive information are part of the employment contract.
+ A procedure for handling violations of contractual specifications relevant to information security is described.
+ Employees are informed of policy changes.
This may include:

None.

None.

None.
To what extent is staff (internal and external) made aware of and trained about the risks arising from handling and process
(Reference to ISO 27002: Control 7.2.1 and 7.2.2)
400375344.xlsx /
Information security must be a natural and integral part of the work environment and must be adopted into the daily work of all emp
information security training, employees shall gain the necessary knowledge and competence for security-conscious behaviour. Th
aware of what is expected of them with respect to information security and how to react to security-critical situations.
This must include:

+ Employees are trained and made aware.

+ A concept for awareness and training of employees is prepared.
- Target groups for awareness and training measures (e.g. new employees, administrators) are defined and taken into account in t
+ The concept has been approved by the responsible management
- Resources required for implementation are released
+ Training and awareness measures are carried out both at regular intervals and in reaction to events.
+ Participation in training and awareness measures is documented.
+ Contact persons for information security are known to employees.
+ Suitable KPIs for training and awareness purposes are defined and analysed.
This may include:

+ Regular learning objectives tests are conducted for participants of completed awareness and training measures.
+ The learning success associated with awareness and training programs is reviewed quantitatively and qualitatively.

None.

None.
Asset Management
To what extent are directories existent for objects (assets) that contain information in different versions?
(Reference to ISO 27001: Control A.8.1.1, A.8.1.2, A.8.1.3 and A.8.1.4)
Beside the conventional inventory of physical objects, it is essential to obtain an overview of the information processed within the o
purpose, information assets are elements of information-related character such as documents, illustrations/phtographs, files, progra
facilities, vehicle prototypes, tools and equipment. An information owner takes on the role of responsible person for the respective i
This must include:

+ Each information asset is assigned to a responsible entity (individual or organizational unit).
+ Information assets are classified. (see also Control 8.2)
This should involve:

+ Information asset inventories are prepared and updated regularly.
+ The lifecycle of information assets is defined for the phases of preparation, processing, storage or retention, transfer and deletion
+ Regulations for returning information assets on leaving the organization or on contract termination are in effect.
This may include:

+ Regulations for acceptable use of information assets (“acceptable use policy”) exist.
+ Information assets may be grouped (e.g. workplace computer), if required.

+ A specification regarding the explicit approval of the use of an information asset is defined.

None.
400375344.xlsx /
To what extent is information classified according to its protection needs and are there regulations in place regarding labe
transport, storage, retention, deletion and disposal?
(Reference to ISO 27001: Control A.8.2.1, A.8.2.2 and A.8.2.3)
Information must be classified according to its value to an organization. During this assessment, the value of information to the orga
evaluated based on factors such as confidentiality, integrity and availability. The handling of information according to its classificatio
implemented by all employees.
This must include:
+ A consistent scheme for the classification of documents/information is in place and implemented.

+ Classification of information is done according to defined criteria, e.g. value, legal requirements, confidentiality, integrity and avail
+ A policy including requirements for classification of information as well as the respective protective measures for identification, ha
deletion and disposal is in place and implemented.
This may include:

None.

None.

None.
To what extent are appropriate procedures implemented for the management of information on mobile storage devices?
Information on mobile storage devices are generally exposed to increased risks. In order to prevent loss or theft of information in ca
device is lost, regulations to reduce these risks must be defined and measures must be taken.
This must include:
None.

+ Definition of regulations for handling information on mobile storage devices according to its classification. This includes the follow
transfer, disposal and protective measures.
+ Data on mobile storage devices are to be protected according to defined regulations according to its classification.
This may include:

+ The organization provides means to support the employee in observing the rules.

+ A procedure shall be established for the required reaction of employees to cases of loss.
+ Regulations for handling during (business) travels within the country and abroad, e.g. inspection by authorities

None.
To what extent is the secure removal of information assets from IT services (particularly cloud) ensured?
It must be ensured that it is known how the use of a service can be terminated in a controlled way. Particular consideration must be
can be securely removed from external systems (e.g. cloud systems).
400375344.xlsx /
This must include:
+ A withdrawal strategy (termination process) including the deletion and removal of assets from the cloud service is defined.
+ It is ensured that the provider will fulfil his responsibilities.

+ The fulfilment of the provider’s responsibilities is regulated by contract.
+ A description of the termination process is available and reviewed regularly.
+ The responsibilities provided in the process are documented and accepted by the provider.
This may include:

+ The responsibilities are derived from the service documentation made available by the provider and documented.

None.

None.
Access Control
To what extent are policies and procedures regarding the access to IT systems in place?
The identity of the user of a network service, an IT system or an IT application must be clearly verifiable to enable to a trace of actio
user. In order to ensure this, authentication (registration) procedures and mechanisms of IT systems or IT applications must be des
clearly identified and authenticated.
This must include:
+ The procedures applied for user authentication are deemed secure and comply with the current state of the art.
+ The procedures for user authentication have been selected based on a risk assessment. Possible attack scenarios have been ta
possibility of direct access from the internet).
+ Further interactions must only be possible after successful authentication.

+ A policy based on business and security-relevant requirements is created and documented.
+ Depending on the criticality of the information processed in IT systems or IT applications, suitable and secure authentication proc
applied.
This may include:

None.

+ Data of high protection needs is to be securedat leastby strong passwords, according to the state of the art.
+ Depending on the risk assessment, the authentication procedure has been enhanced by supplementary measures
(e.g. permanent access monitoring with respect to irregularities or use of strong authentication)

+ Data of very high protection needs is to be secured by means of strong authentication (e.g. two-factor authentication).
To what extent are procedures for user registration, change and de-registration implemented with the associated access r
the authentication information handled confidentially?
The use of unique and personalized user IDs (user accounts) ensures clear traceability of actions. The authentication information (
known to the authorized user only. Defined processes for the lifecycle of user accounts are in place. It is regularly reviewed whethe
are needed.
400375344.xlsx /
This must include:
+ The process of user ID management is documented and established.
+ The use of unique and personalized user accounts is specified.
+ The use of collective accounts is regulated (e.g. restricted to cases where proof of actions is dispensable).
+ User accounts are disabled immediately after the user has left the company (e.g. upon termination of the employment contract).
+ The authentication information is provided securely to the user.

+ A basic user account with minimum access rights and functionalities is existent and in use.
+ The allocation of basic access rights and the creating of user accounts is carried out or authorized by the responsible body.
+ Creating user accounts is subject to an approval process (four-eyes principle).
+ Disabling the user accounts of service providers after completion of the task.
+ Deadlines for disabling and deleting user accounts are defined.
+ Aligned change of user accounts after the reassignment of the user to another work field.
+ Secure processes are established for distribution of authentication credentials
This may include:

None.

None.

None.
To what extent is the allocation and use of privileged user and technical accounts regulated and is it subject to reviews?
The use of unique and personalized administrative user accounts ensures clear traceability of administrative actions. Administrators
account provided with privileged rights for administrative tasks only and must use their standard user account for all other activities
Thus, it must be ensured that only activities requiring privileged rights are actually carried out in this context.
400375344.xlsx /
This must include:
+ The use of unique and personalized administrative user accounts is regulated and established.
+ Distinction between user accounts (privileged user account, “office user account”) is ensured, e.g. by having two or more user ac
+ The management process (allocation/change/deletion) for privileged user IDs is documented and established.
+ Privileged rights are allocated upon approval only.
+ Secure authentication procedures are in use for privileged user accounts.
+ User accounts with privileged rights are documented and reviewed regularly.

+ Identification of the relevant or affected IT systems is completed and documented.
+ Rights are allocated on a need-to-use basis and according to the role and/or area of responsibility (observing the separation of fu
+ The following points shall be considered when reviewing the allocated privileged rights:
- Privileged access rights are reviewed regularly (adequate intervals, e.g. quarterly)
- The reviews are documented.
- Changes in responsibility are immediately taken into account
This may include:

None.

None.

None.
To what extent is the user subject to binding policies concerning creation and handling of secret authentication informatio
Where authentication information is used in an IT system or application, information security critically depends on the correct use o
passwords, PINs). Therefore,user awareness regarding the correct handling of this authentication information must be regularly rai
This must include:

+ Regulation of the handling of authentication information is created considering at least the following aspects:
- no disclosure of authentication information to third parties - not even persons of authority - under consideration of legal restriction
- no writing down or unencrypted storing of authentication information
- immediate changing of authentication information whenever potential compromise is suspected
- no use of identical authentication information for business and non-business purposes
- changing of temporary or initial authentication information following the 1st login
- requirements for the quality of authentication information (e.g. length of password, types of characters to be used).

+ Users are informed and made aware of the regulations (e.g. password rules).
+ The use of default passwords is technically prevented.
+ Where strong authentication is applied, the use of the medium (e.g. factor ownership) is secure.
This may include:

+ Means of secure retention of authentication information (e.g. password safe) are provided.

None.

None.
400375344.xlsx /
To what extent is access to information and applications restricted to authorized persons?
Authorization must ensure that only authorized users have access to information and IT applications. For this purpose, access righ
users. These access rights must be reviewed regularly.
This must include:
+ The requirements for access to information and applications are determined.
+ An authorization policy is created including at least the following aspects:
- procedures for request, review and approval
- application of authorization roles
- separation of functions
- application of the minimalistic (“need-to-know”) principle
+ The policy is binding to all users of information and applications.
+ The access rights allocated to users and technical accounts are reviewed regularly.

+ Authorization concepts of applications are created (e.g. ERP systems).
This may include:

None.

+ The access rights are released by the person responsible for information (internal).
+ Existing access rights are reviewed regularly. (at adequate intervals, e.g. quarterly)

+ Functions in application systems are restricted as far as possible. (e.g. export and print)
+ Encrypted data storage in order to prevent access and viewing by unauthorized persons/roles
(e.g. administrators) at least on file level.
To what extent is the separation of data within an environment shared with other organizations ensured?
(Reference to ISO 27017: Control CLD.9.5.1 and CLD.9.5.2)
Cloud solutions are characterized by enhanced standardization and a high level of virtualization on infrastructure the use of which i
customers. Such a collaborative environment enables numerous cloud customers to work. In order to protect own information at all
separation of data must be ensured.
400375344.xlsx /
This must include:
+ Effective separation prevents access to own information by unauthorized users of other organizations.

+ The provider’s concept of separation (e.g. separation of clients) is documented and reviewed regularly. This concept should at lea
- separation of data, applications, operating system, storage and network
- separation of clients area and internal administration area
- implementation of suitable separation measures for users of multitenant applications (in multitenant environments)
- risk assessment for the operation of external software within the shared environment (particularly for IaaS/PaaS services)
+ shared virtual machines and/or application instances are hardened accordingly
- adherence to the minimalistic principle (e.g. restriction of rights, ports, protocols, software)
- application of technical protective measures (e.g. anti-virus, logging).
This may include:

None.

None.

None.
Cryptography
To what extent are rules for encryption, including the management of cryptographic keys (complete lifecycle process) for
information during storage and transport existent and have they been implemented?
Protection of the confidentiality of information during both storage and transfer (e.g. when gaining physical access to data storage d
infrastructure) must be ensured. This is generally achieved by means of encryption. For handling encryption, it is essential that it pr
security characteristics at all times without simultaneously creating inadequately high availability risks. For this purpose, reliable ide
necessity of encryption must be ensured. Whenever such a need is identified, procedures deemed secure according to the scientifi
the art must be selected. Additionally, it must be ensured that the secrets (key material) are adequately protected against technical
to confidentiality as well as integrity and availability throughout the lifecycle.
400375344.xlsx /
This must include:
+ Any productively used encryption technologies shall be according to the technical state of the art.
+ The legal conditions for the use of encryption technologies are taken into account.

+ Creating regulations containing requirements for encryption in order to protect information according to its classification.
+ An concept for encryption is defined including at least the following specifications:
- the encryption strength
- the key management
- the cryptographic algorithms
- procedures for the complete lifecycle, such as generating, storing, archiving, retrieving, distributing, deactivating, renewing and d
keys
+ The encryption concept is established.
+ An emergency process for recovering key material is established.
This may include:

None.

+ The following aspects must be documented:
- description of the key authority
- authority regarding the management of key material in case of external processing (e.g. in the cloud)
+ information of high protection needs should be transported or transferred in encrypted form only.
+ Where encryption is not feasible, protection from risks must be provided by means of similarly effective measures.

+ Information of very high protection needs are stored in encrypted form.
+ The following must be ensured during external processing or transfer:
- obligatory end-to-end encryption (preferably using key material from company internal environment).
Physical and Environmental Security

To what extent are secure areas for the protection of sensitive or critical information and information processing facilities
monitored (entrance control)?
Processing of information assets outside the area affected by the measures intended for the target information security level must b
generally not possible to implement corresponding measures for all areas of the location, a zone concept should be applied definin
type of information may be processed.
400375344.xlsx /
This must include:
+ Requirements for the protection of affected assets are determined (see Control 8.1).
+ Security zones are specified under consideration of terrains/buildings/rooms and documented.
+ The concept of security zones is established and known to all persons handling sensitive information.
+ The security zones are secured by adequate protective measures according to the assigned risk level. (See notes for examples).

+ Procedures for allocation and revocation of access rights are established.
+ Regulations regarding visitor management including registration and accompanying visitors are defined.
+ The security zones are adequately monitored. (See notes for examples)
+ External property used for storing and processing information assets are considered within the scope of the security concept. (e.g
garages, workshops, test routes, data processing centres)
This may include:

+ The security zones are identified.

+ In case of externally located IT systems, e.g. external housing in an emergency data processing centre, direct access to the syste
the external service provider should be prevented (e.g. by means of locked racks).

None.
To what extent has the company taken measures against the effects of natural disasters, deliberate attacks or accidents?
Natural disasters, deliberate attacks or accidents can critically impair the availability of IT systems. It must be ensured that effects o
identified and assessed according to their criticality and that adequate protective measures have been defined and implemented.
This must include:

+ Natural threats, such as flooding, are identified.
+ Social threats such as political instability or accidents involving industrial plants are identified.
+ Potentially affected infrastructure, assets and IT systems are identified.

+ Adequate protective measures, such as fire detection system, fire protection, water detector, are implemented and reviewed regu
+ A redundant media supply (electric power, communication connections etc.) is provided.
+ Emergency plans are defined and reviewed regularly.
This may include:

None.

None.

None.
To what extent are protective measures taken to prevent access to delivery and shipping areas by unauthorized persons?
400375344.xlsx /
It must be ensured that all means of access to protected zones are protected against unauthorized access by means of adequate m
associated with specific requirements in delivery and shipping areas, particularly where those have to be designed for the delivery
objects (e.g. vehicles or large tools).
This must include:
+ The requirements for protecting the delivery and shipping areas are identified.
+ The shipping areas are integrated into the security concept.
+ Necessary protective measures are defined and implemented.
+ Access is permitted by identified and authorized personnel only.

+ Sensitive IT systems are separated from delivery and shipping areas.
This may include:

+ There is a separate security zone for delivery by suppliers who do not have access to any other areas of the organization.
+ A lock function is provided in the delivery and shipping area.
+ The supplied material is inspected for potential threats.

None.

None.
To what extent are policies and procedures regarding the use of assets, including off-site use, disposal and re-use in plac
Where assets (e.g. IT equipment, information) are taken off the premises of an organization, they are exposed to increased risks. F
exposed to the risk of theft or unauthorized viewing. As an adequate reaction to those risks, the security requirements associated w
identified. This also applies to the disposal or re-use of assets (e.g. notebooks).
This must include:

+ Security requirements for the use and off-premises use of assets are identified.
+ Policies and procedures for use and off-premises use of assets are defined and implemented.
+ IT devices containing sensitive data are deleted such as to prevent data recovery.

+ Information shall be protected by adequate measures according to the protection needs.
This may include:

None.

+ Disposal of data storage devices is conducted in accordance with one of the relevant standards (e.g. DIN 66399, Security Level 4

+ Disposal of data storage devices is conducted in accordance with one of the relevant standards (e.g. DIN 66399, Security Level 5
Operations Security
To what extent are changes to the organization, business processes, information processing facilities and systems contro
according to their security relevance?
400375344.xlsx /
In case of changes to the organization, business processes, information processing facilities and systems, aspects of information s
considered. The objective is to ensure that all changes are made under consideration and adherence of the information security req
This must include:

+ Security-relevant requirements regarding changes to the organization, business processes, information processing facilities and s
and implemented.

+ A formal approval procedure is defined.
+ Fall-back solutions for fault cases are established.
+ Changes affecting information security are planned and reviewed.
This may include:

None.

+ In case of changes, adherence of the information security requirements is verified.

None.
To what extent are development and testing environments kept separate from productive environments?
The objective of separating development and testing environments from productive environments is to prevent faults during develo
productive environment. A testing environment serves for example as an intermediate step for testing software developments with t
variables of a productive environment and for verifying the availability, reliability and integrity of their functions.
This must include:

+ The IT systems have been subjected to risk assessment in order to determine the necessity of their separation into development

+ The requirements for development and testing environments are determined, e.g.:
- Separation of development, testing and productive systems
- No development and system tools on productive systems (excluding those relevant to operation)
- Use of different user profiles for testing and productive systems
- Use of non-sensitive or anonymized test data if applicable
+ Specifications are defined for transferring software from the development and testing state to the productive state.
+ The identified requirements are implemented.
This may include:

None.

None.

None.
To what extent are protection controls (e.g. endpoint security) against malware (viruses, worms, Trojans, spyware, ...) imp
combined with appropriate user awareness?
Two aspects must be addressed since they are of particular importance for malware protection - The malware protection software o
awareness on the other. User training is particularly important since, despite all protective measures for hardware and software, ma
inadvertently by the actions of a user.
400375344.xlsx /
This must include:
+ Requirements for protection against malware are determined.
+ Technical and organizational measures for protection against malware are defined and implemented.

+ User accounts are not provided with administrative rights (see Control 9.3).
+ Malware protection software is installed and updated automatically at regular intervals. (e.g. virus scanner)
+ Received data and programs are automatically inspected for malware prior to their execution (on-access scan).
+ The entire data contents of all systems is regularly inspected for malware.
+ Data transferred by central gateways (e.g. e-mail, internet, third party networks) are automatically inspected using a protection so
encrypted connections).
+ Measures to prevent protection software from being deactivated or altered by users are defined and implemented.
+ Employee awareness is raised in reaction to events.
This may include:

+ Systems with a high level of self-protection (e.g. specific hardening, few services, no active users) can be operated without a viru

None.

None.
To what extent are backups created and tested regularly in accordance with an agreed backup policy?
The objective of a working backup strategy is to allow recovery of the functionality or availability of information within the required ti
failure or another type of data loss (e.g. ransomware). For this purpose, data backups must be created in compliance with a corres
regularly.
This must include:
+ Backup requirements are determined and include: the systems to be secured, associated backup intervals and the storage and tr
media.
+ Adequate protective measures, e.g. by means of encryption, taken during storage.
+ Backup media are stored in separate locations (different fire protection zones).
+ A backup concept is created and implemented.
+ An adequate backup verification is carried out.

None.
This may include:

None.

None.

+ In case of information of very high protection needs, suitable measures (e.g. encryption) must be taken to ensure that access is o
authorized group.
To what extent are event logs (which may contain e.g. user activities, exceptions, errors and security events) created, stor
protected against modification?
Event logs support the traceability of events in case of a security incident. This requires that events which are necessary for determ
be recorded and stored while being protected against modification.
400375344.xlsx /
This must include:
+ Information security requirements regarding the handling of event logs are determined.
+ Where externally operated services (in particular, cloud services) are used, information on monitoring options are obtained
- e.g. attack detection and report options (incident response)
+ Legal requirements such as storage durations and protection of personal rights are observed.
+ Rules and procedures for fulfilling the determined requirements are defined and implemented.

+ Event logs are protected against modification during storage.
This may include:

None.

+ Information security requirements relevant to the security during the handling of event logs, e.g. contractual requirements, are de
implemented.

None.
To what extent are the activities of system administrators and system operators logged, the logs protected against modifi
reviewed?
System administrators and operators can use their comprehensive access rights to modify IT systems significantly. Logging and an
accordance with valid legislation (such as Data Protection and Works Constitution Act) are required to enable determining who has
systems in case of information security events.
This must include:
+ Security-relevant requirements regarding the logging of activities of system administrators and operators are determined and imp
+ The IT systems used are assessed regarding the necessity of logging.
+ Where externally operated services (in particular, cloud services) are used, information on monitoring options are obtained and ta
assessment.
- e.g. audit logs for configuration changes and use of/access to e-discovery functions or backup.
+ Procedures for handling violations of regulations are defined.
+ Logs are regularly reviewed for violation of rules in accordance with permissible legal and operational provisions.
+ The type of logging with respect to time, activity level and storage durations is defined and implemented.

+ A process to report violations to the authorized body (e.g. CERT) is established.
+ The log files are protected against modifications. (e.g. by means of a dedicated environment)
This may include:

None.

+ Cases of access to external services during connection and disconnection (e.g. remote maintenance) are logged.

+ Logging of all cases of access
- as far as technically feasible
- to data of very high protection needs.
To what extent is information regarding technical vulnerabilities of IT systems acquired at an early stage, evaluated and ar
measures taken (e.g. patch management)?
400375344.xlsx /
Known weaknesses increase the risk that IT systems can no longer fulfil the requirements for confidentiality, availability and integrit
access to the IT system or compromise the stability of the system.
This must include:
+ Information on technical weaknesses of the used assets are collected and assessed.
+ Potentially affected systems and software (assets) are identified. (e.g. manufacturer, version, installation site)

+ An adequate patch management is defined and implemented. (e.g. patch testing and installation)
+ Where required, risk mitigating measures should be implemented. This includes e.g.:
- Separation of affected systems
- shut-down of the affected service
- adjustment of access options, e.g. firewalls
- adjustment of monitoring
- increasing user awareness
This may include:

None.

None.

None.
To what extent are audit requirements and activities for reviewing IT systems planned, coordinated, aligned and are those
subsequently subjected to technical review (system audit)?
(Reference to ISO 27001: Control A.12.7.1, A.18.2.3)
During audits (particularly technical audits), problems with the stability of the IT systems under review may occur. Audit activities inv
systems must be planned and agreed in order to avoid disturbances of the corresponding processes.
This must include:
+ Requirements for auditing IT systems are determined.
+ The scope of the audit is specified in a timely manner.
+ System audits are coordinated with the operator and users of IT systems.
+ The results of system audits are stored in a traceable manner and reported to the relevant management.
+ Measures are derived from the results.
+ The derived measures are traced under the ISMS.

+ System audits are carried out by trained experts.
+ For deviations, measures to be taken within an adequate period of time shall be defined and coordinated.
+ The audit report shall have been prepared and coordinated within an adequate period of time.
This may include:

None.

None.

None.
To what extent have effects due to critical administrative functions of external IT services (particularly cloud services) bee
400375344.xlsx /
Many cloud services provide functions which may lead to major changes to services in operative use. These functions may jeopard
information, be irreversible or reversible only with significant effort which then may impair availability or integrity. These functions ar
administrative users via an easy-to-use automated configuration interface. When an administrative user executes such functions, s
out without further human supervision.
It must be ensured that such functions can neither inadvertently nor by a wilful administrator be used without particular effort to cau
confidentiality, availability or integrity.
This must include:

+ Critical functions of all relevant services are identified and assessed.

+ Critical functions of all relevant services are documented together with their associated risk. Here, among others, the following as
have been considered:
- installation, modification or deletion of virtual resources (e.g. virtual servers, virtual networks and virtual storage)
- termination of services (cancellation)
- authorization of more users
- release and publication functions
- backup and recovery functions
+ The options to counteract by means of configuration and allocation of rights are known and documented.
+ The resulting risks are minimized by means of configuration and allocation of rights.
- Critical non-administrative functions have been restricted as far as reasonable.
- Access to non-administrative and administrative functions is, as far as possible, restricted to a minimum number of persons.
- As far as possible, both technically and without any restriction of the desired functionality that would be inadequate in relation to t
non-administrative and administrative functions have been deactivated.
+ An emergency concept describing the handling of harm scenarios exists and is tested.
This may include:

+ Application of the several-eyes principle for critical functions.
+ Contractually agreed restriction of functionality by the provider (e.g. by means of suitable framework contracts)

None.

None.
Communications Security
To what extent are networks managed and controlled to protect information in IT systems and applications?
The protection of information in networks, IT systems and IT applications must be ensured. For this purpose, measures ensuring pr
unauthorized access must be implemented. This includes taking suitable control measures supported by means of monitoring the n
IT applications.
400375344.xlsx /
This must include:
+ Procedures for management and control of networks are defined.

+ Requirements for control and management of networks are determined and implemented. This includes e.g.:
- Restrictions for connection of IT systems to the network
- Special protective measures in case of network connections via potentially unsecured networks (e.g. encryption)
- Adequate monitoring and recording of activities on a network that are relevant to information security
- Use of auxiliary means such as firewall systems, intrusion detection and prevention systems (IDS/IPS), network management to
networks
- When using externally operated network services that are accessible via the internet (cloud services), the resulting increased ris
addressed in the applications.
This may include:

None.

+ Extended requirements for the control and management of networks must be determined and implemented.
This includes e.g.:
- Authentication of IT systems within the network

None.
To what extent are requirements for security mechanisms and service levels and also management requirements for netw
and documented in service level agreements?
Security mechanisms, quality of service provision and requirements for the management of all network services must be determine
agreements (Service Level Agreements, SLAs) for both internal and external networks.
This must include:
+ Requirements regarding the information security of network services are determined and implemented.

+ Procedures for securing and using network services are defined and implemented.
+ SLAs are defined and implemented for internally and externally operated network services.
+ Adequate redundancy solutions are implemented.
This may include:

None.

+ Procedures for monitoring the network (e.g. traffic flow analyses, availability measurements) are defined and carried out.

+ Out-of-band management is applied.
To what extent are groups of information services, users and information systems segregated on networks?
IT systems on the network usually have different protection needs. Thus, IT systems directly connected to the internet are generally
threats than IT systems on the office network. In order to detect and prevent undesired data exchange between IT systems of differ
corresponding groups must be formed on the network and then segregated from other groups.
400375344.xlsx /
This must include:
+ Requirements regarding network segmentation are determined.
- Where cloud services are used, the possibilities of (virtual) network separation is considered

+ Rules and procedures for network segmentation are defined and implemented.
This may include:

None.

None.

None.
To what extent is information protected during exchange or transfer?

During exchange and transfer of information, the information security requirements must be considered. For this purpose, it must b
within the organization may be used for which type of data and which protective measures are to be taken when using those servic
This must include:

+ The services (e.g. email, EDI, voice over IP) used for transfer are identified.
+ Rules and procedures in accordance with the classification for the use of services are defined and implemented.
+ Measures for the protection of transferred contents against unauthorized access are implemented.

+ Measures for ensuring correct addresses and correct transport of the message are implemented.
+ A process for approving the use of external services (e.g. instant messaging, web meeting, webmail) is established.
+ Electronic data exchange is carried out according to the classification by means of content encryption and/or via encrypted transm
encrypted connections (HTTPS, SFTP, TLS)).
This may include:

+ Digital signatures are used in accordance with legal provisions.

+ Emails are transmitted by means of transport encryption (e.g. TLS).
+ A suitable encryption is in use during data transfers to externally hosted IT systems (see Controls 10.1, 15.1).

+ Emails are transmitted by means of end-to-end encryption (e.g. PGP, S/MIME, ZIP encryption).
To what extent are non-disclosure agreements applied prior to an information exchange and are the requirements or need
information documented and regularly reviewed?
Even where sensitive information is passed on outside the organization, it must be ensured that external organizations are obliged
security requirements and to implement the required measures. Non-disclosure agreements provide the necessary legal basis for t
it must be ensured that sensitive information is only passed on if a corresponding non-disclosure agreement has been entered and
400375344.xlsx /
This must include:
+ All service providers and employees working with sensitive information have entered valid non-disclosure agreements.
+ Rules and procedures for applying non-disclosure agreements are defined and made known to all persons passing on sensitive i
+ The requirements, rules and procedures for applying non-disclosure agreements are reviewed regularly.

+ Non-disclosure agreement templates are available and checked for legal applicability.
+ The templates include clear indications of:
- the involved persons/companies
- the type of information covered by the agreement,
- the subject of the agreement
- the duration of validity of the agreement (temporary or permanent)
- the responsibilities of the obligated party
+ The templates contain specifications of the rights of use for information beyond the contractual relationship.
+ Options of proving compliance with specifications (e.g. review by an independent third party or audit rights) are defined.
+ A process for monitoring the duration of validity of temporary agreements and initiating an extension in due time is defined and im
This may include:

None.

None.

None.
System Acquisition, Development and Maintenance

To what extent are security specific requirements taken into account for new IT systems (incl. publically accessible system
to existing IT systems?
Information security must be an integral part of the entire lifecycle of IT systems. This includes in particular that information security
into account in the development, acquisition and maintenance of IT systems.
This must include:
+ The information security requirements associated with the acquisition or extension of IT systems are determined.

+ Requirement specifications are reviewed with respect to information security policies.
+ The IT system is reviewed for compliance with specifications prior to productive use.
This may include:

None.

None.

None.
To what extent are security-relevant aspects considered in the software development process (incl. change management)
(Reference to ISO 27001: Control A.14.2.1 - A.14.2.9)
400375344.xlsx /
Information security requirements must be taken into account in the development process of software and IT systems. They must b
requirements and milestones into the respective process model.
This must include:
None.

+ A policy for the development of software and IT systems is created and includes at least the following aspects:
- information security requirements regarding the development environment
- information security requirements during the software development lifecycle
- information security requirements during the design phase
- information security review points related to project milestones
- information security during version control and repositories
- knowledge about information security of application systems
- requirements for developers regarding the creation of systems/applications under consideration of information security aspects (
elimination of weaknesses)
+ Information security requirements are taken into account in change management.
+ Defined engineering principles for secure system development are defined and implemented.
+ Secure development processes are also defined for cases where systems are created by third parties.
+ System approval tests are carried out under consideration of the information security requirements.
This may include:

None.

None.

None.
To what extent are test data created, protected and used in a careful and controlled manner?
Test data is often required for testing purposes in the course of software development or change management. Testing is conducte
the access to which is often controlled less strictly and often allocated to persons (e.g. service providers or developers) who do not
productive data. It must be ensured that the test environment does not increase the risk of loss or disclosure of productive data.
This must include:

None.

+ The use of productive data for testing purposes is avoided as far as possible.
+ Where productive data are used for testing purposes, the following shall be ensured:
- Anonymization or pseudonymization of productive data is carried out in accordance with legal regulations
- Identical access controls are applied both for the test system and for the productive system
+ Case-specific requirements for the generation of test data are defined.
This may include:

None.

+ Copying of information from the productive environment must require prior approval by means of a defined process.
+ Immediately after completion of testing, operation-relevant information must be removed from the test system.
+ The process of copying and the use of the organization-relevant information as test data must be recorded for later review (audit

None.
400375344.xlsx /
To what extent is it ensured that only evaluated and approved external IT services (particularly cloud services) are used fo
data?
-
Particularly cloud services, whose use is often related to little or no cost, present an enhanced risk that established acquisition proc
also leading to acquisition and commissioning without adequate compliance with technical and contractual information security req
cannot be ensured in cases where external IT services are used without considering security requirements.
Therefore, it must be ensured that external IT services will not be commissioned unless the intended processes are completed and
security processes and provisions are met prior to commissioning.
This must include:

+ All persons having access to sensitive information are aware that the use of external IT services is not permitted without explicit a
implementation of the information security requirements.
- This also includes external IT services which can be used free of charge.

+ Requirements for the acquisition, commissioning and approval of use of external IT services are established.
+ The commissioning and use of external IT services is regulated by an instruction binding to all employees.
+ All employees are made aware of this in regular trainings.
- e.g. during information security trainings held at regular intervals.
+ Observation of the instruction is verified regularly.
+ The approved IT services and their acceptable use are catalogued outlined in catalogues.
This may include:

+ Framework contracts with essential cloud service providers are entered allowing the use only in suitable and assessed configurat
responsible persons within the organization.
+ Catalogues of authorized IT services are provided to the respective specialized departments.

+ Internal audits are held regularly in order to verify that no unauthorized IT services are used.

None.
Supplier Relationships
To what extent are information security requirements contractually agreed with suppliers to mitigate risks when suppliers
corporate assets (particularly information and communication services and in case such assets are used by subcontracto
In collaboration with external companies (e.g. subcontractors), the requirements regarding the protection needs of transferred infor
considered. Therefore, relevant risks and requirements regarding information security must be addressed in the contracts.
400375344.xlsx /
This must include:
+ External companies/third parties (e.g. subcontractors) shall be subjected to an information security assessment.
+ Contractual agreements with external companies regarding measures for protecting information (e.g. non-disclosure agreements
+ Requirements for other subcontractors of the supplier are taken into account in procurement.

None.
This may include:

+ Information security certification (e.g. ISO/IEC 27001, NIST).

+ A risk assessment is conducted for each commissioning of an external company and additional information security measures are
+ The supplier provides proof of information security (e.g. certificate, testimony).
+ Where a commissioned supplier also gains access to customer information, contractual obligations shall be observed. This can b
- Explicit approval of the passing-on, processing and storage of information by the information owner (e.g. customer)
- measures for procurement control with respect to personally identifiable data (processing ordered by the customer, handling by s
deletion/disabling etc.)
- The requirements for the protection of data during transfer, processing and storage (e.g. encryption)
- Provisions for the reaction to information security events are known to the external companies/third parties
+ In case of externally operated IT infrastructure (e.g. networks, server) and/or cloud solutions, it is ensured that:
- external administrators do not have access to data content
- The requirements for encryption according to Control 10.1 are met

None.
To what extent are the services performed by a supplier or subcontractor monitored, reviewed and audited on a regular ba
The provision of services by service providers shall be monitored regularly by an organization. By means of monitoring and verifyin
must be ensured that the conditions of an agreement regarding information security are fulfilled.
This must include:

+ Compliance with contractual agreements is monitored and verified.

+ A process for monitoring and verifying service providers is defined and established.
+ Third party service reports and documents are monitored and verified.
This may include:

None.

+ Information security or compliance with security policies among business partners is adequately ensured by means of suitable ve

None.
Information Security Incident Management
400375344.xlsx /
To what extent are responsibilities, procedures, reporting channels and criticality levels established to ensure an effective
information security incidents or weaknesses?
Detection of and defence against security events generally require an effective and consistent approach. For this purpose, the resp
procedures for handling information security events must be specified in order to ensure a prompt reaction to those events. Suitabl
awareness of all employees are essential elements of these procedures and must be considered.
This must include:

+ A policy for reporting information security events or weaknesses is created including at least the following requirements:
- reaction to information security events according to defined levels of criticality
- report form
- reporting channel
- processing organization
- specifications for feedback procedure
- indication of technical and organizational measures (such as disciplinary measures)

None.
This may include:

None.

+ Requirements resulting from business relations (e.g. obligations of reporting to customers) are determined and implemented.

None.
To what extend is the handling on security events performed?

Information security events must be assessed. There shall be an adequate reaction to information security events based on defined
aftermath of information security events, findings must be used to reduce the probability of future events occurring.
This must include:

+ Procedures are established and documented in order to ensure verifiability in case of Information security events/weaknesses.
+ Information security events/ weaknesses are assessed and documented in order to ensure verifiability.
+ An adequate reaction to information security events/ weaknesses is given.

+ Information security events/weaknesses (problem management) are analysed.
+ Measures to prevent further occurrence of similar information security events are defined and implemented.
This may include:

None.

None.

None.
Information Security Aspects of Business Continuity Management
400375344.xlsx /
To what extent are information security requirements (including redundancy of corresponding facilities) and the continuity
event of a crisis defined, implemented, verified and evaluated?
(Reference to ISO 27001: Control A.17.1.1 - A.17.1.3 and A.17.2.1)
In events of crisis, information security is particularly at risk. Therefore, it must be ensured that even in those cases the defined ISM
provide effective protection or previously defined supplementary measures must be taken.
This must include:

+ Potentially affected IT systems and software are identified.
+ For events of crisis, methods, processes and procedures relevant to information security are taken into account.

+ Taking information security into account in the BCM (Business Continuity Management) or the disaster recovery process, where a
+ Information security measures for events of crisis are reviewed regularly.
This may include:

+ The persons responsible for information security (see Control 6.1) are part of the crisis management team.
+ The redundancy in the field of IT facilities and IT systems (availability aspects) is ensured.

None.

None.
Compliance
To what extent is compliance to relevant legal (country-specific) regulations and contractual requirements ensured (e.g. p
property rights, use of encryption technology and protection of records)?
(Reference to ISO 27001: Control A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.5)
An essential aspect of compliance is the adherence of legal, regulatory, contractual and business-related requirements and specific
must know relevant requirements and specifications and meet them. This also includes consideration of intellectual property rights.
requirements for records regarding their protection against loss, destruction, forgery, unauthorized access and unauthorized disclos
additionally cryptographic measures shall be implemented while taking the relevant agreements, legislation and provisions into acc
400375344.xlsx /
This must include:
+ Legal, regulatory and contractual requirements and specifications of relevance to information security, such as e.g. in relation to c
regularly.
+ Regulations regarding the compliance with legal, regulatory and contractual requirements are defined, implemented and commun
persons.

+ Measures for fulfilling the requirements regarding intellectual property rights and the use of software products protected by copyri
license management) are defined and implemented.
+ Staff awareness measures with respect to compliance topics associated with information security are carried out regularly.
+ The integrity of records in accordance with legal, regulatory and contractual obligations and business requirements as well as cla
protection, storage) is taken into account.
This may include:

None.

None.

None.
To what extent is confidentiality and the protection of personally identifiable information ensured (according to national le
Privacy and protection of personally identifiable information must be ensured as required in relevant legislation and regulation wher
purpose, processes and procedures ensuring adequate protection of personally identifiable information shall be implemented.
This must include:

+ Legal and contractual requirements regarding the procedures and processes in the processing of personally identifiable informati
+ Information assets are classified according to personally identifiable information.
+ Regulations regarding the compliance with legal and contractual requirements for the protection of personally identifiable informa
communicated to the entrusted persons.
+ Processes and procedures for the protection of personally identifiable information are implemented.

None.
This may include:

None.

None.

None.
To what extent is the ISMS reviewed by an independent third party at regular intervals or in case of significant changes?
Assessing the effectiveness of the ISMS only from an internal point of view is not sufficient to serve as an essential control tool. Ins
and therefore objective assessment must be obtained at regular intervals and in case of significant changes.
400375344.xlsx /
This must include:
+ Information security reviews are carried out by an independent and competent body at regular intervals and in case of significant
+ Measures for correcting potential deviations are initiated and pursued.

+ The results of the conducted tests are recorded and retained.
+ The results of the conducted tests are reported to the management of the organization.
This may include:

None.

None.

None.
To what extent is the compliance of procedures and processes with policies, regulations and other relevant information se
ensured?
(Reference to ISO 27001: Control A.18.2.2, A.18.2.3)
The effectiveness of policies, regulations and relevant information security standards must be ensured continuously. For this purpo
applicable security policies and standards must be verified at regular intervals. This also includes verification of compliance with tec
the information security policies. The results of the conducted tests must be recorded and the records must be retained.
This must include:

+ Compliance with policies, regulations and information security standards is monitored.
+ Information security regulations and procedures are reviewed throughout the organization at regular intervals.
+ Measures for correcting potential non-conformities (deviations) are initiated and pursued.

+ The results of the conducted tests are recorded and retained.
+ A plan for content and framework conditions (time schedule, extent, controls) of the tests to be conducted is provided.
This may include:

None.

None.

None.
400375344.xlsx /
Additional requirements for connection to third parties
based on ISO 27002:2013
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5; n.a.
23
23.7
23.7.2
Objective:
Requirements:
23.9
23.9.2
Objective:
400375344.xlsx /
Connection to 3rd parties (23)
Requirements:
23.11
23.11.1
Objective:
Requirements:
23.13
23.13.3
400375344.xlsx /
Objective:
Requirements:
400375344.xlsx /
rity Assessment -
ements for connection to third parties
O 27002:2013
a question does not apply, please insert n.a. (not applicable).
Additional requirements for connection to third parties

Human Resources Security
To what extent is staff (internal and external) made aware of and trained about the risks associated with handling and pro
Information security must be a natural and integral part of the work environment and adopted in the daily work of all employees. By
security training, employees must gain the necessary knowledge and competence for security-conscious behaviour. They must be
is expected of them with respect to information security and how to react to security-critical situations.
This must include:

+ Employees having access to customer networks have received the necessary training and awareness for handling the associate

None.
This may include:

None.

None.

None.
Access Control
To what extent are procedures for the registration, modification and deletion of users with the corresponding access right
particular is the authentication information handled confidentially?
The identity of the user of an IT system or an IT application must be clearly verifiable to allow the assignment of actions. In order to
authentication (registration) procedures and mechanisms of IT systems or IT applications must be designed such that users are cle
authenticated.
400375344.xlsx /
This must include:
+ User related access to customer systems shall not be used by multiple users.
+ Changes to the employment contract or the authority of an employee shall be reported to the system operator immediately or use
adapted accordingly.

None.
This may include:

None.

None.
None.
To what extent are security zones for the protection of sensitive or critical information and information processing facilitie
and monitored (access control)?
Processing of information assets outside the area affected by the measures intended for achieving the target information security le
Since it is generally not possible to implement corresponding measures for all areas of the location, a zone concept must be applie
which type of information may be processed.
This must include:
None.

None.
This may include:

None.

+ Separate zones are established for the respective projects.
+ Work place computers (e.g. PCs, CAD work stations) should be installed in locked rooms.
+ Rooms accommodating servers should be alarm-monitored.
+ Protective measures against simple eavesdropping and viewing shall be implemented.
+ Access restricted to authorized persons (e.g. access system, own locking system).
+ Creating of print-outs only within the respective zone or by personally printing (e.g. print-to-me with PIN).
+ Destruction of (phyiscal) files within those zones (e.g. by using shredders).
+ Where rooms have several users (e.g. server rooms), direct access to systems by external persons shall be prevented.
+ Physically securing the property or project rooms (e.g. locking system).

+ Physically securing the property or project rooms outside the hours of operation (e.g. fence security system/video surveillance wi
function, not recording only, intrusion detection system with motion sensors, glass breakage detectors, cameras and image recogn
+ Immediate response to alarm messages according to alarm plan.
+ Permanent surveillance of escape doors.
Communications Security
To what extent are groups of information services, users and information systems segmented within the network?
400375344.xlsx /
IT systems on the network have different protection needs. Thus, IT systems directly connected to the internet are generally expos
than IT systems on the office net. In order to detect and prevent undesired data exchange between IT systems of different protectio
groups must be designed on the network and these must be segregated from other groups.
This must include:

+ Requirements regarding network segmentation are defined.
+ Rules and procedures for network segmentation are defined and implemented.

None.
This may include:

None.

+ Physical and/or logical separation of supplier/vendor network and customer network.
+ No access to the project office from outside.

None.
400375344.xlsx /
400375344.xlsx /
Zusatzanforderungen Prototypenschutz
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
Level 0-5; n.a.
25
25.1
25.1.1
Requirements:
25.1.2
Requirements:
25.1.3
Requirements:
25.1.4
Requirements:
400375344.xlsx /
Prototype protection (25)
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
Level 0-5; n.a.
25.1.5
Requirements:
25.1.6
Requirements:
25.1.7
Requirements:
25.1.8
Requirements:
25.2
25.2.1
Requirements:
400375344.xlsx /
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
Level 0-5; n.a.
25.2.2
Requirements:
25.2.3
Requirements:
25.2.4
Requirements:
25.2.5
Requirements:
400375344.xlsx /
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
Level 0-5; n.a.
25.2.6
Requirements:
25.2.7
Requirements:
25.3
25.3.1
Requirements:
25.3.2
Requirements:
400375344.xlsx /
Company: 0
Location: 0
Date: 12/30/1899
Maturity level
Level 0-5; n.a.
25.3.3
Requirements:
25.3.4
Requirements:
25.3.5
Requirements:
25.3.6
Requirements:
25.3.7
Requirements:
400375344.xlsx /
urity Assessment -
ngen Prototypenschutz
e a question does not apply, please insert n.a. (not applicable).
Prototype Protection

To what extent is a security concept available describing minimum requirements regarding object security for prototype p
(PT module; no reference to ISO 27001)
This includes e.g.:

+ perimeter security
+ stability of outer skin
+ view and sight protection
+ protection against unauthorized access and access control
+ intrusion detection system
+ documented visitor management
+ client separation.
To what extent is perimeter security existent preventing unauthorized access to protected objects of the properties?
This includes e.g.:

+ artificial barriers (fence systems, walls)
+ natural barriers (growth, vegetation)
+ technical barriers (detection).
To what extent is the outer skin of protected buildings constructed such as to prevent removal or opening of outer-skin co
standard tools?
This includes e.g.:

+ massive construction (stone, concrete, steel metal).
To what extent is a view and sight protection ensured in defined protection areas?
This includes e.g.:

+ protection against sight through relevant glass surfaces
+ prevention of sight through open doors/gates/windows.
400375344.xlsx /
urity Assessment -
To what extent is the protection against unauthorized entry regulated in the form of an access control?
This includes e.g.:

+ mechanical locks with documented distribution of keys
+ electronic access systems with documented authorization assignment
+ personal access control with documentation.
To what extent is a functioning intrusion detection system implemented on the premises to be secured?
This includes e.g.: + use

accordance with DIN EN 50131, complying with VDS or similar and functional
+ preparation of alarm plans
+ alarm tracing to a certified security service or control centre (e.g. according to DIN 77200, VdS 3138).
To what extent is a documented visitor management in place?

This includes e.g.:

+ mandatory registration for all visitors
+ documented non-disclosure obligation prior to entry
+ publication of security and visitor regulations.
To what extent is on-site client separation existent?

This includes e.g.:

+ spatial separation of different
- customers and/or
- projects.
Organizational Requirements
To what extent are non-disclosure agreements/obligations existent according to the valid contractual law?
This includes a non-disclosure agreement e.g.:

+ between contractor and customer (companies)
+ with all employees and project members (personal obligation).
400375344.xlsx /
urity Assessment -
To what extent are requirements for commissioning subcontractors known and fulfilled?
This includes e.g.:

+ approval by initial customer
+ valid non-disclosure agreement according to contractual law
- between customer and subcontractor (companies)
- with all employees and project members of the subcontractor (personal obligation)
+ demonstration of compliance with security requirements of the initial customer.
To what extent are the employees and project members evidently trained for and made aware of risks associated with han
This includes e.g.:

+ ensuring by the management training/awareness programs are carried out
+ training of employees and project members in the handling of prototypes on entering the project
+ regular (at least annual) training of employees in handling prototypes
+ ensuring the awareness among employees and project members of the respective protection needs and the resulting company-in
+ obligation of employees and project members to attend training and awareness measures.
To what extent are security classifications of the project and the resulting measures for protection known?
This includes e.g.:

+ ensuring that all project members have been made aware of the security levels and security requirements according to the progr
+ consideration of level plans, measures for non-disclosure and camouflage, development policies.
To what extent is a process defined for allocation of access to defined security areas?
This includes e.g.:

+ responsibilities for the allocation of access are clearly regulated and documented
+ consideration of new allocations, changes and deletions
+ rules of conduct for reacting to loss/theft of locking means.
400375344.xlsx /
urity Assessment -
To what extent are regulations for image recording and handling of created image material existent?
This includes e.g.:

+ approval procedure for image recording
+ regulation for classification of image material
+ secure storage of image material
+ secure deletion/disposal of unrequired image material
+ secured passing-on/transfer of image material to authorized recipients only.
To what extent is a process for carrying along and using mobile video and photography devices in(to) defined security are
This includes e.g.:

+ approval procedure for image recording
+ regulation for classification of image material
+ secure storage of image material
+ secure deletion/disposal of unrequired image material
+ secured passing-on/transfer of image material to authorized recipients only
+ regulation for carrying along.
Handling Prototypes
To what extent are the predefined regulations for camouflage implemented by the project members?
This includes e.g.:

+ project members are aware of the requirements for use of the respective camouflage
+ agreement on changes to the camouflage with the customer
+ prompt reporting of damages to the camouflage.
To what extent are transports in need of protection arranged according to the specifications of the customer?
This includes e.g.:

+ that those logistics/transport companies specifically approved by the customer are used
+ that the loading and unloading requirements specified by the customer are known and met
+ that any security-relevant incidents are reported to the customer.
400375344.xlsx /
urity Assessment -
To what extent is it ensured that vehicles, components or parts which require confidentiality are parked/stored in accorda
requirements?
This includes e.g.:

+ the customer-specific parking/storage requirements are evidently known.
To what extent are security requirements of approved test and trial grounds observed/implemented?
This includes e.g.:

+ an up-to-date listing of customer-approved test and trial grounds
+ rules of conduct for ensuring trouble-free testing
+ protective measures defined by the customer.
To what extent are security requirements for approved test and trial drives in public observed/implemented?
This includes e.g.: .

+ protective measures defined by the customer.
+ rules of conduct in case of unusual events (e.g. incident, accident, theft...).
To what extent are security requirements for presentations and events with scope/contents subject to confidentiality impl
This includes e.g.: .

+ created security concepts agreed with and approved by the customer (organizational, technical,staff-related)
+ rules of conduct in case of unusual events
To what extent are security requirements for film and photo shootings with scope/contents subject to confidentiality imple
This includes e.g.:

+ proof of approval of the premises expected to be used
+ created security concepts agreed with and approved by the customer (organizational, technical, staff-related)
+ rules of conduct in case of unusual events
400375344.xlsx /
Control 7.2 Awareness and training of employees 9.2 User registration 12.1 Change management
VDA ISA target maturity

4 4 4
level
Scope COVERAGE EFFEKTIVENESS COVERAGE COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS
Coverage degree of Effectiveness of awareness Coverage degree review “user Coverage degree review Coverage degree Change
ID Collective accounts Change - error rate
awareness measures measures accounts” “authorizations” Management
Employees with raised awareness The contents of awareness Regular reviews of user accounts Collective accounts should
Regular reviews of systems for
represent an important pillar for the measures should consider for unnecessary authorizations is a principally not be used or used only A comprehensive and consistently A high quality of the change
unnecessary accounts is a
information security in a company. outcomes of information security prerequisite for a consistent and in exceptional cases since an adhered change management management process leads to
prerequisite for a consistent and
Awareness measures should reach incidents. The KPI measures the current authorization basis explicit allocation of user activities process is the basis for secure lower error rates of the performed
Description all employees, as far as possible. effectiveness of awareness
current user basis according to the
according to the need-to-know is impeded. The KPI measures the operation. The KPI measures the changes and contributes to secure
need-to-know principle. The KPI
The KPI measures the coverage measures by collection (number or principle. The KPI measures the number of used collection accounts coverage degree of changes that operation. The KPI measures the
measures the coverage degree of
degree of trainings such as e- cost based) of security incidents coverage degree of the measure in consideration of approved are compliant with the guidelines. error rate of changes.
the measure “regular user review”
learnings, classroom trainings. with human errors as a cause. “regular authorization review”. exceptions.
All employees are trained with No information security incidents All systems have valid user All authorizations comply with All collective accounts are reviewed Guidelines-compliant performance
Objective (Vision) respect to information security with human error as a cause accounts only current needs for their need of all changes
Error-free performance of changes
Recipient Information Security; supervisors Information Security Information Security Information Security Information Security Information Security Information Security
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Frequency (reporting) annually) annually) annually) annually) annually) annually) annually)
to be determined individually (0-

20…low, 20-50 medium, 50+ high) to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
to be determined individually (e.g. possible characteristic for Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, to be determined individually (e.g.
Threshold levels Green: > 90%, Yellow: 70-90%, comparability of business units: in Red: < 70%, special case of Red: < 70%, special case of Number red: > 0,Green = 0 Red: < 70%, special case of Green: < 10%, Yellow: 10-30%,
Red: < 70%) relation to the number of systems relevant to financial systems relevant to financial systems relevant to financial Red: > 30%)
employees e.g. unit: incidents/100 reporting: target coverage reporting: target coverage reporting: target coverage 100%
employees
Analysis training management

Determining the number of security Quotient: number of performed Quotient: number of performed collecting the number of collective Quotient: number of approved and Quotient: number of reversed
Quotient: number of
Measurement participants/total number of
incidents with human error as a reviews/total number of systems in reviews/total number of users in accounts (adjusted for authorized requested changes (RFC)/total changes/total number of performed
cause scope scope exceptions) number of performed changes changes
employees
Frequency (measurement) annually) annually) annually) annually) annually) annually) annually)
HR - Training Department - IKS - Data Owner, User Management, Data Owner, User Management, IT Operations, Change IT Operations, Change
Interfaces Internal Audit Department
Incident Management
supervisors supervisors
User Management
Management Management
User directory, authorization

E-learnings, classroom training, Incident Mgt. Tool, Ticket System, User directory, authorization User directory, authorization Project Management, Change Project Management, Change
Components training plan, training register ISMS Tool
management tool, IAM platform,
management tool, IAM platform management tool, IAM platform Management Management
CMDB
Data archiving 5 years 5 years 10 years 10 years 5 years 10 years 5 years
400375344.xlsx /
KPIs
12.7 Detection of vulnerabilities
12.3 Protection against malware 12.4 Backup 16.2 Processing of information security incidents
(Patch management)
4 4 4 4
COVERAGE EFFEKTIVENESS COVERAGE COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE
Coverage degree Endpoint Effectiveness of updating Degree of restoration test Coverage degree Patch Effectiveness of patch Detection rate of information
Degree of backup coverage Backup effectiveness
Security Endpoint Security coverage Management installation security incidents
A comprehensive patch The contemporary installation of Information security incidents have

A comprehensive Endpoint Security Current virus signatures are the A regular and complete backup A regular review of backup Backup quality must be ensured by
management protects the company patches ensures the security of to be detected and timely handled
provides a company with an prerequisite for an effective provides protection against the loss functionality (e.g. by restoring data correlating controls. Measures are
against the impacts of malware and systems and applications and in order to protect the company
essential protection against Endpoint Security. The KPI of data, e.g. in case of a system or systems) is essential for the e.g. data restore, system
exploits. The KPI measures the therefore reduces the window of from damages. The KPI measures
malware. The KPI measures the measures the target and the actual failure or malware infection. availability of business information. restoration.
inclusion of systems and vulnerability for the company. The the compliance of the incident
ratio of protected systems taking state of virus definitions on The KPI measures the degree of The KPI measures the degree of The KPI measures the number of
applications in the Patch KPI measures recording of the reporting process between the
approved exceptions into account. reporting deadline. backup coverage. the restore test coverage. incorrect data restores.
Management process. target and actual state of Patches. involved interfaces.
All information security incidents

Comprehensive protection of all All systems have up-to-date Regular restore tests for all backed- All systems are involved in the All systems are at up-to-date patch will be detected, reported and
All data is adequately protected Correct backups
system threatened by malware protection up systems patch process level handled within the framework of the
incident management process
Local IT, Information Security, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security,
Local IT, Information Security Local IT, Information Security Local IT, Information Security Local IT, Information Security
service owner service owner service owner Compliance
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) annually)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.

to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
target: 100% after max. 30 minutes, Green: = 100% (of systems to be target: 100% after max. 10 days,
Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Number Red: > 0,Green = 0 Green: > 90%, Yellow: 70-90%, Number Red: < 1,Green = 1
Green: > 90%, Yellow: 70-90%, secured), Yellow: 70-99%, Red: < Green: > 90%, Yellow: 70-90%,
Red: < 70%) Red: < 70%) Red: < 70%)
Red: < 70%) 70%) Red: < 70%)
Quotient: number of protected Quotient: number of systems Quotient: number of currently Quotient: number of information
time comparison Quotient: number of systems with Quotient: number of restorations time comparison
systems/total number of systems covered with backups/total number patched systems/total number of security incidents reported in the
average actual rollout state vs. tested restoration from backup/total with errors/total number of all average actual rollout state vs.
(adjusted for authorized of systems (adjusted for authorized systems (adjusted for authorized incident management/number of all
target state number of all systems with backup restoration tests target state
exceptions) exceptions) exceptions) incidents (of the surveying unit)
monthly) annually) annually) monthly) annually) monthly) monthly) annually)
Patch/Change Management, IT Patch/Change Management, IT IT, CERT, Incident Management,

AV Management, IT Operations AV Management, IT Operations Backup process, IT Operations Backup process, IT Operations Backup process, IT Operations
Operations Operations Helpdesk, Service Management
Change Management console, Change Management console,

Incident Management
AV console, CMDB AV console, CMDB Backup software, CMDB Backup software, CMDB Backup software, CMDB software distribution platform, software distribution platform,
System/Workflow
CMDB, WSUS CMDB, WSUS
5 years 5 years 10 years 10 years 10 years 5 years 5 years 10 years
400375344.xlsx /
KPIs
.2 Processing of information security incidents 5.1 Information security policy 6.2 Information security in projects 6.3 Mobile devices 11.1 Security zones
4 3 3 3 3
EFFEKTIVENESS COVERAGE COVERAGE COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE
Coverage degree of Effectiveness of

Timely processing of Creation degree of required Actuality of required Protective measures - Coverage degree of mobile Implementation degree of
information security in implementation of mobile
information security incidents policies/documentations policies/documentations implementation in projects device security zone concept
projects device security measures
Information security incidents have A comprehensive and consistent

Under an ISMS, Properties shall be adequately
to be prioritized and handled For the ISMS, the prepared protection of all relevant mobile A strong implementation of
mandatory/voluntary Information security topics shall be protected, this can be achieved by
accordingly depending on their policies/documentations shall be Projects subject to information devices is the basis for their secure protective measures regarding
policies/documentations shall be addressed during projects. implementation of a zone concept.
criticality. The KPI measures the reviewed for their actuality. security requirements operation. The KPI measures the relevant mobile devices reduces
prepared. The zone concept should be
appropriate timely handling of coverage degree of the defined weaknesses.
implemented comprehensively.
information security incidents. protective measures.
All information security incidents All necessary All necessary

Information security requirements Information security requirements All relevant mobile devices are All relevant mobile devices are
will be handled within an policies/documentations are policies/documentations are Zones are defined for all properties
are considered in all projects are implemented in all projects subject to protective measures subject to up-to-date protection
appropriate time frame present. reviewed for actuality/content
Local IT, Information Security, Information Security, Corporate Information Security, Corporate Information Security, Corporate Information Security, Corporate IT Security, Information Security, Information Security, Corporate
IT Security, Information Security
Compliance Security, IT Security, HR, Business Security, IT Security, HR, Business Security, IT Security Security, IT Security Corporate Security Security
Initial creation
annually) annually) annually) annually) annually) annually) annually)
to be determined individually (e.g.

according to category maximum
periods for solution:
-PRIO 1: days to be determined individually (e.g.
to be determined individually (target to be determined individually (target to be determined individually (target to be determined individually (target to be determined individually (target to be determined individually (target
-PRIO 2: weeks Green: > 90%, Yellow: 70-90%,
coverage = 100 %) coverage = 100 %) coverage = 100 %) coverage = 100 %) coverage = 100 %) coverage = 100 %)
-PRIO 3: months Red: < 70%)
unsolved incidents within period,
e.g. Green: < 2%, Yellow: 2-5%,
Red: > 5%)
Quotient: number of policies

For each individual criticality level: Quotient: number of existing Quotient: number of projects Quotient: number of projects Quotient: number of protected Quotient: number of mobile devices Quotient: number of properties with
reviewed according to
all unsolved incidents within policies/population of necessary considering security/total number of considering security aspects/total mobile devices/total number of protected in a timely manner/total zone concept/population of
cycle/population of policies to be
defined period/all incidents policies relevant projects number of relevant projects mobile devices number of mobile devices properties
reviewed
annually) annually) annually) annually) annually) monthly) monthly) annually)
IT, CERT, Incident Management, Information Security, Corporate Information Security, Corporate Project customer, project Project customer, project Plant security, local security
IT operation, IT Security IT operation, IT Security
Helpdesk, Service Management Security, IT Security, HR, Business Security, IT Security, HR, Business management office (PMO) management office (PMO) functions, specialized departments
Contents derived from the Contents derived from the

Incident Management Statement of Applicability (SoA) Statement of Applicability (SoA) Property plans, zone concept,
Overview of projects per PMO Overview of projects per PMO Overview of mobile devices Overview of mobile devices
System/Workflow and documented in accordance and documented in accordance information classification
with ISO 27001 with ISO 27001
400375344.xlsx /
KPIs
11.3 Protection measures in the
11.1 Security zones 12.5 Event logging 12.6 Logging administrative activities 12.8 System audits
delivery and shipping area
3 2 3 2 2
EFFEKTIVENESS COVERAGE COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS
Coverage degree of event Coverage degree of admin

Implementation of protective Coverage degree review Coverage degree system Effectivity of system audit
logs on security-critical Functioning log activity logs on security-critical Functioning log activity
measures for zone concept “Authorizations” audits implementation
systems systems
Admin logging allows traceability of

Event logging enables traceability administrator activities in a process
Results of admin logging activities
of activities in a process or process Results of logging activities shall or process step/on a system/in an
Regular verifications of access shall allow their analysis. Reliable IT systems processing or storing
Zones shall be protected step/on a system/in an application. allow their analysis. Reliable end- application. This functionality helps Measures resulting from those
rights with respect to their need and manipulation-protected end-to- information of high or very high
adequately according to the This functionality helps to solve to-end recording of the activities to to solve abnormalities. audits shall be implemented in time
are a prerequisite for a secure end recording of the admin protection needs shall be subjected
criticality. system failures/abnormalities. Logs be monitored is essential for Administrator logs should be in order to eliminate vulnerabilities.
delivery and shipping zone. activities to be monitored is to audits at regular intervals.
should be activated in security- traceability, if required. activated in security-critical systems
essential for traceability, if required.
critical systems. and protected against (admin)
manipulations.
Security zones are protected All employees working in the

All relevant systems and All relevant systems and
according to internal specifications delivery and shipping area are Completeness and correctness of Completeness and integrity of All relevant systems are subject to All measures are implemented in
applications are integrated into applications are integrated into
(see e.g. References “Security subject to regular review of access logs admin logs audits at regular intervals time
event logging admin logging
zones”). rights
Information Security, Corporate Corporate Security, Logistics, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security,
Local IT, Information Security Local IT, Information Security
Security authorities Compliance Compliance Compliance Compliance
to be determined individually (e.g. to be determined individually (e.g.

Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, to be determined individually (e.g. to be determined individually (e.g.
to be determined individually (target Number of incorrect logs Number of incorrect admin logs
Red: < 70%, special case of Red: < 70%, special case of Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%,
coverage = 100 %) Red: > 0,Green = 0 Red: > 0,Green = 0
systems relevant to billing: target systems relevant to billing: target Red: < 70%) Red: < 70%)
coverage coverage
Quotient: number of employees

working in the delivery and shipping Quotient: number of measures
Quotient: number of adequately Quotient: number of logged Quotient: number of logged Quotient: number of audited
area who are subject to regular number of incorrectly written admin implemented in time/number of
secured zones/population of all security-critical systems/total number of incorrectly written logs security-critical systems/total systems/total number of security-
access rights reviews/population of logs measures still to be implemented
zones number of security-critical systems number of security-critical systems critical systems
employees working in the delivery
and shipping area
quarterly) annually) annually) quarterly) annually) quarterly) monthly) monthly)
Plant security, local security IT, System Owner, Data Owner, IT, System Owner, Data Owner, IT, System Owner, Data Owner, IT, System Owner, Data Owner, Audit Management, IT Operation, Audit Management, IT Operation,
Logistics, Access Management
functions, specialized departments Risk Owner Risk Owner Risk Owner, User Management Risk Owner, User Management System Owner System Owner
Property plans, zone concept, Staff directory (internal/external),

CMDB, Logging server CMDB, Logging server CMDB, Logging server, IAM CMDB, Logging server, IAM CMDB CMDB, Audit system
information classification access control system
to be defined individually (if to be defined individually (if to be defined individually (if to be defined individually (if
5 years 10 years 5 years 5 years
relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years)
400375344.xlsx /
KPIs
14.1 Requirements for the
13.2 Network services 13.5 Non-disclosure agreements 14.2 Security during the software development process 18.4 Effectiveness review
acquisition of information systems
3 3 3 3 3
COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS
Coverage degree review Effectiveness of risk handling Coverage degree of risk Coverage degree of activities Timely elimination of
Effectiveness of observing Coverage degree non- Effectiveness of risk handling
service level agreements in information service assessment in software to eliminate vulnerabilities vulnerabilities determined
SLAs disclosure agreements in development process
(SLA) acquisition processes development process determined during audits during audits
Weaknesses identified in the Weaknesses identified in the

The protection of information Information security risks
Regular verifications of the SLAs course of information security course of information security
confidentiality shall be subject to Risks identified during the associated with the applications to Risks identified in the process of
for network services ensure The agreed measures resulting audits (internal and external) shall audits (internal and external) are
contractual agreement where at acquisition process are treated in a be developed shall be identified as software development are treated
consideration of current security from SLAs shall be implemented. be eliminated in a consequent and eliminated within the deadlines
least confidential information is timely and effective manner. early as possible in the process of in a timely and effective manner.
requirements at all times. traceable manner. Findings shall agreed (with the audited
exchanged with external partners. software development.
not remain unaddressed. departments).
Weaknesses identified in the

A non-disclosure agreement has Security risks are taken into Security risks are addressed in the All weaknesses identified in the
All SLAs include the current All requirements resulting from the Risks identified in acquisition are course of audits are eliminated
been entered with all external account in the software development process in an course of audits are traced and
security requirements SLAs are implemented handled in an effective manner within the defined time and in an
partners development process effective manner assigned to activities
effective manner
Acquisition, Information Security, Information Security, Local IT, Information Security, Local IT, Risk Information Security, Local IT, Risk Information Security, Corporate Information Security, Corporate
Local IT, Information Security Local IT, Information Security
specialized department Procurement Management Management Security, Local IT, Internal Audit Security, Local IT, Internal Audit
Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%,
Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%)
Quotient: number of software Quotient: number of activities for

Quotient: number of measures Quotient: number of orders with Quotient: number of findings
Quotient: number of treated development projects that Quotient: number of treated eliminating vulnerabilities within the
Quotient: number of verified implemented/number of measures concluded non-disclosure subject to subsequent
risks/population of risks identified in underwent risk risks/population of risks identified in defined period for
SLAs/total number of SLAs agreed agreement/total number of relevant activities/population of identified
the acquisition process assessment/population of relevant the development process implementation/population of all
orders findings
development projects specified activities
monthly) monthly) monthly) quarterly) quarterly) quarterly) quarterly) quarterly)
Internal Auditors, Information Internal Auditors, Information
Acquisition, Information Security, Procurement, specialized Procurement, specialized Procurement, specialized
Local IT, Information Security Local IT, Information Security Security, IT, specialized Security, IT, specialized
specialized department departments (requisitioner), IT departments (requisitioner), IT departments (requisitioner), IT
departments (Auditees) departments (Auditees)
Acquisition register, ordering Development system, development Development system, development Audit data base, follow-up data Audit data base, follow-up data
CMDB CMDB Acquisition system
system project data base project data base base base
400375344.xlsx /
KPIs
Security zones
Zone White (public) Green (controlled zone) Yellow (restricted zone) Red (high risk zone)
Explanation Areas of public character, which are permanently or temporarily accessible to everyone. Areas with low risk Area with technical or organizationally controlled safety measures, not freely accessible, Area with additional safety measures, restrictive, protection of special scopes, limited Area with the highest security requirements, protection of sensitive values strictly
without particularly sensitive values. None or only preventive safety requirements. Domestic authority exists. usually internal scopes number of persons, usually confidential scopes as well. regulated access rights, usually secret scopes.
(e.g. visitors' parking space, connecting routes)
Aspect
Accessibility No special requirements Values cannot be viewed freely, Clean Desk Temporary measures (according to the risk analysis) for sight protection/noise reduction Permanent sight protection/noise reduction
Visitor requirements Appropriate signs Only registered visitors, explicit reference to confidentiality/non-disclosure Restricted group of visitors, written confirmation of the non-disclosure, in permanent Only in exceptional cases: additionally to “Yellow” four-eyes principle, householder’s
personal escort by own staff consent
Driving on/parking Permitted Vehicles are allowed to drive on/park only after registration. Special restrictions Special restrictions
Access control and protection None Area must be protected against unauthorized access (personnel or technical measures) Monitoring the entering/exiting of the zones via online access reader, compensating Monitoring the entering/exiting of the zones via online access reader
locking system with limited circle
Monitorings If required, camera surveillance (prevention of damage to property) Camera surveillance and/or patrolling (prevention of unauthorized penetration) Camera surveillance, motion detection at least in the access areas or easily accessible Camera surveillance, glass breakage detector, windows with sight protection, double
areas (e.g., ground floor windows) illumination with motion detectors, central circuit, intrusion detection system installed by
professionals
Resistance values . Fences 2.2m with anti-climbing protection and undermine protection/building shell At least RC 2 or compensating measures At least RC 2 (resistance time 5 minutes) with additional measures
consisting of windows, doors, walls, roofs
Response time (alarm to visual . 30 minutes 10 minutes 5 minutes
inspection and acknowledgment)
Photography/use of optics . No internal information, otherwise only using business devices No use of private devices, business devices only in case of professional assignment No private devices, business devices in exceptional cases only Four-eyes principle,
approval by company management
Optics
Zone Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Explanation Areas of public character, which are permanently or temporarily accessible to everyone. Areas with low risk Area with technical or organizationally controlled security measures, not freely Area with additional security measures, restrictive, protection of special scopes, limited Area with the highest security requirements, protection of sensitive values strictly
without particularly sensitive values. None or only preventive safety requirements. Subject to householders accessible, usually internal scopes number of persons, usually confidential scopes as well. regulated access rights, usually secret scopes.
rights (e.g. visitors' parking space, connecting routes)
Aspect “carrying along” Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Company owned devices No special requirements Carrying along unsealed devices allowed Carrying along unsealed devices allowed Carrying along sealed devices allowed
(independent from Mobile Device Carrying along unsealed devices forbidden
Management (MDM))
Private devices of company No special requirements Carrying along unsealed devices allowed Carrying along unsealed devices allowed Carrying along sealed devices allowed
employees (wearables with Carrying along unsealed devices forbidden
optics as well)
Devices of contractors and No special requirements Carrying along unsealed devices allowed Carrying along sealed devices allowed Carrying along even sealed devices forbidden
visitors (wearables with optics as Carrying along unsealed devices forbidden
well)
Aspect “use” Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Video telephony/video No special requirements Allowed in all areas Allowed in office workplaces and meeting rooms, otherwise upon approval In defined meeting rooms with permanently installed equipment, otherwise upon approval
conferencing (without recording)
Photography/video recordings No special requirements - No use of private devices or devices of contractors/visitors - No use of private devices or devices of contractors/visitors - No use of private devices or devices of contractors/visitors
- Allowed with company owned devices allowed with company owned devices upon approval - Allowed in exceptional cases upon approval (e.g. four-eyes principles, consent of the
management)
Recording of persons and sound Declaration of consent required Declaration of consent required Declaration of consent required - Allowed only in exceptional cases upon approval
recording with company owned - Declaration of consent required
devices
Personnel
Type of employment
Standard validation Certificate of good conduct/criminal record certificate Intensive verifications of the CV, references Validation of certificates, diplomas and vocational training
relationship
X
Ordinary employee/worker
Head of department X X
IT department employees
with special access rights
Department Manager X X X
General Manager, Directors, X X X X

Executive Assistants,
Security Manager
Contractors & suppliers X

Contractors & suppliers for
critical infrastructure X X
components
Off-Premises workplace
400375344.xlsx /
References
temporary working environment (e.g. hotel) regular alternative working environment (in particular home office)
Confidentiality of the
information
Highest protection class Paper: principally not Paper: principally not
“secret”
Local data storage: principally not Local data storage: principally not
Remote Access: principally not Remote Access: principally not
Medium protection class Paper: continuously under personal control Paper: principally only temporarily
“confidential”
Local data storage: strongly encrypted or Mobile Device Management (MDM) active (remote deletion Local data storage: strongly encrypted or Mobile Device Management (MDM)
on demand) active (remote deletion on demand)
Remote Access: strongly authenticated & strongly transport encrypted, integrity of the access device Remote Access: strongly authenticated & strongly transport encrypted, integrity
ensured, data “non-permanent” of the access device ensured, data “non-permanent”
Lowest protection class Paper: under personal control Paper: in office furniture with special closing
“internal”
Local data storage: encrypted or Mobile Device Management (MDM) active (remote deletion on Local data storage: encrypted or Mobile Device Management (MDM) active
demand) (remote deletion on demand)
Remote Access: strongly authenticated & strongly transport encrypted, integrity of the access device Remote Access: strongly authenticated & strongly transport encrypted, integrity
ensured, data “non-permanent” of the access device ensured, data “non-permanent”
Protection classes
Description
Normal The potential damage is marginal, short-term nature, and limited to a single entity.
High The potential damage is significant or medium-term nature or is not limited to a single entity.
Very high The potential damage threatens the existence of the company or long-term nature or is not limited to
a single entity.
400375344.xlsx /
References
Glossary
GWP = Generic Work Product = a general result that arises from the execution of the process
PA = Process Attributes = a measurable characteristic to a process capability that is applicable for each process.
Evaluation basis:
Cutback result
In the “Result with cutback to target level”, the cutback of achieved results to the target maturity level ensures that
“overachieved” controls do not compensate underachieved controls in the overall result.
Maximum score:
The variations in the maximum score arise when individual controls are marked with “n.a.” (not applicable) and
therefore the average value of the target maturity levels changes.
Spider diagram:
All results are shown without cutback. The line for the target maturity level considers controls that were marked as n.a.
400375344.xlsx /
Gedruckt am: 10/26/2018 Seite 96 von 98
Glossar
Author:
Study group Information Security of the
German Association of the Automotive Industry
License:
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
400375344.xlsx /
License
1.0 First release (Initial build)
1.1 Change open questions to enclosed questions

More precise level descriptions
Inserting examples from practises
Spelling errors corrected
1.2 8.2 and 10.1 reference adjustment

10.2 change from production to productive environment
10.5 change from IDS/IPS to HIDS/HIPS
11.2 change of the translation
11.3 and 11.4 restructuring of controls
1.3 11.4 add “IT systems”

9.4 revise Maturity Level 2
2.0 Revision due to the new edition of ISO 27002:2013

Adjustment of the maturity levels
2.0.1 Fix for error in calculation and spider diagram
2.1.0 Revision of the maturity levels, corrections of some controls
2.1.1 Release version 2.1
2.1.2 Print area adjusted
2.1.3 Spider diagram shows result without cutback to target maturity levels
Control 13.5 revised
Control 7.1 maturity level 1 revised
Controls 9.4 and 9.5 reference revised
2.1.4 Maturity Control changed from 12.4 into 4

Maturity Control changed from 16.3 into 3
Addition of KPIs
Spell checking in maturity level 3
3.0.2 Revision for TISAX

Module Connection of third parties included
Module Prototype protection (25) included, derived from the Whitepaper from 6.10.2016
Module Data Protection (24) included, reference to 18.2 removed, maturity levels removed from the module,
references from the Level 1 generated instead. Reference included (ISMS, 18.2) showing that the Data
Protection module will be used only once in a commissioned data processing according to §11 BDSG,
implementation of questions “fulfilled [yes/no]”
400375344.xlsx /
Change history

Kopie Von VDA-ISA - EN - 4-0-4 - 2018-09-24

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Kopie Von VDA-ISA - EN - 4-0-4 - 2018-09-24

Uploaded by

Copyright:

Available Formats

Information Security Assessment

VDA ISA provides the basis for

Connection to third parties (23):

Prototype protection (25):

Data protection (24):

Management of work products (PA 2.2):

This includes, among others, the following documents (GWP):

Process deployment (PA 3.2):

This includes, among others, the following documents (GWP):

Process control (PA 4.2):

This includes, among others, the following documents (GWP):

Continuous optimization (PA 5.2):

This includes, among others, the following documents (GWP):

- This must include

The interpretation of the respective requirement category is to be understood as follows.

“This must include”

“This should include”

“This may include”

“Additionally in case of high protection needs”

“Additionally in case of very high protection needs”

Short description of the group

D&B D-U-N-S® No.

Date of the assessment:

Version: 4.0.4 / 2018-09-24

15 Supplier Relationships 8 Asset Management

14 System acquisition, development and maintenance 9 Access Control

13 Communications Security 10 Cryptography

Question Target maturity

Result with cutback to target

Question Target maturity

Information Security Assessment

Question Target maturity

based on ISO 27001:2013

e a question does not apply, please insert na (not applicable).

(Reference to ISO 27001: 4 and 5.1)

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

(Reference to ISO 27001: 8.2 and 6.1.2)

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

To what extent is the effectiveness of the ISMS ensured?

This must include:

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

Information Security Policies

(Reference to ISO 27001: Control A.5.1.1 and A.5.1.2)

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

Organization of Information Security

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

This must include:

This should include: