ISMS Analysis

Information Security Assessment
Welcome to
the Information Security Assessment (ISA) of the Verband der Automobilindustrie (Association of the
German Automotive Industry, VDA).
VDA ISA provides the basis for

- a self assessment to determine the state of information security in an organization (e.g. company)
- audits performed by internal departments (e.g. Internal Audit, IT-Audit, Information Security)
- a review in accordance with TISAX (Trusted Information Security Assessment Exchange, http://enx.com/tisax/)
VDA ISA consists of several tabs; the content and function of which are explained below:
Maturity levels:
VDA ISA provides assessment of the implementation by means of a maturity model defined in this table sheet.
A simplified sequence of the maturity levels is as follows:
Level 0: The implementation of requirements is incomplete. A process does not exist or the existing process does not
achieve the required results.
Level 1: The requirements necessary for the respective information protection needs are performed. A process is in place
and shows signs of its working. It is, however, not completely documented. Therefore, its working at all times cannot be
ensured.
Level 2: The process for achieving the objective is managed. It is documented and proof (e.g. documentations) is
available.
Level 3: The process for achieving the objective is established, the processes are linked in order to show existing
dependencies. The documentation is up to date and maintained.
Level 4: Requirements from Level 3 and, in addition, results are measured (e.g. KPI) making the process predictable.
Level 5: Requirements from Level 4 and, moreover, additional resources (e.g. personnel and finances) are being
implemented in an optimizing manner. The process is subject to continuous improvement.
Explanation:
The explanation includes the definition of the terms “must”, “should” and “may” to provide different grades within the
requirements in the questionnaires below.
Minimum requirements are listed under “shall”. Without their implementation, the objective cannot be achieved.
Generally, implementation of the requirements defined under “should” is necessary in order to achieve the objective.
However, the selection of adequate measures may also be acceptable if they allow the objective to be achieved.
Depending on the size of a company and the case of application, it may be necessary to implement the requirements listed
under “can” in order to achieve the control objective.
Another specific feature are the additional requirements depending on the protection needs of the information. This is due to
the fact that information of high/very high protection requires specific measures. The protection needs are related to the
essential protection objectives of information security, namely confidentiality, availability and integrity.
Cover:
The cover contains boxes for information on the respective organization, the scope of the review, the auditor and the
contact person of the organization under review.
Results:
Here, the results of the single tab (review catalogue pages) are summarized and presented in printing format.
The spider diagram provides an overview of all controls.
The list of all controls shows the target maturity levels to be achieved.
Depending on the significance of the controls, the target maturity levels vary from Level 2 to Level 4.
When calculating the overall result, the results of controls overachieving their target maturity level are shortened and
averaged. This ensures that requirements are comprehensively fulfilled and that there is no compensation of overachieved
and underachieved controls.
Information Security:
The tab “information security” includes all basic controls based on the standard ISO/IEC 27001. The controls themselves
are formulated as questions. The answer can be documented in the additional box “Implementation description” (marked by
table extension “+”). Further boxes (“Reference documentation”, “Findings” and “Measures”) allow extended documentation
and are usually used to support the auditor.
The objective of the respective control and the requirements for achieving it are listed in accordingly designated boxes.
Here, each control shall always be assessed according to the degree to which the objective is achieved.
The assessment of the maturity levels (see tab “maturity levels” for description) of each control is recorded in the box
(column B) by means of a drop-down and then automatically transferred to the tab “Results”.
547235404.xlsx /
Gedruckt am: 10/06/2021_x000D_ [Public] Seite 1 von 44
Welcome
#
Group:
Company:
Location:
Address:
Homepage:
Short description of the

group company:
Scope/TISAX Scope-ID
D&B D-U-N-S® No.
Date of the assessment:
Contact person:
Telephone number:
Email address:
Creator:
Telephone number:
Email address:
Managing Director:
Signature:
Version: 4.1.0 / 2018-12-13
547235404.xlsx /
Printed on: 10/06/2021_x000D_ [Public] Page 2 of 44
Cover
#
Results
Company: 0
Location: 0
Date: 12/30/1899
Result with cutback to target
maturity level:
Maximum score: 3.00
1 ISMS
25 Prototype protection
5 Information Security Policies
5
23 Connection to 3rd parties 6 Organization of Information Security
4
18 Compliance 3 7 Human Resources Security

2
1
17 Information Security Aspects of Business Continuity Management 8 Asset Management
0
16 Information Security Incident Management 9 Access Control
15 Supplier Relationships 10 Cryptography
14 System acquisition, development and maintenance 11 Physical and Environmental Security

13 Communications
12 Operations
SecuritySecurity
Target maturity level Result
547235404.xlsx /
Results
#
Results
maturity level:
Maximum score: 3.00
Details:
Target
No. Subject maturity Result
level
1.1 Release of an Information Security Management System (ISMS) 3
1.2 IS Risk Management 3
1.3 Effectiveness of the ISMS 3
5.1 Information Security Policy 3
6.1 Assigning responsibility for information security 3
6.2 Information Security in projects 3
6.3 Mobile devices 3
6.4 Roles and responsibilities
Contractual for external
information security IT service providers
obligation 3
7.1 of employees 3
7.2 Awareness and training of employees 4
8.1 Inventory of assets 3
8.2 Classification of information 2
8.3 Storage of information on mobile storage devices 3
8.4 Removal of externally stored information assets 3
9.1 Access to networks and network services 3
9.2 User registration 4
9.3 Privileged user accounts 3
9.4 Confidentiality of authentication data 3
9.5 Access to information and applications 3
9.6 Separation of information in shared environments 3
10.1 Cryptography 3
11.1 Security zones 3
11.2 Protection against external influences and external threats 3
11.3 Protection measures in the delivery and shipping area 2
11.4 Use of equipment 2
12.1 Change management 4
12.2 Separation of development, test and operational environments 2
12.3 Protection against malware 4
12.4 Back-up procedures 4
12.5 Event logging 3
12.6 Logging administrational activities 2
12.7 Prosecution of vulnerability (patch management) 4
12.8 Review of information systems 2
12.9 Consideration of critical administrative functions of cloud services 3
13.1 Management of networks 3
13.2 Security requirements for networks/services 3
13.3 Separation of networks (network segmentation) 3
13.4 Electronic exchange of information 3
13.5 Non-disclosure agreements for information exchange with third parties 3
14.1 Requirements for the acquisition of information systems 3
14.2 Security along the software development process 3
14.3 Management of test data 2
14.4 Approval of external IT services 3
15.1 Risk management in collaboration with suppliers 3
15.2 Review of service provision by suppliers 3
547235404.xlsx /
Results
#
16.1 Reporting system for information security incidents (incident management) 3
16.2 Processing of information security incidents 4
17.1 Information Security Aspects of Business Continuity Management (BCM) 3
18.1 Legal and contractual provisions 3
18.2 Confidentiality and protection of personally identifiable data 3
18.3 Audit of the ISMS by independent bodies 3
18.4 Efficiency test 3
Method: - comparison of the top 52 security topics 3.00
- based on ISO 27001 controls
- evaluated using SPICE ISO 15504
547235404.xlsx /
Results
#
Results -
Connection to third parties

maturity level:
Maximum score: 3.00
Details:
Target
level
23.7.2 Awareness and training of employees 3
23.9.2 User registration 3
23.11.1 Security zones 3
23.13.3 Separation of networks (network segmentation) 3

Results - Prototype protection
maturity level:
Maximum score: 3.00
Details:
Target
level
25.1 Physical and Environmental Security
25.1.1 Security concept 3
25.1.2 Perimeter safety 3
25.1.3 Stability of outer skin 3
25.1.4 View and sight protection 3
25.1.5 Protection against unauthorized entry and access control 3
25.1.6 Intrusion monitoring 3
25.1.7 Documented visitor management 3
25.1.8 Client separation 3
25.2 Organizational Requirements
25.2.1 Non-disclosure obligations 3
25.2.2 Subcontractors 3
25.2.3 Awareness 3
25.2.4 Security classification 3
25.2.5 Access control 3
25.2.6 Film and photo regulations 3
25.2.7 Mobile video and photography devices 3
25.3 Handling of vehicles, components and parts
25.3.1 Transport 3
25.3.2 Parking and storage 3
25.4 Requirements for trial vehicles
25.4.1 Camouflage 3
25.4.2 Test and trial ground 3
25.4.3 Test and trial drives on public roads 3
547235404.xlsx /
Results
#
25.5 Requirements for events and shootings
25.5.1 Presentations and events 3
25.5.2 Film and photo shootings 3
547235404.xlsx /
Results
#
Information Security Assessment -
Questions
based on ISO 27001:2013
Firma: 0
Ort: 0
Datum: 12/30/1899
Reifegrad
Level 0-5; Trifft eine Frage nicht zu, so ist na (not applicable) einzutragen.
na
1 General Aspects
1.1 To what extent is an Information Security Management System approved by the organization’s management and is
its scope documented?
(Reference to ISO 27001: 4 and 5.1)
Objective: Systematic control and review of information security within the specified scope is achieved by means of the establishment,
operation and further development of an Information Security Management System (ISMS) and the assignment of
responsibilities. The ISMS defines processes and procedures in order to achieve the information security objectives with
respect to adequate confidentiality, availability and integrity of the company assets based on the security policy.
Requirements: This must include:
+ The organization’s requirements for an ISMS are determined.
+ An ISMS approved by the organization’s management is established.
+ The scope of the ISMS is specified (e.g. organization in whole or in part).
+ A Statement of Applicability (SoA) is provided (e.g. filled-in VDA ISA catalog).
This should include:

None.
This may include:

+ Certification in accordance with ISO 27001:2013 (including Scope Statement and SoA).
Additionally in case of high protection needs:

None.
Additionally in case of very high protection needs:

None.
1.2 To what extent is a process for identifying, assessing and handling information security risks defined, documented
and implemented?
(Reference to ISO 27001: 8.2 and 6.1.2)
Objective: The objective of an organization-specific ISMS is an adequate balance between information security efforts and the assets
to be protected. In order to achieve this, the assets, their protection needs and threats shall be identified, analyzed,
assessed and documented by means of risk assessment. In absence of an information security risk assessment, the danger
arises that information security risks remain undetected leading to potential harm.
+ Risk assessments are carried out both at regular intervals and in case of events.
+ Information security risks are classified according to their effects and probability of occurrence.
+ In case of changes to the environment (e.g. organizational structure, location, changes to regulations), reassessment is
carried out in a timely manner.

+ A process description indicating how to identify, assess and evaluate information security risks within the organization
exists.
+ Criteria for the evaluation and handling as well as the acceptance of information security risks exist.
+ The identified information security risks, including cause, probability of occurrence, potential effects and their assessment
are documented.
+ Measures for handling risks and the associated responsible persons are specified and documented.
- A plan of measures or an overview of their state of implementation exists.
This may include:

+ An overview of the experts (risk owners) exists.

None.

None.
1.3 To what extent is the effectiveness of the ISMS ensured?

(Reference to ISO 27001: 8.1, 9.1, 10.1 and 10.2)
Objective: The ISMS must be reviewed at regular intervals (e.g. annually) with respect to its effectiveness. This includes verifying the
achievement of objectives and the compliance with applicable requirements.
Only an ISMS adapted specifically to the organization’s requirements can fulfil its purpose. Since influencing factors such as
organizational structure or local conditions may change, the effectiveness of the ISMS must be reviewed regularly.
Gedruckt am: 10/06/2021_x000D_ [Public] 547235404.xlsx /

Seite 8 von 44
Information Security
#
+ The effectiveness is reviewed regularly by the persons responsible for information security and the management.
+ The results of the effectiveness inspection and the specified measures are documented.
+ A plan of measures or an overview of their state of implementation (including those resulting from previous reviews) is in
place, the implementation of those measures is monitored.
+ If any security-related events occur, they are analyzed.

+ The ISMS is regularly inspected for its adequacy and appropriateness.
+ The documentation is regularly reviewed and revised with respect to its actuality.
This may include:

None.

None.

None.
5 Information Security Policies

5.1 To what extent is an information security policy created, published or distributed and is it reviewed at regular
intervals?
(Reference to ISO 27001: Control A.5.1.1 and A.5.1.2)
Objective: The organization must define a policy reflecting the importance and significance of information security to the organization.
This must be adapted to the business strategy, regulations, legislation and potential threat situations regarding information
security. It must be evident to all of the involved parties that information security is supported by the management of the
organization, that it is of relevance to everyone and that requirements and rules apply which must be met.
+ The information security requirements adapted to the company’s objectives with respect to information protection are
documented in a policy and are approved by the management of the organization.
+ The policy includes objectives and the significance of information security within the organization.

+ The information security requirements based on the strategy of the organization, legislation and contracts are taken into
account in the policy.
+ Responsibilities for implementation are defined.
+ The policy indicates consequences in case of non-conformance.
+ Further policies/regulations/standards regarding information security are prepared.
+ A process for regular review and revision of the policies is established.
+ The policies are made adequately available to employees.
+ These policies (or extracts thereof) are provided to external business partners depending on the respective case.
This may include:

+ The policies are made available on the intranet.

None.

None.
6 Organization of Information Security

6.1 To what extent are responsibilities for information security defined and assigned?
(Reference to ISO 27001: Control A.6.1.1)
Objective: Successful implementation of an ISMS requires adequate assignment of information security responsibilities. This requires
the definition of roles fulfilling the tasks for achieving the protection objectives. Qualified employees who are known to the
organization’s staff and, if appropriate, also to business partners are required to fulfil those tasks.
+ Responsibilities for the information security within the organization are defined, documented and assigned.
+ The responsible employees are defined and qualified for their task.
+ The contact persons are known within the organization and to relevant business partners.

+ There is a definition and documentation of an adequate information security structure within the organization.
+ The necessary resources for information security are determined and provided to the responsible employees.
This may include:

+ Responsibilities and contact persons for information security are made known and available to employees and external
business partners, as far as required for fulfilling the assigned task(s).

+ An appropriate organizational separation of responsibilities should be established in order to avoid conflict of interests.

None.
6.2 To what extent are information security requirements taken into account in project work (irrespective of project
type)?

Seite 9 von 44
#
Objective: The information security requirements must be taken into account irrespective of the project type (this includes non-IT
projects). This also includes the handling of information security and information security risks in the organization’s project
management methods.
+ Projects are to be classified while taking into account the information security requirements.

+ The procedure and criteria for the classification of projects are documented.
+ In early project phases, risk assessments are carried out based on the defined procedures.
+ For identified information security risks (see Control 1.2), measures are derived and taken into account in the project.
This may include:

None.

+ The measures derived are reviewed regularly during the project and reassessed in case of changes to the assessment
criteria.

None.
6.3 To what extent is a policy in place regarding the use of mobile devices and remote access to the organization's
data?
Objective: The handling of mobile devices, particularly in unprotected environments, is associated with increased risks (e.g. loss, theft,
malware infection). In order to protect the information stored on the device, technical protective measures must be
implemented. Additionally, employees must be made aware of the risks involved in the handling of mobile devices.
+ The use of mobile devices (e.g. smartphones, notebooks) is subject to regulation.

+ A policy is prepared considering the following aspects:
- Registration of mobile devices
- Physical protection requirements (among others against theft, spying on information)
- Software installation restrictions
- Requirements for the versioning of software for mobile devices and the associated patch management
- Limitations of access to certain information services
- Encryption techniques
- Data backup
- Protection against malware
- Remote deletion methods
- Use of web services and web apps
- Procedure in case the mobile device is lost
+ Users sign an obligation declaration regarding the handling of particularities when working with mobile devices depending
on the protection needs, e.g. anti-theft protection, software installation, prevention of visibility of information itself (view and
sight protection), use of a protected environment (e.g. enclosed space, non-public location), handling of authentication
means.
This may include:

None.

None.

None.
6.4 To what extent are the roles and responsibilities defined which are shared between IT service providers (e.g. cloud
providers) and the own organization?
(Reference to ISO 27017: Control CLD.6.3.1)
Objective: When using services and IT services (e.g. cloud services), the relationship between provider and the own organization is of
particular significance to information security due to the shared responsibilities for the implementation of requirements. The
own organization must continue to independently fulfil parts of the security requirements while other requirements are
fulfilled in whole or in part by the service provider. The exact allocation of responsibilities always depends on the IT service
or the service used and cannot be generally indicated.
If common understanding regarding the allocation of responsibilities is lacking among all parties involved, the security
system may be weakened or rendered entirely ineffective. Therefore, the user of services and IT services must ensure at all
times that a mutual understanding regarding the allocation of responsibilities is given and that it is clarified for each
requirement, that and by whom it is fulfilled.

Seite 10 von 44
#
+ The concerned services and IT services used are identified.
+ The security requirements relevant to the service are determined and documented:
- At least the applicability of the VDA ISA controls is verified and documented.
+ For each requirement, it is documented who is responsible to what extent for its implementation.
- For the applicable VDA ISA controls, it is documented who has the responsibility for implementation or how it is shared.
+ The own organization fulfils its responsibilities.
+ Proof is provided that the service provider fulfils his responsibility.

+ A list of concerned services and IT services exists.
+ The service configuration for IT services has been conceived, implemented and documented based on the necessary
security requirements.
+ The service configuration is included in the regular security assessments.
+ Integration into local protective measures (such as secure authentication mechanisms) is established and documented.
+ The staff is trained (e.g. with respect to safe operation and configuration, secure handling of data according to their
classification, danger awareness, handling of incidents).
This may include:

None.

None.

None.
7 Human Resources Security
7.1 To what extent is staff (internal and external) contractually bound to comply with information security policies?
Objective: Organizations are subject to legislation, regulations and internal rules. Already at the hiring of staff, it must be ensured that
both internal and external employees commit to compliance with the policies and are aware of the consequences of
misconduct.
+ A non-disclosure obligation is in effect.
+ An obligation to comply with the information security policies is in effect (see 5.1)

+ A non-disclosure obligation beyond the employment contract or order is in effect.
+ Information security aspects are considered in the employment contracts of the staff.
+ Responsibilities and duties associated with the handling of sensitive information are specified in the employment contract.
+ A procedure for handling violations of contractual specifications relevant to information security is described.
+ Employees are informed of policy changes.
This may include:

None.

None.

None.
7.2 To what extent is staff (internal and external) made aware of and trained about the risks arising from handling and
processing information?
(Reference to ISO 27002: Control 7.2.1 and 7.2.2)
Objective: Information security must be a natural and integral part of the work environment and adopted in the daily work of all
employees. By means of information security training, employees must gain the necessary knowledge and competence for
security-conscious behaviour. They must be particularly aware of what is expected of them with respect to information
security and how to respond to security-critical situations.
+ Employees are trained and made aware.

+ A concept for awareness and training of employees is prepared.
- Target groups for awareness and training measures (e.g. new employees, administrators) are defined and taken into
account in the training concept.
+ The concept has been approved by the responsible management
- Resources required for implementation are released
+ Training and awareness measures are carried out both at regular intervals and in response to events.
+ Participation in training and awareness measures is documented.
+ Contact persons for information security are known to employees.
+ Suitable KPIs for training and awareness purposes are defined and analyzed.
This may include:

+ Regular learning objectives tests are conducted for participants of completed awareness and training measures.
+ The learning success with respect to with awareness and training programs is reviewed quantitatively and qualitatively.

None.

None.

Seite 11 von 44
#
8 Asset Management
8.1 To what extent are inventories existent for objects (assets) that contain information in different versions?
(Reference to ISO 27001: Control A.8.1.1, A.8.1.2, A.8.1.3 and A.8.1.4)
Objective: Beside the conventional inventory of physical objects, it is essential to obtain an overview of the information processed
within the organization. For this purpose, information assets are elements of information-related character such as
documents, illustrations, files, programs, servers, networks, facilities, vehicle prototypes, design-relevant or shaping tools
and equipment. An information owner takes on the role of responsible person for individual information assets.
+ The information assets of the following categories are identified:
- IT hardware and applications
- IT-supporting infrastructure
- information in electronic form, in paper form and physical form
- individual and groups of persons holding relevant information
- outsourced services (see also Control 6.4)
+ Each information asset is assigned to a responsible entity (individual or organizational unit).
+ Information assets are classified. (see also Control 8.2)
This should involve:

+ Information asset inventories are prepared and updated regularly.
+ The lifecycle of information assets in its phases such as preparation, processing, storage or retention, transfer and
deletion or destruction is defined.
+ Regulations for returning information assets on leaving the organization or on contract termination are in effect.
This may include:

+ Regulations for acceptable use of information assets (“acceptable use policy”) exist.
+ Information assets may be grouped (e.g. workplace computer), if required.

+ A specification regarding the explicit approval of the use of an information asset is defined.

None.
8.2 To what extent is information classified according to its protection needs and are there regulations in place
regarding labelling, handling, transport, storage, retention, deletion and disposal?
(Reference to ISO 27001: Control A.8.2.1, A.8.2.2 and A.8.2.3)
Objective: Information shall be classified according to its value to an organization (classification). For this classification, the value of
information to the organization shall be evaluated based on factors such as confidentiality, integrity and availability. The
handling of information according to its classification shall be defined and implemented by the employees.
+ A consistent scheme for the classification of documents/information is in place and implemented.

Classification of information is done according to defined criteria, e.g. value, legal requirements, customer requirements,
confidentiality, integrity and availability.
+ A policy including requirements for classification of information as well as the respective protective measures for
identification, handling, transfer, storage, deletion and disposal is in place and implemented.
This may include:

None.

None.

None.
8.3 To what extent are appropriate procedures implemented for the management of information on mobile storage
devices?
Objective: Information on mobile storage devices is generally exposed to increased risks. In order to prevent loss of information in
case a mobile storage device is lost or stolen, regulations to reduce these risks shall be defined and measures shall be
taken.
None.

+ Definition of regulations for handling information on mobile storage devices according to its classification. This includes
the following aspects: transport, deletion, transfer, disposal and protective measures.
+ Data on mobile storage devices shall be protected according to defined regulations according to the classification.
This may include:

+ The organization provides means to support the employee in observing the rules.

+ A procedure shall be established for the required reaction of employees to cases of loss.
+ Regulations for handling during (business) travels within the country and abroad, e.g. when being viewed by authorities.
+ Information on mobile mobile storage devices should be transported in encrypted form.
- Where encryption is not feasible, information shall be protected by similarly effective measures.

None.

Seite 12 von 44
#
8.4 To what extent is the secure removal of information assets from IT services (particularly cloud) ensured?
Objective: It shall be known how to terminate the use of a service in a controlled manner. Particular consideration shall be given to
how information can be securely removed again from external systems (e.g. cloud systems).
+ A withdrawal strategy (termination process) including the deletion and removal of assets from the cloud service is defined.
+ It is ensured that the provider will fulfil his responsibilities.

+ The fulfilment of the provider’s responsibilities is regulated by contract.
+ A description of the termination process is available and will be adapted to any changes.
+ The responsibilities provided in the process are documented and accepted by the provider.
This may include:

+ The responsibilities are derived from the service documentation made available by the provider and documented.

None.

None.
9 Access Control
9.1 To what extent are policies and procedures regarding the user access to network services, IT systems and IT
applications in place?
Objective: The identity of the user of a network service, an IT system or an IT application shall be clearly verifiable in order to enable
the unambiguous tracing of actions to the user. In order to ensure this, authentication (registration) procedures and
mechanisms of network services, IT systems or IT applications shall be designed such that users are clearly identified and
authenticated.
+ The procedures applied for user authentication are deemed secure and comply with the current state of the art.
+ The procedures for user authentication have been selected based on a risk assessment. Possible attack scenarios have
been taken into account (e.g. possibility of direct access from the internet)
+ Further interactions shall only be possible upon successful authentication.

+ A policy based on business and security-relevant requirements is created and documented.
+ Depending on the classification of information processed in IT systems or IT applications, suitable and secure
authentication procedures are required and applied.
This may include:

None.

+ Prior to gaining access to data of high protection needs, users shall be authenticated at least by means of strong
passwords according to the state of the art.
+ Depending on the risk assessment, the authentication procedure has been enhanced by supplementary measures
(e.g. permanent access monitoring with respect to irregularities or use of strong authentication)

+ Prior to gaining access to data of very high protection needs, users shall be authenticated at least by means of strong
authentication (e.g. two-factor authentication) according to the state of the art.
9.2 To what extent are procedures for user registration, change and de-registration implemented and is particularly the
authentication information handled confidentially?
Objective: The use of unique and personalized user IDs (user accounts) ensures clear traceability of actions. The authentication
information (e.g. passwords) shall be known to the authorized user only. Defined processes for the lifecycle of user
accounts are in place. It is regularly reviewed whether existing user accounts are needed.

Seite 13 von 44
#
+ The process of user ID management is documented and established.
+ The use of unique and personalized user accounts is specified.
+ The use of “collective accounts” is regulated (e.g. restricted to cases where traceability of actions is dispensable).
+ User accounts are disabled immediately after the user has left the company (e.g. upon termination of the employment
contract).
+ The authentication information is provided securely to the user.
+ User accounts are regularly reviewed.

+ A basic user account with minimum access rights and functionalities is existent and used.
+ User accounts are created or authorized by the responsible body.
+ Creating user accounts is subject to an approval process (four-eyes policy).
+ Disabling the user accounts of service providers after completion of the task.
+ Deadlines for disabling and deleting user accounts are defined.
+ Aligned change of user accounts after the reassignment of the user to another work field.
+ Secure processes are established for the transfer of authentication information.
This may include:

None.

None.

None.
9.3 To what extent is the allocation and use of privileged user and technical accounts regulated and is it subject to
reviews?
Objective: The use of unique and personalized administrative user accounts ensures clear traceability of administrative actions.
Administrators shall use the user account provided with privileged rights exclusively for administrative tasks and their
standard user account for all other activities (e.g. E-mail, internet). Thus, it shall be ensured that only activities requiring
privileged rights are actually carried out in this context.
+ The use of unique and personalized administrative user accounts is regulated and established.
+ Distinction between user accounts (privileged user account, office user account) is ensured, e.g. by having two or more
user accounts.
+ The management process (allocation/change/deletion) for privileged user IDs is documented and established.
+ Privileged rights are allocated upon approval only.
+ Secure authentication procedures are implemented for privileged user accounts.
+ User accounts with privileged rights are documented and reviewed at regular intervals.

+ Identification of the relevant or affected IT systems is completed and documented.
+ Rights are allocated on a need-to-use basis and according to the role and/or area of responsibility (observing the
segregation of functions).
+ The following points shall be considered when reviewing the allocated privileged rights:
- Privileged access rights are reviewed regularly (at adequate intervals, e.g. quarterly)
- The reviews are documented.
- Task field changes are immediately taken into account
This may include:

None.

None.

None.
9.4 To what extent is the user subject to binding policies concerning the creation and handling of confidential
authentication information?
Objective: Where authentication information is used in an IT system or application, information security critically depends on the
correct use of this information (e.g. passwords, PINs). Therefore, it is essential to regularly raise user awareness regarding
the correct handling of this authentication information.

Seite 14 von 44
#
+ Regulation of the handling of authentication information is created considering at least the following aspects:
- No disclosure of authentication information to third parties - not even persons of authority - under consideration of
legal parameters
- no writing down or unencrypted storing of authentication information
- immediate changing of authentication information whenever potential compromise is suspected
- no use of identical authentication information for business and non-business purposes
- changing of temporary or initial authentication information following the 1st login
- requirements for the quality of authentication information (e.g. length of password, types of characters to be used).

+ Users are informed and made aware of the regulations (e.g. password rules).
+ The use of default passwords is technically prevented.
+ Where strong authentication is applied, the use of the medium (e.g. factor ownership) is secure.
This may include:

+ Means of secure retention of authentication information (e.g. password safe) are provided.

None.

None.
9.5 To what extent is access to information and applications restricted to authorized persons?
Objective: Authorization shall ensure that only authorized users have access to information and IT applications. For this purpose,
access rights are allocated to the user and reviewed at regular intervals.
+ The requirements for access to information and applications are determined.
+ An authorization policy is created including at least the following aspects:
- procedures for request, review and approval
- application of authorization roles
- segregation of functions
- application of the minimalistic (“need-to-know”) principle
+ The policy is binding to all users of information and applications.
+ The access rights allocated to users and technical accounts are regularly reviewed.

+ Authorization concepts of applications are created (e.g. ERP systems).
This may include:

None.

+ The access rights are released by the person responsible for information (internal).
+ Existing access rights are regularly reviewed (at adequate intervals, e.g. quarterly).
+ Functions in application systems are restricted as far as possible (e.g. export and printing).
+ Prevention of access and viewing by unauthorized persons/roles (e.g. administrators) at least on file level (e.g. encrypted
data storage).
9.6 To what extent is the separation of data within an environment shared with other organizations ensured?
(Reference to ISO 27017: Control CLD.9.5.1 and CLD.9.5.2)
Objective: Cloud solutions, in particular, are characterized by enhanced standardization and a high level of virtualization on
infrastructure the use of which is shared by various customers. Such a collaborative environment enables numerous cloud
customers to work. In order to protect own information at all times, a clear segregation of data shall be ensured.
+ Effective segregation prevents access to own information by unauthorized users of other organizations.

+ The provider’s concept of segregation (e.g. segregation of clients) is documented and adapted to any changes. This
concept should at least include the following:
- separation of data, applications, operating system, storage and network
- segregation of clients area and internal administration area
- implementation of suitable security measures for multiple tenants (in multi-tenant environments)
- risk assessment for the operation of external software within the shared environment (particularly for IaaS/PaaS services)
+ Shared virtual machines and/or application instances are hardened accordingly
- observation of the minimalistic principle (e.g. restriction of rights, ports, protocols, software)
- application of technical protective measures (e.g. AV, logging)
This may include:

None.

None.

None.
10 Cryptography

Seite 15 von 44
#
10.1 To what extent are rules for encryption, including the management of cryptographic keys (complete lifecycle
process) for the protection of information during storage and transport existent and have they been implemented?
Objective: Protection of the confidentiality of information during both storage and transfer (e.g. when gaining physical access to data
storage devices or data transfer infrastructure) shall be ensured. This is generally achieved by means of encryption. For
handling encryption, it is essential that it provides the expected security characteristics at all times without simultaneously
creating inadequately high availability risks. For this purpose, reliable identification of the necessity of encryption shall be
ensured. Whenever such a need is identified, procedures deemed secure according to the scientific and technical state of
the art shall be selected. Additionally, it shall be ensured that the secrets (key material) are adequately protected against
technical and organizational risks to confidentiality as well as integrity and availability throughout the lifecycle.

+ Any productively used encryption technologies shall be according to the technical state of the art.
+ The legal parameters for the use of encryption technologies are taken into account.

+ Creating regulations containing requirements for encryption in order to protect information according to its classification.
+ A concept for encryption is defined including at least the following specifications:
- the level of encryption
- the key management
- the cryptographic algorithm
- procedures for the complete lifecycle, such as generating, storing, archiving, retrieving, distributing, deactivating,
renewing and destroying cryptographic keys
+ The encryption concept is established.
+ An emergency process for recovering key material is established.
This may include:

None.

+ The following aspects shall be documented:
- description of the key authority
- authority regarding the management of key material in case of external processing (e.g. in the cloud)
+ Information of high protection needs should be transported or transferred in encrypted form.

+ Information of very high protection needs are stored in encrypted form.
+ The following shall be ensured during external processing or transfer:
- obligatory end-to-end encryption (preferably using key material from a company internal environment).
Requirements:
11 Physical and Environmental Security
11.1 To what extent are secure areas for the protection of sensitive or critical information and information processing
facilities defined, protected and monitored (entrance control)?
Objective: Processing of information assets outside the area affected by the measures intended for the target information security level
shall be prevented. Since it is generally not possible to implement corresponding measures for all areas of the location, a
zone concept is applied defining in which areas which type of information may be processed.
+ Requirements for the protection of affected assets are determined (see Control 8.1).
+ Security zones are specified under consideration of terrains/buildings/rooms and documented.
+ The concept of security zones is established.
+ The code of conduct for security zones is known to all persons involved.
+ The security zones are secured by adequate protective measures according to the assigned risk level. (See notes for
examples).

+ Procedures for allocation and revocation of access rights are established.
+ Regulations regarding visitor management including registration and escorting of visitors are defined.
+ The security zones are adequately monitored (see notes for examples).
+ External properties used for storing and processing information assets are taken into account in the scope of the security
concept (e.g. storage spaces, garages, workshops, test routes, data processing centres).
This may include:
+ The security zones are identified.

+ In case of externally located IT systems, e.g. external housing in an emergency data processing centre, direct access to
the systems by persons of the external service provider should be prevented (e.g. by means of locked racks).

None.
11.2 To what extent has the company taken measures against the effects of natural disasters, deliberate attacks or
accidents?
Objective: Natural disasters, deliberate attacks or accidents can critically impair the availability of IT systems. It shall be ensured that
effects on critical IT systems are identified and assessed according to their criticality and that adequate protective measures
have been defined and implemented.

Seite 16 von 44
#
+ Natural threats such as flooding are identified.
+ Social threats such as political instability or accidents involving industrial plants are identified.
+ Potentially affected infrastructure, assets and IT systems are identified.

+ Adequate protective measures, such as fire detection system, fire protection, water detector, are implemented and
reviewed regularly.
+ A redundant media supply (electric power, communication connections etc.) is provided.
+ Emergency plans are defined and reviewed regularly.
This may include:

None.

None.

None.
11.3 To what extent are protective measures taken to prevent access to delivery and shipping areas by unauthorized
persons?
Objective: It shall be ensured that all means of access to protected zones are protected against unauthorized access by means of
adequate measures. This is often associated with specific requirements in delivery and shipping areas, particularly where
those have to be designed for the delivery and shipping of large objects (e.g. vehicles or large tools).
+ The requirements for protecting the delivery and shipping areas are identified.
+ The shipping areas are integrated into the security concept.
+ Necessary protective measures are defined and implemented.
+ Access is permitted for identified and authorized staff only.

+ Sensitive IT systems are separated from delivery and shipping areas.
This may include:

+ There is a separate security zone for delivery by suppliers who do not have access to any other areas of the organization.
+ A lock function is provided in the delivery and shipping area.
+ The supplied material is inspected for potential threats.

None.

None.
11.4 To what extent are policies and procedures regarding the use of assets, including off-premises use, disposal and
re-use in place and implemented?
Objective: Where assets (e.g. IT equipment, information) are taken off the premises of an organization, they are exposed to increased
risks. For example, they are exposed to the risk of theft or unauthorized viewing. As an adequate reaction to those risks, the
security requirements associated with off-premises use shall be identified. This also applies to the disposal or re-use of
assets (e.g. notebooks).
+ Security requirements for the use and off-premises use of assets are identified.
+ Policies and procedures for use and off-premises use of assets are defined and implemented.
+ IT devices containing sensitive data are deleted such as to prevent data recovery.

+ Information shall be protected by adequate measures according to the protection needs.
This may include:

None.

+ Disposal of data storage devices is conducted in accordance with one of the relevant standards (e.g. DIN 66399, Security
Level 4).

+ Disposal of data storage devices is conducted in accordance with one of the relevant standards (e.g. DIN 66399, Security
Level 5).
12 Operations Security
12.1 To what extent are changes to the organization, business processes, information processing facilities and systems
controlled and implemented according to their security relevance?
Objective: In case of changes to the organization, business processes, information processing facilities and systems, aspects of
information security shall be considered. The objective is to ensure that all changes are made under consideration and
observation of the information security requirements.

Seite 17 von 44
#
+ Security-relevant requirements regarding changes to the organization, business processes, information processing
facilities and systems are determined and implemented.

+ A formal approval procedure is defined.
+ Fall-back solutions for fault cases are established.
+ Changes affecting information security are planned and reviewed.
This may include:

None.

+ In case of changes, observation of the information security requirements is verified.

None.
12.2 To what extent are development and testing environments kept separate from productive environments?
Objective: The objective of separating development and testing environments from productive environments is to prevent faults during
development from affecting the productive environment. A testing environment serves, for example, as an intermediate step
for testing software developments with the environmental variables of a productive environment and for verifying the
availability, reliability and integrity of their functions.
+ The IT systems have been subjected to risk assessment in order to determine the necessity of their separation into
development and productive systems.

+ The requirements for development and testing environments are determined, e.g.:
- segregation of development, testing and productive systems
- no development and system tools on productive systems (excluding those relevant to operation)
- use of different user profiles for testing and productive systems
- as far as possible, use of non-sensitive or anonymized test data
+ Specifications are defined for transferring software from the development and testing state to the productive state.
+ The identified requirements are implemented.
This may include:

None.

None.

None.
12.3 To what extent are protection controls (e.g. endpoint security) against malware (viruses, worms, Trojans,
spyware, ...) implemented in combination with appropriate user awareness?
Objective: Two aspects are of particular importance for malware protection - malware protection software on the one hand and user
awareness on the other. User training is particularly important since, despite all protective measures for hardware and
software, malware may be activated inadvertently by the actions of a user.
+ Requirements for protection against malware are determined.
+ Technical and organizational measures for protection against malware are defined and implemented.

+ User accounts are not provided with administrative rights (see Control 9.3).
+ Malware protection software is installed and updated automatically at regular intervals (e.g. virus scanner). + Received
data and programs are automatically inspected for malware prior to their execution (on-access scan).
+ The entire data contents of all systems is regularly inspected for malware.
+ Data transferred by central gateways (e.g. e-mail, internet, third party networks) are automatically inspected by means of
a protection software (including encrypted connections).
+ Measures to prevent protection software from being deactivated or altered by users are defined and implemented.
+ Employee awareness is raised in reaction to events.
This may include:

+ Systems with a high level of self-protection (e.g. specific hardening, few services, no active users) can be operated
without a virus scanner.

None.

None.
12.4 To what extent are backups created and regularly tested in accordance with an agreed backup policy?
Objective: The objective of a functioning backup strategy is to allow recovery of the functionality or availability of information within the
required time in case of a system failure or another type of data loss (e.g. ransomware). For this purpose, data backups
shall be created in compliance with a corresponding policy and tested regularly.

Seite 18 von 44
#
+ Backup requirements are determined and include: the systems to be secured, associated backup intervals and the
storage and transport of backup media.
+ Adequate protective measures, e.g. by means of encryption, taken during storage.
+ Backup media are stored in separate locations (different fire protection zones).
+ A backup concept is created and implemented.
+ An adequate backup verification is carried out.

None.
This may include:

None.

None.

+ In case of information of very high protection needs, suitable measures (e.g. encryption) shall be taken to ensure that
access is only possible for the authorized group.
12.5 To what extent are event logs (which may contain e.g. user activities, exceptions, errors and security events)
created, stored, reviewed and protected against modification?
Objective: Event logs support the traceability of events in case of a security incident. This requires that events which are necessary for
determining the causes are recorded and stored while being protected against modification.
+ Information security requirements regarding the handling of event logs are determined and implemented.
+ Where externally operated services (e.g. cloud services) are used, information on event-logging options are obtained.
- e.g. attack detection and report options (incident response)
+ Legal requirements such as storage durations and protection of personal rights are observed.
+ Rules and procedures for fulfilling the determined requirements are defined and implemented.

+ Event logs are protected against modification during storage.
This may include:

None.

+ Information security requirements relevant to the security during the handling of event logs, e.g. contractual requirements,
are determined and implemented.

None.
12.6 To what extent are the activities of system administrators and system operators logged, the logs protected against
modification and regularly reviewed?
Objective: System administrators and operators can use their comprehensive access rights to modify IT systems significantly. Logging
and analyzing activities in accordance with applicable legislation (such as Data Protection and Works Constitution Act) are
required to enable determining who has made changes to IT systems in case of information security events.
+ Security-relevant requirements regarding the logging of activities of system administrators and operators are determined
and implemented.
+ The IT systems used are assessed regarding the necessity of logging.
+ Where externally operated services (e.g. cloud services) are managed, information on event-logging options are obtained
and taken into account in the assessment.
- e.g. audit logs for configuration changes and use of/access to e-discovery functions or backup.
+ Procedures for handling violations of regulations are defined.
+ Logs are regularly reviewed for violation of rules in accordance with permissible legal and operational provisions.
+ The type of logging with respect to time, activity level and storage durations is defined and implemented.

+ A process to report violations to the authorized body (e.g. CERT) is established.
+ The log files are protected against alterations (e.g. by means of a dedicated environment).
This may include:

None.

+ Cases of access to external services during connection and disconnection (e.g. remote maintenance) are logged.

+ Logging of all cases of access
- as far as technically feasible
- to data of very high protection needs.
12.7 To what extent is information regarding technical vulnerabilities of IT systems acquired at an early stage, evaluated
and are appropriate measures taken (e.g. patch management)?
Objective: Known vulnerabilities increase the risk that IT systems can no longer fulfil the requirements regarding confidentiality,
availability and integrity if they allow attackers to access the IT system or compromise the stability of the system.

Seite 19 von 44
#
+ Information on technical vulnerabilities of the used assets are collected and assessed.
+ Potentially affected systems and software (assets) are identified (e.g. manufacturer, version, installation site).
+ An adequate patch management is defined and implemented
(e.g. patch testing and installation). + Where required, risk mitigating measures should be implemented. This includes e.g.:
- separation of affected systems
- shut-down of the affected service
- adjustment of access options, e.g. firewalls
- adjustment of monitoring
-increasing user awareness
This may include:

None.

None.

None.
12.8 To what extent are audit requirements and activities for reviewing IT systems planned, coordinated, aligned and
are those IT systems subsequently subjected to technical review (system audit)?
(Reference to ISO 27001: Control A.12.7.1, A.18.2.3)
Objective: During audits (particularly technical audits), problems with the stability of the IT systems under review may occur. Audit
activities involving a review of IT systems should be planned and agreed in order to avoid disturbances of the affected
processes.
+ Requirements for auditing IT systems are determined.
+ The scope of the audit is specified in a timely manner.
+ System audits are coordinated with the operator and users of IT systems.
+ The results of system audits are stored in a traceable manner and reported to the relevant management.
+ Measures are derived from the results.
+ The derived measures are traced under the ISMS.

+ System audits are carried out by trained experts.
+ For deviations, measures to be taken within an adequate period of time shall be defined and coordinated.
+ The audit report shall have been prepared and coordinated within an adequate period of time.
This may include:

None.

None.

None.
12.9 To what extent have effects due to critical functions of cloud services been taken into account?
Objective: Many cloud services provide functions which may lead to major changes to services in operative use. These functions may
jeopardize the confidentiality of information, be irreversible or reversible only with significant effort which then may impair
availability or integrity. These functions are often provided to administrative users via an easy-to-use automated
configuration interface. When an administrative user is executed, such activities are carried out without further human
supervision.
It shall be ensured that such functions can neither inadvertently nor by a wilful administrator be used without particular effort
to cause harm impairing confidentiality, availability or integrity.
+ Critical functions of all relevant services are identified and assessed.

+ Critical administrative functions of all relevant IT services are documented including their associated risk. Here, among
others, the following aspects (where applicable) have been considered:
- installation, modification or deletion of virtual resources (e.g. virtual servers, virtual networks and virtual storage)
- termination of services (cancellation)
- authorization of more users
- release and publication functions
- backup and recovery functions
+ The options to counteract by means of configuration and allocation of rights are known and documented.
+ The resulting risks are minimized by means of configuration and allocation of rights.
- As far as reasonable, critical non-administrative functions have been restricted.
+ An emergency concept describing the handling of harm scenarios exists and has been tested.
This may include:

+ Application of the several-eyes principle for critical functions.
+ Contractually agreed restriction of functionality by the provider (e.g. by means of suitable framework contracts).

None.

None.
13 Communications Security

Seite 20 von 44
#
13.1 To what extent are networks managed and controlled to protect information in IT systems and applications?
Objective: The protection of information in networks, IT systems and IT applications shall be ensured. For this purpose, measures
ensuring protection against unauthorized access shall be implemented. This includes taking suitable control measures
supported by means of monitoring the networks, IT systems and IT applications.
+ Procedures for the management and control of networks are defined.

+ Requirements for control and management of networks are determined and implemented. This includes e.g.:
- restrictions for connection of IT systems to the network
- special protective measures in case of network connections via potentially unsecured networks (e.g. encryption)
- adequate monitoring and recording of activities on a network that are relevant to information security
- use of auxiliary means such as firewall systems, intrusion detection and prevention systems (IDS/IPS), network
management tools, security software for networks
- When using externally operated network services that are accessible via the internet (cloud services), the resulting
increased risk is assessed and addressed in the applications.
This may include:

None.

+ Extended requirements for the control and management of networks are determined and implemented.
This includes e.g.:
- authentication of IT systems within the network

None.
13.2 To what extent are requirements for security mechanisms and service levels and also management requirements
for network services identified and documented in service level agreements?
Objective: Security mechanisms, quality of service provision and requirements for the management of all network services shall be
determined and incorporated into agreements (Service Level Agreements, SLAs) for both internal and external networks.
+ Requirements regarding the information security of network services are determined and implemented.

+ Procedures for securing and using network services are defined and implemented.
+ SLAs are defined and implemented for internally and externally operated network services.
+ Adequate redundancy solutions are implemented.
This may include:

None.

+ Procedures for monitoring the network (e.g. traffic flow analyses, availability measurements) are defined and carried out.

+ Out-of-band management is applied.
13.3 To what extent are groups of information services, users and information systems segmented on networks?
Objective: IT systems on the network usually have different protection needs. Thus, IT systems directly connected to the internet are
generally exposed to different dangers than IT systems on the office net. In order to detect and prevent undesired data
exchange between IT systems of different protection needs, corresponding groups shall be formed on the network and then
segregated from other groups.
+ Requirements regarding network segmentation are determined.
- Where cloud services are used, the possibilities of (virtual) networks are considered

+ Rules and procedures for network segmentation are defined and implemented.
This may include:

None.

None.

None.
13.4 To what extent is information protected during exchange or transfer?

Objective: During exchange and transfer of information, the information security requirements shall be observed. For this purpose, it
shall be defined which services within the organization may be used for which type of data and which protective measures
are to be taken when using those services.

Seite 21 von 44
#
+ The services (e.g. E-mail, EDI, voice over IP) used for transfer are identified.
+ Rules and procedures in accordance with the classification requirements for the use of services are defined and
implemented.
+ Measures for the protection of transferred contents against unauthorized access are implemented.

+ Measures for ensuring correct addressing and correct transport of the message are implemented.
+ A process for approving the use of external services (e.g. instant messaging, web meeting, webmail) is established.
+ Electronic data exchange is carried out according to the classification by means of content encryption and/or via
encrypted transmission paths (e.g. VPN, encrypted connections (HTTPS, SFTP, TLS)).
This may include:

+ Digital signatures are used in accordance with legal provisions.

+ E-mails are transmitted by means of transport encryption (e.g. TLS).
+ A suitable encryption is in use during data transfers to externally hosted IT systems (see Controls 10.1, 15.1).

+ E-mails are transmitted by means of end-to-end encryption (e.g. PGP, S/MIME, ZIP encryption).
13.5 To what extent are non-disclosure agreements applied prior to an information exchange and are the requirements
or needs for the protection of information documented and regularly reviewed?
Objective: Even where sensitive information is passed on outside the organization, it shall be ensured that external organizations are
obliged to meet the information security requirements and to implement the required measures.
Non-disclosure agreements provide the necessary legal basis for this obligation. Therefore, it shall be ensured that
sensitive information is only passed on if a corresponding non-disclosure agreement has been entered and is legally
effective.
+ All service providers and employees working with sensitive information have entered valid non-disclosure agreements.
+ Rules and procedures for applying non-disclosure agreements are defined and made known to all persons passing on
sensitive information.
+ The requirements, rules and procedures for applying non-disclosure agreements are reviewed regularly.

+ Non-disclosure agreement templates are available and checked for legal applicability.
+ The templates include clear indications regarding:
- the involved persons/companies
- the type of information covered by the agreement
- the subject of the agreement
- the duration of validity of the agreement (temporary or permanent)
- the responsibilities of the obligated party
+ The templates contain specifications of the rights of use for information beyond the contractual relationship.
+ Options of proving compliance with specifications (e.g. review by an independent third party or audit rights) are defined.
+ A process for monitoring the duration of validity of temporary agreements and initiating an extension in due time is defined
and implemented.
This may include:

None.

None.

None.
14 System acquisition, development and maintenance

14.1 To what extent are security specific requirements taken into account for new IT systems (including publicly
accessible systems) and for extensions to existing IT systems?
Objective: Information security shall be an integral part of the entire lifecycle of IT systems. This includes in particular that information
security requirements are taken into account in the development, acquisition and maintenance of IT systems.
+ The information security requirements associated with the acquisition or extension of IT systems are determined.

+ Requirement specifications are reviewed with respect to information security policies.
+ The IT system is reviewed for compliance with specifications prior to productive use.
This may include:

None.

None.

None.
14.2 To what extent are security-relevant aspects considered in the software development process (incl. change
management)?
(Reference to ISO 27001: Control A.14.2.1 - A.14.2.9)

Seite 22 von 44
#
Objective: Information security requirements shall be taken into account in the development process of software and IT systems within
an organization. They shall be incorporated as requirements and milestones into the respective process model.
None.

+ A policy for the development of software and IT systems is created and includes at least the following aspects:
- information security requirements regarding the development environment
- information security requirements during the software development lifecycle
- information security requirements during the design phase
- information security review points related to project milestones
- information security during version control and repositories
- knowledge about information security of application systems
- requirements for developers regarding the creation of systems/applications under consideration of information security
aspects (avoidance, detection and elimination of vulnerabilities)
+ Information security requirements are taken into account in change management.
+ Defined engineering principles for secure system development are defined and implemented.
+ Secure development processes are also defined for cases where systems are created by third parties.
+ System approval tests are carried out under consideration of the information security requirements.
This may include:

None.

None.

None.
14.3 To what extent are test data created, protected and used in a careful and controlled manner?
Objective: Test data are often required for testing purposes in the course of software development or change management. Testing is
conducted in test environments the access to which is often controlled less strictly and frequently allocated to persons (e.g.
service providers or developers) who do not need access to productive data. It shall be ensured that the test environment
does not give rise to enhanced risk of loss or disclosure of productive data.
None.

+ The use of productive data for testing purposes is avoided as far as possible.
+ Where productive data are used for testing purposes, the following shall be ensured:
- Anonymization or pseudonymization of productive data is carried out in accordance with legal provisions
- Identical access controls are applied both for the test system and for the productive system
+ Case-specific requirements for the generation of test data are defined.
This may include:

None.

+ Copying of information from the productive environment shall require prior approval by means of a defined process.
+ Immediately after completion of testing, operation-relevant information is removed from the test system.
+ The process of copying and the use of the organization-relevant information as test data are recorded for later review
(audit trail).

None.
14.4 To what extent is it ensured that only evaluated and approved external IT services (particularly cloud services) are
used for processing company data?
(Reference to ISO 27017: CLD.14.1.1)
Objective: Particularly cloud services the use of which is often related to relatively little or no cost, present an enhanced risk that
established acquisition processes are bypassed hence also leading to acquisition and commissioning without adequate
compliance with technical and contractual information security requirements. Security cannot be ensured in cases where
external IT services are used without considering security requirements.
Therefore, it shall be ensured that external IT services will not be commissioned unless the intended processes are
completed and thus the information security processes and provisions are met prior to commissioning.

Seite 23 von 44
#
+ All persons having access to sensitive information are aware that the use of external IT services is not permitted without
explicit assessment and implementation of the information security requirements.
- This also includes external IT services which can be used free of charge.

+ Requirements for the acquisition, commissioning and approval of using external IT services are established.
+ The commissioning and use of external IT services is regulated by instructions binding to all employees.
+ All employees are made aware of this in regular trainings.
- e.g. during information security trainings held at regular intervals.
+ Observation of the instruction is verified regularly.
+ The approved IT services and their acceptable use have been cataloged.
This may include:

+ Framework contracts with essential cloud service providers are entered allowing the use only in suitable and assessed
configurations and informing the responsible persons within the organization.
+ Catalogs of authorized IT services are provided to the respective specialized departments.

+ Internal audits are held regularly in order to verify that no unauthorized IT services are used.

None.
15 Supplier Relationships
15.1 To what extent are information security requirements contractually agreed with suppliers to mitigate risks when
suppliers have access to corporate assets (particularly information and communication services and in case such
assets are used by subcontractors)?
Objective: In collaboration with external companies (e.g. subcontractors), the requirements regarding the protection needs of
transferred information shall be considered.
Therefore, relevant risks and requirements regarding information security shall be addressed in the contracts.
+ External companies/third parties (e.g. subcontractors) shall be subjected to an information security assessment.
+ Contractual agreements with external companies regarding measures for protecting information (e.g. non-disclosure
agreements) are entered.
+ Requirements for other subcontractors of the supplier are taken into account in procurement.

None.
This may include:

+ Information security certification (e.g. ISO/IEC 27001, NIST).

+ A risk assessment is conducted for each commissioning of an external company and additional information security
measures are defined.
+ The supplier provides proof of information security (e.g. certificate, attestation).
+ Where a commissioned supplier is also granted access to customer information, contractual obligations shall be
observed. This can include:
- explicit approval of the passing-on, processing and storage of information by the customer
- measures for procurement control with respect to personally identifiable data (processing ordered by the customer,
handling by subcontractors, deletion/disabling etc.)
- the requirements for the protection of data during transfer, processing and storage (e.g. encryption)
- provisions for the reaction to information security events are known to the external companies/third parties
+ In case of externally operated IT infrastructure (e.g. networks, server) and/or cloud solutions, it is ensured that:
- external administrators do not have access to data content
- the requirements for encryption according to Control 10.1 are met

None.
15.2 To what extent are the services performed by a supplier or subcontractor monitored, reviewed and audited on a
regular basis?
Objective: The provision of services by service providers shall be monitored regularly by an organization. By means of monitoring and
verifying the provided services, it shall be ensured that the conditions of an agreement regarding information security are
fulfilled.
+ Compliance with contractual agreements is monitored and verified.

+ A process for monitoring and verifying service providers is defined and established.
+ Third party service reports and documents are monitored and verified.
This may include:

None.

+ Information security or compliance with security policies among business partners is adequately ensured by means of
suitable verifications (e.g. auditing).

None.

Seite 24 von 44
#
16 Information Security Incident Management
16.1 To what extent are responsibilities, procedures, reporting channels and criticality levels established to ensure an
effective response to information security incidents or vulnerabilities?
Objective: Detection of and defense against security events generally require an effective and consistent approach. For this purpose,
the responsibilities and procedures for handling information security events shall be specified in order to ensure a prompt
reaction to those events. Suitable reporting channels and awareness of all employees are essential elements of these
procedures.
+ A policy for reporting information security events or vulnerabilities is created including at least the following requirements:
- Reaction to information security events according to defined levels of criticality
- report form
- reporting channel
- processing organization
- specifications for feedback procedure
- indication of technical and organizational measures (such as disciplinary measures)

None.
This may include:

None.

+ Requirements resulting from business relations (e.g. obligations of reporting to customers) are determined and
implemented.

None.
16.2 To what extend is the handling of information security events performed?

Objective: Information security events shall be assessed. There shall be an adequate reaction to information security events based on
defined procedures. In the aftermath of information security events, findings shall be used to reduce the probability of future
events occurring.
+ Procedures for ensuring traceability in case of information security events/vulnerabilities are established and documented.
+ Information security events/vulnerabilities are assessed and documented in order to ensure traceability.
+ An adequate reaction to information security events/vulnerabilities is given.

+ Information security events/vulnerabilities (problem management) are analyzed.
+ Measures to prevent further occurrence of similar information security events are defined and implemented.
This may include:

None.

None.

None.
17 Information Security Aspects of Business Continuity Management

17.1 To what extent are information security requirements (including redundancy of corresponding facilities) and the
continuity of the ISMS in the event of a crisis defined, implemented, verified and evaluated?
(Reference to ISO 27001: Control A.17.1.1 - A.17.1.3 and A.17.2.1)
Objective: In events of crisis, information security is particularly at risk. Therefore, it shall be ensured that even in those cases the
defined ISMS measures continue to provide effective protection or previously defined supplementary measures are taken.
+ Potentially affected IT systems and software are identified.
+ For events of crisis, methods, processes and procedures relevant to information security are taken into account.

+ Taking information security into account in the BCM or the disaster recovery process, where available.
+ Information security measures for events of crisis are tested regularly.
This may include:

+ The persons responsible for information security (see Control 6.1) are part of the crisis management team.
+ The redundancy in the field of IT facilities and IT systems (availability aspects) is ensured.

None.

None.
18 Compliance
18.1 To what extent is compliance to relevant legal (country-specific) regulations and contractual requirements ensured
(e.g. protection of intellectual property rights, use of encryption technology and protection of records)?

Seite 25 von 44
#
(Reference to ISO 27001: Control A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.5)
Objective: An essential aspect of compliance is the observation of legal, regulatory, contractual and business-related requirements and
specifications. An organization shall know and meet the requirements and specifications of relevance to it. This also
includes consideration of intellectual property rights. Additionally, requirements for records regarding their protection against
loss, destruction, forgery, unauthorized access and unauthorized disclosure shall be met. Also, cryptographic measures
shall be implemented while observing the relevant agreements, legislation and provisions.
+ Legal, regulatory and contractual requirements and specifications of relevance to information security, such as e.g. in
relation to copyright, are determined regularly.
+ Regulations regarding the compliance with legal, regulatory and contractual requirements are defined, implemented and
communicated to the entrusted persons.

+ Measures for fulfilling the requirements regarding intellectual property rights and the use of software products protected
by copyright (acquisition and license management) are defined and implemented.
+ Staff awareness measures with respect to compliance topics associated with information security are carried out regularly.
+ The integrity of records in accordance with legal, regulatory and contractual obligations and business requirements as well
as classification (access protection, storage) is taken into account.
This may include:

None.

None.

None.
18.2 To what extent is confidentiality and the protection of personally identifiable information ensured (according to
national legislation)?
Note: In case of commissioned data processing according to Art. 28 DSGVO, the module “Data protection (24)”
must be included and evaluated.
Objective: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and
regulations, where applicable. For this purpose, processes and procedures ensuring adequate protection of personally
identifiable information shall be implemented.
+ Legal and contractual requirements regarding the procedures and processes in the processing of personally identifiable
information are determined.
+ Information assets are classified according to personally identifiable information.
+ Regulations regarding the compliance with legal and contractual requirements for the protection of personally identifiable
information are defined and communicated to the entrusted persons.
+ Processes and procedures for the protection of personally identifiable information are implemented.

None.
This may include:

None.

None.

None.
18.3 To what extent is the ISMS reviewed by an independent third party at regular intervals or in case of significant
changes?
Objective: Assessing the effectiveness of the ISMS only from an internal point of view is not sufficient to serve as an essential control
tool. Instead, an independent and therefore objective assessment shall be obtained at regular intervals and in case of
significant changes.
+ Information security reviews are carried out by an independent and competent body at regular intervals and in case of
significant changes.
+ Measures for correcting potential deviations are initiated and pursued.

+ The results of the conducted reviews are recorded and retained.
+ The results of the conducted reviews are reported to the management of the organization.
This may include:

None.

None.

None.
18.4 To what extent is the compliance of procedures and processes with policies, regulations and other relevant
information security standards ensured?
(Reference to ISO 27001: Control A.18.2.2, A.18.2.3)

Seite 26 von 44
#
Objective: The effectiveness of policies, regulations and relevant information security standards shall be continuously ensured. For this
purpose, compliance with the applicable security policies and standards shall be verified at regular intervals. This also
includes verification of compliance with technical specifications of the information security policies. The results of the
conducted reviews shall be recorded and the records shall be retained.
+ Compliance with policies, regulations and information security standards is monitored.
+ Information security regulations and procedures are reviewed throughout the organization at regular intervals.
+ Measures for correcting potential non-conformities (deviations) are initiated and pursued.

+ The results of the conducted reviews are recorded and retained.
+ A plan for content and framework conditions (time schedule, extent, controls) of the reviews to be conducted is provided.
This may include:

None.

None.

None.

Seite 27 von 44
#
Additional requirements for connection to third parties
based on ISO 27002:2013
Firma: 0
Ort: 0
Datum: 12/30/1899
Maturity
level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5;
n.a.
23 Additional requirements for connection to third parties

23.7 Human Resources Security
23.7.2 To what extent is staff (internal and external) made aware of and trained about the risks associated with the
handling and processing of information?
Objective: Information security must be a natural and integral part of the work environment and adopted in the daily work of all
employees. By means of information security training, employees must gain the necessary knowledge and competence for
security-conscious behaviour. They must be particularly aware of what is expected of them with respect to information
security and how to respond to security-critical situations.
+ Employees having access to customer networks have received the necessary training and awareness for handling the
associated security risks.

None.
This may include:

None.

None.

None.
23.9 Access Control

23.9.2 To what extent are procedures for user registration, change and de-registration implemented with the associated
access rights and is particularly the authentication information handled confidentially?
Objective: The identity of the user of an IT system or an IT application shall be clearly verifiable in order to enable the unambiguous
tracing of actions to the user. In order to ensure this, authentication (registration) procedures and mechanisms of IT
systems or IT applications shall be designed such that users are clearly identified and authenticated.
+ User-related access to customer systems shall not be used by multiple users.
+ Changes to the employment contract or the authority of an employee shall be reported to the system operator
immediately or user access shall be adapted accordingly.

None.
This may include:

None.

None.

None.
23.11.1 To what extent are secure areas for the protection of sensitive or critical information and information processing
facilities defined, protected and monitored (entrance control)?
Objective: Processing of sensitive information (assets) outside the area affected by the measures intended for the target information
security level shall be prevented. Since it is generally not possible to implement corresponding measures for all areas of the
location, a zone concept is applied defining in which areas which type of information may be processed.

Seite 28 von 44
Connection to 3rd parties (23)
#
None.

None.
This may include:

None.

+ Separate zones are established for the respective projects.
+ Work place computers (e.g. PCs, CAD work stations) should be installed in locked rooms.
+ Rooms accommodating servers should be alarm-monitored.
+ Protective measures against simple overhearing and viewing shall be implemented.
+ Access restriction to authorized persons (e.g. access system, own locking system).
+ Creating of print-outs only within the respective zone or by personally printing (e.g. print-to-me with PIN).
+ Destruction of files within those zones (e.g. by using shredders) or verifiably secure transport to the destruction site.
+ Where rooms have several users (e.g. server rooms), direct access to systems by external persons shall be prevented
(e.g. by means of locked racks).
+ Physically securing the property or project rooms (e.g. locking system).

+ Physically securing the property or project rooms outside the hours of operation (e.g. fence security system/video
surveillance with alarm activation function, not recording only, intrusion detection system with motion sensors, glass
breakage detectors, cameras and image recognition).
+ Immediate response to alarm messages according to alarm plan.
+ Permanent surveillance of escape doors.
23.13 Communications Security
23.13.3 To what extent are groups of information services, users and information systems segmented on networks?
Objective: IT systems on the network have different protection needs. Thus, IT systems directly connected to the internet are generally
exposed to different dangers than IT systems on the office net. In order to detect and prevent undesired data exchange
between IT systems of different protection needs, corresponding groups shall be formed on the network and then
segregated from other groups.
+ Requirements regarding network segmentation are defined.
+ Rules and procedures for network segmentation are defined and implemented.

None.
This may include:

None.

+ Physical and/or logical separation of supply network and customer network.
+ No access to the project office from outside except where explicitly permitted by a corresponding customer regulation.

None.

Seite 29 von 44
Connection to 3rd parties (23)
#
Information Security Assessment - Additional questions regarding
data protection for determining a service provider’s basic suitability
to act as a processor in the sense of Article 28 of the EU General Data Protection Regulation
Company: 0
Location: 0
Date: 12/30/1899
fulfilled
[yes/no]
24 Data protection
24.1 To what extent is the implementation of data protection organized?
References
+ Appointment of a data protection officer where legally required, otherwise appointment of a person responsible for data
protection
+ Organizational implementation of data protection
- Integration of the data protection officer into the corporate structure
- Voluntary or obligatory appointment of a data protection officer
- Full-time or part-time data protection officer
- Internal or external data protection officer
- Support of the data protection officer by directly assigned employees (department “Data protection”) depending on the
company size
- Support of the data protection officer by data protection coordinators in the company departments depending on the size
of the company (e.g. Marketing, Sales, Human resources, Logistics, Development, etc.)
24.2 To what extent are organizational measures taken in order to ensure that personally identifiable data is processed
in conformance with legislation?
References
+ Specification of data protection principles (processing of personally identifiable data) in a documented company-internal
data protection policy (e.g. company-internal guideline).
+ Implementation of company-internal steering committees or responsibilities - in collaboration with the data protection
officer - addressing topics relevant to data protection.
+ Implementation of a process which ensures the involvement of the data protection officer in any topics relevant to data
protection (e.g. in the context of a data protection impact assessment).
+ Documentation of work processes when processing personally identifiable data.
+ Documentation of statements and comments of the data protection officer regarding data protection law assessments.
+ Implementation of a process by means of which - in case a subcontracting processor is commissioned - the processor is
contractually or otherwise legally obliged to comply with the same data protection requirements as specified by contract
between the controller and the processor.
+ Company-internal work instructions or manuals in specific task fields concerning the processing of personally identifiable
data.
+ Employees’ (and, if applicable, subcontractors’) confidentiality obligation.
+ Implementation of technical and organizational measures for supporting the controller in handling data subject rights as
far as feasible and appropriate for processing.
+ Implementation of reporting processes for immediately informing the customer, under consideration of any subcontractors,
so the legal reporting deadlines for data protection incidents can be observed.
+ Documentation of subcontracting relationships including contractual regulations with relevant subcontractors, where any
right to inspect the contractual regulation is in any case limited to the subcontractor’s obligations concerning data protection.
+ Implementation of a process for documenting data protection provisions.

+ Capability of implementing data clearing concepts.
+ Implementation of a procedure for regular checking, assessment and evaluation of TOMs.
24.3 To what extent is it ensured that the internal processes or workflows are carried out according to the currently
valid data protection regulations and that these are regularly subjected to a quality check?
References
+ Demonstration of regular checks and optimizations of the data protection management system (e.g. certification).
+ Measures for maintaining confidentiality and integrity when transferring personally identifiable data.
+ Adequate protection mechanisms for reducing unauthorized access to personally identifiable data.
+ Obligatory training of employees entrusted with the processing of personally identifiable data of the customer (e.g.
classroom training, WBT).
+ Ensuring implementation of contracts and provisions of the customer.
24.4 To what extent are the relevant processing procedures documented with regard to their admissibility according to
data protection law?
References
+ Documentation of essential tasks regarding the processing of personally identifiable data in compliance with legal
requirements.
+ Supporting customers in conducting data protection impact assessments and documenting the results thereof.
+ Informing the customer when detecting unlawful data processing, where applicable, under consideration of different
national legislations.

Seite 30 von 44
Data protection (24)
#
Additional Prototype Protection Requirements
Company: 0
Location: 0
Date: 12/30/1899
Reifegrad
Level 0-5; In case a question does not apply, please insert n.a. (not applicable).
na
25 Prototype Protection
Prototype Protection includes vehicles, components and parts which are classified as requiring protection that have not yet
been presented to the public and/or published in a suitable form by the OEM.
The contracting department of the OEM is responsible for classifying the protection need of vehicles, components and
parts. The minimum requirements for Prototype Protection for the protection classes High and Very high shall be applied
according to VDA ISA.
The requirements described in Control 25.1 apply to all companies which, on their own properties, manufacture, store or are
provided for use vehicles, components or parts classified as requiring protection.
25.1.1 To what extent is a security concept available describing minimum requirements regarding the physical and
environmental security for Prototype Protection?
(PT module; no reference to ISO 27001)
Objective: The required measures for Prototype Protection must be applied to and implemented on properties and facilities of
suppliers, development partners and service providers. A security concept must be established by the respective operator.
Implementation and observation of the physical and environmental security measures defined in the security concept must
be ensured by the responsible operator.
+ A security concept under consideration of the following aspects is established:
- Stability of outer skin.
- View and sight protection.
- Protection against unauthorized access and access control.
- Intrusion monitoring.
- Visitor management.
- Client separation.

+ Perimeter security.
This may include:

None.
25.1.2 To what extent is perimeter security existent preventing unauthorized access to protected property objects?
Objective: Unauthorized access to properties where vehicles, components or parts classified as requiring protection are manufactured,
processed or stored must be prevented.
+ Unauthorized access to properties is not possible.

+ Artificial barriers (fence systems, walls).
+ Technical barriers (detection).
This may include:

+ Natural barriers (growth, vegetation).
25.1.3 To what extent is the outer skin of the protected buildings constructed such as to prevent removal or opening of
outer-skin components using commercially available tools?
Objective: Unauthorized access to buildings/security areas where vehicles, components or parts classified as requiring protection are
manufactured, processed or stored must be prevented.
+ Unauthorized access to buildings/security areas is not possible.

+ Solid construction (stone, concrete, steel/other metal).
+ Windows and doors in the outer skin are to be built in accordance with RC2 or higher.
This may include:

None.
25.1.4 To what extent is a view and sight protection of defined security areas ensured?

Seite 31 von 44
Prototype protection (25)
#
Company: 0
Location: 0
Date: 12/30/1899
Reifegrad
na
Objective: It must be ensured that unauthorized viewing of vehicles, components or parts classified as requiring protection is
Requirements: prevented.
This must include:
+ Unauthorized viewing of vehicles, components or parts classified as requiring protection is not possible.

+ Sight protection through relevant glass surfaces is ensured.
+ View into defined security areas through open doors/gates/windows is prevented.
This may include:

None.
Additionally in case of vehicles classified as requiring protection:

+ The spatial situation is also suitable for preventing unauthorized viewing of vehicles classified as requiring protection.
25.1.5 To what extent is the protection against unauthorized access regulated by means of access control?
Objective: It must be ensured that all entrances to security areas, where vehicles, components or parts classified as requiring
protection are manufactured, processed or stored, are protected against unauthorized access by adequate measures.
+ At least one of the following three requirements must be implemented:
- mechanical lock systems with documented key handover.
- electronic access control systems with documented assignment of access rights.
- personal access control with documentation.

None.
This may include:

None.

+ The spatial situation is also suitable for preventing unauthorized access to vehicles classified as requiring protection.
25.1.6 To what extent are the premises to be secured monitored for intrusion?
Objective: It must be ensured that premises where vehicles, components or parts classified as requiring protection are manufactured,
processed or stored are monitored for intrusion. The timely alarm processing is ensured.
+ Intrusion monitoring of the premises to be secured is ensured:
- an intrusion alarm system exists complying with DIN EN 50131 or conforming to VDS or similar and functioning with alarm
tracking to a certified security service or control center (e.g. according to DIN 77200, VdS 3138).
- or 24/7 guarding by a certified security service.
+ Alarm reaction plans are available.
+ Timely alarm processing is ensured.

None.
This may include:

None.
25.1.7 To what extent is a documented visitor management in place?

Objective: Protection against unauthorized access to security areas where vehicles, components or parts classified as requiring
protection are manufactured, processed or stored, including traceable documentation.
+ Compulsory registration for all visitors.
+ Documented non-disclosure obligation prior to access.
+ Publication of security and visitor regulations.
+ National legislation regarding data protection must be observed.

None.
This may include:

None.
25.1.8 To what extent is on-site client separation existent?

Seite 32 von 44
#
Company: 0
Location: 0
Date: 12/30/1899
Reifegrad
na
Objective: In order to ensure protection of the client-specific know-how at all times, a clear separation of clients must be guaranteed.
This particularly involves protection against unauthorized viewing and access to areas where vehicles, components or parts
classified as requiring protection are processed or stored.
+ Spatial separation by personal or technical measures is in effect according to the following aspects:
- clients and/or
- projects
- where separation is not in effect, explicit approval by the client is required.

None.
This may include:

None.

+ The spatial situation is also suitable for separating clients, when vehicles classified as requiring protection are processed
or stored.
25.2 Organizational Requirements
The requirements described in Control 25.2 apply to all companies which manufacture or are provided for use vehicles,
components or parts classified as requiring protection.
25.2.1 To what extent are non-disclosure agreements/obligations existent according to the valid contractual law?
Objective: When transmitting information classified as requiring protection, it must be ensured that external organizations are obliged
to meet the information security requirements and to implement the required measures. The necessary legal basis for this
obligation is provided by non-disclosure agreements. Hence, it must be ensured that information classified as requiring
protection is transmitted only if such a non-disclosure agreement has been entered and is legally effective.
+ A non-disclosure agreement:
- between contractor and client (on a company level)
- by all employees and project members (personal obligation)
+ National legislation regarding data protection must be observed.

None.
This may include:

None.
25.2.2 To what extent are requirements for commissioning subcontractors known and fulfilled?
Objective: When involving subcontractors, the minimum requirements for Prototype Protection must be met.
+ Approval by the initial client.
+ Non-disclosure agreement is effective according to the valid contractual law.
- between contractor and client (on company level)
- by all employees and project members (personal obligation)
+ Compliance with the security regulations by the initial client is ensured (proof is obtained).
+ Proof of the subcontractor’s compliance with the Minimum Requirements for Prototype Protection (e.g. certificate,
attestation) is provided.

None.
This may include:

None.
25.2.3 To what extent are the employees and project members evidently trained for and made aware of risks associated
with the handling of prototypes?
Objective: In trainings/awareness seminars on the subject of prototype protection, employees shall obtain the necessary knowledge
and skills for a security-conscious handling of vehicles, components or parts classified as requiring protection.

Seite 33 von 44
#
Company: 0
Location: 0
Date: 12/30/1899
Reifegrad
na

+ Ensuring that trainings/awareness programs are conducted by the management.
+ Training of employees and project members in the handling of prototypes when entering the project.
+ Regular (at least annual) training of employees in the handling of prototypes.
+ Ensuring the knowledge among employees and project members regarding the respective protection needs and the
resulting company-internal measures.
+ Compulsory participation in the trainings and awareness measures for each employee and project member.
+ Execution must be documented.
+ The training concept regarding Prototype Protection is an integral part of the general training concept (see also Control
7.2 Information Security)

None.
This may include:

None.
25.2.4 To what extent are security classifications of the project and the resulting protective measures known?
Objective: It must be ensured that the security classification and requirements in relation to the project progress are known to and
observed by each project member.
+ Ensuring that the security classification and requirements in relation to the project progress are known to each project
member.
+ Consideration of step-by-step plans, measures for secrecy and camouflage, development guidelines.
+ The requirements are considered as a project-related Information Security Requirement (see Controls 6.2 and 18.1
Information Security).

None.
This may include:

None.
25.2.5 To what extent is a process defined for granting access to defined security areas?
Objective: A process is defined for the protection against unauthorized access to security areas where vehicles, components or parts
classified as requiring protection are manufactured, processed or stored.
+ Responsibilities for granting access are clearly specified and documented.
+ A process for new allocations, changes and withdrawals of access rights is in place.
+ Code of conduct in case of the loss/theft of access control means.

None.
This may include:

None.
25.2.6 To what extent are regulations for image recording and handling of created image material existent?
Objective: Regulations for recording images of vehicles, components or parts classified as requiring protection must be defined in
order to prevent unauthorized creation or transmission of such image material.
+ Approval procedures for image recording.
+ Regulation for classification/categorization of image material.
+ Secure storage of image material.
+ Secure deletion/disposal of unrequired image material.
+ Secured passing-on/transfer of image material to authorized recipients only.

None.
This may include:

None.
25.2.7 To what extent is a process for carrying along and using mobile video and photography devices in(to) defined
security areas established?

Seite 34 von 44
#
Company: 0
Location: 0
Date: 12/30/1899
Reifegrad
na
Objective: A process is defined for carrying along and using mobile video and photography devices in(to) security areas where
vehicles, components or parts classified as requiring protection are manufactured, processed or stored. Unauthorized
creation or transmission of image material must be prevented.
+ Regulation for carrying along (e.g. with / without sealing, etc.).
+ Regulation for use (e.g. phone calls, photography, etc.).

None.
This may include:

None.
25.3 Handling of vehicles, components and parts
25.3.1 To what extent are transports of vehicles, components or parts classified as requiring protection arranged
according to the client's requirements?
Objective: During transport, vehicles, components or parts classified as requiring protection must be protected against unauthorized
viewing, unauthorized image recording and access.
+ A process for obtaining client-specific requirements for the transport of vehicles, components or parts classified as
requiring protection is described and implemented.
+ The security requirements defined by the client are known and observed.
+ The logistics/transport companies explicitly approved by the client are contracted.
+ A process for reporting any security-relevant incidents to the client is described and implemented.

None.
This may include:

None.
25.3.2 To what extent is it ensured that vehicles, components or parts classified as requiring protection are parked/stored
in accordance with the client's requirements?
Objective: While being parked/stored, vehicles, components or parts classified as requiring protection must be protected against
unauthorized viewing, unauthorized photography and access.
+ The client-specific requirements for parking/storage are evidently known and observed.

None.
This may include:

None.
25.4 Requirements for test vehicles

A process for obtaining client-specific requirements for the handling of test vehicles classified as requiring protection is
described and implemented. The requirements described in this chapter are not relevant to components and parts.
When using one’s own properties, the Controls 25.1, 25.2 and 25.3 must also be verified. When not using one’s own
properties, merely the requirements of Controls 25.2 and 25.3 must be met.
25.4.1 To what extent are the predefined camouflage regulations implemented by the project members?
Objective: It must be ensured, that the camouflage regulations are known to each project member and observed in order to guarantee
adequate view protection of test vehicles.

Seite 35 von 44
#
Company: 0
Location: 0
Date: 12/30/1899
Reifegrad
na

+ The requirements for use of the respective camouflage are known to the project members.
+ Obtaining client approval for changes to the camouflage.
+ A process for reporting any damages to the camouflage is described and implemented.

None.
This may include:

None.
25.4.2 To what extent are protective measures for approved test and proving grounds observed/implemented?
Objective: In order to maintain an undisturbed and secured testing operation on test and proving grounds, the respective protective
measures defined by the client must be observed.
+ A process for obtaining client-specific requirements for the use of test vehicles classified as requiring protection on test
and proving grounds is described and implemented.
+ The following aspects must be known to users of test and proving grounds:
- A current list of client-approved test and proving grounds.
- Code of conduct for ensuring the undisturbed test operation.
- Protective measures defined by the client. These are implemented.

None.
This may include:

None.
25.4.3 To what extent are protective measures for approved test drives in public observed/implemented?
Objective: It must be ensured that the respective client's requirements for the operation of test vehicles (classified as requiring
protection) on public roads are known and observed.
+ A process for obtaining client-specific requirements for the operation of test vehicles (classified as requiring protection) on
public roads is described and implemented.
+ Protective measures defined by the customer are known and observed.
+ Code of conduct in case of special incidents (e.g. breakdown, accident, theft ...).

None.
This may include:

None.
25.5 Requirements for events and photo/film productions

Client-specific security requirements for events and photo/film shootings involving vehicles, components or parts classified
as requiring protection are known to each project member. This must be verified by each company contracted with the
planning, preparation or execution of events or photo/film shootings.
When using one’s own properties, the Controls 25.1, 25.2 and 25.3 shall also be verified. When not using one’s own
properties, merely the requirements of Controls 25.2 and 25.3 must be met.
25.5.1 To what extent are security requirements for presentations and events involving vehicles, components or parts
classified as requiring protection known?
Objective: It must be ensured that the respective client-specific security requirements for presentations and events involving vehicles,
components or parts classified as requiring protection are known.

Seite 36 von 44
#
Company: 0
Location: 0
Date: 12/30/1899
Reifegrad
na

+ A process for obtaining client-specific requirements for presentations and events involving vehicles, components or parts
classified as requiring protection is described and implemented.
+ Created security concepts agreed with and approved by the client (including organizational, technical, staff-related
protective measures).
+ Code of conduct in case of special incidents.

None.
This may include:

None.
25.5.2 To what extent are the protective measures for film and photo shootings involving vehicles, components or parts
classified as requiring protection known?
Objective: It must be ensured that the respective client-specific security requirements for film and photo shootings involving vehicles,
components or parts classified as requiring protection are known.
+ A process for obtaining client-specific requirements for film and photo shootings involving vehicles, components or parts
classified as requiring protection is described and implemented.
+ Proof of approval for the presumably used premises.
+ Created security concepts agreed with and approved by the client (including organizational, technical, staff-related
protective measures).
+ Code of conduct in case of special incidents.

None.
This may include:

None.

Seite 37 von 44
#
Control 7.2 Awareness and training of employees 9.2 User registration 12.1 Change management 12.3 Protection against malware
VDA ISA target

4 4 4 4
maturity level
Scope COVERAGE EFFECTIVENESS COVERAGE COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS
Effectiveness of
Coverage degree of Effectiveness of Coverage degree Coverage degree Coverage degree Coverage degree
ID Collective accounts Change - error rate updating Endpoint
awareness measures awareness measures review “user accounts” review “authorizations” Change Management Endpoint Security
Security
Employees with raised

Regular reviews of user
awareness represent an The contents of awareness Collective accounts should
Regular reviews of systems accounts for unnecessary A comprehensive and
important pillar for the measures should consider principally not be used or A high quality of the change A comprehensive Endpoint
for unnecessary accounts is authorizations is a consistently adhered Current virus signatures are
information security in a outcomes of information used only in exceptional management process leads Security provides a
a prerequisite for a prerequisite for a consistent change management the prerequisite for an
company. Awareness security incidents. The KPI cases since an explicit to lower error rates of the company with an essential
consistent and current user and current authorization process is the basis for effective Endpoint Security.
measures should reach all measures the effectiveness allocation of user activities performed changes and protection against malware.
Description employees, as far as of awareness measures by
basis according to the need- basis according to the need-
is impeded. The KPI
secure operation. The KPI
contributes to secure The KPI measures the ratio
The KPI measures the
to-know principle. The KPI to-know principle. The KPI measures the coverage target and the actual state
possible. The KPI measures collection (number or cost measures the number of operation. The KPI of protected systems taking
measures the coverage measures the coverage degree of changes that are of virus definitions on
the coverage degree of based) of security incidents used collection accounts in measures the error rate of approved exceptions into
degree of the measure degree of the measure compliant with the reporting deadline.
trainings such as e- with human errors as a consideration of approved changes. account.
“regular user review” “regular authorization guidelines.
learnings, classroom cause. exceptions.
review”.
trainings.
All employees are trained No information security Comprehensive protection

All systems have valid user All authorizations comply All collective accounts are Guidelines-compliant Error-free performance of All systems have up-to-date
Objective (Vision) with respect to information incidents with human error
accounts only with current needs reviewed for their need performance of all changes changes
of all system threatened by
protection
security as a cause malware
Information Security; Local IT, Information Local IT, Information

Recipient supervisors
Information Security Information Security Information Security Information Security Information Security Information Security
Security Security
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined

Frequency (reporting) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
to be determined
individually (0-20…low, 20- to be determined
to be determined to be determined to be determined
50 medium, 50+ high) individually (e.g. Green: >
to be determined individually (e.g. Green: > individually (e.g. Green: > to be determined to be determined individually (e.g. target:
possible characteristic for 90%, Yellow: 70-90%, Red:
individually (e.g. Green: > 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: individually (e.g. Green: < individually (e.g. Green: > 100% after max. 30
Threshold levels 90%, Yellow: 70-90%, Red:
comparability of business
< 70%, special case of < 70%, special case of
Number red: > 0,Green = 0 < 70%, special case of
10%, Yellow: 10-30%, Red: 90%, Yellow: 70-90%, Red: minutes,
units: in relation to the systems relevant to financial
< 70%) systems relevant to financial systems relevant to financial > 30%) < 70%) Green: > 90%, Yellow: 70-
number of employees e.g. reporting: target coverage
reporting: target coverage reporting: target coverage 90%, Red: < 70%)
unit: incidents/100 100%
employees
Analysis training Quotient: number of Quotient: number of

collecting the number of Quotient: number of
management Determining the number of Quotient: number of Quotient: number of approved and requested protected systems/total time comparison
collective accounts reversed changes/total
Measurement Quotient: number of security incidents with performed reviews/total performed reviews/total
(adjusted for authorized
changes (RFC)/total
number of performed
number of systems average actual rollout state
participants/total number of human error as a cause number of systems in scope number of users in scope number of performed (adjusted for authorized vs. target state
exceptions) changes
employees changes exceptions)
Frequency to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
(measurement) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. monthly) individually (e.g. annually)
HR - Training Department -
Data Owner, User Data Owner, User IT Operations, Change IT Operations, Change AV Management, IT AV Management, IT
Interfaces IKS - Internal Audit Incident Management
Management, supervisors Management, supervisors
User Management
Management Management Operations Operations
Department
E-learnings, classroom User directory, authorization User directory, authorization User directory, authorization
Incident Mgt. Tool, Ticket Project Management, Project Management,
Components training, training plan,
System, ISMS Tool
management tool, IAM management tool, IAM management tool, IAM
Change Management Change Management
AV console, CMDB AV console, CMDB
training register platform, CMDB platform platform
Data archiving 5 years 5 years 10 years 10 years 5 years 10 years 5 years 5 years 5 years

Seite 38 von 44
KPIs
#
12.7 Detection of vulnerabilities
12.4 Backup 16.2 Processing of information security incidents 5.1 Information security policy 6.2 Information security in projects
(Patch management)
4 4 4 3 3
COVERAGE COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE COVERAGE COVERAGE
Creation degree of
Detection rate of Timely processing of Actuality of required Coverage degree of
Degree of backup Degree of restoration Coverage degree Patch Effectiveness of patch required
Backup effectiveness information security information security policies/documentation information security in
coverage test coverage Management installation policies/documentation
incidents incidents s projects
s
The contemporary
Information security Information security
A regular review of backup Backup quality must be A comprehensive patch installation of patches
A regular and complete incidents have to be incidents have to be
functionality (e.g. by ensured by correlating management protects the ensures the security of
backup provides protection detected and timely handled prioritized and handled Under an ISMS, For the ISMS, the prepared
restoring data or systems) is controls. Measures are e.g. company against the systems and applications Information security topics
against the loss of data, e.g. in order to protect the accordingly depending on mandatory/voluntary policies/documentations
essential for the availability data restore, system impacts of malware and and therefore reduces the shall be addressed during
in case of a system failure company from damages. their criticality. The KPI policies/documentations shall be reviewed for their
of business information. restoration. exploits. The KPI measures window of vulnerability for projects.
or malware infection. The KPI measures the measures the appropriate shall be prepared. actuality.
The KPI measures the The KPI measures the the inclusion of systems and the company. The KPI
The KPI measures the compliance of the incident timely handling of
degree of the restore test number of incorrect data applications in the Patch measures recording of the
degree of backup coverage. reporting process between information security
coverage. restores. Management process. target and actual state of
the involved interfaces. incidents.
Patches.
All information security

incidents will be detected, All information security All necessary
All necessary Information security
All data is adequately Regular restore tests for all All systems are involved in All systems are at up-to- reported and handled within incidents will be handled policies/documentations are
Correct backups policies/documentations are requirements are
protected backed-up systems the patch process date patch level the framework of the within an appropriate time reviewed for
present. considered in all projects
incident management frame actuality/content
process
Information Security, Information Security, Information Security,

Local IT, Information Local IT, Information Local IT, Information Local IT, Information Local IT, Information Local IT, Information Local IT, Information
Corporate Security, IT Corporate Security, IT Corporate Security, IT
Security, service owner Security, service owner Security, service owner Security Security Security, Compliance Security, Compliance
Security, HR, Business Security, HR, Business Security
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
Initial creation
individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
to be determined
individually (e.g. according
to category maximum
to be determined to be determined
to be determined to be determined periods for solution:
individually (e.g. Green: = individually (e.g. target: to be determined to be determined to be determined
individually (e.g. Green: > individually (e.g. Green: > -PRIO 1: days
100% (of systems to be Number Red: > 0,Green = 0 100% after max. 10 days, Number Red: < 1,Green = 1 individually (target coverage individually (target coverage individually (target coverage
90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: -PRIO 2: weeks
secured), Yellow: 70-99%, Green: > 90%, Yellow: 70- = 100 %) = 100 %) = 100 %)
< 70%) < 70%) -PRIO 3: months
Red: < 70%) 90%, Red: < 70%)
unsolved incidents within
period, e.g. Green: < 2%,
Yellow: 2-5%, Red: > 5%)
Quotient: number of
Quotient: number of Quotient: number of Quotient: number of information security
Quotient: number of For each individual criticality Quotient: number of policies Quotient: number of
systems covered with systems with tested currently patched time comparison incidents reported in the Quotient: number of existing
restorations with errors/total level: reviewed according to projects considering
backups/total number of restoration from systems/total number of average actual rollout state incident policies/population of
number of all restoration all unsolved incidents within cycle/population of policies security/total number of
systems (adjusted for backup/total number of all systems (adjusted for vs. target state management/number of all necessary policies
tests defined period/all incidents to be reviewed relevant projects
authorized exceptions) systems with backup authorized exceptions) incidents (of the surveying
unit)
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
individually (e.g. annually) individually (e.g. monthly) individually (e.g. annually) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
IT, CERT, Incident IT, CERT, Incident Information Security, Information Security,
Backup process, IT Backup process, IT Backup process, IT Patch/Change Patch/Change Project customer, project
Management, Helpdesk, Management, Helpdesk, Corporate Security, IT Corporate Security, IT
Operations Operations Operations Management, IT Operations Management, IT Operations management office (PMO)
Service Management Service Management Security, HR, Business Security, HR, Business
Change Management Change Management Contents derived from the Contents derived from the
console, software console, software Incident Management Incident Management Statement of Applicability Statement of Applicability Overview of projects per
Backup software, CMDB Backup software, CMDB Backup software, CMDB
distribution platform, CMDB, distribution platform, CMDB, System/Workflow System/Workflow (SoA) and documented in (SoA) and documented in PMO
WSUS WSUS accordance with ISO 27001 accordance with ISO 27001
10 years 10 years 10 years 5 years 5 years 10 years 10 years 5 years 5 years 5 years

Seite 39 von 44
KPIs
#
11.3 Protection measures in
6.2 Information security in projects 6.3 Mobile devices 11.1 Security zones the delivery and shipping 12.5 Event logging 12.6 Logging administrative activities
area
3 3 3 2 3 2
EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS
Effectiveness of
Protective measures - Implementation of Coverage degree of Coverage degree of
Coverage degree of implementation of Implementation degree Coverage degree
implementation in protective measures for event logs on security- Functioning log activity admin logs on security- Functioning log activity
mobile device security mobile device security of zone concept review “Authorizations”
projects zone concept critical systems critical systems
measures
Admin logging allows

Event logging enables traceability of administrator
A comprehensive and Results of admin logging
Properties shall be traceability of activities in a activities in a process or
consistent protection of all Results of logging activities activities shall allow their
A strong implementation of adequately protected, this Regular verifications of process or process step/on process step/on a system/in
relevant mobile devices is shall allow their analysis. analysis. Reliable and
Projects subject to protective measures can be achieved by Zones shall be protected access rights with respect to a system/in an application. an application. This
the basis for their secure Reliable end-to-end manipulation-protected end-
information security regarding relevant mobile implementation of a zone adequately according to the their need are a This functionality helps to functionality helps to solve
operation. The KPI recording of the activities to to-end recording of the
requirements devices reduces concept. The zone concept criticality. prerequisite for a secure solve system abnormalities. Administrator
measures the coverage be monitored is essential for admin activities to be
weaknesses. should be implemented delivery and shipping zone. failures/abnormalities. Logs logs should be activated in
degree of the defined traceability, if required. monitored is essential for
comprehensively. should be activated in security-critical systems and
protective measures. traceability, if required.
security-critical systems. protected against (admin)
manipulations.
Security zones are

All employees working in
Information security All relevant mobile devices All relevant mobile devices protected according to All relevant systems and All relevant systems and
Zones are defined for all the delivery and shipping Completeness and Completeness and integrity
requirements are are subject to protective are subject to up-to-date internal specifications (see applications are integrated applications are integrated
properties area are subject to regular correctness of logs of admin logs
implemented in all projects measures protection e.g. References “Security into event logging into admin logging
review of access rights
zones”).
Information Security,
IT Security, Information IT Security, Information Information Security, Information Security, Corporate Security, Local IT, Information Local IT, Information Local IT, Information Local IT, Information
Corporate Security, IT
Security Security, Corporate Security Corporate Security Corporate Security Logistics, authorities Security, Compliance Security, Compliance Security, Compliance Security, Compliance
Security
individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
to be determined to be determined
to be determined individually (e.g. Green: > individually (e.g. Green: >
to be determined to be determined to be determined to be determined Number of incorrect admin
individually (e.g. Green: > 90%, Yellow: 70-90%, Red: Number of incorrect logs 90%, Yellow: 70-90%, Red:
individually (target coverage individually (target coverage individually (target coverage individually (target coverage logs
90%, Yellow: 70-90%, Red: < 70%, special case of Red: > 0,Green = 0 < 70%, special case of
= 100 %) = 100 %) = 100 %) = 100 %) Red: > 0,Green = 0
< 70%) systems relevant to billing: systems relevant to billing:
target coverage target coverage
Quotient: number of
employees working in the
Quotient: number of Quotient: number of Quotient: number of mobile Quotient: number of Quotient: number of delivery and shipping area Quotient: number of logged Quotient: number of logged
projects considering protected mobile devices protected in a properties with zone adequately secured who are subject to regular security-critical number of incorrectly written security-critical number of incorrectly written
security aspects/total devices/total number of timely manner/total number concept/population of zones/population of all access rights systems/total number of logs systems/total number of admin logs
number of relevant projects mobile devices of mobile devices properties zones reviews/population of security-critical systems security-critical systems
employees working in the
delivery and shipping area
individually (e.g. annually) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. annually) individually (e.g. quarterly) individually (e.g. annually) individually (e.g. annually) individually (e.g. quarterly) individually (e.g. annually) individually (e.g. quarterly)
Plant security, local security Plant security, local security IT, System Owner, Data IT, System Owner, Data
Project customer, project Logistics, Access IT, System Owner, Data IT, System Owner, Data
IT operation, IT Security IT operation, IT Security functions, specialized functions, specialized Owner, Risk Owner, User Owner, Risk Owner, User
management office (PMO) Management Owner, Risk Owner Owner, Risk Owner
departments departments Management Management
Property plans, zone Property plans, zone Staff directory

Overview of projects per
Overview of mobile devices Overview of mobile devices concept, information concept, information (internal/external), access CMDB, Logging server CMDB, Logging server CMDB, Logging server, IAM CMDB, Logging server, IAM
PMO
classification classification control system
to be defined individually (if to be defined individually (if to be defined individually (if to be defined individually (if
5 years 5 years 5 years 5 years 5 years 10 years
relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years)

Seite 40 von 44
KPIs
#
14.1 Requirements for the
13.5 Non-disclosure
12.8 System audits 13.2 Network services acquisition of information 14.2 Security during the software development process 18.4 Effectiveness review
agreements
systems
2 3 3 3 3 3
COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS COVERAGE EFFECTIVENESS
Coverage degree of
Effectiveness of risk Timely elimination of
Coverage degree Coverage degree of risk Effectiveness of risk activities to eliminate
Coverage degree Effectivity of system Effectiveness of Coverage degree non- handling in information vulnerabilities
review service level assessment in software handling in vulnerabilities
system audits audit implementation observing SLAs disclosure agreements service acquisition determined during
agreements (SLA) development process development process determined during
processes audits
audits
Weaknesses identified in
The protection of Information security risks Weaknesses identified in
the course of information
IT systems processing or Measures resulting from Regular verifications of the information confidentiality associated with the Risks identified in the the course of information
Risks identified during the security audits (internal and
storing information of high those audits shall be SLAs for network services The agreed measures shall be subject to applications to be process of software security audits (internal and
acquisition process are external) shall be eliminated
or very high protection implemented in time in ensure consideration of resulting from SLAs shall be contractual agreement developed shall be development are treated in external) are eliminated
treated in a timely and in a consequent and
needs shall be subjected to order to eliminate current security implemented. where at least confidential identified as early as a timely and effective within the deadlines agreed
effective manner. traceable manner. Findings
audits at regular intervals. vulnerabilities. requirements at all times. information is exchanged possible in the process of manner. (with the audited
shall not remain
with external partners. software development. departments).
unaddressed.
Weaknesses identified in
Security risks are All weaknesses identified in
All relevant systems are All requirements resulting A non-disclosure agreement Risks identified in Security risks are taken into the course of audits are
All measures are All SLAs include the current addressed in the the course of audits are
subject to audits at regular from the SLAs are has been entered with all acquisition are handled in account in the software eliminated within the
implemented in time security requirements development process in an traced and assigned to
intervals implemented external partners an effective manner development process defined time and in an
effective manner activities
effective manner
Acquisition, Information Information Security, Information Security,

Local IT, Information Local IT, Information Local IT, Information Local IT, Information Information Security, Local Information Security, Local Information Security, Local
Security, specialized Corporate Security, Local Corporate Security, Local
Security Security Security Security IT, Procurement IT, Risk Management IT, Risk Management
department IT, Internal Audit IT, Internal Audit
individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: >
90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red:
< 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%)
Quotient: number of Quotient: number of

Quotient: number of Quotient: number of
Quotient: number of orders Quotient: number of treated software development Quotient: number of treated Quotient: number of findings activities for eliminating
Quotient: number of audited measures implemented in measures
Quotient: number of verified with concluded non- risks/population of risks projects that underwent risk risks/population of risks subject to subsequent vulnerabilities within the
systems/total number of time/number of measures implemented/number of
SLAs/total number of SLAs disclosure agreement/total identified in the acquisition assessment/population of identified in the activities/population of defined period for
security-critical systems still to be implemented measures agreed
number of relevant orders process relevant development development process identified findings implementation/population
projects of all specified activities
individually (e.g. monthly) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. quarterly) individually (e.g. quarterly) individually (e.g. quarterly)
individually (e.g. quarterly) individually (e.g. quarterly)
Internal Auditors, Internal Auditors,
Acquisition, Information Procurement, specialized Procurement, specialized Procurement, specialized
Audit Management, IT Audit Management, IT Local IT, Information Local IT, Information Information Security, IT, Information Security, IT,
Security, specialized departments (requisitioner), departments (requisitioner), departments (requisitioner),
Operation, System Owner Operation, System Owner Security Security specialized departments specialized departments
department IT IT IT
(Auditees) (Auditees)
Development system, Development system,

Acquisition register, Audit data base, follow-up Audit data base, follow-up
CMDB CMDB, Audit system CMDB CMDB Acquisition system development project data development project data
ordering system data base data base
base base
5 years 5 years 5 years 5 years 5 years 5 years 5 years 5 years 10 years 10 years

Seite 41 von 44
KPIs
#
Security zones
Zone White (public) Green (controlled zone) Yellow (restricted zone) Red (high risk zone)
Explanation Areas of public character, which are permanently or temporarily accessible to everyone. Area with technical or organizationally controlled safety measures, not Area with additional safety measures, restrictive, protection of special Area with the highest security requirements, protection of sensitive
Areas with low risk without particularly sensitive values. None or only preventive safety freely accessible, usually internal scopes scopes, limited number of persons, usually confidential scopes as well. values strictly regulated access rights, usually secret scopes.
requirements. Domestic authority exists. (e.g. visitors' parking space, connecting routes)
Aspect
Accessibility No special requirements Values cannot be viewed freely, Clean Desk Temporary measures (according to the risk analysis) for sight Permanent sight protection/noise reduction
protection/noise reduction
Visitor requirements Appropriate signs Only registered visitors, explicit reference to confidentiality/non- Restricted group of visitors, written confirmation of the non-disclosure, Only in exceptional cases: additionally to “Yellow” four-eyes principle,
disclosure in permanent personal escort by own staff householder’s consent
Driving on/parking Permitted Vehicles are allowed to drive on/park only after registration. Special restrictions Special restrictions
Access control and None Area must be protected against unauthorized access (personnel or Monitoring the entering/exiting of the zones via online access reader, Monitoring the entering/exiting of the zones via online access reader
protection technical measures) compensating locking system with limited circle
Monitorings If required, camera surveillance (prevention of damage to property) Camera surveillance and/or patrolling (prevention of unauthorized Camera surveillance, motion detection at least in the access areas or Camera surveillance, glass breakage detector, windows with sight
penetration) easily accessible areas (e.g., ground floor windows) protection, double illumination with motion detectors, central circuit,
intrusion detection system installed by professionals
Resistance values . Fences 2.2m with anti-climbing protection and undermine At least RC 2 or compensating measures At least RC 2 (resistance time 5 minutes) with additional measures
protection/building shell consisting of windows, doors, walls, roofs
Response time (alarm to . 30 minutes 10 minutes 5 minutes
visual inspection and
acknowledgment)
Photography/use of optics . No internal information, otherwise only using business devices No use of private devices, business devices only in case of No private devices, business devices in exceptional cases only Four-
professional assignment eyes principle, approval by company management
Optics
Zone Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Explanation Areas of public character, which are permanently or temporarily accessible to everyone. Area with technical or organizationally controlled security measures, Area with additional security measures, restrictive, protection of special Area with the highest security requirements, protection of sensitive
Areas with low risk without particularly sensitive values. None or only preventive safety not freely accessible, usually internal scopes scopes, limited number of persons, usually confidential scopes as well. values strictly regulated access rights, usually secret scopes.
requirements. Subject to householders rights (e.g. visitors' parking space, connecting
routes)
Aspect “carrying along” Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Company owned devices No special requirements Carrying along unsealed devices allowed Carrying along unsealed devices allowed Carrying along sealed devices allowed
(independent from Mobile Carrying along unsealed devices forbidden
Device Management
(MDM))
Private devices of No special requirements Carrying along unsealed devices allowed Carrying along unsealed devices allowed Carrying along sealed devices allowed
company employees Carrying along unsealed devices forbidden
(wearables with optics as
well)
Devices of contractors No special requirements Carrying along unsealed devices allowed Carrying along sealed devices allowed Carrying along even sealed devices forbidden
and visitors (wearables Carrying along unsealed devices forbidden
with optics as well)
Aspect “use” Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Video telephony/video No special requirements Allowed in all areas Allowed in office workplaces and meeting rooms, otherwise upon In defined meeting rooms with permanently installed equipment,
conferencing (without approval otherwise upon approval
recording)
Photography/video No special requirements - No use of private devices or devices of contractors/visitors - No use of private devices or devices of contractors/visitors - No use of private devices or devices of contractors/visitors
recordings - Allowed with company owned devices allowed with company owned devices upon approval - Allowed in exceptional cases upon approval (e.g. four-eyes
principles, consent of the management)
Recording of persons and Declaration of consent required Declaration of consent required Declaration of consent required - Allowed only in exceptional cases upon approval
sound recording with - Declaration of consent required
company owned devices
Personnel
Type of employment
Standard validation Certificate of good conduct/criminal record certificate Intensive verifications of the CV, references Validation of certificates, diplomas and vocational training
relationship
547235404.xlsx /
References
#
Ordinary X
employee/worker
Head of department
IT department X X
employees with special
access rights
Department Manager X X X
General Manager,
Directors, Executive X X X X
Assistants, Security
Manager
Contractors & suppliers X

Contractors & suppliers
for critical infrastructure X X
components
Off-Premises workplace
temporary working environment (e.g. hotel) regular alternative working environment (in particular home
office)
Confidentiality of the
information
Highest protection class Paper: principally not Paper: principally not
“secret”
Local data storage: principally not Local data storage: principally not
Remote Access: principally not Remote Access: principally not
Medium protection class Paper: continuously under personal control Paper: principally only temporarily
“confidential”
Local data storage: strongly encrypted or Mobile Device Management (MDM) Local data storage: strongly encrypted or Mobile Device
active (remote deletion on demand) Management (MDM) active (remote deletion on demand)
Remote Access: strongly authenticated & strongly transport encrypted, integrity Remote Access: strongly authenticated & strongly transport
of the access device ensured, data “non-permanent” encrypted, integrity of the access device ensured, data “non-
permanent”
Lowest protection class Paper: under personal control Paper: in office furniture with special closing
“internal”
Local data storage: encrypted or Mobile Device Management (MDM) active Local data storage: encrypted or Mobile Device Management
(remote deletion on demand) (MDM) active (remote deletion on demand)
Remote Access: strongly authenticated & strongly transport encrypted, integrity Remote Access: strongly authenticated & strongly transport
of the access device ensured, data “non-permanent” encrypted, integrity of the access device ensured, data “non-
permanent”
Protection classes Classification level

Protection objective: confidentiality
Description Classification levels Color coding (for IT applications)
Public
The potential damage is marginal, short-term nature, and limited to a single

Normal entity. Internal Green
The potential damage is significant or medium-term nature or is not limited to a

High single entity. Confidential Yellow
The potential damage threatens the existence of the company or long-term

Very high nature or is not limited to a single entity. Strictly confidential Red
From VDA White Paper 'Harmonization Classification Levels'
547235404.xlsx /
References
#
Änderungshistorie
1.0 First release (Initial build)
1.1 Change open questions to enclosed questions

More precise level descriptions
Inserting examples from practises
Spelling errors corrected
1.2 8.2 and 10.1 reference adjustment

10.2 change from production to productive environment
10.5 change from IDS/IPS to HIDS/HIPS
11.2 change of the translation
11.3 and 11.4 restructuring of controls
1.3 11.4 add “IT systems”

9.4 revise Maturity Level 2
2.0 Revision due to the new edition of ISO 27002:2013

Adjustment of the maturity levels
2.0.1 Fix for error in calculation and spider diagram
2.1.0 Revision of the maturity levels, corrections of some controls
2.1.1 Release version 2.1
2.1.2 Print area adjusted
2.1.3 Spider diagram shows result without cutback to target maturity levels
Control 13.5 revised
Control 7.1 maturity level 1 revised
Controls 9.4 and 9.5 reference revised
2.1.4 Maturity Control changed from 12.4 into 4

Maturity Control changed from 16.3 into 3
Addition of KPIs
Spell checking in maturity level 3
3.0.2 Revision for TISAX

Module Connection of third parties included
Module Prototype protection (25) included, derived from the Whitepaper from 6.10.2016
Module Data Protection (24) included, reference to 18.2 removed, maturity levels removed from the module, references
from the Level 1 generated instead. Reference included (ISMS, 18.2) showing that the Data Protection module will be used
only once in a commissioned data processing according to §11 BDSG, implementation of questions “fulfilled [yes/no]”
547235404.xlsx /
Change history
#

ISMS Analysis

Uploaded by

Copyright:

Available Formats

ISMS Analysis

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISMS Analysis

Uploaded by

Copyright:

Available Formats

Information Security Assessment

VDA ISA provides the basis for

Short description of the

D&B D-U-N-S® No.

Date of the assessment:

Version: 4.1.0 / 2018-12-13

18 Compliance 3 7 Human Resources Security

16 Information Security Incident Management 9 Access Control

15 Supplier Relationships 10 Cryptography

14 System acquisition, development and maintenance 11 Physical and Environmental Security

Result with cutback to target

Information Security Assessment

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

1.3 To what extent is the effectiveness of the ISMS ensured?

Gedruckt am: 10/06/2021_x000D_ [Public] 547235404.xlsx /

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

5 Information Security Policies

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

6 Organization of Information Security

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

Gedruckt am: 10/06/2021_x000D_ [Public] 547235404.xlsx /

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

Gedruckt am: 10/06/2021_x000D_ [Public] 547235404.xlsx /

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

7 Human Resources Security

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs: