Vda-Isa en 4

Information Security Assessment
Group:
Company:
Location:
Address:
Homepage:
Short description of the

group company:
Scope/TISAX Scope-ID
D&B D-U-N-S® No.
Date of the assessment:
Contact person:
Telephone number:
Email address:
Creator:
Telephone number:
Email address:
Managing Director:
Signature:
Version: 4.0.3 / 2018-02-15
505025421.xlsx /
Printed on: 01/06/2021 Page 1 of 37
Cover
Results
Company: 0
Location: 0
Date: 12/30/1899
Result with cutback to target
maturity levels:
Maximum score: 3.00
1 ISMS
18 Compliance 5 5 Information Security Policies
4
17 Information Security Aspects of Business Continuity Management 6 Organization of Information Security
3
2
16 Information Security Incident Management 1 7 Human Resources Security
15 Supplier Relationships 8 Asset Management
14 System acquisition, development and maintenance 9 Access Control
13 Communications Security 10 Cryptography

1211
Operations
Physical and
Security
Environmental Security
Target maturity level Result
505025421.xlsx /
Results
Results
maturity level:
Maximum score: 3.00
Details:
Target
Question
Topics maturity Result
No.
level
1.1 Release of an Information Security Management System (ISMS) 3
1.2 IS Risk Management 3
1.3 Effectiveness of the ISMS 3
5.1 Information Security Policy 3
6.1 Assigning responsibility for information security 3
6.2 Information Security in projects 3
6.3 Mobile devices 3
6.4 Roles and responsibilities
Contractual for external
information security IT service providers
obligation
3
7.1 of employees 3
7.2 Awareness and training of employees 4
8.1 Inventory of assets 3
8.2 Classification of information 2
8.3 Storage of information on mobile storage devices 3
8.4 Removal of externally stored information assets 3
9.1 Access to networks and network services 3
9.2 User registration 4
9.3 Privileged user accounts 3
9.4 Confidentiality of authentication data 3
9.5 Access to information and applications 3
9.6 Separation of information in shared environments 3
10.1 Cryptography 3
11.1 Security zones 3
11.2 Protection against external influences and external threats 3
11.3 Protection measures in the delivery and shipping area 2
11.4 Use of equipment 2
12.1 Change management 4
12.2 Separation of development, test and operational environments 2
12.3 Protection against malware 4
12.4 Back-up procedures 4
12.5 Event logging 3
12.6 Logging administrational activities 2
12.7 Prosecution of vulnerability (patch management) 4
12.8 Review of information systems 2
12.9 Consideration of critical administrative functions of cloud services 3
13.1 Management of networks 3
13.2 Security requirements for networks/services 3
13.3 Separation of networks (network segmentation) 3
13.4 Electronic exchange of information 3
13.5 Non-disclosure agreements for information exchange with third parties 3
14.1 Requirements for the acquisition of information systems 3
14.2 Security along the software development process 3
14.3 Management of test data 2
14.4 Approval of external IT services 3
15.1 Risk management in collaboration with suppliers 3
15.2 Review of service provision by suppliers 3
505025421.xlsx /
Results
16.1 Reporting system for information security incidents (incident management) 3
16.2 Processing of information security incidents 4
17.1 Information Security Aspects of Business Continuity Management (BCM) 3
18.1 Legal and contractual provisions 3
18.2 Confidentiality and protection of personally identifiable data 3
18.3 Audit of the ISMS by independent bodies 3
18.4 Efficiency test 3
Method: - comparison of the top 52 security topics 3.00
- based on ISO 27001 controls
- evaluated using SPICE ISO 15504
505025421.xlsx /
Results
Results -
Connection to third parties

maturity level:
Maximum score: 3.00
Details:
Target
Question
No.
level
23.7.2 Awareness and training of employees 3
23.9.2 User registration 3
23.11.1 Security zones 3
23.13.3 Separation of networks (network segmentation) 3

Results - Prototype protection
maturity level:
Maximum score: 3.00
Details:
Target
Question
No.
level
25.1.1 Security concept 3
25.1.2 Perimeter safety 3
25.1.3 Outer-skin protection 3
25.1.4 View and sight protection 3
25.1.5 Access control 3
25.1.6 Intrusion detection system 3
25.1.7 Documented visitor management 3
25.1.8 On-site client separation 3
25.2.1 Non-disclosure agreement 3
25.2.2 Relationships with subcontractors 3
25.2.3 Training and raising the awareness of employees 3
25.2.4 Security classification of the project 3
25.2.5 Process of allocation of access 3
25.2.6 Filming and photography 3
25.2.7 Bringing along image recording devices 3
25.3.1 Camouflage of prototypes 3
25.3.2 Transport of prototypes 3
25.3.3 Storage/parking of prototypes 3
25.3.4 Own test and trial ground 3
25.3.5 Test and trial ground in public area 3
25.3.6 Safety requirements for presentations and events 3
25.3.7 Safety requirements for film and photo shootings 3
505025421.xlsx /
Results
Information Security Assessment - Questions
based on ISO 27001:2013

Company: 0
Location: 0
Date: 12/30/1899
Maturity
level
In case a question does not apply, please insert na (not applicable).
Level 0-5;
na
1 General aspects
1.1 To what extent is an Information Security Management System approved by the organization’s management and is
its scope documented.
(Reference to ISO 27001: 4 and 5.1)
Objective: Systematic control and review of information security within the specified scope is effected by means of the establishment,
operation and further development of an Information Security Management System (ISMS) and the assignment of
responsibilities. The ISMS must define processes and procedures in order to achieve the information security objectives
with respect to adequate confidentiality, availability and integrity of the company assets based on the security policy.
Requirements: This must include:
+ The organization’s requirements for an ISMS are determined.
+ An ISMS approved by the organization’s management is established.
+ The scope of the ISMS is specified (e.g. organization in whole or in part).
+ A Statement of Applicability (SoA) is provided (e.g. filled-in VDA ISA catalogue).
This should include:

+ Criteria (e.g. characteristic values or quantities) for information security assessment are specified.
This may include:

+ Certification in accordance with ISO 27001:2013 (including Scope Statement and SoA).
Additionally in case of high protection needs:

None.
Additionally in case of very high protection needs:

None.
1.2 To what extent is a process for identifying, assessing and handling information security risks defined, documented
and implemented?
(Reference to ISO 27001: 8.2 and 6.1.2)
Objective: The objective of an organization-specific ISMS is an adequate balance between information security efforts and the assets
to be protected. In order to achieve this, the assets, their protection needs and threats shall be identified, analysed,
assessed and documented by means of risk assessment. Absence of an information security risk assessment rises the
danger that information security risks remain undetected leading to potential harm.
+ Risk assessments are carried out both at regular intervals and in case of events.
+ Information security risks are divided into levels according to their protection needs, e.g. normal, high and very high.
+ In case of changes to the environment (e.g. organizational structure, location, changes to regulations), reassessment is
carried out in a timely manner.

+ A process description indicating how to identify, assess and evaluate information security risks within the organization
exists.
+ Criteria for the evaluation and handling as well as the acceptance of information security risks exists.
+ The identified information security risks, including cause, probability of occurrence, potential effects and their assessment
are documented.
+ Measures for handling risks and the corresponding responsible persons are specified and documented.
- A plan of measures or an overview of their state of implementation exists.
This may include:

+ An overview of the experts (risk owners) exists.

None.

None.
1.3 To what extent is the effectiveness of the ISMS ensured?

(Reference to ISO 27001: 8.1, 9.1, 10.1 and 10.2)
Objective: The ISMS must be reviewed at regular intervals (e.g. annually) with respect to its effectiveness. This includes verifying the
achievement of objectives and the compliance with applicable requirements.
Only an ISMS adapted specifically to the organization’s requirements can fulfil its purpose. Since influencing factors such as
organizational structure or local conditions may change, the effectiveness of the ISMS must be reviewed regularly.
505025421.xlsx /
Information security
+ The effectiveness is reviewed regularly by the persons responsible for information security and management.
+ The results of the effectiveness inspection and the specified measures are documented.
+ A plan of measures or an overview of their state of implementation (including those resulting from previous reviews) is in
place, the implementation of those measures is monitored.
+ If any security related events occur, they are analysed.

The ISMS is regularly inspected for its adequacy and appropriateness.
+ The documentation is regularly reviewed and revised with respect to their actuality.
This may include:

None.

None.

None.
5 Information Security Policies

5.1 To what extent is an information security policy created, published or distributed and is it reviewed at regular
intervals?
(Reference to ISO 27001: Control A.5.1.1 and A.5.1.2)
Objective: An organization must define a policy reflecting the importance and significance of information security to the organization.
This must be adapted to the business strategy, regulations, legislation and potential threat situations regarding information
security. It must be evident to all of the involved parties that information security is supported by the management of the
organization, that it is of relevance to everyone and that requirements and rules apply and must be met.
+ The information security requirements adapted to the company’s objectives with respect to information protection are
documented in a policy and are approved by the management of the organization.
+ The policy includes objectives and significance of information security within the organization.

+ The information security requirements based on the strategy of the organization, legislation and contracts are taken into
account in the policy.
+ Responsibilities for implementation are defined.
+ The policy indicates consequences in case of non-conformance.
+ Further policies/regulations/standards regarding information security are prepared.
+ A process for regular review and revision of the policies is established.
+ The policies are made adequately available to employees.
+ These policies (or extracts thereof) are handed over to external business partners depending on the respective case.
This may include:

+ The policies are made available on the intranet.

None.

None.
6 Organization of Information Security

6.1 To what extent are responsibilities for information security defined and assigned?
(Reference to ISO 27001: Control A.6.1.1)
Objective: Successful implementation of an ISMS requires adequate assignment of information security responsibilities. This requires
the definition of functions fulfilling the tasks for achieving the protection objectives. Qualified employees who are known to
the organization’s staff and, if appropriate, also to business partners must be required to fulfil those tasks.
+ Responsibilities for the information security within the organization are defined, documented and assigned.
+ The responsible employees are defined and are qualified for their task.
+ The contact persons are known within the organization and to relevant business partners.

+ There is a definition and documentation of an adequate information security structure within the organization.
This may include:

+ Responsibilities and contact persons for information security are made known and available to employees and external
business partners, as far as required for fulfilling the assigned task(s).

+ An appropriate organizational separation of responsibilities should be established in order to avoid conflict of interests.

None.
6.2 To what extent are information security requirements taken into account in project work (irrespective of project
type)?
505025421.xlsx /
Objective: The information security requirements must be taken into account irrespective of the project type (this includes non-IT
projects). This also includes the handling of information security and information security risks in the organization’s project
management methods.

+ Projects are to be classified while taking into account the information security requirements.

+ The procedure and criteria for the classification of projects are documented.
+ In early project phases, risk assessments are carried out based on the defined procedures.
+ For identified information security risks (see Control 1.2), measures are derived and taken into account in the project.
This may include:

None.

+ The measures derived are reviewed regularly during the project and reassessed in case of changes to the assessment
criteria.

None.
6.3 To what extent is a policy in place regarding the use of mobile devices and remote access to organization's data?
Objective: The handling of mobile devices, particularly in unprotected environments, is associated with increased risks (e.g. loss, theft,
malware infection). In order to protect the information stored on the device, technical protective measures must be
implemented. Additionally, employees must be made aware of the risks involved in the handling of mobile devices.
+ The use of mobile devices (e.g. smartphones, notebooks) is subject to regulation.

+ A policy is prepared considering the following aspects:
- Registration of mobile devices
- Physical protection requirements (among others against theft, spying on information)
- Software installation restrictions
- Requirements for the versioning of software for mobile devices and the associated patch management
- Limitations of access to certain information services
- Encryption techniques
- Data backup
- Protection against malware
- Remote deletion methods
- Use of web services and web apps
- Procedure in case the mobile device is lost
+ Users sign an obligation declaration regarding the handling of particularities when working with mobile devices depending
on the protection needs, e.g. anti-theft protection, software installation, prevention of visibility of information itself (view and
sight protection), use of a protected environment (e.g. enclosed space, non-public location), handling of authentication
ressources.
This may include:

None.

None.

None.
6.4 To what extent are the roles and responsibilities defined which are shared between IT service providers
(particularly cloud providers) and the own organization?
(Reference to ISO 27017: Control CLD.6.3.1)
Objective: When using IT services (particularly cloud services), the relationship between provider and the own organization is of
particular significance to information security due to the shared responsibilities for the implementation of requirements. The
own organization must continue to independently fulfil parts of the security requirements while other requirements are
fulfilled in whole or in part by the provider. The exact allocation of responsibilities always depends on the services used and
cannot be generally answered.
If common understanding regarding the allocation of responsibilities is lacking among all parties involved, the security
system may be weakened or rendered entirely ineffective. Therefore, the service user must ensure at all times that a mutual
understanding regarding the allocation of responsibilities is given and that it is clarified for each requirement, that and by
whom it is fulfilled.
505025421.xlsx /
+ The security requirements relevant to the service are determined and documented:
- At least the applicability of the VDA ISA controls is verified and documented.
+ For each requirement, it is documented who is responsible to what extent for its implementation.
- For the applicable VDA ISA controls, it is documented who has the responsibility for implementation or how it is shared.
+ The own organization fulfils its responsibilities.
+ Proof is provided that the service provider fulfils his responsibility.

+ The service configuration is designed, implemented and documented according to the necessary security requirements.
+ The service configuration is included in the regular security assessments.
+ Integration into local protective measures (such as secure authentication mechanisms) is established and documented.
+ The staff is trained (e.g. with respect to safe operation and configuration, secure handling of data according to their
classification, danger awareness, handling of incidents).
This may include:

None.

None.

None.
7 Human Resources Security

7.1 To what extent are employees (internal and external) contractually bound to comply with information security
policies?
Objective: Organizations are subject to legislation, regulations and internal rules. Already at the hiring of staff, it must be ensured that
both internal and external employees commit to compliance with the policies and are aware of the consequences of
misconduct.
+ A non-disclosure obligation is in effect - even beyond the employment contract or assignment.
+ An obligation to comply with the information security policies is in effect (see 5.1)

+ Information security aspects are considered in the employment contracts of employees.
+ Responsibilities and duties associated with the handling of sensitive information are part of the employment contract.
+ A procedure for handling violations of contractual specifications relevant to information security is described.
+ Employees are informed of policy changes.
This may include:

None.

None.

None.
7.2 To what extent is staff (internal and external) made aware of and trained about the risks arising from handling and
processing information?
(Reference to ISO 27002: Control 7.2.1 and 7.2.2)
Objective: Information security must be a natural and integral part of the work environment and must be adopted into the daily work of
all employees. By means of information security training, employees shall gain the necessary knowledge and competence
for security-conscious behaviour. They must be particularly aware of what is expected of them with respect to information
security and how to react to security-critical situations.
+ Employees are trained and made aware.

+ A concept for awareness and training of employees is prepared.
- Target groups for awareness and training measures (e.g. new employees, administrators) are defined and taken into
account in the training concept.
+ The concept has been approved by the responsible management
- Resources required for implementation are released
+ Training and awareness measures are carried out both at regular intervals and in reaction to events.
+ Participation in training and awareness measures is documented.
+ Contact persons for information security are known to employees.
+ Suitable KPIs for training and awareness purposes are defined and analysed.
This may include:

+ Regular learning objectives tests are conducted for participants of completed awareness and training measures.
+ The learning success associated with awareness and training programs is reviewed quantitatively and qualitatively.

None.

None.
8 Asset Management
8.1 To what extent are directories existent for objects (assets) that contain information in different versions?
(Reference to ISO 27001: Control A.8.1.1, A.8.1.2, A.8.1.3 and A.8.1.4)
505025421.xlsx /
Objective: Beside the conventional inventory of physical objects, it is essential to obtain an overview of the information processed
within the organization. For this purpose, information assets are elements of information-related character such as
documents, illustrations/phtographs, files, programs, servers, networks, facilities, vehicle prototypes, tools and equipment.
An information owner takes on the role of responsible person for the respective information assets.
+ Each information asset is assigned to a responsible entity (individual or organizational unit).
+ Information assets are classified. (see also Control 8.2)
This should involve:

+ Information asset inventories are prepared and updated regularly.
+ The lifecycle of information assets is defined for the phases of preparation, processing, storage or retention, transfer and
deletion or destruction.
+ Regulations for returning information assets on leaving the organization or on contract termination are in effect.
This may include:

+ Regulations for acceptable use of information assets (“acceptable use policy”) exist.
+ Information assets may be grouped (e.g. workplace computer), if required.

+ A specification regarding the explicit approval of the use of an information asset is defined.

None.
8.2 To what extent is information classified according to its protection needs and are there regulations in place
regarding labelling, handling, transport, storage, retention, deletion and disposal?
(Reference to ISO 27001: Control A.8.2.1, A.8.2.2 and A.8.2.3)
Objective: Information must be classified according to its value to an organization. During this assessment, the value of information to
the organization shall be evaluated based on factors such as confidentiality, integrity and availability. The handling of
information according to its classification must be defined and implemented by all employees.
+ A consistent scheme for the classification of documents/information is in place and implemented.

+ Classification of information is done according to defined criteria, e.g. value, legal requirements, confidentiality, integrity
and availability.
+ A policy including requirements for classification of information as well as the respective protective measures for
identification, handling, transfer, storage, deletion and disposal is in place and implemented.
This may include:

None.

None.

None.
8.3 To what extent are appropriate procedures implemented for the management of information on mobile storage
devices?
Objective: Information on mobile storage devices are generally exposed to increased risks. In order to prevent loss or theft of
information in case a mobile storage device is lost, regulations to reduce these risks must be defined and measures must
be taken.
None.

+ Definition of regulations for handling information on mobile storage devices according to its classification. This includes
the following aspects: Deletion, transfer, disposal and protective measures.
+ Data on mobile storage devices are to be protected according to defined regulations according to its classification.
This may include:

+ The organization provides means to support the employee in observing the rules.

+ A procedure shall be established for the required reaction of employees to cases of loss.
+ Regulations for handling during (business) travels within the country and abroad, e.g. inspection by authorities

None.
8.4 To what extent is the secure removal of information assets from IT services (particularly cloud) ensured?
Objective: It must be ensured that it is known how the use of a service can be terminated in a controlled way. Particular consideration
must be given how information can be securely removed from external systems (e.g. cloud systems).
505025421.xlsx /
+ A withdrawal strategy (termination process) including the deletion and removal of assets from the cloud service is defined.
+ It is ensured that the provider will fulfil his responsibilities.

+ The fulfilment of the provider’s responsibilities is regulated by contract.
+ A description of the termination process is available and reviewed regularly.
+ The responsibilities provided in the process are documented and accepted by the provider.
This may include:

+ The responsibilities are derived from the service documentation made available by the provider and documented.

None.

None.
9 Access Control
9.1 To what extent are policies and procedures regarding the access to IT systems in place?
Objective: The identity of the user of a network service, an IT system or an IT application must be clearly verifiable to enable to a trace
of actions unambiguously to the user. In order to ensure this, authentication (registration) procedures and mechanisms of IT
systems or IT applications must be designed such that users are clearly identified and authenticated.
+ The procedures applied for user authentication are deemed secure and comply with the current state of the art.
+ The procedures for user authentication have been selected based on a risk assessment. Possible attack scenarios have
been taken into account (e.g. possibility of direct access from the internet).
+ Further interactions must only be possible after successful authentication.

+ A policy based on business and security-relevant requirements is created and documented.
+ Depending on the criticality of the information processed in IT systems or IT applications, suitable and secure
authentication procedures are required and applied.
This may include:

None.

+ Data of high protection needs is to be securedat leastby strong passwords, according to the state of the art.
+ Depending on the risk assessment, the authentication procedure has been enhanced by supplementary measures
(e.g. permanent access monitoring with respect to irregularities or use of strong authentication)

+ Data of very high protection needs is to be secured by means of strong authentication (e.g. two-factor authentication).
9.2 To what extent are procedures for user registration, change and de-registration implemented with the associated
access rights and is particularly the authentication information handled confidentially?
Objective: The use of unique and personalized user IDs (user accounts) ensures clear traceability of actions. The authentication
information (e.g. passwords) must be known to the authorized user only. Defined processes for the lifecycle of user
accounts are in place. It is regularly reviewed whether existing user accounts are needed.
+ The process of user ID management is documented and established.
+ The use of unique and personalized user accounts is specified.
+ The use of collective accounts is regulated (e.g. restricted to cases where proof of actions is dispensable).
+ User accounts are disabled immediately after the user has left the company (e.g. upon termination of the employment
contract).
+ The authentication information is provided securely to the user.

+ A basic user account with minimum access rights and functionalities is existent and in use.
+ The allocation of basic access rights and the creating of user accounts is carried out or authorized by the responsible
body.
+ Creating user accounts is subject to an approval process (four-eyes principle).
+ Disabling the user accounts of service providers after completion of the task.
+ Deadlines for disabling and deleting user accounts are defined.
+ Aligned change of user accounts after the reassignment of the user to another work field.
+ Secure processes are established for distribution of authentication credentials
This may include:

None.

None.

None.
9.3 To what extent is the allocation and use of privileged user and technical accounts regulated and is it subject to
reviews?
Objective: The use of unique and personalized administrative user accounts ensures clear traceability of administrative actions.
Administrators should use the user account provided with privileged rights for administrative tasks only and must use their
standard user account for all other activities (e.g. E-mail, internet). Thus, it must be ensured that only activities requiring
privileged rights are actually carried out in this context.
505025421.xlsx /
+ The use of unique and personalized administrative user accounts is regulated and established.
+ Distinction between user accounts (privileged user account, “office user account”) is ensured, e.g. by having two or more
user accounts.
+ The management process (allocation/change/deletion) for privileged user IDs is documented and established.
+ Privileged rights are allocated upon approval only.
+ Secure authentication procedures are in use for privileged user accounts.
+ User accounts with privileged rights are documented and reviewed regularly.

+ Identification of the relevant or affected IT systems is completed and documented.
+ Rights are allocated on a need-to-use basis and according to the role and/or area of responsibility (observing the
separation of functions).
+ The following points shall be considered when reviewing the allocated privileged rights:
- Privileged access rights are reviewed regularly (adequate intervals, e.g. quarterly)
- The reviews are documented.
- Changes in responsibility are immediately taken into account
This may include:

None.

None.

None.
9.4 To what extent is the user subject to binding policies concerning creation and handling of secret authentication
information?
Objective: Where authentication information is used in an IT system or application, information security critically depends on the
correct use of this information (e.g. passwords, PINs). Therefore,user awareness regarding the correct handling of this
authentication information must be regularly raised.
+ Regulation of the handling of authentication information is created considering at least the following aspects:
- no disclosure of authentication information to third parties - not even persons of authority - under consideration of legal
restrictions
- no writing down or unencrypted storing of authentication information
- immediate changing of authentication information whenever potential compromise is suspected
- no use of identical authentication information for business and non-business purposes
- changing of temporary or initial authentication information following the 1st login
- requirements for the quality of authentication information (e.g. length of password, types of characters to be used).

+ Users are informed and made aware of the regulations (e.g. password rules).
+ The use of default passwords is technically prevented.
+ Where strong authentication is applied, the use of the medium (e.g. factor ownership) is secure.
This may include:

+ Means of secure retention of authentication information (e.g. password safe) are provided.

None.

None.
9.5 To what extent is access to information and applications restricted to authorized persons?
Objective: Authorization must ensure that only authorized users have access to information and IT applications. For this purpose,
access rights must be allocated to users. These access rights must be reviewed regularly.
+ The requirements for access to information and applications are determined.
+ An authorization policy is created including at least the following aspects:
- procedures for request, review and approval
- application of authorization roles
- separation of functions
- application of the minimalistic (“need-to-know”) principle
+ The policy is binding to all users of information and applications.
+ The access rights allocated to users and technical accounts are reviewed regularly.

+ Authorization concepts of applications are created (e.g. ERP systems).
This may include:

None.

+ The access rights are released by the person responsible for information (internal).
+ Existing access rights are reviewed regularly. (at adequate intervals, e.g. quarterly)

+ Functions in application systems are restricted as far as possible. (e.g. export and print)
+ Encrypted data storage in order to prevent access and viewing by unauthorized persons/roles
(e.g. administrators) at least on file level.
9.6 To what extent is the separation of data within an environment shared with other organizations ensured?
505025421.xlsx /
(Reference to ISO 27017: Control CLD.9.5.1 and CLD.9.5.2)
Objective: Cloud solutions are characterized by enhanced standardization and a high level of virtualization on infrastructure the use of
which is shared by various customers. Such a collaborative environment enables numerous cloud customers to work. In
order to protect own information at all times, a clear/mandatory separation of data must be ensured.
+ Effective separation prevents access to own information by unauthorized users of other organizations.

+ The provider’s concept of separation (e.g. separation of clients) is documented and reviewed regularly. This concept
should at least include the following:
- separation of data, applications, operating system, storage and network
- separation of clients area and internal administration area
- implementation of suitable separation measures for users of multitenant applications (in multitenant environments)
- risk assessment for the operation of external software within the shared environment (particularly for IaaS/PaaS services)
+ shared virtual machines and/or application instances are hardened accordingly
- adherence to the minimalistic principle (e.g. restriction of rights, ports, protocols, software)
- application of technical protective measures (e.g. anti-virus, logging).
This may include:

None.

None.

None.
10 Cryptography
10.1 To what extent are rules for encryption, including the management of cryptographic keys (complete lifecycle
process) for the protection of information during storage and transport existent and have they been implemented?
Objective: Protection of the confidentiality of information during both storage and transfer (e.g. when gaining physical access to data
storage devices or data transfer infrastructure) must be ensured. This is generally achieved by means of encryption. For
handling encryption, it is essential that it provides the expected security characteristics at all times without simultaneously
creating inadequately high availability risks. For this purpose, reliable identification of the necessity of encryption must be
ensured. Whenever such a need is identified, procedures deemed secure according to the scientific and technical state of
the art must be selected. Additionally, it must be ensured that the secrets (key material) are adequately protected against
technical and organizational risks to confidentiality as well as integrity and availability throughout the lifecycle.

+ Any productively used encryption technologies shall be according to the technical state of the art.
+ The legal conditions for the use of encryption technologies are taken into account.

+ Creating regulations containing requirements for encryption in order to protect information according to its classification.
+ An concept for encryption is defined including at least the following specifications:
- the encryption strength
- the key management
- the cryptographic algorithms
- procedures for the complete lifecycle, such as generating, storing, archiving, retrieving, distributing, deactivating,
renewing and destroying cryptographic keys
+ The encryption concept is established.
+ An emergency process for recovering key material is established.
This may include:

None.

+ The following aspects must be documented:
- description of the key authority
- authority regarding the management of key material in case of external processing (e.g. in the cloud)
+ information of high protection needs should be transported or transferred in encrypted form only.
+ Where encryption is not feasible, protection from risks must be provided by means of similarly effective measures.

+ Information of very high protection needs are stored in encrypted form.
+ The following must be ensured during external processing or transfer:
- obligatory end-to-end encryption (preferably using key material from company internal environment).
Requirements:
11 Physical and Environmental Security
11.1 To what extent are secure areas for the protection of sensitive or critical information and information processing
facilities defined, protected and monitored (entrance control)?
Objective: Processing of information assets outside the area affected by the measures intended for the target information security level
must be prevented. Since it is generally not possible to implement corresponding measures for all areas of the location, a
zone concept should be applied defining in which areas which type of information may be processed.
505025421.xlsx /
+ Requirements for the protection of affected assets are determined (see Control 8.1).
+ Security zones are specified under consideration of terrains/buildings/rooms and documented.
+ The concept of security zones is established and known to all persons handling sensitive information.
+ The security zones are secured by adequate protective measures according to the assigned risk level. (See notes for
examples).

+ Procedures for allocation and revocation of access rights are established.
+ Regulations regarding visitor management including registration and accompanying visitors are defined.
+ The security zones are adequately monitored. (See notes for examples)
+ External property used for storing and processing information assets are considered within the scope of the security
concept. (e.g. storage spaces, garages, workshops, test routes, data processing centres)
This may include:

+ The security zones are identified.

+ In case of externally located IT systems, e.g. external housing in an emergency data processing centre, direct access to
the systems by administrators of the external service provider should be prevented (e.g. by means of locked racks).

None.
11.2 To what extent has the company taken measures against the effects of natural disasters, deliberate attacks or
accidents?
Objective: Natural disasters, deliberate attacks or accidents can critically impair the availability of IT systems. It must be ensured that
effects on critical IT systems are identified and assessed according to their criticality and that adequate protective measures
have been defined and implemented.
+ Natural threats, such as flooding, are identified.
+ Social threats such as political instability or accidents involving industrial plants are identified.
+ Potentially affected infrastructure, assets and IT systems are identified.

+ Adequate protective measures, such as fire detection system, fire protection, water detector, are implemented and
reviewed regularly.
+ A redundant media supply (electric power, communication connections etc.) is provided.
+ Emergency plans are defined and reviewed regularly.
This may include:

None.

None.

None.
11.3 To what extent are protective measures taken to prevent access to delivery and shipping areas by unauthorized
persons?
Objective: It must be ensured that all means of access to protected zones are protected against unauthorized access by means of
adequate measures. This is often associated with specific requirements in delivery and shipping areas, particularly where
those have to be designed for the delivery and shipping of large objects (e.g. vehicles or large tools).
+ The requirements for protecting the delivery and shipping areas are identified.
+ The shipping areas are integrated into the security concept.
+ Necessary protective measures are defined and implemented.
+ Access is permitted by identified and authorized personnel only.

+ Sensitive IT systems are separated from delivery and shipping areas.
This may include:

+ There is a separate security zone for delivery by suppliers who do not have access to any other areas of the organization.
+ A lock function is provided in the delivery and shipping area.
+ The supplied material is inspected for potential threats.

None.

None.
11.4 To what extent are policies and procedures regarding the use of assets, including off-site use, disposal and re-use
in place and implemented?
Objective: Where assets (e.g. IT equipment, information) are taken off the premises of an organization, they are exposed to increased
risks. For example, they are exposed to the risk of theft or unauthorized viewing. As an adequate reaction to those risks, the
security requirements associated with off-site use must be identified. This also applies to the disposal or re-use of assets
(e.g. notebooks).
505025421.xlsx /
+ Security requirements for the use and off-premises use of assets are identified.
+ Policies and procedures for use and off-premises use of assets are defined and implemented.
+ IT devices containing sensitive data are deleted such as to prevent data recovery.

+ Information shall be protected by adequate measures according to the protection needs.
This may include:

None.

+ Disposal of data storage devices is conducted in accordance with one of the relevant standards (e.g. DIN 66399, Security
Level 4).

+ Disposal of data storage devices is conducted in accordance with one of the relevant standards (e.g. DIN 66399, Security
Level 5).
12 Operations Security
12.1 To what extent are changes to the organization, business processes, information processing facilities and systems
controlled and implemented according to their security relevance?
Objective: In case of changes to the organization, business processes, information processing facilities and systems, aspects of
information security shall be considered. The objective is to ensure that all changes are made under consideration and
adherence of the information security requirements.
+ Security-relevant requirements regarding changes to the organization, business processes, information processing
facilities and systems are determined and implemented.

+ A formal approval procedure is defined.
+ Fall-back solutions for fault cases are established.
+ Changes affecting information security are planned and reviewed.
This may include:

None.

+ In case of changes, adherence of the information security requirements is verified.

None.
12.2 To what extent are development and testing environments kept separate from productive environments?
Objective: The objective of separating development and testing environments from productive environments is to prevent faults during
development from affecting the productive environment. A testing environment serves for example as an intermediate step
for testing software developments with the environmental variables of a productive environment and for verifying the
availability, reliability and integrity of their functions.
+ The IT systems have been subjected to risk assessment in order to determine the necessity of their separation into
development and productive systems.

+ The requirements for development and testing environments are determined, e.g.:
- Separation of development, testing and productive systems
- No development and system tools on productive systems (excluding those relevant to operation)
- Use of different user profiles for testing and productive systems
- Use of non-sensitive or anonymized test data if applicable
+ Specifications are defined for transferring software from the development and testing state to the productive state.
+ The identified requirements are implemented.
This may include:

None.

None.

None.
12.3 To what extent are protection controls (e.g. endpoint security) against malware (viruses, worms, Trojans,
spyware, ...) implemented and combined with appropriate user awareness?
Objective: Two aspects must be addressed since they are of particular importance for malware protection - The malware protection
software on the one hand and user awareness on the other. User training is particularly important since, despite all
protective measures for hardware and software, malware may be activated inadvertently by the actions of a user.
505025421.xlsx /
+ Requirements for protection against malware are determined.
+ Technical and organizational measures for protection against malware are defined and implemented.

+ User accounts are not provided with administrative rights (see Control 9.3).
+ Malware protection software is installed and updated automatically at regular intervals. (e.g. virus scanner)
+ Received data and programs are automatically inspected for malware prior to their execution (on-access scan).
+ The entire data contents of all systems is regularly inspected for malware.
+ Data transferred by central gateways (e.g. e-mail, internet, third party networks) are automatically inspected using a
protection software (including encrypted connections).
+ Measures to prevent protection software from being deactivated or altered by users are defined and implemented.
+ Employee awareness is raised in reaction to events.
This may include:

+ Systems with a high level of self-protection (e.g. specific hardening, few services, no active users) can be operated
without a virus scanner.

None.

None.
12.4 To what extent are backups created and tested regularly in accordance with an agreed backup policy?
Objective: The objective of a working backup strategy is to allow recovery of the functionality or availability of information within the
required time in case of a system failure or another type of data loss (e.g. ransomware). For this purpose, data backups
must be created in compliance with a corresponding policy and tested regularly.
+ Backup requirements are determined and include: the systems to be secured, associated backup intervals and the
storage and transport of backup media.
+ Adequate protective measures, e.g. by means of encryption, taken during storage.
+ Backup media are stored in separate locations (different fire protection zones).
+ A backup concept is created and implemented.
+ An adequate backup verification is carried out.

None.
This may include:

None.

None.

+ In case of information of very high protection needs, suitable measures (e.g. encryption) must be taken to ensure that
access is only possible for the authorized group.
12.5 To what extent are event logs (which may contain e.g. user activities, exceptions, errors and security events)
created, stored, reviewed and protected against modification?
Objective: Event logs support the traceability of events in case of a security incident. This requires that events which are necessary for
determining the causes should be recorded and stored while being protected against modification.
+ Information security requirements regarding the handling of event logs are determined.
+ Where externally operated services (in particular, cloud services) are used, information on monitoring options are
obtained
- e.g. attack detection and report options (incident response)
+ Legal requirements such as storage durations and protection of personal rights are observed.
+ Rules and procedures for fulfilling the determined requirements are defined and implemented.

+ Event logs are protected against modification during storage.
This may include:

None.

+ Information security requirements relevant to the security during the handling of event logs, e.g. contractual requirements,
are determined and implemented.

None.
12.6 To what extent are the activities of system administrators and system operators logged, the logs protected against
modification and regularly reviewed?
Objective: System administrators and operators can use their comprehensive access rights to modify IT systems significantly. Logging
and analysing activities in accordance with valid legislation (such as Data Protection and Works Constitution Act) are
required to enable determining who has made changes to IT systems in case of information security events.
505025421.xlsx /
+ Security-relevant requirements regarding the logging of activities of system administrators and operators are determined
and implemented.
+ The IT systems used are assessed regarding the necessity of logging.
+ Where externally operated services (in particular, cloud services) are used, information on monitoring options are
obtained and taken into account in the assessment.
- e.g. audit logs for configuration changes and use of/access to e-discovery functions or backup.
+ Procedures for handling violations of regulations are defined.
+ Logs are regularly reviewed for violation of rules in accordance with permissible legal and operational provisions.
+ The type of logging with respect to time, activity level and storage durations is defined and implemented.

+ A process to report violations to the authorized body (e.g. CERT) is established.
+ The log files are protected against modifications. (e.g. by means of a dedicated environment)
This may include:

None.

+ Cases of access to external services during connection and disconnection (e.g. remote maintenance) are logged.

+ Logging of all cases of access
- as far as technically feasible
- to data of very high protection needs.
12.7 To what extent is information regarding technical vulnerabilities of IT systems acquired at an early stage, evaluated
and are appropriate measures taken (e.g. patch management)?
Objective: Known weaknesses increase the risk that IT systems can no longer fulfil the requirements for confidentiality, availability and
integrity if they allow attackers access to the IT system or compromise the stability of the system.
+ Information on technical weaknesses of the used assets are collected and assessed.
+ Potentially affected systems and software (assets) are identified. (e.g. manufacturer, version, installation site)

+ An adequate patch management is defined and implemented. (e.g. patch testing and installation)
+ Where required, risk mitigating measures should be implemented. This includes e.g.:
- Separation of affected systems
- shut-down of the affected service
- adjustment of access options, e.g. firewalls
- adjustment of monitoring
- increasing user awareness
This may include:

None.

None.

None.
12.8 To what extent are audit requirements and activities for reviewing IT systems planned, coordinated, aligned and
are those IT systems subsequently subjected to technical review (system audit)?
(Reference to ISO 27001: Control A.12.7.1, A.18.2.3)
Objective: During audits (particularly technical audits), problems with the stability of the IT systems under review may occur. Audit
activities involving a review of IT systems must be planned and agreed in order to avoid disturbances of the corresponding
processes.
+ Requirements for auditing IT systems are determined.
+ The scope of the audit is specified in a timely manner.
+ System audits are coordinated with the operator and users of IT systems.
+ The results of system audits are stored in a traceable manner and reported to the relevant management.
+ Measures are derived from the results.
+ The derived measures are traced under the ISMS.

+ System audits are carried out by trained experts.
+ For deviations, measures to be taken within an adequate period of time shall be defined and coordinated.
+ The audit report shall have been prepared and coordinated within an adequate period of time.
This may include:

None.

None.

None.
12.9 To what extent have effects due to critical administrative functions of external IT services (particularly cloud
services) been taken into account?
505025421.xlsx /
Objective: Many cloud services provide functions which may lead to major changes to services in operative use. These functions may
jeopardize the confidentiality of information, be irreversible or reversible only with significant effort which then may impair
availability or integrity. These functions are often provided to administrative users via an easy-to-use automated
configuration interface. When an administrative user executes such functions, such activities are carried out without further
human supervision.
It must be ensured that such functions can neither inadvertently nor by a wilful administrator be used without particular effort
to cause harm impairing confidentiality, availability or integrity.
+ Critical functions of all relevant services are identified and assessed.

+ Critical functions of all relevant services are documented together with their associated risk. Here, among others, the
following aspects (where applicable) have been considered:
- installation, modification or deletion of virtual resources (e.g. virtual servers, virtual networks and virtual storage)
- termination of services (cancellation)
- authorization of more users
- release and publication functions
- backup and recovery functions
+ The options to counteract by means of configuration and allocation of rights are known and documented.
+ The resulting risks are minimized by means of configuration and allocation of rights.
- Critical non-administrative functions have been restricted as far as reasonable.
- Access to non-administrative and administrative functions is, as far as possible, restricted to a minimum number of
persons.
- As far as possible, both technically and without any restriction of the desired functionality that would be inadequate in
relation to the addressed risk, critical non-administrative and administrative functions have been deactivated.
+ An emergency concept describing the handling of harm scenarios exists and is tested.
This may include:

+ Application of the several-eyes principle for critical functions.
+ Contractually agreed restriction of functionality by the provider (e.g. by means of suitable framework contracts)

None.

None.
13 Communications Security
13.1 To what extent are networks managed and controlled to protect information in IT systems and applications?
Objective: The protection of information in networks, IT systems and IT applications must be ensured. For this purpose, measures
ensuring protection against unauthorized access must be implemented. This includes taking suitable control measures
supported by means of monitoring the networks, IT systems and IT applications.
+ Procedures for management and control of networks are defined.

+ Requirements for control and management of networks are determined and implemented. This includes e.g.:
- Restrictions for connection of IT systems to the network
- Special protective measures in case of network connections via potentially unsecured networks (e.g. encryption)
- Adequate monitoring and recording of activities on a network that are relevant to information security
- Use of auxiliary means such as firewall systems, intrusion detection and prevention systems (IDS/IPS), network
management tools, security software for networks
- When using externally operated network services that are accessible via the internet (cloud services), the resulting
increased risk is assessed and addressed in the applications.
This may include:

None.

+ Extended requirements for the control and management of networks must be determined and implemented.
This includes e.g.:
- Authentication of IT systems within the network

None.
13.2 To what extent are requirements for security mechanisms and service levels and also management requirements
for network services identified and documented in service level agreements?
Objective: Security mechanisms, quality of service provision and requirements for the management of all network services must be
determined and incorporated into agreements (Service Level Agreements, SLAs) for both internal and external networks.
+ Requirements regarding the information security of network services are determined and implemented.

+ Procedures for securing and using network services are defined and implemented.
+ SLAs are defined and implemented for internally and externally operated network services.
+ Adequate redundancy solutions are implemented.
This may include:

None.

+ Procedures for monitoring the network (e.g. traffic flow analyses, availability measurements) are defined and carried out.

+ Out-of-band management is applied.
505025421.xlsx /
13.3 To what extent are groups of information services, users and information systems segregated on networks?
Objective: IT systems on the network usually have different protection needs. Thus, IT systems directly connected to the internet are
generally exposed to different threats than IT systems on the office network. In order to detect and prevent undesired data
exchange between IT systems of different protection needs, corresponding groups must be formed on the network and then
segregated from other groups.
+ Requirements regarding network segmentation are determined.
- Where cloud services are used, the possibilities of (virtual) network separation is considered

+ Rules and procedures for network segmentation are defined and implemented.
This may include:

None.

None.

None.
13.4 To what extent is information protected during exchange or transfer?

Objective: During exchange and transfer of information, the information security requirements must be considered. For this purpose, it
must be defined which services within the organization may be used for which type of data and which protective measures
are to be taken when using those services.
+ The services (e.g. email, EDI, voice over IP) used for transfer are identified.
+ Rules and procedures in accordance with the classification for the use of services are defined and implemented.
+ Measures for the protection of transferred contents against unauthorized access are implemented.

+ Measures for ensuring correct addresses and correct transport of the message are implemented.
+ A process for approving the use of external services (e.g. instant messaging, web meeting, webmail) is established.
+ Electronic data exchange is carried out according to the classification by means of content encryption and/or via
encrypted transmission paths (e.g. VPN, encrypted connections (HTTPS, SFTP, TLS)).
This may include:

+ Digital signatures are used in accordance with legal provisions.

+ Emails are transmitted by means of transport encryption (e.g. TLS).
+ A suitable encryption is in use during data transfers to externally hosted IT systems (see Controls 10.1, 15.1).

+ Emails are transmitted by means of end-to-end encryption (e.g. PGP, S/MIME, ZIP encryption).
13.5 To what extent are non-disclosure agreements applied prior to an information exchange and are the requirements
or needs for the protection of information documented and regularly reviewed?
Objective: Even where sensitive information is passed on outside the organization, it must be ensured that external organizations are
obliged to meet the information security requirements and to implement the required measures. Non-disclosure agreements
provide the necessary legal basis for this obligation. Therefore, it must be ensured that sensitive information is only passed
on if a corresponding non-disclosure agreement has been entered and is legally effective.
+ All service providers and employees working with sensitive information have entered valid non-disclosure agreements.
+ Rules and procedures for applying non-disclosure agreements are defined and made known to all persons passing on
sensitive information.
+ The requirements, rules and procedures for applying non-disclosure agreements are reviewed regularly.

+ Non-disclosure agreement templates are available and checked for legal applicability.
+ The templates include clear indications of:
- the involved persons/companies
- the type of information covered by the agreement,
- the subject of the agreement
- the duration of validity of the agreement (temporary or permanent)
- the responsibilities of the obligated party
+ The templates contain specifications of the rights of use for information beyond the contractual relationship.
+ Options of proving compliance with specifications (e.g. review by an independent third party or audit rights) are defined.
+ A process for monitoring the duration of validity of temporary agreements and initiating an extension in due time is defined
and implemented.
This may include:

None.

None.

None.
14 System Acquisition, Development and Maintenance
505025421.xlsx /
14.1 To what extent are security specific requirements taken into account for new IT systems (incl. publically accessible
systems) and for extensions to existing IT systems?
Objective: Information security must be an integral part of the entire lifecycle of IT systems. This includes in particular that information
security requirements are taken into account in the development, acquisition and maintenance of IT systems.
+ The information security requirements associated with the acquisition or extension of IT systems are determined.

+ Requirement specifications are reviewed with respect to information security policies.
+ The IT system is reviewed for compliance with specifications prior to productive use.
This may include:

None.

None.

None.
14.2 To what extent are security-relevant aspects considered in the software development process (incl. change
management)?
(Reference to ISO 27001: Control A.14.2.1 - A.14.2.9)
Objective: Information security requirements must be taken into account in the development process of software and IT systems. They
must be incorporated as requirements and milestones into the respective process model.
None.

+ A policy for the development of software and IT systems is created and includes at least the following aspects:
- information security requirements regarding the development environment
- information security requirements during the software development lifecycle
- information security requirements during the design phase
- information security review points related to project milestones
- information security during version control and repositories
- knowledge about information security of application systems
- requirements for developers regarding the creation of systems/applications under consideration of information security
aspects (avoidance, detection and elimination of weaknesses)
+ Information security requirements are taken into account in change management.
+ Defined engineering principles for secure system development are defined and implemented.
+ Secure development processes are also defined for cases where systems are created by third parties.
+ System approval tests are carried out under consideration of the information security requirements.
This may include:

None.

None.

None.
14.3 To what extent are test data created, protected and used in a careful and controlled manner?
Objective: Test data is often required for testing purposes in the course of software development or change management. Testing is
conducted in test environments the access to which is often controlled less strictly and often allocated to persons (e.g.
service providers or developers) who do not need access to productive data. It must be ensured that the test environment
does not increase the risk of loss or disclosure of productive data.
None.

+ The use of productive data for testing purposes is avoided as far as possible.
+ Where productive data are used for testing purposes, the following shall be ensured:
- Anonymization or pseudonymization of productive data is carried out in accordance with legal regulations
- Identical access controls are applied both for the test system and for the productive system
+ Case-specific requirements for the generation of test data are defined.
This may include:

None.

+ Copying of information from the productive environment must require prior approval by means of a defined process.
+ Immediately after completion of testing, operation-relevant information must be removed from the test system.
+ The process of copying and the use of the organization-relevant information as test data must be recorded for later review
(audit trail).

None.
14.4 To what extent is it ensured that only evaluated and approved external IT services (particularly cloud services) are
used for processing company data?
-
505025421.xlsx /
Objective: Particularly cloud services, whose use is often related to little or no cost, present an enhanced risk that established
acquisition processes are bypassed thus also leading to acquisition and commissioning without adequate compliance with
technical and contractual information security requirements. Security cannot be ensured in cases where external IT services
are used without considering security requirements.
Therefore, it must be ensured that external IT services will not be commissioned unless the intended processes are
completed and thus the information security processes and provisions are met prior to commissioning.

+ All persons having access to sensitive information are aware that the use of external IT services is not permitted without
explicit assessment and implementation of the information security requirements.
- This also includes external IT services which can be used free of charge.

+ Requirements for the acquisition, commissioning and approval of use of external IT services are established.
+ The commissioning and use of external IT services is regulated by an instruction binding to all employees.
+ All employees are made aware of this in regular trainings.
- e.g. during information security trainings held at regular intervals.
+ Observation of the instruction is verified regularly.
+ The approved IT services and their acceptable use are catalogued outlined in catalogues.
This may include:

+ Framework contracts with essential cloud service providers are entered allowing the use only in suitable and assessed
configurations and informing the responsible persons within the organization.
+ Catalogues of authorized IT services are provided to the respective specialized departments.

+ Internal audits are held regularly in order to verify that no unauthorized IT services are used.

None.
15 Supplier Relationships
15.1 To what extent are information security requirements contractually agreed with suppliers to mitigate risks when
suppliers have access to corporate assets (particularly information and communication services and in case such
assets are used by subcontractors)?
Objective: In collaboration with external companies (e.g. subcontractors), the requirements regarding the protection needs of
transferred information msut be considered. Therefore, relevant risks and requirements regarding information security must
be addressed in the contracts.
+ External companies/third parties (e.g. subcontractors) shall be subjected to an information security assessment.
+ Contractual agreements with external companies regarding measures for protecting information (e.g. non-disclosure
agreements) are entered.
+ Requirements for other subcontractors of the supplier are taken into account in procurement.

None.
This may include:

+ Information security certification (e.g. ISO/IEC 27001, NIST).

+ A risk assessment is conducted for each commissioning of an external company and additional information security
measures are defined.
+ The supplier provides proof of information security (e.g. certificate, testimony).
+ Where a commissioned supplier also gains access to customer information, contractual obligations shall be observed.
This can be:
- Explicit approval of the passing-on, processing and storage of information by the information owner (e.g. customer)
- measures for procurement control with respect to personally identifiable data (processing ordered by the customer,
handling by subcontractors, deletion/disabling etc.)
- The requirements for the protection of data during transfer, processing and storage (e.g. encryption)
- Provisions for the reaction to information security events are known to the external companies/third parties
+ In case of externally operated IT infrastructure (e.g. networks, server) and/or cloud solutions, it is ensured that:
- external administrators do not have access to data content
- The requirements for encryption according to Control 10.1 are met

None.
15.2 To what extent are the services performed by a supplier or subcontractor monitored, reviewed and audited on a
regular basis?
Objective: The provision of services by service providers shall be monitored regularly by an organization. By means of monitoring and
verifying the provided services, it must be ensured that the conditions of an agreement regarding information security are
fulfilled.
505025421.xlsx /
+ Compliance with contractual agreements is monitored and verified.

+ A process for monitoring and verifying service providers is defined and established.
+ Third party service reports and documents are monitored and verified.
This may include:

None.

+ Information security or compliance with security policies among business partners is adequately ensured by means of
suitable verifications (e.g. auditing).

None.
16 Information Security Incident Management
16.1 To what extent are responsibilities, procedures, reporting channels and criticality levels established to ensure an
effective response to information security incidents or weaknesses?
Objective: Detection of and defence against security events generally require an effective and consistent approach. For this purpose,
the responsibilities and procedures for handling information security events must be specified in order to ensure a prompt
reaction to those events. Suitable reporting channels and awareness of all employees are essential elements of these
procedures and must be considered.
+ A policy for reporting information security events or weaknesses is created including at least the following requirements:
- reaction to information security events according to defined levels of criticality
- report form
- reporting channel
- processing organization
- specifications for feedback procedure
- indication of technical and organizational measures (such as disciplinary measures)

None.
This may include:

None.

+ Requirements resulting from business relations (e.g. obligations of reporting to customers) are determined and
implemented.

None.
16.2 To what extend is the handling on security events performed?

Objective: Information security events must be assessed. There shall be an adequate reaction to information security events based on
defined procedures. In the aftermath of information security events, findings must be used to reduce the probability of future
events occurring.

+ Procedures are established and documented in order to ensure verifiability in case of Information security
events/weaknesses.
+ Information security events/ weaknesses are assessed and documented in order to ensure verifiability.
+ An adequate reaction to information security events/ weaknesses is given.

+ Information security events/weaknesses (problem management) are analysed.
+ Measures to prevent further occurrence of similar information security events are defined and implemented.
This may include:

None.

None.

None.
17 Information Security Aspects of Business Continuity Management

17.1 To what extent are information security requirements (including redundancy of corresponding facilities) and the
continuity of the ISMS in the event of a crisis defined, implemented, verified and evaluated?
(Reference to ISO 27001: Control A.17.1.1 - A.17.1.3 and A.17.2.1)
Objective: In events of crisis, information security is particularly at risk. Therefore, it must be ensured that even in those cases the
defined ISMS measures continue to provide effective protection or previously defined supplementary measures must be
taken.
505025421.xlsx /
+ Potentially affected IT systems and software are identified.
+ For events of crisis, methods, processes and procedures relevant to information security are taken into account.

+ Taking information security into account in the BCM (Business Continuity Management) or the disaster recovery process,
where available.
+ Information security measures for events of crisis are reviewed regularly.
This may include:

+ The persons responsible for information security (see Control 6.1) are part of the crisis management team.
+ The redundancy in the field of IT facilities and IT systems (availability aspects) is ensured.

None.

None.
18 Compliance
18.1 To what extent is compliance to relevant legal (country-specific) regulations and contractual requirements ensured
(e.g. protection of intellectual property rights, use of encryption technology and protection of records)?
(Reference to ISO 27001: Control A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.5)
Objective: An essential aspect of compliance is the adherence of legal, regulatory, contractual and business-related requirements and
specifications. An organization must know relevant requirements and specifications and meet them. This also includes
consideration of intellectual property rights. Additionally, requirements for records regarding their protection against loss,
destruction, forgery, unauthorized access and unauthorized disclosure must be met. additionally cryptographic measures
shall be implemented while taking the relevant agreements, legislation and provisions into account.
+ Legal, regulatory and contractual requirements and specifications of relevance to information security, such as e.g. in
relation to copyright, are determined regularly.
+ Regulations regarding the compliance with legal, regulatory and contractual requirements are defined, implemented and
communicated to the entrusted persons.

+ Measures for fulfilling the requirements regarding intellectual property rights and the use of software products protected
by copyright (acquisition and license management) are defined and implemented.
+ Staff awareness measures with respect to compliance topics associated with information security are carried out regularly.
+ The integrity of records in accordance with legal, regulatory and contractual obligations and business requirements as well
as classification (access protection, storage) is taken into account.
This may include:

None.

None.

None.
18.2 To what extent is confidentiality and the protection of personally identifiable information ensured (according to
national legislation)?
Objective: Privacy and protection of personally identifiable information must be ensured as required in relevant legislation and
regulation where applicable. For this purpose, processes and procedures ensuring adequate protection of personally
identifiable information shall be implemented.
+ Legal and contractual requirements regarding the procedures and processes in the processing of personally identifiable
information are determined.
+ Information assets are classified according to personally identifiable information.
+ Regulations regarding the compliance with legal and contractual requirements for the protection of personally identifiable
information are defined and communicated to the entrusted persons.
+ Processes and procedures for the protection of personally identifiable information are implemented.

None.
This may include:

None.

None.

None.
18.3 To what extent is the ISMS reviewed by an independent third party at regular intervals or in case of significant
changes?
Objective: Assessing the effectiveness of the ISMS only from an internal point of view is not sufficient to serve as an essential control
tool. Instead, an independent and therefore objective assessment must be obtained at regular intervals and in case of
significant changes.
505025421.xlsx /
+ Information security reviews are carried out by an independent and competent body at regular intervals and in case of
significant changes.
+ Measures for correcting potential deviations are initiated and pursued.

+ The results of the conducted tests are recorded and retained.
+ The results of the conducted tests are reported to the management of the organization.
This may include:

None.

None.

None.
18.4 To what extent is the compliance of procedures and processes with policies, regulations and other relevant
information security standards ensured?
(Reference to ISO 27001: Control A.18.2.2, A.18.2.3)
Objective: The effectiveness of policies, regulations and relevant information security standards must be ensured continuously. For
this purpose, compliance with the applicable security policies and standards must be verified at regular intervals. This also
includes verification of compliance with technical specifications of the information security policies. The results of the
conducted tests must be recorded and the records must be retained.
+ Compliance with policies, regulations and information security standards is monitored.
+ Information security regulations and procedures are reviewed throughout the organization at regular intervals.
+ Measures for correcting potential non-conformities (deviations) are initiated and pursued.

+ The results of the conducted tests are recorded and retained.
+ A plan for content and framework conditions (time schedule, extent, controls) of the tests to be conducted is provided.
This may include:

None.

None.

None.
505025421.xlsx /
Information Security Assessment -
Additional requirements for connection to third parties
based on ISO 27002:2013
Company: 0
Location: 0
Date: 12/30/1899
Maturity
level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5;
n.a.
23 Additional requirements for connection to third parties

23.7 Human Resources Security
23.7.2 To what extent is staff (internal and external) made aware of and trained about the risks associated with handling
and processing information?
Objective: Information security must be a natural and integral part of the work environment and adopted in the daily work of all
employees. By means of information security training, employees must gain the necessary knowledge and competence for
security-conscious behaviour. They must be particularly aware of what is expected of them with respect to information
security and how to react to security-critical situations.
+ Employees having access to customer networks have received the necessary training and awareness for handling the
associated security risks.

None.
This may include:

None.

None.

None.
23.9 Access Control
23.9.2 To what extent are procedures for the registration, modification and deletion of users with the corresponding
access rights implemented, and in particular is the authentication information handled confidentially?
Objective: The identity of the user of an IT system or an IT application must be clearly verifiable to allow the assignment of actions. In
order to ensure this, authentication (registration) procedures and mechanisms of IT systems or IT applications must be
designed such that users are clearly identified and authenticated.
+ User related access to customer systems shall not be used by multiple users.
+ Changes to the employment contract or the authority of an employee shall be reported to the system operator
immediately or user access shall be adapted accordingly.

None.
This may include:

None.

None.
23.11 Physical and Environmental Security
None.
23.11.1 To what extent are security zones for the protection of sensitive or critical information and information processing
facilities defined, protected and monitored (access control)?
Objective: Processing of information assets outside the area affected by the measures intended for achieving the target information
security level shall be prevented. Since it is generally not possible to implement corresponding measures for all areas of the
location, a zone concept must be applied defining in which areas which type of information may be processed.
505025421.xlsx /
Connection to 3rd parties (23)
None.

None.
This may include:

None.

+ Separate zones are established for the respective projects.
+ Work place computers (e.g. PCs, CAD work stations) should be installed in locked rooms.
+ Rooms accommodating servers should be alarm-monitored.
+ Protective measures against simple eavesdropping and viewing shall be implemented.
+ Access restricted to authorized persons (e.g. access system, own locking system).
+ Creating of print-outs only within the respective zone or by personally printing (e.g. print-to-me with PIN).
+ Destruction of (phyiscal) files within those zones (e.g. by using shredders).
+ Where rooms have several users (e.g. server rooms), direct access to systems by external persons shall be prevented.
+ Physically securing the property or project rooms (e.g. locking system).

+ Physically securing the property or project rooms outside the hours of operation (e.g. fence security system/video
surveillance with alarm activation function, not recording only, intrusion detection system with motion sensors, glass
breakage detectors, cameras and image recognition).
+ Immediate response to alarm messages according to alarm plan.
+ Permanent surveillance of escape doors.
23.13 Communications Security
23.13.3 To what extent are groups of information services, users and information systems segmented within the network?
Objective: IT systems on the network have different protection needs. Thus, IT systems directly connected to the internet are generally
exposed to different threats than IT systems on the office net. In order to detect and prevent undesired data exchange
between IT systems of different protection needs, corresponding groups must be designed on the network and these must
be segregated from other groups.
+ Requirements regarding network segmentation are defined.
+ Rules and procedures for network segmentation are defined and implemented.

None.
This may include:

None.

+ Physical and/or logical separation of supplier/vendor network and customer network.
+ No access to the project office from outside.

None.
505025421.xlsx /
Connection to 3rd parties (23)
Zusatzanforderungen Prototypenschutz
Company: 0
Location: 0
Date: 12/30/1899
Maturity
level
Level 0-5;
n.a.
25 Prototype Protection
25.1 Physical and Environmental Security

25.1.1 To what extent is a security concept available describing minimum requirements regarding object security for
prototype protection?
(PT module; no reference to ISO 27001)
Requirements: This includes e.g.:

+ perimeter security
+ stability of outer skin
+ view and sight protection
+ protection against unauthorized access and access control
+ intrusion detection system
+ documented visitor management
+ client separation.
25.1.2 To what extent is perimeter security existent preventing unauthorized access to protected objects of the
properties?

+ artificial barriers (fence systems, walls)
+ natural barriers (growth, vegetation)
+ technical barriers (detection).
25.1.3 To what extent is the outer skin of protected buildings constructed such as to prevent removal or opening of outer-
skin components using standard tools?

+ massive construction (stone, concrete, steel metal).
25.1.4 To what extent is a view and sight protection ensured in defined protection areas?

+ protection against sight through relevant glass surfaces
+ prevention of sight through open doors/gates/windows.
25.1.5 To what extent is the protection against unauthorized entry regulated in the form of an access control?

+ mechanical locks with documented distribution of keys
+ electronic access systems with documented authorization assignment
+ personal access control with documentation.
25.1.6 To what extent is a functioning intrusion detection system implemented on the premises to be secured?

+ use of technology in accordance with DIN EN 50131, complying with VDS or similar and functional
+ preparation of alarm plans
+ alarm tracing to a certified security service or control centre (e.g. according to DIN 77200, VdS 3138).
25.1.7 To what extent is a documented visitor management in place?


+ mandatory registration for all visitors
+ documented non-disclosure obligation prior to entry
+ publication of security and visitor regulations.
25.1.8 To what extent is on-site client separation existent?


+ spatial separation of different
- customers and/or
- projects.
505025421.xlsx /
Prototype protection (25)
Company: 0
Location: 0
Date: 12/30/1899
Maturity
level
Level 0-5;
n.a.
25.2 Organizational Requirements
25.2.1 To what extent are non-disclosure agreements/obligations existent according to the valid contractual law?
Requirements: This includes a non-disclosure agreement e.g.:

+ between contractor and customer (companies)
+ with all employees and project members (personal obligation).
25.2.2 To what extent are requirements for commissioning subcontractors known and fulfilled?

+ approval by initial customer
+ valid non-disclosure agreement according to contractual law
- between customer and subcontractor (companies)
- with all employees and project members of the subcontractor (personal obligation)
+ demonstration of compliance with security requirements of the initial customer.
25.2.3 To what extent are the employees and project members evidently trained for and made aware of risks associated
with handling prototypes?

+ ensuring by the management training/awareness programs are carried out
+ training of employees and project members in the handling of prototypes on entering the project
+ regular (at least annual) training of employees in handling prototypes
+ ensuring the awareness among employees and project members of the respective protection needs and the resulting
company-internal measures
+ obligation of employees and project members to attend training and awareness measures.
25.2.4 To what extent are security classifications of the project and the resulting measures for protection known?

+ ensuring that all project members have been made aware of the security levels and security requirements according to
the progress of the project
+ consideration of level plans, measures for non-disclosure and camouflage, development policies.
25.2.5 To what extent is a process defined for allocation of access to defined security areas?

+ responsibilities for the allocation of access are clearly regulated and documented
+ consideration of new allocations, changes and deletions
+ rules of conduct for reacting to loss/theft of locking means.
25.2.6 To what extent are regulations for image recording and handling of created image material existent?

+ approval procedure for image recording
+ regulation for classification of image material
+ secure storage of image material
+ secure deletion/disposal of unrequired image material
+ secured passing-on/transfer of image material to authorized recipients only.
25.2.7 To what extent is a process for carrying along and using mobile video and photography devices in(to) defined
security areas established?

+ approval procedure for image recording
+ regulation for classification of image material
+ secure storage of image material
+ secure deletion/disposal of unrequired image material
+ secured passing-on/transfer of image material to authorized recipients only
+ regulation for carrying along.
25.3 Handling Prototypes
505025421.xlsx /
Company: 0
Location: 0
Date: 12/30/1899
Maturity
level
Level 0-5;
n.a.
25.3.1 To what extent are the predefined regulations for camouflage implemented by the project members?

+ project members are aware of the requirements for use of the respective camouflage
+ agreement on changes to the camouflage with the customer
+ prompt reporting of damages to the camouflage.
25.3.2 To what extent are transports in need of protection arranged according to the specifications of the customer?

+ that those logistics/transport companies specifically approved by the customer are used
+ that the loading and unloading requirements specified by the customer are known and met
+ that any security-relevant incidents are reported to the customer.
25.3.3 To what extent is it ensured that vehicles, components or parts which require confidentiality are parked/stored in
accordance with customer requirements?

+ the customer-specific parking/storage requirements are evidently known.
25.3.4 To what extent are security requirements of approved test and trial grounds observed/implemented?

+ an up-to-date listing of customer-approved test and trial grounds
+ rules of conduct for ensuring trouble-free testing
+ protective measures defined by the customer.
25.3.5 To what extent are security requirements for approved test and trial drives in public observed/implemented?
Requirements: This includes e.g.: .

+ protective measures defined by the customer.
+ rules of conduct in case of unusual events (e.g. incident, accident, theft...).
25.3.6 To what extent are security requirements for presentations and events with scope/contents subject to
confidentiality implemented?
Requirements: This includes e.g.: .

+ created security concepts agreed with and approved by the customer (organizational, technical,staff-related)
+ rules of conduct in case of unusual events
25.3.7 To what extent are security requirements for film and photo shootings with scope/contents subject to
confidentiality implemented?

+ proof of approval of the premises expected to be used
+ created security concepts agreed with and approved by the customer (organizational, technical, staff-related)
+ rules of conduct in case of unusual events
505025421.xlsx /
Control 7.2 Awareness and training of employees 9.2 User registration 12.1 Change management 12.3 Protection against malware
VDA ISA target

4 4 4 4
maturity level
Scope COVERAGE EFFEKTIVENESS COVERAGE COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS
Effectiveness of
Coverage degree of Effectiveness of Coverage degree Coverage degree Coverage degree Coverage degree
ID Collective accounts Change - error rate updating Endpoint
awareness measures awareness measures review “user accounts” review “authorizations” Change Management Endpoint Security
Security
Employees with raised

Regular reviews of user
awareness represent an The contents of awareness Collective accounts should
Regular reviews of systems accounts for unnecessary A comprehensive and
important pillar for the measures should consider principally not be used or A high quality of the change A comprehensive Endpoint
for unnecessary accounts is authorizations is a consistently adhered Current virus signatures are
information security in a outcomes of information used only in exceptional management process leads Security provides a
a prerequisite for a prerequisite for a consistent change management the prerequisite for an
company. Awareness security incidents. The KPI cases since an explicit to lower error rates of the company with an essential
consistent and current user and current authorization process is the basis for effective Endpoint Security.
measures should reach all measures the effectiveness allocation of user activities performed changes and protection against malware.
Description employees, as far as of awareness measures by
basis according to the need- basis according to the need-
is impeded. The KPI
secure operation. The KPI
contributes to secure The KPI measures the ratio
The KPI measures the
to-know principle. The KPI to-know principle. The KPI measures the coverage target and the actual state
possible. The KPI measures collection (number or cost measures the number of operation. The KPI of protected systems taking
measures the coverage measures the coverage degree of changes that are of virus definitions on
the coverage degree of based) of security incidents used collection accounts in measures the error rate of approved exceptions into
degree of the measure degree of the measure compliant with the reporting deadline.
trainings such as e- with human errors as a consideration of approved changes. account.
“regular user review” “regular authorization guidelines.
learnings, classroom cause. exceptions.
review”.
trainings.
All employees are trained No information security Comprehensive protection

All systems have valid user All authorizations comply All collective accounts are Guidelines-compliant Error-free performance of All systems have up-to-date
Objective (Vision) with respect to information incidents with human error of all system threatened by
accounts only with current needs reviewed for their need performance of all changes changes protection
security as a cause malware
Information Security; Local IT, Information Local IT, Information

Recipient supervisors
Information Security Information Security Information Security Information Security Information Security Information Security
Security Security
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined

Frequency (reporting) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
to be determined
individually (0-20…low, 20- to be determined
to be determined to be determined to be determined
50 medium, 50+ high) individually (e.g. Green: >
to be determined individually (e.g. Green: > individually (e.g. Green: > to be determined to be determined individually (e.g. target:
possible characteristic for 90%, Yellow: 70-90%, Red:
individually (e.g. Green: > 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: individually (e.g. Green: < individually (e.g. Green: > 100% after max. 30
Threshold levels 90%, Yellow: 70-90%, Red:
comparability of business
< 70%, special case of < 70%, special case of
Number red: > 0,Green = 0 < 70%, special case of
10%, Yellow: 10-30%, Red: 90%, Yellow: 70-90%, Red: minutes,
units: in relation to the systems relevant to financial
< 70%) systems relevant to financial systems relevant to financial > 30%) < 70%) Green: > 90%, Yellow: 70-
number of employees e.g. reporting: target coverage
reporting: target coverage reporting: target coverage 90%, Red: < 70%)
unit: incidents/100 100%
employees
Analysis training Quotient: number of Quotient: number of

collecting the number of Quotient: number of
management Determining the number of Quotient: number of Quotient: number of approved and requested protected systems/total time comparison
collective accounts reversed changes/total
Measurement Quotient: number of security incidents with performed reviews/total performed reviews/total changes (RFC)/total number of systems average actual rollout state
(adjusted for authorized number of performed
participants/total number of human error as a cause number of systems in scope number of users in scope number of performed (adjusted for authorized vs. target state
exceptions) changes
employees changes exceptions)
Frequency to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
(measurement) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. monthly) individually (e.g. annually)
HR - Training Department -
Data Owner, User Data Owner, User IT Operations, Change IT Operations, Change AV Management, IT AV Management, IT
Interfaces IKS - Internal Audit Incident Management
Management, supervisors Management, supervisors
User Management
Management Management Operations Operations
Department
E-learnings, classroom User directory, authorization User directory, authorization User directory, authorization
Incident Mgt. Tool, Ticket Project Management, Project Management,
Components training, training plan, management tool, IAM management tool, IAM management tool, IAM AV console, CMDB AV console, CMDB
System, ISMS Tool Change Management Change Management
training register platform, CMDB platform platform
Data archiving 5 years 5 years 10 years 10 years 5 years 10 years 5 years 5 years 5 years
505025421.xlsx /
KPIs
12.7 Detection of vulnerabilities
12.4 Backup 16.2 Processing of information security incidents 5.1 Information security policy 6.2 Information security in projects
(Patch management)
4 4 4 3 3
COVERAGE COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE COVERAGE COVERAGE
Creation degree of
Detection rate of Timely processing of Actuality of required Coverage degree of
Degree of backup Degree of restoration Coverage degree Patch Effectiveness of patch required
Backup effectiveness information security information security policies/documentation information security in
coverage test coverage Management installation policies/documentation
incidents incidents s projects
s
The contemporary
Information security Information security
A regular review of backup Backup quality must be A comprehensive patch installation of patches
A regular and complete incidents have to be incidents have to be
functionality (e.g. by ensured by correlating management protects the ensures the security of
backup provides protection detected and timely handled prioritized and handled Under an ISMS, For the ISMS, the prepared
restoring data or systems) is controls. Measures are e.g. company against the systems and applications Information security topics
against the loss of data, e.g. in order to protect the accordingly depending on mandatory/voluntary policies/documentations
essential for the availability data restore, system impacts of malware and and therefore reduces the shall be addressed during
in case of a system failure company from damages. their criticality. The KPI policies/documentations shall be reviewed for their
of business information. restoration. exploits. The KPI measures window of vulnerability for projects.
or malware infection. The KPI measures the measures the appropriate shall be prepared. actuality.
The KPI measures the The KPI measures the the inclusion of systems and the company. The KPI
The KPI measures the compliance of the incident timely handling of
degree of the restore test number of incorrect data applications in the Patch measures recording of the
degree of backup coverage. reporting process between information security
coverage. restores. Management process. target and actual state of
the involved interfaces. incidents.
Patches.
All information security

incidents will be detected, All information security All necessary
All necessary Information security
All data is adequately Regular restore tests for all All systems are involved in All systems are at up-to- reported and handled within incidents will be handled policies/documentations are
Correct backups policies/documentations are requirements are
protected backed-up systems the patch process date patch level the framework of the within an appropriate time reviewed for
present. considered in all projects
incident management frame actuality/content
process
Information Security, Information Security, Information Security,

Local IT, Information Local IT, Information Local IT, Information Local IT, Information Local IT, Information Local IT, Information Local IT, Information
Corporate Security, IT Corporate Security, IT Corporate Security, IT
Security, service owner Security, service owner Security, service owner Security Security Security, Compliance Security, Compliance
Security, HR, Business Security, HR, Business Security
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
Initial creation
individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
to be determined
individually (e.g. according
to category maximum
to be determined to be determined
to be determined to be determined periods for solution:
individually (e.g. Green: = individually (e.g. target: to be determined to be determined to be determined
individually (e.g. Green: > individually (e.g. Green: > -PRIO 1: days
100% (of systems to be Number Red: > 0,Green = 0 100% after max. 10 days, Number Red: < 1,Green = 1 individually (target coverage individually (target coverage individually (target coverage
90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: -PRIO 2: weeks
secured), Yellow: 70-99%, Green: > 90%, Yellow: 70- = 100 %) = 100 %) = 100 %)
< 70%) < 70%) -PRIO 3: months
Red: < 70%) 90%, Red: < 70%)
unsolved incidents within
period, e.g. Green: < 2%,
Yellow: 2-5%, Red: > 5%)
Quotient: number of
Quotient: number of Quotient: number of Quotient: number of information security
Quotient: number of For each individual criticality Quotient: number of policies Quotient: number of
systems covered with systems with tested currently patched time comparison incidents reported in the Quotient: number of existing
restorations with errors/total level: reviewed according to projects considering
backups/total number of restoration from systems/total number of average actual rollout state incident policies/population of
number of all restoration all unsolved incidents within cycle/population of policies security/total number of
systems (adjusted for backup/total number of all systems (adjusted for vs. target state management/number of all necessary policies
tests defined period/all incidents to be reviewed relevant projects
authorized exceptions) systems with backup authorized exceptions) incidents (of the surveying
unit)
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
individually (e.g. annually) individually (e.g. monthly) individually (e.g. annually) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
IT, CERT, Incident IT, CERT, Incident Information Security, Information Security,
Backup process, IT Backup process, IT Backup process, IT Patch/Change Patch/Change Project customer, project
Management, Helpdesk, Management, Helpdesk, Corporate Security, IT Corporate Security, IT
Operations Operations Operations Management, IT Operations Management, IT Operations management office (PMO)
Service Management Service Management Security, HR, Business Security, HR, Business
Change Management Change Management Contents derived from the Contents derived from the
console, software console, software Incident Management Incident Management Statement of Applicability Statement of Applicability Overview of projects per
Backup software, CMDB Backup software, CMDB Backup software, CMDB
distribution platform, CMDB, distribution platform, CMDB, System/Workflow System/Workflow (SoA) and documented in (SoA) and documented in PMO
WSUS WSUS accordance with ISO 27001 accordance with ISO 27001
10 years 10 years 10 years 5 years 5 years 10 years 10 years 5 years 5 years 5 years
505025421.xlsx /
KPIs
11.3 Protection measures in
6.2 Information security in projects 6.3 Mobile devices 11.1 Security zones the delivery and shipping 12.5 Event logging 12.6 Logging administrative activities
area
3 3 3 2 3 2
EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS
Effectiveness of
Protective measures - Implementation of Coverage degree of Coverage degree of
Coverage degree of implementation of Implementation degree Coverage degree
implementation in protective measures for event logs on security- Functioning log activity admin logs on security- Functioning log activity
mobile device security mobile device security of zone concept review “Authorizations”
projects zone concept critical systems critical systems
measures
Admin logging allows

Event logging enables traceability of administrator
A comprehensive and Results of admin logging
Properties shall be traceability of activities in a activities in a process or
consistent protection of all Results of logging activities activities shall allow their
A strong implementation of adequately protected, this Regular verifications of process or process step/on process step/on a system/in
relevant mobile devices is shall allow their analysis. analysis. Reliable and
Projects subject to protective measures can be achieved by Zones shall be protected access rights with respect to a system/in an application. an application. This
the basis for their secure Reliable end-to-end manipulation-protected end-
information security regarding relevant mobile implementation of a zone adequately according to the their need are a This functionality helps to functionality helps to solve
operation. The KPI recording of the activities to to-end recording of the
requirements devices reduces concept. The zone concept criticality. prerequisite for a secure solve system abnormalities. Administrator
measures the coverage be monitored is essential for admin activities to be
weaknesses. should be implemented delivery and shipping zone. failures/abnormalities. Logs logs should be activated in
degree of the defined traceability, if required. monitored is essential for
comprehensively. should be activated in security-critical systems and
protective measures. traceability, if required.
security-critical systems. protected against (admin)
manipulations.
Security zones are

All employees working in
Information security All relevant mobile devices All relevant mobile devices protected according to All relevant systems and All relevant systems and
Zones are defined for all the delivery and shipping Completeness and Completeness and integrity
requirements are are subject to protective are subject to up-to-date internal specifications (see applications are integrated applications are integrated
properties area are subject to regular correctness of logs of admin logs
implemented in all projects measures protection e.g. References “Security into event logging into admin logging
review of access rights
zones”).
Information Security,
IT Security, Information IT Security, Information Information Security, Information Security, Corporate Security, Local IT, Information Local IT, Information Local IT, Information Local IT, Information
Corporate Security, IT
Security Security, Corporate Security Corporate Security Corporate Security Logistics, authorities Security, Compliance Security, Compliance Security, Compliance Security, Compliance
Security
individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
to be determined to be determined
to be determined individually (e.g. Green: > individually (e.g. Green: >
to be determined to be determined to be determined to be determined Number of incorrect admin
individually (e.g. Green: > 90%, Yellow: 70-90%, Red: Number of incorrect logs 90%, Yellow: 70-90%, Red:
individually (target coverage individually (target coverage individually (target coverage individually (target coverage logs
90%, Yellow: 70-90%, Red: < 70%, special case of Red: > 0,Green = 0 < 70%, special case of
= 100 %) = 100 %) = 100 %) = 100 %) Red: > 0,Green = 0
< 70%) systems relevant to billing: systems relevant to billing:
target coverage target coverage
Quotient: number of
employees working in the
Quotient: number of Quotient: number of Quotient: number of mobile Quotient: number of Quotient: number of delivery and shipping area Quotient: number of logged Quotient: number of logged
projects considering protected mobile devices protected in a properties with zone adequately secured who are subject to regular security-critical number of incorrectly written security-critical number of incorrectly written
security aspects/total devices/total number of timely manner/total number concept/population of zones/population of all access rights systems/total number of logs systems/total number of admin logs
number of relevant projects mobile devices of mobile devices properties zones reviews/population of security-critical systems security-critical systems
employees working in the
delivery and shipping area
individually (e.g. annually) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. annually) individually (e.g. quarterly) individually (e.g. annually) individually (e.g. annually) individually (e.g. quarterly) individually (e.g. annually) individually (e.g. quarterly)
Plant security, local security Plant security, local security IT, System Owner, Data IT, System Owner, Data
Project customer, project Logistics, Access IT, System Owner, Data IT, System Owner, Data
IT operation, IT Security IT operation, IT Security functions, specialized functions, specialized Owner, Risk Owner, User Owner, Risk Owner, User
management office (PMO) Management Owner, Risk Owner Owner, Risk Owner
departments departments Management Management
Property plans, zone Property plans, zone Staff directory

Overview of projects per
Overview of mobile devices Overview of mobile devices concept, information concept, information (internal/external), access CMDB, Logging server CMDB, Logging server CMDB, Logging server, IAM CMDB, Logging server, IAM
PMO
classification classification control system
to be defined individually (if to be defined individually (if to be defined individually (if to be defined individually (if
5 years 5 years 5 years 5 years 5 years 10 years
relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years)
505025421.xlsx /
KPIs
14.1 Requirements for the
13.5 Non-disclosure
12.8 System audits 13.2 Network services acquisition of information 14.2 Security during the software development process 18.4 Effectiveness review
agreements
systems
2 3 3 3 3 3
COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS
Coverage degree of
Effectiveness of risk Timely elimination of
Coverage degree Coverage degree of risk Effectiveness of risk activities to eliminate
Coverage degree Effectivity of system Effectiveness of Coverage degree non- handling in information vulnerabilities
review service level assessment in software handling in vulnerabilities
system audits audit implementation observing SLAs disclosure agreements service acquisition determined during
agreements (SLA) development process development process determined during
processes audits
audits
Weaknesses identified in
The protection of Information security risks Weaknesses identified in
the course of information
IT systems processing or Measures resulting from Regular verifications of the information confidentiality associated with the Risks identified in the the course of information
Risks identified during the security audits (internal and
storing information of high those audits shall be SLAs for network services The agreed measures shall be subject to applications to be process of software security audits (internal and
acquisition process are external) shall be eliminated
or very high protection implemented in time in ensure consideration of resulting from SLAs shall be contractual agreement developed shall be development are treated in external) are eliminated
treated in a timely and in a consequent and
needs shall be subjected to order to eliminate current security implemented. where at least confidential identified as early as a timely and effective within the deadlines agreed
effective manner. traceable manner. Findings
audits at regular intervals. vulnerabilities. requirements at all times. information is exchanged possible in the process of manner. (with the audited
shall not remain
with external partners. software development. departments).
unaddressed.
Weaknesses identified in
Security risks are All weaknesses identified in
All relevant systems are All requirements resulting A non-disclosure agreement Risks identified in Security risks are taken into the course of audits are
All measures are All SLAs include the current addressed in the the course of audits are
subject to audits at regular from the SLAs are has been entered with all acquisition are handled in account in the software eliminated within the
implemented in time security requirements development process in an traced and assigned to
intervals implemented external partners an effective manner development process defined time and in an
effective manner activities
effective manner
Acquisition, Information Information Security, Information Security,

Local IT, Information Local IT, Information Local IT, Information Local IT, Information Information Security, Local Information Security, Local Information Security, Local
Security, specialized Corporate Security, Local Corporate Security, Local
Security Security Security Security IT, Procurement IT, Risk Management IT, Risk Management
department IT, Internal Audit IT, Internal Audit
individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: >
90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red:
< 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%)
Quotient: number of Quotient: number of

Quotient: number of Quotient: number of
Quotient: number of orders Quotient: number of treated software development Quotient: number of treated Quotient: number of findings activities for eliminating
Quotient: number of audited measures implemented in measures
Quotient: number of verified with concluded non- risks/population of risks projects that underwent risk risks/population of risks subject to subsequent vulnerabilities within the
systems/total number of time/number of measures implemented/number of
SLAs/total number of SLAs disclosure agreement/total identified in the acquisition assessment/population of identified in the activities/population of defined period for
security-critical systems still to be implemented measures agreed
number of relevant orders process relevant development development process identified findings implementation/population
projects of all specified activities
individually (e.g. monthly) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. quarterly) individually (e.g. quarterly) individually (e.g. quarterly)
individually (e.g. quarterly) individually (e.g. quarterly)
Internal Auditors, Internal Auditors,
Acquisition, Information Procurement, specialized Procurement, specialized Procurement, specialized
Audit Management, IT Audit Management, IT Local IT, Information Local IT, Information Information Security, IT, Information Security, IT,
Security, specialized departments (requisitioner), departments (requisitioner), departments (requisitioner),
Operation, System Owner Operation, System Owner Security Security specialized departments specialized departments
department IT IT IT
(Auditees) (Auditees)
Development system, Development system,

Acquisition register, Audit data base, follow-up Audit data base, follow-up
CMDB CMDB, Audit system CMDB CMDB Acquisition system development project data development project data
ordering system data base data base
base base
5 years 5 years 5 years 5 years 5 years 5 years 5 years 5 years 10 years 10 years
505025421.xlsx /
KPIs
Security zones
Zone White (public) Green (controlled zone) Yellow (restricted zone) Red (high risk zone)
Explanation Areas of public character, which are permanently or temporarily accessible to everyone. Area with technical or organizationally controlled safety measures, not Area with additional safety measures, restrictive, protection of special Area with the highest security requirements, protection of sensitive
Areas with low risk without particularly sensitive values. None or only preventive safety freely accessible, usually internal scopes scopes, limited number of persons, usually confidential scopes as well. values strictly regulated access rights, usually secret scopes.
requirements. Domestic authority exists. (e.g. visitors' parking space, connecting routes)
Aspect
Accessibility No special requirements Values cannot be viewed freely, Clean Desk Temporary measures (according to the risk analysis) for sight Permanent sight protection/noise reduction
protection/noise reduction
Visitor requirements Appropriate signs Only registered visitors, explicit reference to confidentiality/non- Restricted group of visitors, written confirmation of the non-disclosure, Only in exceptional cases: additionally to “Yellow” four-eyes principle,
disclosure in permanent personal escort by own staff householder’s consent
Driving on/parking Permitted Vehicles are allowed to drive on/park only after registration. Special restrictions Special restrictions
Access control and None Area must be protected against unauthorized access (personnel or Monitoring the entering/exiting of the zones via online access reader, Monitoring the entering/exiting of the zones via online access reader
protection technical measures) compensating locking system with limited circle
Monitorings If required, camera surveillance (prevention of damage to property) Camera surveillance and/or patrolling (prevention of unauthorized Camera surveillance, motion detection at least in the access areas or Camera surveillance, glass breakage detector, windows with sight
penetration) easily accessible areas (e.g., ground floor windows) protection, double illumination with motion detectors, central circuit,
intrusion detection system installed by professionals
Resistance values . Fences 2.2m with anti-climbing protection and undermine At least RC 2 or compensating measures At least RC 2 (resistance time 5 minutes) with additional measures
protection/building shell consisting of windows, doors, walls, roofs
Response time (alarm to . 30 minutes 10 minutes 5 minutes
visual inspection and
acknowledgment)
Photography/use of optics . No internal information, otherwise only using business devices No use of private devices, business devices only in case of No private devices, business devices in exceptional cases only Four-
professional assignment eyes principle, approval by company management
Optics
Zone Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Explanation Areas of public character, which are permanently or temporarily accessible to everyone. Area with technical or organizationally controlled security measures, Area with additional security measures, restrictive, protection of special Area with the highest security requirements, protection of sensitive
Areas with low risk without particularly sensitive values. None or only preventive safety not freely accessible, usually internal scopes scopes, limited number of persons, usually confidential scopes as well. values strictly regulated access rights, usually secret scopes.
requirements. Subject to householders rights (e.g. visitors' parking space, connecting
routes)
Aspect “carrying along” Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Company owned devices No special requirements Carrying along unsealed devices allowed Carrying along unsealed devices allowed Carrying along sealed devices allowed
(independent from Mobile Carrying along unsealed devices forbidden
Device Management
(MDM))
Private devices of No special requirements Carrying along unsealed devices allowed Carrying along unsealed devices allowed Carrying along sealed devices allowed
company employees Carrying along unsealed devices forbidden
(wearables with optics as
well)
Devices of contractors No special requirements Carrying along unsealed devices allowed Carrying along sealed devices allowed Carrying along even sealed devices forbidden
and visitors (wearables Carrying along unsealed devices forbidden
with optics as well)
Aspect “use” Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Video telephony/video No special requirements Allowed in all areas Allowed in office workplaces and meeting rooms, otherwise upon In defined meeting rooms with permanently installed equipment,
conferencing (without approval otherwise upon approval
recording)
Photography/video No special requirements - No use of private devices or devices of contractors/visitors - No use of private devices or devices of contractors/visitors - No use of private devices or devices of contractors/visitors
recordings - Allowed with company owned devices allowed with company owned devices upon approval - Allowed in exceptional cases upon approval (e.g. four-eyes
principles, consent of the management)
Recording of persons and Declaration of consent required Declaration of consent required Declaration of consent required - Allowed only in exceptional cases upon approval
sound recording with - Declaration of consent required
company owned devices
Personnel
Type of employment
Standard validation Certificate of good conduct/criminal record certificate Intensive verifications of the CV, references Validation of certificates, diplomas and vocational training
relationship
Ordinary X
employee/worker
505025421.xlsx /
References
Head of department
IT department X X
employees with special
access rights
Department Manager X X X
General Manager,
Directors, Executive X X X X
Assistants, Security
Manager
Contractors & suppliers X

Contractors & suppliers
for critical infrastructure X X
components
Off-Premises workplace
temporary working environment (e.g. hotel) regular alternative working environment (in particular home
office)
Confidentiality of the
information
Highest protection class Paper: principally not Paper: principally not
“secret”
Local data storage: principally not Local data storage: principally not
Remote Access: principally not Remote Access: principally not
Medium protection class Paper: continuously under personal control Paper: principally only temporarily
“confidential”
Local data storage: strongly encrypted or Mobile Device Management (MDM) Local data storage: strongly encrypted or Mobile Device
active (remote deletion on demand) Management (MDM) active (remote deletion on demand)
Remote Access: strongly authenticated & strongly transport encrypted, integrity Remote Access: strongly authenticated & strongly transport
of the access device ensured, data “non-permanent” encrypted, integrity of the access device ensured, data “non-
permanent”
Lowest protection class Paper: under personal control Paper: in office furniture with special closing
“internal”
Local data storage: encrypted or Mobile Device Management (MDM) active Local data storage: encrypted or Mobile Device Management
(remote deletion on demand) (MDM) active (remote deletion on demand)
Remote Access: strongly authenticated & strongly transport encrypted, integrity Remote Access: strongly authenticated & strongly transport
of the access device ensured, data “non-permanent” encrypted, integrity of the access device ensured, data “non-
permanent”
Protection classes
Description
Normal The potential damage is marginal, short-term nature, and limited to a single
High entity.
The potential damage is significant or medium-term nature or is not limited to a
single entity.
Very high The potential damage threatens the existence of the company or long-term
nature or is not limited to a single entity.
505025421.xlsx /
References
Glossary
GWP = Generic Work Product = a general result that arises from the execution of the process
PA = Process Attributes = a measurable characteristic to a process capability that is
applicable for each process.
Evaluation basis:
Cutback result
In the “Result with cutback to target level”, the cutback of achieved results to the target
maturity level ensures that “overachieved” controls do not compensate underachieved
controls in the overall result.
Maximum score:
The variations in the maximum score arise when individual controls are marked with “n.a.”
(not applicable) and therefore the average value of the target maturity levels changes.
Spider diagram:
All results are shown without cutback. The line for the target maturity level considers controls
that were marked as n.a.
505025421.xlsx /
Gedruckt am: 01/06/2021 Seite 36 von 37
Glossar
1.0 First release (Initial build)
1.1 Change open questions to enclosed questions

More precise level descriptions
Inserting examples from practises
Spelling errors corrected
1.2 8.2 and 10.1 reference adjustment

10.2 change from production to productive environment
10.5 change from IDS/IPS to HIDS/HIPS
11.2 change of the translation
11.3 and 11.4 restructuring of controls
1.3 11.4 add “IT systems”

9.4 revise Maturity Level 2
2.0 Revision due to the new edition of ISO 27002:2013

Adjustment of the maturity levels
2.0.1 Fix for error in calculation and spider diagram
2.1.0 Revision of the maturity levels, corrections of some controls
2.1.1 Release version 2.1
2.1.2 Print area adjusted
2.1.3 Spider diagram shows result without cutback to target maturity levels
Control 13.5 revised
Control 7.1 maturity level 1 revised
Controls 9.4 and 9.5 reference revised
2.1.4 Maturity Control changed from 12.4 into 4

Maturity Control changed from 16.3 into 3
Addition of KPIs
Spell checking in maturity level 3
3.0.2 Revision for TISAX

Module Connection of third parties included
Module Prototype protection (25) included, derived from the Whitepaper from 6.10.2016
Module Data Protection (24) included, reference to 18.2 removed, maturity levels
removed from the module, references from the Level 1 generated instead. Reference
included (ISMS, 18.2) showing that the Data Protection module will be used only once in
a commissioned data processing according to §11 BDSG, implementation of questions
“fulfilled [yes/no]”
505025421.xlsx /
Gedruckt am: 01/06/2021 Seite 37 von 37
Change history

Vda-Isa en 4

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Vda-Isa en 4

Загружено:

Авторское право:

Доступные форматы

Information Security Assessment

Short description of the

D&B D-U-N-S® No.

Date of the assessment:

Version: 4.0.3 / 2018-02-15

15 Supplier Relationships 8 Asset Management

14 System acquisition, development and maintenance 9 Access Control

13 Communications Security 10 Cryptography

Result with cutback to target

Information Security Assessment

based on ISO 27001:2013

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

1.3 To what extent is the effectiveness of the ISMS ensured?

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

5 Information Security Policies

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

6 Organization of Information Security

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

Requirements: This must include:

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

7 Human Resources Security

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

This should include:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

This should involve:

This may include:

Additionally in case of high protection needs:

Additionally in case of very high protection needs:

This should include:

This may include:

Additionally in case of high protection needs: