Vda Isa 5.0.4 - en

INTERNAL #
Information Security Assessment
The ISA provides the basis for

- a self assessment to determine the state of information security within the organization (e.g. company)
- audits performed by internal departments (e.g. Internal Audit, Information Security)
- a review in accordance with TISAX (Trusted Information Security Assessment Exchange, http://enx.com/tisax/)
The ISA consists of several tabs, the content and function of which are explained below. You will find actual requirements in the
Information Security, Data Protection and Prototype Protection.
With Version 5, the ISA structures requirements no longerin lines, but in columns. Additionally, it has introduced new numbering
combined topics. It retains the numbering of ISA 4 for easier finding of control questions according to the previous structure or t
rearrangement.
Maturity levels:
ISA provides assessment of the implementation by means of a six-level maturity model as defined in this tab. The maturity leve
comprise Incomplete, Performed, Managed, Established, Predictable and Optimizing.
With this ISA version, the target maturity level for all control questions is 3 (Established).
Definitions:
Under Definitions, the key terms of the requirements to be fulfilled are described. The associated requirements can be assigned
categories MUST and SHOULD, Additionally in case of HIGH protection needs and Additionally in case of VERY HIGH protecti
This subdivision is necessary as information of high and very high protection needs requires special protective measures.
Additionally, key terms and abbreviations are listed and explained in this tab.
Cover:
The cover contains boxes for information on the implementing organization, the scope of the assessment, the auditor and the c
person of the assessed organization.
Information Security:
The tab “Information Security” includes all basic controls based on the standard ISO/IEC 27001. The control questions themsel
formulated as questions. The objective of the respective control and the requirements for achieving it are listed in accordingly d
columns.
You must assess each control according to the degree to which the objective is achieved. You can record the assessed maturit
(as described in the tab “Maturity levels”) of each control in column E. The maturity levels will be automatically transferred to the
“Results”.
Additional columns give examples to support potential implementation.
Prototype Protection:
Prototype protection includes vehicles, components and parts which are classified as requiring protection but have not yet been
to the public and/or published in adequate form by the OEM.
The commissioning OEM department is responsible for classifying the protection needs of vehicles, components and parts. The
requirements for prototype protection are to be applied for protection classes High and Very high according to ISA.
Data Protection:
Use this tab only if you are processing personal data within the meaning of Art. 28 of the EU General Data Protection Regulatio
contains controls requiring merely yes/no answers.
INTERNAL #
Results (ISA5):
This tab will summarize and present the results of the individual tabs (assessment catalogue pages) in printing format in the ne
simplified structure of ISA 5.
The spider web diagram provides an overview of all controls. The list of all controls shows the target maturity levels to be achie
When calculating the overall result, the results of controls overachieving their target maturity level are cutback and averaged. T
ensures that the requirements are comprehensively fulfilled and that there is no compensation of overachieved and underachie
controls.
Results (ISA4):
This tab will summarize and present the results of the individual tabs (assessment catalogue pages) in printing format in the cla
structure of ISA 4.
The spider web diagram provides an overview of all controls. The list of all controls shows the target maturity levels to be achie
When calculating the overall result, the results of controls overachieving their target maturity level are cutback and averaged. T
ensures that the requirements are comprehensively fulfilled and that there is no compensation of overachieved and underachie
controls.
Examples KPI:
This tab shows examples of Key Performance Indicators (KPI) for measuring process results both for controls for which the ISA
defined a target maturity level of 4 and for controls where a measurement appears useful. The tab content provides support for
own suitable KPIs. It does not present mandatory requirements for achieving maturity level 4. In many cases, the definition of K
mandatory, but may be helpful for a central management of information security at many locations.
License:
License conditions under which the ISA is published.
Change history:
List of changes during the ISA lifecycle.
We recommend you to start with the tab “Information Security” thereby gaining an overview of the state of your information secu
ENX WG ISA and the VDA Working Group Information Security wish you every success.
INTERNAL#
Company / Organization:*
Address:*
Scope/TISAX Scope ID*
D&B D-U-N-S® No.
Date of the assessment:*
Contact person:*
Telephone number:*
E-mail address:*
Creator:*
Signature:
Version: 5.0 | Revision 4 | 2021-04-16

INTERNAL #

Maturity levels
The answer to the control questions is a maturity level in a generic maturity model used to quantify the maturity of the corresponding processes. Determination of the maturity
level requires that objective evidence of compliance with the requirements of the respective level is provided during the assessment. This can be done, for example, by
means of work products resulting from the processes of the controls or by means of interview statements by persons carrying out the process.
Maturity level 0 Maturity level 1 Maturity level 2

Name Incomplete Performed Managed
Informal description A process is not available, not followed or not suitable for achieving its objective. An undocumented or incompletely documented (a. k. a. informal) process is A process achieving its objectives is followed. Process documentation and process
followed and indicators exist that it achieves its objective. implementation evidence are available.
Definition A process is not implemented or fails to achieve its process purpose. Little or no - The implemented process achieves its (process) purpose. Control of process implementation (PA 2.1):
evidence exists of any systematic achievement of the process purpose. - There is evidence that the intended base practices are implemented. - Objectives for the performance of the process are identified.
- Implementation of the process is planned and monitored.
- Implementation of the process is adjusted to meet plans.
- Responsibilities and authorities for implementing the process are defined,
assigned and communicated.
- Resources and information necessary for implementing the process are
identified, made available, assigned and used.
- Interfaces between the involved parties are managed to ensure effective
communication and clear assignment of responsibilities.
Work Product Management (PA 2.2):
- Requirements for the work products of the process are defined
- Requirements for documentation and control of the work products are defined.
- Work products are appropriately identified, documented and controlled.
- Work products are reviewed in accordance with planned measures and adjusted
as necessary to meet requirements.
Possible evidence + Work products providing evidence of process outcomes. + Process documentation
(GWP) + Process plan
+ Quality plan/records
+ Process implementation records
INTERNAL #
Maturity level 3 Maturity level 4 Maturity level 5

Established
Predictable Optimizing
A standard process integrated into the overall system is followed. Dependencies An established process is followed. The effectiveness of the process is continually A predictable process with continual improvement as a major objective is
on other processes are documented and suitable interfaces are created. Evidence monitored by collecting key figures. Limit values are defined at which the process followed. Improvement is actively advanced by dedicated resources.
exists that the process has been used sustainably and actively over an extended is considered to be insufficiently effective and requires adjustment. (Key
period. Performance Indicators)
Process Definition (PA 3.1): Process Measurement (PA 4.1): Process Innovation (PA 5.1)
- A standard process, including appropriately adapted requirements, is defined - Process information requirements in support of relevant defined business goals - Process improvement objectives are defined for the respective process that
which describes the essential elements a defined process must comprise. are established. supports the relevant business goals.
- The sequence and interaction of the standard process with other processes are - Process measurement objectives are derived from process information - Appropriate data are analyzed to identify the common causes of variations in
determined. requirements. process performance.
- Competencies and roles required for process implementation are identified as - Quantitative objectives for process performance in support of relevant defined - Appropriate data are analyzed to identify options for best practice and
part of the standard process. business goals are established. innovation.
- The infrastructure and work environment required for process implementation - Characteristic values and frequency of measurements are identified and defined - Improvement options derived from new technologies and new process concepts
are identified as part of the standard process. in line with process measurement objectives and quantitative objectives for are identified.
- Suitable methods for monitoring the effectiveness and suitability of the process process performance. - An implementation strategy is established to achieve the process improvement
are determined. - Results of measurement are collected, analyzed and reported in order to objectives.
monitor the extent to which the quantitative
Process Deployment (PA 3.2): objectives for process performance are met. Continuous Optimization (PA 5.2):
- A defined process based on an appropriately selected and/or tailored standard - Measurement results are used to characterize process performance. - Impact of all proposed changes is assessed against the objectives of the defined
process is deployed. process and the standard process.
- Required roles, responsibilities and authorities for implementing the defined Process Control (PA 4.2): - Implementation of all agreed changes is managed to ensure that any disruption
process are assigned and communicated. - Analysis and control techniques are determined and applied, as applicable. to the process performance is understood and addressed.
- Staff performing the defined process are competent on the basis of appropriate - Variable control limits are established for normal process implementation. - Based on actual performance, effectiveness of process change is evaluated
education, training and experience. - Measurement data is analyzed for special variations. against the defined process requirements and process objectives to determine
- The necessary resources and information required for implementing the defined - Corrective actions are taken to address special variations. whether results are corresponding to common or special cases.
process are made available, allocated and used. - Control limits are re-established (as necessary) following corrective action.
- The necessary infrastructure and work environment required for implementing
the defined process are available, managed and maintained.
- Suitable data is collected and analyzed as a basis for understanding the
behaviour of the process, to demonstrate its suitability and effectiveness, and to
evaluate where continual process improvement (CPI) can be made.
+ Process documentation + Process documentation + Process improvement plan

+ Process plan + Process control plan + Process measurement plan
+ Quality records + Process improvement plan + Process implementation records
+ Policies and standards + Process measurement plan
+ Process implementation records + Process implementation records
INTERNAL #

Key terms
Term Explanation Examples
Protection class “normal”, The potential damage to the organization is limited and manageable. Confidentiality classification “internal”
normal protection needs
Protection class “high”, The potential damage to the organization may be substantial. Confidentiality classification “confidential”
high protection needs
Protection class “very high”, The potential damage to the organization may reach an existentially threatening, catastrophic extent. Confidentiality classification “strictly confidential”
very high protection needs
Requirements (must) The requirements indicated in this column are strict requirements without any exemptions.
Requirements (should) The requirements indicated in this column are principally to be implemented by the organization. In certain
circumstances, however, there may be a valid justification for non-compliance with these requirements. In case of
any deviation, its effects must be understood by the organization and it must be plausibly justified.
Additional requirements in case of high The requirements indicated in this column must be additionally fulfilled where the assesed object requires high
protection needs protection needs.
Additional requirements in case of very high The requirements indicated in this column must be additionally fulfilled where the assessed object requires very
protection needs high protection needs.
Result (Maturity level) The result tabs ISA5 and ISA4 show all results as originally selected. The ltarget maturity level line does not include
controls that are set to not applicable (n/a). However, the calculation of the averege maturity level does calculate
the maturtiy level only up to the maximum of the target maturity level of each control.
INTERNAL #
Glossary
Term Abbreviation Explanation Examples
Information Asset Information representing an essential asset for the organization and therefore requiring a protection need.
Business secrets, critical business processes, know-how,
patents
Supporting Asset Supporting assets (electronic and physical) are used for storing, processing and transporting information assets.
Mobile data storage devices, IT systems, IT services/IT
service providers, paper documents
Classification of information The value of the information for the organization is determined based on the relevant protection objectives of
information security (confidentiality, integrity and availability). This enables the organization to take adequate
protective measures.
Information security risk management ISRM Information security risk management is intended for the timely detection, evaluation and addressing of risks in
order to achieve the protection objectives of information security. This enables the organization to establish
adequate measures for the protection of its information assets under consideration of prospects and risks.
Information security risks Risks existing in the preparation and processing of information. These are based on potential events having negative
impact on achieving the protection objectives of information security.
Non-disclosure agreements NDA Non-disclosure agreements provide legal protection of an organization’s information particularly where information
is exchanged beyond the boundaries of the organization.
IT system Any type of system used for electronic information processing.
Computer, server, cloud, communication systems, video
conference systems, smartphones, tablets
An application or service run on an IT-system used by other IT-systems for communication via a data network.
Network service
IT services Services in the field of information technology.
Business Continuity Management BCM The Business Continuity Management should ensure that critical business processes can be provided during and
after crises situations
IT Service Continuity Management ITSCM The IT Service Continuitiy Management should ensure that business critical IT Services can be provided during and
after crises situations.
Prototype Prototypes are vehicles, components and parts which are classified as requiring protection but have not yet been
presented to the public and/or published in adequate form by the OEM.
Information security management system ISMS The information security management system is a control mechanism used by the organization’s management to
ensure that information security is the result of sustainable management rather than merely coincidence and
individual effort.
Security zones Security zones provide physical protection of information assets. The more sensitive the information assets to be Storage spaces, garages, workshops, test tracks, data
processed are, the more protective measures are required. processing centers, development areas
‘personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural
person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name,
an identification number, location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data
Measurement for the “maturity” of the overall ISMS or parts thereof. This is the degree of structuring and
systematic management of the overall process or parts thereof. For the maturity levels used in this document, the
requirements listed under the tab “Maturity levels” apply.
Maturity level
OEM Car/automobile manufacturer
Original Equipment Manufacturer
INTERNAL #
GWP A arbitrary result arising from the implementation of a process.

Generic Work Product
PA A measurable characteristic regarding a process capability that is applicable to each process.
Process Attributes
INTERNAL #

Questionary
ISA ISA Maturity
Classic New level Control question
1 IS Policies and Organization

1.1 Information Security Policies
To what extent are information
security policies available?
05.1 1.1.1
1.2 Organization of Information Security

To what extent is information
security managed within the
organization?
01.1 1.2.1

security responsibilities organized?
06.1 1.2.2

security requirements taken into
account in projects?
06.2 1.2.3
INTERNAL #
To what extent are responsibilities

between external IT service
providers and the own organization
defined?
06.4 1.2.4
1.3 Asset Management

assets identified and recorded?
08.1 1.3.1

assets classified and managed in
terms of their protection needs?
08.2 1.3.2
To what extent is it ensured that

only evaluated and approved
external IT services are used for
processing the organization’s
information assets?
14.4 1.3.3
1.4 IS Risk Management

INTERNAL #

security risks managed?
01.2 1.4.1
1.5 Assessments
To what extent is compliance with
information security ensured in
procedures and processes?
18.4 1.5.1
To what extent is the ISMS

reviewed by an independent entity?
18.3 1.5.2
1.6 Incident Management

INTERNAL #

security events processed?
16.1 1.6.1
2 Human Resources
To what extent is the suitability of
employees for sensitive work fields
ensured?
07.1.a
(new) 2.1.1
To what extent is all staff

contractually bound to comply with
information security policies?
07.1 2.1.2
INTERNAL #
To what extent is staff made aware

of and trained with respect to the
risks arising from the handling of
information?
07.2 2.1.3
To what extent is teleworking

regulated?
06.3.a
(new) 2.1.4
Physical Security and Business

3 Continuity
INTERNAL #
To what extent are security zones

managed to protect information
assets?
11.1 3.1.1

security ensured in exceptional
situations?
17.1 3.1.2
To what extent is the handling of

supporting assets managed?
11.4 3.1.3
INTERNAL #
To what extent is the handling of

mobile IT devices and mobile data
storage devices managed?
06.3 3.1.4
4 Identity and Access Management

4.1 Identity Management
To what extent is the use of
identification means managed?
09.2.a 4.1.1
(new)
To what extent is the user access to

network services, IT systems and IT
applications secured?
09.1 4.1.2
To what extent are user accounts

and login information securely
managed and applied?
09.2 4.1.3
4.2 Access Management

INTERNAL #
To what extent are access rights

assigned and managed?
09.5 4.2.1
5 IT Security/Cyber Security
5.1 Cryptography
To what extent is the use of
cryptographic procedures
managed?
10.1 5.1.1

protected during transport?
13.4 5.1.2
5.2 Operations Security

To what extent are changes
managed?
12.1 5.2.1
To what extent are development

and testing environments separated
from operational environments?
12.2 5.2.2
INTERNAL #
To what extent are IT systems

protected against malware?
12.3 5.2.3
To what extent are event logs

recorded and analyzed?
12.5 5.2.4
To what extent are vulnerabilities

identified and addressed?
12.7 5.2.5
To what extent are IT systems

technically checked (system audit)?
12.8 5.2.6
INTERNAL #
To what extent is the network of

the organization managed?
13.1 5.2.7
5.3 System acquisitions, requirement management and development

security considered in new or
further development of IT systems?
14.1 5.3.1
To what extent are requirements

for network services defined?
13.2 5.3.2
To what extent is the return and

secure removal of information
assets from external IT services
08.4 5.3.3 regulated?

protected in shared external IT
services?
09.6 5.3.4
6 Supplier Relationships
INTERNAL #

security ensured among suppliers
and cooperation partners?
15.1 6.1.1
To what extent is non-disclosure

regarding the exchange of
information contractually agreed?
13.5 6.1.2
7 Compliance
INTERNAL #
To what extent is compliance with

regulatory and contractual
provisions ensured?
18.1 7.1.1
To what extent is the protection of

personal data taken into account
when implementing information
security?
18.2 7.1.2
01 ISMS
01.1 Release of an Information Security Management System (ISMS)
01.2 IS Risk Management
01.3 Effectiveness of the ISMS
Included in Question 01.1
01.3
05 Information Security Policies
05.1 Information Security Policy
06 Organization of Information Security
06.1 Assigning responsibility for information security
06.2 Information Security in projects
06.3 Mobile devices
06.4 Roles and responsibilities for external IT service providers
07 Human Resources Security
07.1 Contractual information security obligation of employees
07.2 Awareness and training of employees
08 Asset Management
08.1 Inventory of assets
08.2 Classification of information
08.3 Storage of information on mobile storage devices
08.3
08.4 Removal of externally stored information assets
09 Access Control
09.1 Access to networks and network services
09.2 User registration
09.3 Privileged user accounts
09.3
09.4 Confidentiality of authentication data
09.4
09.5 Access to information and applications
09.6 Separation of information in shared environments
10 Cryptography
10.1 Encryption
11 Physical and Environmental Security
INTERNAL #
11.1 Security zones

11.2 Protection against external influences and external threats
11.2
11.3 Protective measures in the delivery and shipping area
11.3
11.4 Use of equipment
12 Operations Security
12.1 Change management
12.2 Separation of development, testing and operational environments
12.3 Protection against malware
12.4 Backup procedures
Included in questions 06.3 and 17.1
12.4
12.5 Event logging
12.6 Logging administration activities
12.6
12.7 Tracing of vulnerabilities (patch management)
12.8 Review of information systems
12.9 Consideration of critical administrative functions of cloud services
Question not applicable
12.9
13 Communications Security
13.1 Management of networks
13.2 Security requirements for networks/network services
13.3 Separation of networks (network segmentation)
13.3
13.4 Electronic exchange of information
13.5 Non-disclosure agreements for information exchange with third parties
14 System acquisition, development and
14.1 Requirements for the acquisition of information systems
14.2 Security in the software development process
14.2
14.3 Management of test data
14.3 n.a.
14.4 Approval of external IT services
15 Supplier Relationships
15.1 Risk management in collaboration with suppliers
15.2 Review of service provision by suppliers
15.2 n.a.
16 Information Security Incident Manag
16.1 Reporting system for information security incidents (incident management)
16.2 Processing of information security incidents
16.2 n.a.
17 Information Security Aspects of Busi
17.1 Information Security Aspects of Business Continuity Management (BCM)
18 Compliance
18.1 Legal and contractual provisions
18.2 Confidentiality and protection of personally identifiable data
INTERNAL #
18.3 Audit of the ISMS by independent bodies

18.4 Effectiveness check
INTERNAL #
Assessment
Measures/recommendations
tion Security
.
INTERNAL #
uirement management and development

INTERNAL #
n Security Management System (ISMS)
or information security
s for external IT service providers
security obligation of employees

of employees
n mobile storage devices
ored information assets
network services
tication data
d applications
n in shared environments
INTERNAL #
nal influences and external threats
he delivery and shipping area
ent, testing and operational environments
(patch management)
administrative functions of cloud services
r networks/network services
network segmentation)
nts for information exchange with third parties
quisition of information systems

development process
aboration with suppliers

on by suppliers
ormation security incidents (incident management)

n security incidents
ects of Business Continuity Management (BCM)
ection of personally identifiable data

INTERNAL #
ependent bodies
INTERNAL #
Further information
INTERNAL #
Contractual requirements include, for example, customer requirements

INTERNAL #
Focus point: Constructional and organizational measures

+ Security zone 1 (green): Area with constructional, technical or organizational or staff-related
security measures, not freely accessible, usually internal scopes
+ Security zone 2 (yellow): Area with additional protective measures, protection of information
assets with high protection needs, usually also confidential scopes (e.g. development know-
how)
+ Security zone 3 (red): Area with principally very high security requirements, protection of
information assets with very high protection needs, usually also strictly confidential scopes (e.g.
design)
Focus point image recording devices

Area 1 (green): Area with constructional, technical or organizational or personal security
measures, not freely accessible, usually internal scopes
Area 1 (yellow): Area with additional protective measures, protection of information assets
with high protection needs, usually also confidential scopes (e.g. development know-how)
Area 3 (red): Area with principally very high security requirements, protection of information
assets with very high protection needs, usually also strictly confidential scopes (e.g. design)
INTERNAL #
For the purposes of ISA, the term supplier includes classic suppliers and contractors as well as
classic service providers, freelancers or other partner organizations. The control also includes
cooperation partners (e.g. academic institutions).
The explanations below describe a possible procedure for fulfilling the requirements:
Identification of suppliers and specification of protection needs and security requirements:

At first, all suppliers should be identified (e.g. via the list of creditors of the accountants
department) in order to gain an initial overview.
For all contractors, the respective protection needs should be specified and the security
requirements derived according to their tasks and the relevance to own and customer’s
processes.
Generally, a large number of suppliers will be found to not require the assignment of relevant
protection needs and to be therefore not subject to security requirements (e.g. suppliers of
office supplies).
Ensuring implementation by the contractor:

In the next step, the applicable requirements should be made known to all security-relevant
suppliers in a suitable manner and (contractually) agreed on as being mandatory. Finally, a
decision should be made as to how the implementation of the security requirements can be
appropriately verified. For this purpose, adequate verification processes and procedures should
be defined according to the respective risk (and the associated protection needs). Their
purpose is to ensure that suppliers implement the necessary requirements.
Establishment in standard processes:

Based on the gathered findings, a reasonable procedure should be developed and incorporated
into the existing processes of the B2B/supplier management. This starts with the selection of
the supplier, where aspects of information security should already be taken into account
alongside criteria such as quality, adherence to delivery dates, credit rating etc. The
procurement process should be such that the relevance of information security has already
been taken into account beforehand (with respect to the procurement decision; contract
design; inspection requirements).
Furthermore, it is recommended to incorporate information security aspects into existing
processes for supplier evaluation which have already been established by e.g. an existing
quality management system.
Contractually specified deliverables (e.g. availability requirements) should be verified at regular
intervals. This can be done by e.g. regular analysis of service reports and SLAs.
INTERNAL #
Support:
Examples “Normal protection need”
Classification of projects can be conducted e.g. as follows

- VIVA (Confidentiality, Integrity, Availability, Authenticity)
- CIA (Confidentiality, Integrity, Availability)
INTERNAL #
It is not necessary to list all information, it is also possible to form categories instead (e.g. core
data of employees – responsible department: Human Resources)
INTERNAL #
Security zone 1 (green)

Focus point: Constructional and organizational measures
Persons with access authorization (internal): According to the work task, each person within the
organization
Persons with access authorization (external): Written non-disclosure confirmation, non-
disclosure agreement with the partner company is in effect
Visitor policy: Registered visitors only, non-disclosure policy, unaccompanied presence in
designated areas permitted
Access control: Protection against unauthorized access
Visibility: Clean desk
Surveillance: If applicable, CCTV surveillance (criminal damage prevention)
Resistance values: Appropriate anti-intrusion measures, if possible, observe onion-shell
principle
Printer: No specific measures
Disposal of information: no specific measures

Carrying along:
Organization employee: Unsealed carrying permitted
Partner company employees/visitors: Unsealed carrying permitted
Use (e.g. photographing):
Organization employee: Use permitted
Partner company employees/visitors: Use not permitted
INTERNAL #
Desktop firewall, Linking to loopback interfaces

INTERNAL #
Possible measures:
- Use of security technologies such as firewall systems, intrusion detection and prevention
systems (IDS/IPS), network management tools, security software for networks for preventing
unintended data exchange.
INTERNAL #

Critical questions of this evaluation are whether suppliers, while fulfilling their tasks
1) are granted access to or insight of information or security zones of the company rated with
normal protection needs regarding confidentiality, or
2) provide or can relevant information with normal protection needs regarding integrity, or
3) can have relevant impact on processes or IT systems with normal protection needs regarding
availability (cf. internal or customer-related SLAs).
Typical suppliers with normal protection needs are e.g. cleaning services for general areas,
classic logistics companies or maintenance staff.
The minimum requirements for information security (in relation to the respective protection
objective) should be defined in a policy (e.g. information security policy for service providers).
These requirements can be based on the requirements of the ISA described herein in addition
to the company-specific requirements. This policy can be supplemented according to the
specific order.

The security requirements should be made known to the contractor, e.g. at procurement, in
briefings (project meetings) by corresponding documents (e.g. information security policy for
service providers) or when entering the premises (in case of contractors providing their services
on site). Compliance with the information security requirements should be contractually fixed.
At this point already, potential further subcontractors of the contractor should also be
considered, as relevant. This can be done by individual agreements such as general terms and
conditions of purchase, for example. In many cases, suppliers (e.g. IT service providers) already
assure compliance with security requirements in their standard contracts.
In order to ensure compliance with the requirements in a suitable manner, simple mechanisms
should be established. This may include, for example:
- as a minimum, submission of a management-confirmed self-disclosure (e.g. ISA) or a suitable
attestation/certificate
- right to and execution of irregular sampling and event-related inspections.
INTERNAL #
Relevant requirements might result from requirements such as:

- Author’s rights
- Cryptography
- Copyright
- Intellectual property
- Archiving
- Information security legislation
- Data protection
- Business Secret Protection Act
INTERNAL #
Support:
Examples “High protection need”
INTERNAL #
Security zone 2 (yellow)

Focus point: Constructional, technical and organisational measures
Stability of the outer skin (e.g. windows, doors, gates, walls, roof, floor) ensures basic
protection against intrusion attempts with simple tools such as screwdrivers, hammers, tongs
or wedges. Openable components in the outer skin are mechanically secured against
unauthorized opening (e.g. by means of lockable bolts, locks).
Evidence of adequate implementation must be provided by means of a corresponding risk
assessment under consideration of the determined risk class – Guidance for risk assessment:
Implementation of the requirement without minimum resistance time
Evidence of implementation can also be provided by means of acceptance protocols or
installation certificates according to resistance class standards such as RC 2 in accordance with
DIN EN 1627.
Persons with access authorization (internal): Limited circle of authorized persons, regular
verification of granted access rights, observation of need-to-know principle
Visitor policy: Registered visitors only, written non-disclosure confirmation, generally personal
escorting by own staff
Access control: Zone entrance is guarded by means of access controls (e.g. access reader,
locking system)
Visibility: Protective measures according to the risk assessment for the site or the IT systems
are established (e.g. local privacy screen/soundproofing)
Surveillance: if applicable, CCTV surveillance
Printer: PIN printing (print-to-me) or printer within the zone
Disposal of information: Data protection waste container or P4 shredder within the zone
Carrying along:
Organization employee: Unsealed carrying permitted
Partner company employees/visitors: Only sealed carrying permitted
Organization employee: Use at office workstations permitted, elsewhere only upon permission
Partner company employees/visitors: Use not permitted, use of organization-owned devices
upon permission
INTERNAL #
- e-mail encryption by means of TLS

- access to websites via https://
INTERNAL #

high protection needs regarding confidentiality, or
2) provide or can alter relevant information with high protection needs regarding integrity, or
3) can have relevant impact on processes or IT systems with high protection needs regarding
availability (cf. internal or customer-related SLAs).
Typical suppliers with high protection needs are e.g. cleaning services autonomously cleaning
relevant security zones, IT service providers (e.g. data base administrators), consultants,
agencies and contractors (e.g. tool designers to whom project data need to be forwarded).
Obviously, suppliers with high protection needs are subject to the minimum information
security requirements regarding the respective protection objective. These requirements
should be individually supplemented with necessary general requirements (e.g. see ISA, high
protection needs) and order-specific requirements.
Ensuring implementation by the supplier:

The procedure described for normal protection needs can be used as a starting point.
Besides the obligation regarding implementation of an adequate information security level and
the non-disclosure obligation, a right to audit or appropriate controls (regular auditing of the
contractor) should be should be contractually agreed on. This may also include an obligation to
participate in TISAX.
- supplier requires TISAX label for high protection needs or equivalent (e.g. ISO 27001,
certificate of corresponding scope)
- right to and execution of regular sampling and event-related inspections.
INTERNAL #
Support:
Examples “Very high protection need”
INTERNAL #
Security zone 3 (red)

Focus point: Constructional, technical and organisational measures
Persons with access authorization (internal): Highly limited circle of authorized persons, regular
verification of granted access rights, observation of need-to-know principle
Visitor policy: Registered visitors only, written non-disclosure confirmation, permanent
escorting by own staff, inquiry whether any devices are carried along prior to entering the area
and corresponding device securing measures (see Table Optics)
Visibility: Protective measures according to the risk assessment for the site or the IT systems
are established (e.g. permanent privacy shielding/soundproofing)
Surveillance: if applicable, CCTV surveillance, if applicable, intrusion detection system
Resistance values: In the absence of enclosure, windows and doors in the outer skin designed
according to RC2 or equivalent depending on risk assessment
Printer:
PIN printing (print-to-me) or printer within the zone
Disposal of information: Data protection waste container or P5 shredder within the zone
Carrying along:
Organization employee: Only sealed carrying permitted
Partner company employees/visitors: Carrying generally prohibited
Organization employee: Use only upon permission
Partner company employees/visitors: Use generally prohibited
INTERNAL #
- e-mail encryption by means of S/MIME, PGP

- encrypted PDF files, encrypted ZIP files
INTERNAL #
Identification of controls and specification of protection needs and security requirements:

very high protection needs regarding confidentiality, or
2) provide or can alter relevant information with very high protection needs regarding integrity,
or
3) can have relevant impact on processes or IT systems with very high protection needs
regarding availability (cf. internal or customer-related SLAs).
Typical suppliers with very high protection needs are IT service providers (e.g. domain
administrators), consultants, agencies, subcontractors (e.g. CAD designers to whom extensive
project data of very high protection needs need to be forwarded) and prototype
manufacturers.
Obviously, suppliers with very high protection needs are subject to the minimum information
security requirements regarding the respective protection needs. These requirements should
be individually supplemented with necessary general requirements (e.g. see ISA, very high
protection needs) and order-specific requirements. The difference to high protection needs is
essentially the number and quality of the necessary additional requirements.
Here, the procedure described for high protection needs can be used as a starting point.
Besides the obligation regarding implementation of an adequate information security level and
the non-disclosure obligation, a right to audit and/or appropriate controls (regular auditing of
the contractor) should be contractually agreed on . This should also include an obligation to
participate in TISAX.
- supplier requires TISAX label for very high protection needs
- right to and execution of regular and event-related thorough inspections (if applicable,
supplemented with supporting certificates).
INTERNAL #
Possible questions (examples, not mandatory)

INTERNAL #
+ Which suppliersreceive or process data in need of protection?

+ Which suppliers are granted access to security zones?
+ Are any further contractual agreements regarding information
security other than the non-disclosure agreement in effect?
+ How is the compliance with contractual agreements by the
supplier verified?
+ At which points within the company are risk assessments regarding
the employment of suppliers conducted?
+ Is an information security policy for suppliers in place?
+ How is the compliance with policies by the suppliers verified?
+ Which suppliers have been/are reviewed?
+ How is the review documented?
+ Which criteria trigger an assessment process?
+ How are the services rendered by suppliers reviewed?
+ Are networks/IT systems maintained by contractors/service
providers?
+ How do you prevent that suppliers can gain unauthorized access to
information of high/very high protection needs?
INTERNAL #
Possible evidence (not mandatory)

INTERNAL #
+ Template NDA with supplier

+ Example of signed NDA
+ Example of risk assessment (Focus point: information security aspects)
+ Information security policy for suppliers terms and conditions regarding
information security
+ Process description B2B/supplier management (e.g. selection, evaluation,
qualification of suppliers)
+ Viewing of self-disclosures
+ Viewing of attestations/certificates of selected suppliers (e.g. TISAX label;
ISO 27001 certificate)
+ Example of conducted supplier evaluation (focus on information security
aspects)
+ Viewing of audit reports
+ List of approved suppliers
+ Viewing of SLA Reporting
INTERNAL #

Additional prototype protection requirements
ISA ISA Maturity
Classic New level Control question
Prototype Protection
25 8
Physical and Environmental Security

25.1 8.1
To what extent is a security concept

available describing minimum
requirements regarding the physical and
environmental security for prototype
25.1.1 8.1.1 protection?
To what extent is perimeter security

existent preventing unauthorized access
25.1.2 8.1.2 to protected property objects?
To what extent is the outer skin of the

protected buildings constructed such as
to prevent removal or opening of outer-
25.1.3 8.1.3 skin components using standard tools?
To what extent is view and sight

25.1.4 8.1.4 protection ensured in defined security
areas?
To what extent is the protection against
unauthorized entry regulated in the
form of access control?
25.1.5 8.1.5
To what extent are the premises to be

secured monitored for intrusion?
25.1.6 8.1.6
To what extent is a documented visitor

management in place?
25.1.7 8.1.7
INTERNAL #
To what extent is on-site client

segregation existent?
25.1.8 8.1.8
Organizational Requirements
25.2 8.2
To what extent are non-disclosure

agreements/obligations existent
according to the valid contractual law?
25.2.1 8.2.1
To what extent are requirements for
commissioning subcontractors known
and fulfilled?
25.2.2 8.2.2
To what extent do employees and
project members evidently participate
in training and awareness measures
regarding the handling of prototypes?
25.2.3 8.2.3
To what extent are security
classifications of the project and the
resulting security measures known?
25.2.4 8.2.4
To what extent is a process defined for
granting access to security areas?
25.2.5 8.2.5
INTERNAL #
To what extent are regulations for

image recording and handling of created
image material existent?
25.2.6 8.2.6
To what extent is a process for carrying
along and using mobile video and
photography devices in(to) defined
security areas established?
25.2.7 8.2.7
Handling of vehicles, components and
25.3 8.3 parts
To what extent are transports of
vehicles, components or parts classified
as requiring protection arranged
according to the customer
requirements?
25.3.1 8.3.1
To what extent is it ensured that
vehicles, components and parts
classified as requiring protection are
parked/stored in accordance with
customer requirements?
25.3.2 8.3.2
Requirements for trial vehicles
25.4 8.4
To what extent are the predefined

camouflage regulations implemented by
the project members?
25.4.1 8.4.1
To what extent are measures for
protecting approved test and trial
grounds observed/implemented?
25.4.2 8.4.2
To what extent are protective measures
for approved test and trial drives in
public observed/implemented?
25.4.3 8.4.3
INTERNAL #
Requirements for events and shootings
25.5 8.5
To what extent are security
requirements for presentations and
events involving vehicles, components
or parts classified as requiring
25.5.1 8.5.1 protection known?
To what extent are the protective

measures for film and photo shootings
involving vehicles, components or parts
classified as requiring protection
25.5.2 8.5.2 known?
INTERNAL #
ment
irements
Objective
Prototype protection includes vehicles, components and parts which are

classified as requiring protection but have not yet been presented to the public
and/or published in adequate form by the OEM.
The commissioning OEM department is responsible for classifying the protection
need of vehicles, components and parts. The minimum requirements for
prototype protection for the protection classes high and very high must be
applied according to ISA.
The requirements described in this clause apply to all companies which, on their
own properties, manufacture, store or are provided for use vehicles,
components or parts classified as requiring protection.
The necessary measures for prototype protection must be applied to and
implemented on properties and facilities of suppliers, development partners and
service providers. A security concept must be established by the respective
operator. Implementation and observation of the physical and environmental
security measures defined in the security concept must be ensured by the
responsible operator.
Unauthorized access to properties where vehicles, components or parts

classified as requiring protection are manufactured, processed or stored must be
prevented.
Unauthorized access to buildings/security areas where vehicles, components or

parts classified as requiring protection are manufactured, processed or stored
must be prevented.
It must be ensured that unauthorized viewing of vehicles, components or parts

classified as requiring protection is prevented.
It must be ensured that all points of access to security areas where vehicles,
components or parts classified as requiring protection are manufactured,
processed or stored are protected against unauthorized entry by adequate
measures.
It must be ensured that premises where vehicles, components or parts classified

as requiring protection are manufactured, processed or stored are monitored for
intrusion. Timely alarm processing is ensured.
Protection against unauthorized access to security areas where vehicles,

components or parts classified as requiring protection are manufactured,
processed or stored, including traceable documentation.
INTERNAL #
In order to ensure protection of the client-specific know-how at all times, a clear

segregation of clients must be guaranteed. This particularly involves protection
against unauthorized viewing and access to areas where vehicles, components
or parts classified as requiring protection are processed or stored.
The requirements described in this clause apply to all companies which

manufacture or are provided for use vehicles, components or parts classified as
requiring protection.
When transmitting information classified as requiring protection, it must be ensur
When involving subcontractors, the minimum requirements for prototype

protection must be met.
In trainings/awareness seminars on the subject of prototype protection,

employees must obtain the necessary knowledge and skills for a security-
conscious handling of vehicles, components and parts classified as requiring
protection.
It must be ensured that the security classification and requirements in relation to

the project progress are known to and observed by each project member.
A process is defined for the protection against unauthorized access to security

areas where vehicles, components or parts classified as requiring protection are
manufactured, processed or stored.
INTERNAL #
Regulations for recording images of vehicles, components or parts classified as

requiring protection must be defined in order to prevent unauthorized creation
or transmission of such image material.
A process is defined for carrying along and using mobile video and photography
devices in(to) security areas where vehicles, components or parts classified as
requiring protection are manufactured, processed or stored. Unauthorized
creation or transmission of image material must be prevented.
While being transported, vehicles, components and parts classified as requiring

protection must be protected against unauthorized viewing, unauthorized image
recording and access.
While being parked/stored, vehicles, components and parts classified as

requiring protection must be protected against unauthorized viewing,
unauthorized photography and access.
A process for obtaining customer-specific requirements for the handling of trial

vehicles classified as requiring protection is described and implemented. The
requirements described in this chapter are not relevant to components and parts.
When using own properties, the controls described in Clauses 8.1, 8.2 and 8.3
must also be verified. When not using own properties, merely the requirements of
Clauses 8.2 and 8.3 must be met.
It must be ensured, that the camouflage regulations are known to each project
member and observed in order to guarantee adequate view protection of trial
vehicles.
In order to maintain an undisturbed and secured trial operation on test and trial
grounds, the respective protective measures defined by the customer must be
observed.
It must be ensured that the respective customer requirements for the operation
of trial vehicles classified as requiring protection on public roads are known and
observed.
INTERNAL #
Customer-specific security requirements for events and shootings involving

vehicles, components or parts classified as requiring protection are known to
each project member. This must be demonstrated by each company
commissioned with the planning, preparation or execution of events or
shootings.
When using own properties, the controls described in Clauses 8.1, 8.2 and 8.3
must also be verified. When not using own properties, merely the requirements
of Clauses 8.2 and 8.3 must be met.
It must be ensured that the respective customer-specific security requirements

for presentations and events involving vehicles, components or parts classified
as requiring protection are known.
It must be ensured that the respective customer-specific security requirements

for film and photo shootings involving vehicles, components or parts classified as
requiring protection are known.
INTERNAL #
Requirements
(must)
+ A security concept under consideration of the following aspects is

established:
- stability of outer skin
- view and sight protection
- protection against unauthorized entry and access control
- intrusion monitoring
- documented visitor management
- client segregation
+ Unauthorized access to properties is not possible.
+ Unauthorized access to buildings/security areas is not possible.
+ Unauthorized viewing of new developments needing high or very high

protection is not possible.
+ At least one of the following three requirements must be implemented:

- mechanical locks with documented key assignment
- electronic access systems with documented authorization assignment
- personal access control with documentation.
+ Intrusion monitoring of the premises to be secured is ensured:

- an intrusion detection system exists complying with DIN EN 50131 or
conforming to VDS or similar and functioning with alarm tracking to a
certified security service or control unit (e.g. according to DIN 77200,
VdS 3138).
- or 24/7 guarding by a certified security service.
+ Alarm plans are available.
+ Timely alarm processing is ensured.
+ Compulsory registration for all visitors

+ Documented non-disclosure obligation prior to access
+ Publication of security and visitor regulations
+ National legislation regarding data protection must be observed.
INTERNAL #
+ Spatial separation by staff-related or technical measures is in effect

according to the following aspects:
- customers and/or
- projects
- where segregation is not in effect, explicit approval by the customer is
required.
+ A non-disclosure agreement:
- between contractor and customer (on a company level)
- by all employees and project members (personal obligation)
+ National legislation regarding data protection must be observed.
+ Approval by the original customer.

+ Non-disclosure agreement is effective according to the valid contractual
law
- between contractor and subcontractor (on company level)
- by all employees and project members of the subcontractor (personal
obligation)
+ Compliance with the security specifications by the original customer is
ensured (proof is obtained).
+ Proof of the subcontractor’s compliance with minimum requirements for
prototype protection (e.g. certificate, attestation) is provided.
+ Ensuring that trainings/awareness programs are conducted by the

management
+ Training of employees and project members in the handling of prototypes
when entering the project
+ Regular (min. annual) training of employees in the handling of prototypes
+ Ensuring the knowledge among employees and project members
regarding the respective protection needs and the resulting company-
internal measures
+ Compulsory participation in the trainings and awareness measures for
each employee and project member
+ Execution must be documented.
+ The training concept regarding prototype protection is an integral part of
the general training concept (see also Control 2.1.3 Information Security)
+ Ensuring that the security classification and requirements in relation to

the project progress are made known to each project member.
+ Consideration of step-by-step plans, measures for secrecy and
camouflage, development policies.
+ The requirements are considered as a project-related information security
requirement (see Controls 1.2.3 and 7.1.1 Information Security).
+ Responsibilities for access authorization are clearly specified and

documented.
+ A process for new assignments, changes and revocations of access rights
is in place.
+ Code of conduct in case of the loss/theft of access control means.
INTERNAL #
+ Approval procedures for image recording.

+ Specification for classification/categorization of image material.
+ Secure storage of image material.
+ Secure deletion/disposal of image material no longer required.
+ Secured transmission/shipping of image material to authorized recipients
only.
+ Specification for carrying along (e.g. sealed/unsealed, etc.).

+ Specification for use (e.g. phone calls, photography, etc.).
+ A process for obtaining customer-specific requirements for the transport

of vehicles, components and parts classified as requiring protection is
described and implemented.
+ The security requirements defined by the customer are known and
observed.
+ The logistics/transport companies explicitly approved by the customer are
commissioned.
+ A process for reporting any security-relevant events to the customer is
+ The customer-specific requirements for parking/storage are evidently

known and observed.
+ The requirements for using the respective camouflage are known to the
project members.
+ Any changes to the camouflage are made upon documented agreement
with the customer.
+ A process for the immediate reporting of any damages to the camouflage
is described and implemented.
+ A process for obtaining customer-specific requirements for the use of trial

vehicles classified as requiring protection on test and trial grounds is
+ The following aspects must be known to users of test and trial grounds:
- a current list of customer-approved test and trial grounds
- code of conduct for ensuring undisturbed trial operation
- customer-defined protective measures These are implemented.
+ A process for obtaining customer-specific requirements for the operation

of trial vehicles classified as requiring protection on public roads is
+ Protective measures defined by the customer are known and observed.
+ Code of conduct in case of special incidents (e.g. breakdown, accident,
theft ...).
INTERNAL #
+ A process for obtaining customer-specific requirements for presentations

and events involving vehicles, components or parts classified as requiring
protection is described and implemented.
+ Established and customer-approved security concepts (organizationally,
technically,
staff-related).
+ Code of conduct in case of special incidents.
+ A process for obtaining customer-specific requirements for film and photo

shootings involving vehicles, components or parts classified as requiring
protection is described and implemented.
+ Proof of approval for the presumably used premises.
+ Established and customer-approved security concepts (organizationally,
technically,
staff-related).
+ Code of conduct in case of special incidents.
INTERNAL #
Requirements Additional requirements

(should) for vehicles classified as requiring protection
+ Perimeter security None
+ Suitable barriers are in place such as: None

- artificial barriers (fence systems, walls)
- technical barriers (detection)
- natural barriers (plant cover, vegetation).
+ Solid construction (stone, concrete, steel/metal). None

+ Windows and doors in the outer skin are to be built in compliance
with RC2 or better.
+ Sight protection through relevant glass surfaces is ensured. + The spatial situation is also suitable for
+ View into defined security areas through open protecting vehicles classified as requiring
doors/gates/windows is prevented. protection against unauthorized view.
None + The spatial situation is also suitable for
protecting vehicles classified as requiring
protection against unauthorized access.
None None
None None
INTERNAL #
None + The spatial situation is also suitable for

implementing client segregation for vehicles
classified as requiring protection.
None None
None None
None None
None None
None None
INTERNAL #
None None
None None
None None
None None
None None
None None
None None
INTERNAL #
None None
None None
INTERNAL #
Usual person responsible

Addressed protection Reference to other
objectives for process standards
implementation
Confidentiality, Integrity, Operating Mgr.

Availability

Availability

Availability

Availability
Confidentiality, Integrity, Project Mgr.

Availability
Confidentiality, Integrity, IT
Availability
Confidentiality Operating Mgr.

INTERNAL #

Availability
Operating Mgr.
Confidentiality

Availability
Confidentiality, Integrity,
Availability

Availability
Availability
INTERNAL #

Availability
Availability
Operating Mgr.

Availability
Availability
Operating Mgr.

Availability
Availability

Availability
INTERNAL #

Availability

Availability
INTERNAL #
Measures/recommendations Date of detection Date of completion
.
INTERNAL #
Responsible
department Contact
INTERNAL #
Further information
INTERNAL #
Support:
INTERNAL #
Support:
INTERNAL #
Support:
INTERNAL #
Possible questions (examples, not mandatory)

INTERNAL #
Possible evidence (not mandatory)

INTERNAL #
Column4
INTERNAL #

Additional questions regarding data protection for determining a service
ISA ISA Assessment Control question

Classic New
24 9 Data protection
To what extent is the implementation of data protection

organized?
24.1 9.1
To what extent are organizational measures taken in order

to ensure that personally identifiable data is processed in
conformance with legislation?
24.2 9.2
To what extent is it ensured that the internal processes or

workflows are carried out according to the currently valid
data protection regulations and that these are regularly
24.3 9.3 subjected to a quality check?
To what extent are the relevant processing procedures

documented with regard to their admissibility according to
24.4 9.4 data protection law?
INTERNAL #
ction for determining a service provider’s basic suitability to act as a processor within
Requirements
+ Appointment of a data protection officer where legally required, otherwise appointment of a person responsible for data protection
+ Organizational implementation of data protection
- Integration of the data protection officer into the corporate structure
- Voluntary or obligatory appointment of a data protection officer
- Full-time or part-time data protection officer
- Internal or external data protection officer
- Support of the data protection officer by directly assigned employees (department “Data Protection”) depending on the company
- Support of the data protection officer by data protection coordinators in the company departments depending on the size of the c
(e.g. Marketing, Sales, Human Resources, Logistics, Development, etc.)
+ Specification of data protection principles (processing of personally identifiable data) in a documented company-internal data protec
strategy (e.g. company-internal policy).
+ Implementation of company-internal steering committees or responsibilities - in collaboration with the data protection officer - addr
topics relevant to data protection.
+ Implementation of a process which ensures the involvement of the data protection officer in any topics relevant to data protection (
context of a data protection impact assessment).
+ Documentation of work processes when processing personally identifiable data.
+ Documentation of statements and comments of the data protection officer regarding data protection law assessments.
+ Implementation of a process by means of which - in case a subcontracting processor is commissioned - the processor is contractually
otherwise legally obliged to comply with the same data protection requirements as specified by contract between the controller and t
processor.
+ Company-internal work instructions or manuals in specific task fields concerning the processing of personally identifiable data.
+ Employees’ (and, if applicable, subcontractors’) confidentiality obligation.
+ Implementation of technical and organizational measures for supporting the controller in handling data subject rights as far as feasib
appropriate for processing.
+ Implementation of reporting processes for immediately informing the customer, under consideration of any subcontractors, so the l
reporting deadlines for data protection incidents can be observed.
+ Documentation of subcontracting relationships including contractual regulations with relevant subcontractors, where any right to in
contractual regulation is in any case limited to the subcontractor’s obligations concerning data protection.
+ Implementation of a process for documenting data protection provisions.
+ Capability of implementing data clearing concepts.
+ Implementation of a procedure for regular checking, assessment and evaluation of TOMs.
+ Demonstration of regular checks and optimizations of the data protection management system (e.g. certification).
+ Measures for maintaining confidentiality and integrity when transferring personally identifiable data.
+ Adequate protection mechanisms for reducing unauthorized access to personally identifiable data.
+ Obligatory training of employees entrusted with the processing of personally identifiable data of the customer (e.g. classroom trainin
+ Ensuring implementation of contracts and provisions of the customer.
+ Documentation of essential tasks regarding the processing of personally identifiable data in compliance with legal requirements.
+ Supporting customers in conducting data protection impact assessments and documenting the results thereof.
+ Informing the customer when detecting unlawful data processing, where applicable, under consideration of different national legisla
INTERNAL #
the meaning of Article 28 of the EU General Data Protection Regulation
Usual person responsible for process

implementation
Operating Mgr.
Operating Mgr.
Operating Mgr.
Operating Mgr.
INTERNAL #
ection Regulation
Measures/recommendations Date of detection

INTERNAL #
Date of completion Responsible department Contact

INTERNAL #
Further information
INTERNAL #
Support:
INTERNAL #
Support:
INTERNAL #
Support:
INTERNAL #
Possible questions (examples, not Possible evidence (not mandatory)

mandatory)
INTERNAL #

Results according to VDA ISA 5
Company: 0
Location: 0
Date: 1/1/2020
Result with cutback to target
maturity level:
Maximum score: 3.00
Result per chapter (without cutback):

1 IS Policies and Organization
8 Prototype Protection (na) 2 Human Resources

4
7 Compliance 0 3 Physical Security and Business Continuity
6 Supplier Relationships 4 Identity and Access Management
Target maturity level Result

5 IT Security/Cyber Security
Result per subchapter (without cutback):

1.1 Information Security Policies
1.2 Organization of Information Security
5
8.4 Prototype Protection - Requirements for trial vehicles (na) 1.3. Asset Management
4
8.3 Prototype Protection - Handling of vehicles, components and parts (na) 1.4. IS Risk Management
3
2
8.2 Prototype Protection - Organizational Requirements (na) 1.5 Assessments
8.1 Prototype Protection - Physical and Environmental Security (na) 0 1.6 Incident Management
7.1 Compliance 2.1 Human Resources
6.1 Supplier Relationships 3.1 Physical Security and Business Continuity
5.3 System acquisitions, requirement management and development 4.1 Identity Management
5.2 Operations Security4.2 Access Management Target maturity level Result

5.1 Cryptography
INTERNAL #

Results
maturity level:
Maximum score: 3.00
Details:
Target
No. Subject maturity Result
level
1.1.1 To what extent are information security policies available? 3
1.2.1 To what extent is information security managed within the organization? 3
1.2.2 To what extent are information security responsibilities organized? 3
1.2.3 To what extent are information security requirements taken into account in projects? 3
1.2.4 To what extent are responsibilities between external IT service providers and the own organization 3
defined?
1.3.1 To what extent are information assets identified and recorded? 3
1.3.2 To what extent are information assets classified and managed in terms of their protection needs? 3
1.3.3 To what extent is it ensured that only evaluated and approved external IT services are used for 3
processing the organization’s information assets?
1.4.1 To what extent are information security risks managed? 3
1.5.1 To what extent is compliance with information security ensured in procedures and processes? 3
1.5.2 To what extent is the ISMS reviewed by an independent entity? 3
1.6.1 To what extent are information security events processed? 3
2.1.1 To what extent is the suitability of employees for sensitive work fields ensured? 3
2.1.2 To what extent is all staff contractually bound to comply with information security policies? 3
2.1.3 To what extent is staff made aware of and trained with respect to the risks arising from the handling of 3
information?
2.1.4 To what extent is teleworking regulated? 3
3.1.1 To what extent are security zones managed to protect information assets? 3
3.1.2 To what extent is information security ensured in exceptional situations? 3
3.1.3 To what extent is the handling of supporting assets managed? 3
3.1.4 To what extent is the handling of mobile IT devices and mobile data storage devices managed? 3
4.1.1 To what extent is the use of identification means managed? 3
4.1.2 To what extent is the user access to network services, IT systems and IT applications secured? 3
4.1.3 To what extent are user accounts and login information securely managed and applied? 3
4.2.1 To what extent are access rights assigned and managed? 3
5.1.1 To what extent is the use of cryptographic procedures managed? 3
5.1.2 To what extent is information protected during transport? 3
5.2.1 To what extent are changes managed? 3
5.2.2 To what extent are development and testing environments separated from operational environments? 3
5.2.3 To what extent are IT systems protected against malware? 3
5.2.4 To what extent are event logs recorded and analyzed? 3

INTERNAL #
5.2.5 To what extent are vulnerabilities identified and addressed? 3
5.2.6 To what extent are IT systems technically checked (system audit)? 3
5.2.7 To what extent is the network of the organization managed? 3
5.3.1 To what extent is information security considered in new or further development of IT systems? 3
5.3.2 To what extent are requirements for network services defined? 3
5.3.3 To what extent is the return and secure removal of information assets from external IT services 3
regulated?
5.3.4 To what extent is information protected in shared external IT services? 3
6.1.1 To what extent is information security ensured among suppliers and cooperation partners? 3
6.1.2 To what extent is non-disclosure regarding the exchange of information contractually agreed? 3
7.1.1 To what extent is compliance with regulatory and contractual provisions ensured? 3
7.1.2 To what extent is the protection of personal data taken into account when implementing information 3
security?
Method: - comparison of the top 41 security topics 3.00

- based on ISO 27001 controls
- evaluated according to SPICE ISO 15504
INTERNAL #

Results - Prototype Protection
maturity level:
Maximum score: 3.00
Details:
Target
level
8.1 Physical and Environmental Security
8.1.1 Security concept 3
8.1.2 Perimeter security 3
8.1.3 Stability of outer skin 3
8.1.4 View and sight protection 3
8.1.5 Protection against unauthorized entry and access control 3
8.1.6 Intrusion monitoring 3
8.1.7 Visitor management 3
8.1.8 Client segregation 3
8.2 Organizational Requirements
8.2.1 Non-disclosure obligations 3
8.2.2 Subcontractors 3
8.2.3 Awareness 3
8.2.4 Security classification 3
8.2.5 Access control 3
8.2.6 Film and photo regulations 3
8.2.7 Mobile video and photography devices 3
8.3 Handling of vehicles, components and parts
8.3.1 Transport 3
8.3.2 Parking and storage 3
8.4 Requirements for trial vehicles
8.4.1 Camouflage 3
8.4.2 Test and trial ground 3
8.4.3 Test and trial drives on public roads 3
8.5 Requirements for events and shootings
8.5.1 Presentations and events 3
8.5.2 Film and photo shootings 3
INTERNAL #

Results according to VDA ISA 4 (ISO 2700x)
Company: 0
Location: 0
Date: 1/1/2020
maturity level: 3.00 Maximum score: 3.00
Result per chapter (without cutback):

1 ISMS
25 Prototype Protection (na) 5 Information Security Policies
5
18 Compliance 6 Organization of Information Security

4
3
17 Information Security Aspects of Business Continuity Management
2 7 Human Resources Security
16 Information Security Incident Management 0 8 Asset Management
15 Supplier Relationships 9 Access Control
14 System acquisition, development and maintenance 10 Cryptography
13 Communications Security 11 Physical and Environmental Security

12 Operations Security
Target maturity level Result
INTERNAL #

Results
maturity level: 3.00 Maximum score: 3.00
Details:
Target
level
01.1 Release of an Information Security Management System (ISMS) 3
01.2 IS Risk Management 3
01.3 Effectiveness of the ISMS 3
05.1 Information Security Policy 3
06.1 Assigning responsibility for information security 3
06.2 Information Security in projects 3
06.3 Mobile devices 3
06.3.a (new) Teleworking 3
06.4 Roles and responsibilities for external IT service providers 3
Contractual information security obligation
07.1 of employees 3
07.1.a (new) Qualification of employee(s) 3
07.2 Awareness and training of employees 3
08.1 Inventory of assets 3
08.2 Classification of information 3
08.3 Storage of information on mobile data storage devices 3
08.4 Removal of externally stored information assets 3
09.1 Access to networks and network services 3
09.2 User registration 3
09.2.a (new) Handling of identification means 3
09.3 Privileged user accounts 3
09.4 Confidentiality of authentication data 3
09.5 Access to information and applications 3
09.6 Separation of information in shared environments 3
10.1 Encryption 3
11.1 Security zones 3
11.2 Protection against external influences and external threats 3
11.3 Protective measures in the delivery and shipping area 3
11.4 Use of equipment 3
12.1 Change Management 3
12.2 Separation of development, testing and operational environments 3
12.3 Protection against malware 3
12.4 Backup procedures 3
12.5 Event logging 3
12.6 Logging administration activities 3
12.7 Tracing of vulnerabilities (patch management) 3
12.8 Review of information systems 3
12.9 Consideration of critical administrative functions of cloud services 3
13.1 Management of networks 3
13.2 Security requirements for networks/services 3
13.3 Separation of networks (network segmentation) 3
13.4 Electronic exchange of information 3
13.5 Non-disclosure agreements for information exchange with third parties 3
14.1 Requirements for the acquisition of information systems 3
14.2 Security in the software development process 3
14.3 Management of test data 3 n.a.
14.4 Approval of external IT services 3
15.1 Risk management in collaboration with suppliers 3
15.2 Review of service provision by suppliers 3 n.a.
16.1 Reporting system for information security incidents (incident management) 3
16.2 Processing of information security incidents 3 n.a.
17.1 Information Security Aspects of Business Continuity Management (BCM) 3
18.1 Legal and contractual provisions 3
18.2 Confidentiality and protection of personally identifiable data 3
18.3 Audit of the ISMS by independent bodies 3
18.4 Effectiveness check 3
Method: - comparison of the top 41 security topics 3.00
INTERNAL #
- based on ISO 27001 controls

- evaluated using SPICE ISO 15504

Results - Prototype Protection
maturity level:
Maximum score: 3.00
Details:
Target
No. Topic maturity Result
level
25.1 Physical and Environmental Security
25.1.1 Security concept 3
25.1.2 Perimeter security 3
25.1.3 Stability of outer skin 3
25.1.4 View and sight protection 3
25.1.5 Protection against unauthorized entry and access control 3
25.1.6 Intrusion monitoring 3
25.1.7 Visitor management 3
25.1.8 Client segregation 3
25.2 Organizational Requirements
25.2.1 Non-disclosure obligations 3
25.2.2 Subcontractors 3
25.2.3 Awareness 3
25.2.4 Security classification 3
25.2.5 Access control 3
25.2.6 Film and photo regulations 3
25.2.7 Mobile video and photography devices 3
25.3 Handling of vehicles, components and parts
25.3.1 Transport 3
25.3.2 Parking and storage 3
25.4 Requirements for trial vehicles
25.4.1 Camouflage 3
25.4.2 Test and trial ground 3
25.4.3 Test and trial drives on public roads 3
25.5 Requirements for events and shootings
25.5.1 Presentations and events 3
25.5.2 Film and photo shootings 3
INTERNAL #

Examples of KPIs
Control ISA 5.0 2.1.2 To what extent is staff made aware of and trained with respect 4.1.1 To what extent are user accounts and login information securely managed and applied? 5.2.1 To what extent are changes controlled? 5.2.3 To what extent are IT systems protected against ma
to the risks arising from the handling of information? (Change Management)
Control-ISA-4.1 7.2 Awareness and training of employees 9.2 User registration 12.1 Change management 12.3 Protection against malware
Scope COVERAGE EFFECTIVENESS COVERAGE COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE

Coverage degree of awareness Effectiveness of awareness Coverage degree review “user Coverage degree review Coverage degree Change Coverage degree Endpoint
ID measures measures accounts” “authorizations” Collective accounts Management Change - error rate Security
Employees with raised awareness The contents of awareness Regular reviews of user accounts
represent an important pillar for measures should consider Regular reviewing of systems for for unnecessary authorizations Collective accounts should A high quality of the change A comprehensive Endpoint
unnecessary accounts is a principally not be used or used A comprehensive and consistently Security provides a company with
the information security in a outcomes of information security prerequisite for a consistent and are the prerequisite for a only in exceptional cases since an observed change management management process leads to
company. Awareness measures incidents. The KPI measures the an essential protection against
Description should reach all employees, as far effectiveness of awareness current user base according to the consistent and current
authorization base according to explicit allocation of user activities process is the basis for secure lower error rates among the
performed changes and malware. The KPI measures the
as possible. The KPI measures the measures by collection (based on need-to-know principle. The KPI the need-to-know principle. The is impeded. The KPI measures the operation. The KPI measures the contributes to secure operation. ratio of protected systems
coverage degree of trainings such number or cost) of security measures the coverage degree of KPI measures the coverage degree number of used collective coverage degree of changes The KPI measures the error rate of taking into account approved
the measure “regular user accounts in consideration of complying with the policies.
as e-learnings, classroom incidents with human errors as a review”. of the measure “regular approved exceptions. changes. exceptions.
trainings. cause. authorization review”.
All employees are trained with No information security incidents All systems have valid user All authorizations comply with All collective accounts are All changes are made in Error-free performance of Comprehensive protection of all
Objective (Vision) respect to information security with human error as a cause accounts only current needs reviewed for their necessity conformance to policies changes systems threatened by malware
Recipients Information Security; supervisors Information Security Information Security Information Security Information Security Information Security Information Security Local IT, Information Security
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Frequency (reporting) annually) annually) annually) annually) annually) annually) annually) annually)
to be determined individually (0-

20 low, 20-50 medium, 50+ high) to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
to be determined individually (e.g. possible characteristic for Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, to be determined individually (e.g. to be determined individually (e.g.
Threshold levels Green: > 90%, Yellow: 70-90%, comparability of business units: in Red: < 70%, special case of Red: < 70%, special case of Number red: > 0, Green = 0 Red: < 70%, special case of Green: < 10%, Yellow: 10-30%, Green: > 90%, Yellow: 70-90%,
Red: < 70%) relation to the number of systems relevant to billing: target systems relevant to billing: target systems relevant to billing: target Red: > 30%) Red: < 70%)
employees, e.g. unit: coverage = 100%) coverage = 100%) coverage = 100%)
incidents/100 employees
Assessment of training Quotient: number of approved Quotient: number of protected

management Determining the number of Quotient: number of performed Quotient: number of performed determining the number of and requested changes Quotient: number of reversed systems/total number of systems
Measurement Quotient: number of security incidents with human reviews/total number of systems reviews/total number of users in collective accounts (adjusted for (RFC)/total number of performed changes/total number of (adjusted for authorized
participants/total number of error as a cause in scope scope authorized exceptions) performed changes
employees changes exceptions)
Frequency (measurement) to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) monthly)
Interfaces HR - Training Department - IKS - Incident Management Data Owner, User Management, Data Owner, User Management, User Management IT Operations, Change IT Operations, Change AV Management, IT Operations
Internal Audit Department supervisors supervisors Management Management
E-learnings, classroom training, Incident Mgt. Tool, Ticket System, User registry, authorization User registry, authorization User registry, authorization Project Management, Change Project Management, Change
Components training plan, training register ISMS Tool management tool, IAM platform, management tool, IAM platform management tool, IAM platform Management Management AV console, CMDB
CMDB
INTERNAL #
Data archiving 5 years 5 years 10 years 10 years 5 years 10 years 5 years 5 years
INTERNAL #
IT systems protected against malware? 7.1.1 To what extent is information security ensured in exceptional situations? 5.2.5 To what extent are vulnerabilities identified and addressed? 1.6.1 To what extent are information security events processed? 1.1.1 To what extent are information se
(Patch Management)
tection against malware 12.4 Backup 12.7 Detection of vulnerabilities 16.2 Processing of information security incidents 5.1 Information securit
(Patch management)
EFFECTIVENESS COVERAGE COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE
Effectiveness of updating Coverage degree of restoration Coverage degree Patch Detection rate of information Timely processing of information Creation degree of required
Endpoint Security Coverage degree of backup tests Backup effectiveness Management Effectiveness of patch installation security incidents security incidents policies/documentations
A regular and complete backup A comprehensive patch The contemporary installation of Information security incidents
Current virus signatures are the Regular restoration tests (e.g. by Backup quality must be ensured patches ensures the security of Information security incidents
prerequisite for an effective provides protection against the restoring data or systems) is by correlating controls. Measures management protects the systems and applications and have to be detected and timely have to be adequately prioritized Under an ISMS,
Endpoint Security. The KPI loss of data, e.g. in case of a essential to the availability of are e.g. data restore, system company against malware and therefore reduces the exploit handled in order to protect the and handled according to their mandatory/voluntary
system failure or malware exploits. The KPI measures the company from damages. The KPI policies/documentations must be
measures the target state and the infection. business information. restorations. inclusion of systems and windows for the company. The measures the compliance of the criticality. The KPI measures the prepared.
actual state of virus definitions on The KPI measures the degree of The KPI measures the coverage The KPI measures the number of applications in the Patch KPI measures the recording of the incident reporting process appropriate timely handling of
reporting deadline. degree of restoration tests. incorrect data restores. target state and the actual state information security incidents.
backup coverage. Management process. of patches. between the involved interfaces.
All information security incidents All information security incidents All necessary
All systems have up-to-date All relevant data is adequately Regular restoration tests for all All systems are involved in the All systems are at up-to-date will be detected, reported and
protection secured backed-up systems Correct backups patch process patch level handled within the scope of the will be handled within an policies/documentations are
appropriate time frame present
incident management process
Local IT, Information Security, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security, Local IT, Information Security, Information Security, Corporate
Local IT, Information Security service owner service owner service owner Local IT, Information Security Local IT, Information Security Compliance Compliance Security, IT Security, HR, Business
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually) annually) annually) annually) annually) Initial version
to be determined individually (e.g.

according to category, maximum
to be determined individually (e.g. to be determined individually (e.g. periods for solution:
target: 100% after max. 30 to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. -PRIO 1: Days
minutes, Green: = 100% (of systems to be Green: > 90%, Yellow: 70-90%, Number red: > 0, Green = 0 Green: > 90%, Yellow: 70-90%, target: 100% after max. 10 days, Number red: < 1, Green = 1 -PRIO 2: Weeks to be determined individually
Green: > 90%, Yellow: 70-90%, secured), Yellow: 70-99%, Red: < Red: < 70%) Red: < 70%) Green: > 90%, Yellow: 70-90%, -PRIO 3: Months (target coverage = 100 %)
70%) Red: < 70%)
Red: < 70%) unsolved incidents within time
frame, e.g. Green: < 2%, Yellow: 2-
5%, Red: > 5%)
Quotient: number of systems Quotient: number of systems with Quotient: number of currently Quotient: number of information
time comparison covered by backups/total number tested restoration from Quotient: number of restorations patched systems/total number of time comparison security incidents reported in the For each individual criticality level: Quotient: number of existing
average actual rollout state vs. of systems (adjusted for backup/total number of all with errors/total number of all systems (adjusted for authorized average actual rollout state vs. incident management/total All incidents unsolved within policies/population of necessary
target state restoration tests target state number of incidents (known to defined time frame/ all incidents policies
authorized exceptions) systems with backup exceptions) the surveying unit)
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) monthly) annually) monthly) monthly) annually) annually) annually)
AV Management, IT Operations Backup process, IT Operations Backup process, IT Operations Backup process, IT Operations Patch/Change Management, IT Patch/Change Management, IT IT, CERT, Incident Management, IT, CERT, Incident Management, Information Security, Corporate
Operations Operations Helpdesk, Service Management Helpdesk, Service Management Security, IT Security, HR, Business
Change Management console, Change Management console, Contents derived from the
Incident Management Incident Management Statement of Applicability (SoA)
AV console, CMDB Backup software, CMDB Backup software, CMDB Backup software, CMDB software distribution platform, software distribution platform, System/Workflow System/Workflow and documented in accordance
CMDB, WSUS CMDB, WSUS with ISO 27001
INTERNAL #
5 years 10 years 10 years 10 years 5 years 5 years 10 years 10 years 5 years

INTERNAL #
information security policies available? 1.2.3 To what extent are information security requirements taken 3.1.4 To what extent is the handling of mobile IT devices and mobile 3.1.1 To what extent are security zones managed to protect information assets? 5.2.4 To what ex
into account in projects? data storage devices managed?
rmation security policy 6.2 Information security in projects 6.3 Mobile devices 11.1 Security zones 11.3 Protective measures in the 12.5 Event logging
delivery and shipping area
COVERAGE COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE COVERAGE
Actuality of required Coverage degree of information Protective measures - Coverage degree of mobile device Effectiveness of implementation Implementation degree of zone Implementation of protective Coverage degree review “Access Coverage degree of event logs on
policies/documentations security in projects implementation in projects security of mobile device security concept measures for zone concept authorizations” security-critical systems
measures
Event logging enables traceability

A comprehensive and consistent Properties must be adequately of activities in a process or
For the ISMS, the prepared protection of all relevant mobile A strong implementation of protected; this can be achieved by Regular verifications of access process step/on a system/in an
policies/documentations must be Information security topics must
be addressed during projects. Projects subject to information devices is the basis for their protective measures regarding implementation of a zone Zones must be adequately rights with respect to their
necessity are an absolute application. This functionality
reviewed for their actuality. security requirements secure operation. The KPI relevant mobile devices reduces concept. The zone concept should protected according to criticality. prerequisite for a secure delivery helps to solve system
measures the coverage degree of vulnerabilities. be implemented and shipping zone. failures/abnormalities. Logs
the defined protective measures. comprehensively. should be activated in security-
critical systems.
All necessary Security zones are protected All employees working in the All relevant systems and
Information security requirements Information security requirements All relevant mobile devices are All relevant mobile devices are Zones are defined for all according to internal delivery and shipping area are
policies/documentations are are considered in all projects are implemented in all projects subject to protective measures subject to up-to-date protection properties specifications (see e.g. References subject to regular review of access applications are integrated into
reviewed for actuality/content event logging
“Security zones”) rights
Information Security, Corporate Information Security, Corporate Information Security, Corporate IT Security, Information Security, Information Security, Corporate Information Security, Corporate Corporate Security, Logistics, Local IT, Information Security,
Security, IT Security, HR, Business Security, IT Security Security, IT Security IT Security, Information Security Corporate Security Security Security authorities Compliance
annually) annually) annually) annually) annually) annually) annually) annually) annually)

to be determined individually (e.g. Green: > 90%, Yellow: 70-90%,
to be determined individually to be determined individually to be determined individually to be determined individually to be determined individually Green: > 90%, Yellow: 70-90%, to be determined individually Red: < 70%, special case of
(target coverage = 100 %) (target coverage = 100 %) (target coverage = 100 %) (target coverage = 100 %) (target coverage = 100 %) Red: < 70%) (target coverage = 100 %) systems relevant to billing: target
coverage = 100%)
Quotient: number of employees

Quotient: number of policies Quotient: number of mobile working in the delivery and Quotient: number of logged
reviewed according to Quotient: number of projects Quotient: number of projects Quotient: number of protected devices protected in a timely Quotient: number of properties Quotient: number of adequately shipping area who are subject to security-critical systems/total
cycle/population of policies to be considering security/total number considering security aspects/total mobile devices/total number of
of relevant projects number of relevant projects mobile devices manner/total number of mobile with zone concept/population of secured zones/population of all
properties zones
regular access rights
reviews/population of employees number of security-critical
reviewed devices working in the delivery and systems
shipping area
annually) annually) annually) monthly) monthly) annually) quarterly) annually) annually)
Plant security, local security Plant security, local security
Information Security, Corporate Project customer, Project Project customer, Project IT Operations, IT Security IT Operations, IT Security functions, specialized functions, specialized Logistics, Access Management Local IT, System Owner, Data
Security, IT Security, HR, Business Management Office (PMO) Management Office (PMO) departments departments Owner, Risk Owner
Contents derived from the

Statement of Applicability (SoA) Property plans, zone concept, Property plans, zone concept, Staff registry (internal/external),
and documented in accordance Overview of projects per PMO Overview of projects per PMO Overview of mobile devices Overview of mobile devices information classification information classification access control system CMDB, Logging server
with ISO 27001
INTERNAL #
5 years 5 years 5 years 5 years 5 years 5 years 5 years 10 years to be defined individually (if
relevant to billing: 10 years)
INTERNAL #
6.1.2 To what extent is non-

5.2.4 To what extent are activities of user accounts logged? 5.2.6 To what extent are IT systems technically checked (system 5.5.2 To what extent are requirements for network services defined? disclosure regarding the exchange 5.3.1 To what extent is information security consider
audit)? of information contractually
agreed?
2.5 Event logging 12.6 Logging administrative activities 12.8 System audits 13.2 Network services 13.5 Non-disclosure agreements 14.1 Requirements for the
acquisition of information systems
EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS
Coverage degree of admin logs on Effectiveness of system audit Coverage degree review service Coverage degree non-disclosure Effectiveness of risk handling in
Functioning log activity security-critical systems Functioning log activity Coverage degree system audits implementation level agreements (SLA) Effectiveness of observing SLAs agreements information system acquisition
processes
Admin logging allows traceability

of administrator activities in a Results of admin logging activities
Results of logging activities must process or process step/on a must allow analysis. Reliable and IT systems processing or storing Measures resulting from those Regular verifications of the SLAs The protection of information
allow analysis. Reliable end-to- system/in an application. This manipulation-protected end-to- information of high or very high audits must be implemented in for network services ensure The agreed measures resulting confidentiality must be subject to Risks identified during the
end recording of the activities to functionality helps to solve end recording of the admin protection needs must be from the SLAs must be contractual agreement where at acquisition process are treated in
be monitored is essential for abnormalities. Administrator logs activities to be monitored is subjected to audits at regular time in order to eliminate any consideration of current security implemented. least confidential information is a timely and effective manner.
traceability, if required. should be activated in security- essential for traceability, if intervals. detected vulnerabilities. requirements at all times. exchanged with external partners.
critical systems and protected required.
against (admin) manipulations.
Completeness and correctness of All relevant systems and Completeness and integrity of All relevant systems are subject to All measures are implemented in All SLAs include the current All requirements resulting from Non-disclosure agreements have Security risks identified in
logs applications are integrated into admin logs audits at regular intervals time security requirements the SLAs are implemented been entered with all external acquisition are handled in an
admin logging partners effective manner
Local IT, Information Security, Local IT, Information Security, Local IT, Information Security, Acquisition, Information Security, Information Security, Local IT,
Compliance Compliance Compliance Local IT, Information Security Local IT, Information Security Local IT, Information Security Local IT, Information Security specialized department Procurement
annually) annually) annually) annually) annually) annually) annually) annually) annually)

Green: > 90%, Yellow: 70-90%, to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
Number of incorrect logs Red: < 70%, special case of Number of incorrect admin logs Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%,
Red: > 0, Green = 0 systems relevant to billing: target Red: > 0, Green = 0 Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%)
coverage = 100%)
Quotient: number of logged Quotient: number of measures Quotient: number of measures Quotient: number of orders with
security-critical systems/total number of incorrectly written Quotient: number of audited implemented in time/number of Quotient: number of verified implemented/number of concluded non-disclosure Quotient: number of treated
number of incorrectly written logs number of security-critical admin logs systems/total number of security- measures still to be implemented SLAs/total number of SLAs measures agreed agreement/total number of risks/population of risks identified
critical systems in the acquisition process
systems relevant orders
quarterly) annually) quarterly) monthly) monthly) monthly) monthly) monthly) quarterly)
Local IT, System Owner, Data Procurement, specialized
Local IT, System Owner, Data Owner, Risk Owner, User IT, System Owner, Data Owner, Audit Management, IT Audit Management, IT IT Operations, Information IT Operations, Information Acquisition, Information Security, departments (requisitioner), Local
Owner, Risk Owner Management Risk Owner, User Management Operations, System Owner Operations, System Owner Security Security specialized department IT
Acquisition register, ordering

CMDB, Logging server CMDB, Logging server, IAM CMDB, Logging server, IAM CMDB CMDB, Audit system CMDB CMDB Acquisition system system
INTERNAL #
to be defined individually (if to be defined individually (if to be defined individually (if 5 years 5 years 5 years 5 years 5 years 5 years
relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years)
INTERNAL #
information security considered in new or further developed IT systems? 1.5.1 To what extent is compliance with information security ensured
in procedures and processes?
14.2 Security during the software development process 18.4 Effectiveness check
COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS

Coverage degree of risk Effectiveness of risk handling in Coverage degree of activities to Timely elimination of
assessment in software development process eliminate vulnerabilities vulnerabilities determined during
development process determined during audits audits
Information security risks Vulnerabilities identified in the Vulnerabilities identified in the

associated with the applications course of information security course of information security
to be developed must be Risks identified in the process of audits (internal and external) audits (internal and external) are
software development are treated must be eliminated in a
identified as early as possible in in a timely and effective manner. consequent and traceable eliminated within the deadlines
the process of software manner. Findings must not remain agreed (with the audited
development. departments).
unhandled.
Security risks are taken into Security risks are addressed in the All vulnerabilities identified in the Vulnerabilities identified in the
course of audits are eliminated
account in the software development process in an course of audits are traced and within the defined time and in an
development process effective manner assigned to activities
effective manner
Information Security, Local IT, Risk Information Security, Local IT, Risk Information Security, Corporate Information Security, Corporate
Management Management Security, Local IT, Internal Audit Security, Local IT, Internal Audit
to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g. to be determined individually (e.g.
annually) annually) annually) annually)
Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%, Green: > 90%, Yellow: 70-90%,
Red: < 70%) Red: < 70%) Red: < 70%) Red: < 70%)
Quotient: number of software Quotient: number of findings Quotient: number of activities for
development projects that Quotient: number of treated subject to subsequent eliminating vulnerabilities within
underwent risk risks/population of risks identified activities/population of identified the defined period for
assessment/population of in the development process implementation/population of all
relevant development projects findings specified activities
quarterly) quarterly) quarterly) quarterly)
Procurement, specialized Procurement, specialized Internal Auditors, Information Internal Auditors, Information
departments (requisitioner), Local departments (requisitioner), Local Security, Local IT, specialized Security, Local IT, specialized
IT IT departments (Auditees) departments (Auditees)
Development system, Development system, Audit data base, follow-up data Audit data base, follow-up data
development project data base development project data base base base
INTERNAL #
5 years 5 years 10 years 10 years

INTERNAL #
INTERNAL #

License
This work has been licensed under the Creative Commons Attribution - NoDerivs 4.0 International
Public License. In addition, You are granted the right to distribute derivatives under certain terms. The
complete and valid text of the license is to be found in line 17ff.
You are free to:

· Share — copy and redistribute the material in any medium or format
for any purpose, even commercially.
· The licensor cannot revoke these freedoms as long as you follow the license
terms.
Under the following terms:
· Attribution — You must give appropriate credit, provide a link to the license,
and indicate if changes were made. You may do so in any reasonable manner,
but not in any way that suggests the licensor endorses you or your use.
· Restricted derivatives — If you change or otherwise build directly upon the
material, You may only distribute the modified material if it is clearly marked as
a derivative not approved by the licensor and if all logos and/or trademarks of
the licensor have been removed.
· No additional restrictions — You may not apply any additional legal terms or
technological measures that legally restrict others from doing anything the
license permits.
INTERNAL #
Creative Commons Attribution - NoDerivs

4.0 International Public License
By exercising the Licensed Rights (defined below), You accept and agree to be bound
by the terms and conditions of this Creative Commons Attribution-NoDerivatives 4.0
International Public License ("Public License"). To the extent this Public License may be
interpreted as a contract, You are granted the Licensed Rights in consideration of Your
acceptance of these terms and conditions, and the Licensor grants You such rights in
consideration of benefits the Licensor receives from making the Licensed Material
available under these terms and conditions.
Section 1 – Definitions.
a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or
based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged,
transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar
Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a
musical work, performance, or sound recording, Adapted Material is always produced where the
Licensed Material is synched in timed relation with a moving image.
b. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright
including, without limitation, performance, broadcast, sound recording, and Sui Generis Database
Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License,
the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
c. Effective Technological Measures means those measures that, in the absence of proper authority,
may not be circumvented under laws fulfilling obligations within the meaning of Article 11 of the
WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
d. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation
to Copyright and Similar Rights that applies to Your use of the Licensed Material.
e. Licensed Material means the artistic or literary work, database, or other material to which the
Licensor applied this Public License.
f. Licensed Rights means the rights granted to You subject to the terms and conditions of this
Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the
Licensed Material and that the Licensor has authority to license.
g. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
h. Share means to provide material to the public by any means or process that requires permission
under the Licensed Rights, such as reproduction, public display, public performance, distribution,
dissemination, communication, or importation, and to make material available to the public including
in ways that members of the public may access the material from a place and at a time individually
chosen by them.
INTERNAL #
i. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC
of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases,
as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
j. You means the individual or entity exercising the Licensed Rights under this Public License. Your
has a corresponding meaning.
Section 2 – Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a
worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed
Rights in the Licensed Material to:
A. reproduce and Share the Licensed Material, in whole or in part; and
B. produce and reproduce, but not Share, Adapted Material.
2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply
to Your use, this Public License does not apply, and You do not need to comply with its terms and
conditions.
3. Term. The term of this Public License is specified in Section 6(a).
4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the
Licensed Rights in all media and formats whether now known or hereafter created, and to make
technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right
or authority to forbid You from making technical modifications necessary to exercise the Licensed
Rights, including technical modifications necessary to circumvent Effective Technological Measures.
For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4)
never produces Adapted Material.
5. Downstream recipients.

A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material
automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and
conditions of this Public License
B. No downstream restrictions. You may not offer or impose any additional or different terms or
conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so
restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to
assert or imply that You are, or that Your use of the Licensed Material is, connected with, or
sponsored, endorsed, or granted official status by, the Licensor or others designated to receive
attribution as provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are
publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor
waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary
to allow You to exercise the Licensed Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this Public License.
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise
of the Licensed Rights, whether directly or through a collecting society under any voluntary or
waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves
any right to collect such royalties.
INTERNAL #
Section 3 – License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the following conditions.
a. Attribution.
1. If You Share the Licensed Material, You must:
A. retain the following if it is supplied by the Licensor with the Licensed Material:
i. identification of the creator(s) of the Licensed Material and any others designated to receive
attribution, in any reasonable manner requested by the Licensor (including by pseudonym if
designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of warranties;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
B. indicate if You modified the Licensed Material and retain an indication of any previous
modifications; and
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the
URI or hyperlink to, this Public License.
For the avoidance of doubt, You do not have permission under this Public License to Share Adapted
Material.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium,
means, and context in which You Share the Licensed Material. For example, it may be reasonable to
satisfy the conditions by providing a URI or hyperlink to a resource that includes the required
information.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)
(A) to the extent reasonably practicable.
Section 4 – Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed
Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and
Share all or a substantial portion of the contents of the database and provided You do not Share
Adapted Material;
b. if You include all or a substantial portion of the database contents in a database in which You have
Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but
not its individual contents) is Adapted Material; and
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the
contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under
this Public License where the Licensed Rights include other Copyright and Similar Rights.
Section 5 – Disclaimer of Warranties and Limitation of Liability.
a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor
offers the Licensed Material as-is and as-available, and makes no representations or warranties of
any kind concerning the Licensed Material, whether express, implied, statutory, or other. This
includes, without limitation, warranties of title, merchantability, fitness for a particular purpose,
non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors,
whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in
part, this disclaimer may not apply to You.
INTERNAL #
b. To the extent possible, in no event will the Licensor be liable to You on any legal theory
(including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental,
consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this
Public License or use of the Licensed Material, even if the Licensor has been advised of the
possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not
allowed in full or in part, this limitation may not apply to You.
c. The disclaimer of warranties and limitation of liability provided above must be interpreted in a
manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of
all liability.
Section 6 – Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here.
However, if You fail to comply with this Public License, then Your rights under this Public License
terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your
discovery of the violation; or
2. upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek
remedies for Your violations of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate
terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not
terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
Section 7 – Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different terms or conditions communicated
by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated
herein are separate from and independent of the terms and conditions of this Public License.
Section 8 – Interpretation.
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce,
limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made
without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be
automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot
be reformed, it shall be severed from this Public License without affecting the enforceability of the
remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to
unless expressly agreed to by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of,
any privileges and immunities that apply to the Licensor or You, including from the legal processes of
any jurisdiction or authority.
Section 9 – Distribution of Derivatives

a. In addition to those rights granted under Sections 2(a)(3), the Licensor grants You the right to
distribute modified material provided:
INTERNAL #
1. this material is clearly marked as a modified version not approved by the Licensor; and
2. any logos and/or trademarks of the Licensor have been removed.
INTERNAL #
INTERNAL #
1.0
1.1
1.2
1.3
2.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
3.0.2
INTERNAL #
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
5.0.0
5.0.2
5.0.3
5.0.4
INTERNAL #

Change history
First release (Initial version)
Changing open questions to solved questions

More precise level descriptions
Incorporating examples from practice
Spelling errors corrected
8.2 and 10.1 reference adjustment

10.2 change from production environment to productive environment
10.5 change from IDS/IPS to HIDS/HIPS
11.2 changes to the translation
11.3 and 11.4 restructuring of controls
11.4 add “IT” to systems

9.4 revision Maturity Level 2
Revision due to the new edition of ISO 27002:2013

Adjustment of the maturity levels
Fix for error in calculation and spider web diagram
Revision of the maturity levels, corrections of some controls
Release version 2.1
Print area adjusted
Spider web diagram shows results without cutback

Control 13.5 revised
Control 7.1 Maturity Level 1 revised
Controls 9.4 and 9.5 reference revised
Maturity Control changed from 12.4 to 4

Maturity Control changed from 16.3 to 3
Addition of KPIs
Spell checking in Maturity Level 3
Revision for TISAX

Module Connection of third parties included
Module Prototype Protection (25) included, derived from the Whitepaper of 06/10/2016
Module Data Protection (24) included, reference to 18.2 deleted, maturity levels removed from the module, references from
generated instead, reference included (ISMS, 18.2) showing that the data protection module will be used only in commissio
processing according to §11 BDSG, introduction of questions “fulfilled [yes/no]”
“Questions” renamed “ISMS”
Upon agreement with the data protection working group, Maturity Level “4” has been removed from Control 18.2 and set to
Control 10.21 Cryptography has been raised from “2” to “3”.
Introduction of the protection needs “normal”, “high” and “very high” to show the protection objectives “integrity”, “availability
“confidentiality”; Mapped from “internal” to “normal”, “confidential” to “high” and “secret/strictly confidential” to “very high”. As
requirements within Maturity Level “1” in the different controls.
Including KPIs in controls with Maturity Levels “4”
Removal of KPI from Control 18.2
INTERNAL #
Introduction of references to several information security topics
Readability enhancement for information security controls

Categorizing the requirements of the individual controls into ‘must’, ‘should’ and ‘may’ in order to clarify the degree of obliga
Introduction of tab “Explanations”
Introduction of tab “Maturity levels”
Extension of tab “KPIs”
Extension of tab “Information Security” with additional controls to clarify requirements for usage of cloud services
KPI link at Control 12.2 has been deleted
Correction of the link of Control 14.4 on the results page, Level 3 adaptation: Established in tab “Maturity levels”
Tab Results: The results will only be indicated for controls that have been subject to processing.
Adaptation of Chapter 24 to DSGVO and minor modifications to those controls designated with 4.1.0
8.4, 13.3 correction in description of objective
9.1 addition of control and objective description
10.1, 11.1, 12.5, 12.6, 12.9 adaptation of requirements
18.2 and Data Protection (24) adaptation to DSGVO
References: 'secret' changed to 'strictly confidential' and classification levels supplemented to protection classes
Prototype Protection (25) revised
Topical restructuring of ISA in the module Information Security

New table format in all modules for improved overview and easier export options
Deletion of the module Connection to third parties and transfer of its requirements to the module Information Security
Integration of Notes and Explanations into the module Information Security, consequently deletion of the tabs Notes and Ex
Revision of ally questions, objectives and requirements
Harmonization of the target maturity level across all controls to a target value of 3
Integration of Control 1.2 into the new Control 1.4.1
Integration of Control 12.4 into the new Controls 3.1.2 and 3.1.4
Integration of Control 14.2 and 14.3 into the new Control 5.3.1
Deletion of Control 12.9
New Control “Teleworking” (2.1.4)
New Control “Qualification of employees” (2.1.1)
New Control “Handling of identification means” (4.1.1)
Change of the License to Creative Commons BY ND 4.0 + special terms and conditions for the distribution of derivatives
Bug fixed in overall maturity level calculation

Addition of input check in column "Maturity level"
Bug fixed in change history
Change of nummeration in module "Data Protection"
Correction of diagram names in the module "Results"

Addition of print ranges
Review of references to ISO 27001

INTERNAL #
Correction of typo and formatting

Vda Isa 5.0.4 - en

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vda Isa 5.0.4 - en

Uploaded by

Copyright:

Available Formats

INTERNAL #

Information Security Assessment

The ISA provides the basis for

Information Security Assessment

Scope/TISAX Scope ID*

D&B D-U-N-S® No.

Date of the assessment:*

Version: 5.0 | Revision 4 | 2021-04-16

Information Security Assessment

Maturity level 0 Maturity level 1 Maturity level 2

Maturity level 3 Maturity level 4 Maturity level 5

+ Process documentation + Process documentation + Process improvement plan

Information Security Assessment

GWP A arbitrary result arising from the implementation of a process.

Information Security Assessment

1 IS Policies and Organization

1.2 Organization of Information Security

To what extent are information

To what extent are information

To what extent are responsibilities

1.3 Asset Management

To what extent are information

To what extent is it ensured that

1.4 IS Risk Management

To what extent are information

To what extent is the ISMS

1.6 Incident Management

To what extent are information

To what extent is all staff

To what extent is staff made aware

To what extent is teleworking

Physical Security and Business

To what extent are security zones

To what extent is information

To what extent is the handling of

To what extent is the handling of

4 Identity and Access Management

To what extent is the user access to

To what extent are user accounts

4.2 Access Management

To what extent are access rights

To what extent is information

5.2 Operations Security

To what extent are development

To what extent are IT systems

To what extent are event logs

To what extent are vulnerabilities

To what extent are IT systems

To what extent is the network of

5.3 System acquisitions, requirement management and development

To what extent are requirements

To what extent is the return and

To what extent is information

To what extent is information

To what extent is non-disclosure

To what extent is compliance with

To what extent is the protection of

11.1 Security zones

18.3 Audit of the ISMS by independent bodies

uirement management and development

n Security Management System (ISMS)

s for external IT service providers

security obligation of employees