Академический Документы
Профессиональный Документы
Культура Документы
Group:
Company:
Location:
Address:
Homepage:
Scope/TISAX Scope-ID
Contact person:
Telephone number:
Email address:
Creator:
Telephone number:
Email address:
Managing Director:
Signature:
505025421.xlsx /
Printed on: 01/06/2021 Page 1 of 37
Cover
Information Security Assessment
Results
Company: 0
Location: 0
Date: 12/30/1899
Result with cutback to target
maturity levels:
Maximum score: 3.00
1 ISMS
18 Compliance 5 5 Information Security Policies
4
17 Information Security Aspects of Business Continuity Management 6 Organization of Information Security
3
2
16 Information Security Incident Management 1 7 Human Resources Security
505025421.xlsx /
Printed on: 01/06/2021 Page 2 of 37
Results
Information Security Assessment
Results
Result with cutback to target
maturity level:
Maximum score: 3.00
Details:
Target
Question
Topics maturity Result
No.
level
1.1 Release of an Information Security Management System (ISMS) 3
1.2 IS Risk Management 3
1.3 Effectiveness of the ISMS 3
5.1 Information Security Policy 3
6.1 Assigning responsibility for information security 3
6.2 Information Security in projects 3
6.3 Mobile devices 3
6.4 Roles and responsibilities
Contractual for external
information security IT service providers
obligation
3
7.1 of employees 3
7.2 Awareness and training of employees 4
8.1 Inventory of assets 3
8.2 Classification of information 2
8.3 Storage of information on mobile storage devices 3
8.4 Removal of externally stored information assets 3
9.1 Access to networks and network services 3
9.2 User registration 4
9.3 Privileged user accounts 3
9.4 Confidentiality of authentication data 3
9.5 Access to information and applications 3
9.6 Separation of information in shared environments 3
10.1 Cryptography 3
11.1 Security zones 3
11.2 Protection against external influences and external threats 3
11.3 Protection measures in the delivery and shipping area 2
11.4 Use of equipment 2
12.1 Change management 4
12.2 Separation of development, test and operational environments 2
12.3 Protection against malware 4
12.4 Back-up procedures 4
12.5 Event logging 3
12.6 Logging administrational activities 2
12.7 Prosecution of vulnerability (patch management) 4
12.8 Review of information systems 2
12.9 Consideration of critical administrative functions of cloud services 3
13.1 Management of networks 3
13.2 Security requirements for networks/services 3
13.3 Separation of networks (network segmentation) 3
13.4 Electronic exchange of information 3
13.5 Non-disclosure agreements for information exchange with third parties 3
14.1 Requirements for the acquisition of information systems 3
14.2 Security along the software development process 3
14.3 Management of test data 2
14.4 Approval of external IT services 3
15.1 Risk management in collaboration with suppliers 3
15.2 Review of service provision by suppliers 3
505025421.xlsx /
Printed on: 01/06/2021 Page 3 of 37
Results
16.1 Reporting system for information security incidents (incident management) 3
16.2 Processing of information security incidents 4
17.1 Information Security Aspects of Business Continuity Management (BCM) 3
18.1 Legal and contractual provisions 3
18.2 Confidentiality and protection of personally identifiable data 3
18.3 Audit of the ISMS by independent bodies 3
18.4 Efficiency test 3
Method: - comparison of the top 52 security topics 3.00
- based on ISO 27001 controls
- evaluated using SPICE ISO 15504
505025421.xlsx /
Printed on: 01/06/2021 Page 4 of 37
Results
Information Security Assessment
Results -
Connection to third parties
Details:
Target
Question
Topics maturity Result
No.
level
23.7.2 Awareness and training of employees 3
23.9.2 User registration 3
23.11.1 Security zones 3
23.13.3 Separation of networks (network segmentation) 3
Details:
Target
Question
Topics maturity Result
No.
level
25.1.1 Security concept 3
25.1.2 Perimeter safety 3
25.1.3 Outer-skin protection 3
25.1.4 View and sight protection 3
25.1.5 Access control 3
25.1.6 Intrusion detection system 3
25.1.7 Documented visitor management 3
25.1.8 On-site client separation 3
25.2.1 Non-disclosure agreement 3
25.2.2 Relationships with subcontractors 3
25.2.3 Training and raising the awareness of employees 3
25.2.4 Security classification of the project 3
25.2.5 Process of allocation of access 3
25.2.6 Filming and photography 3
25.2.7 Bringing along image recording devices 3
25.3.1 Camouflage of prototypes 3
25.3.2 Transport of prototypes 3
25.3.3 Storage/parking of prototypes 3
25.3.4 Own test and trial ground 3
25.3.5 Test and trial ground in public area 3
25.3.6 Safety requirements for presentations and events 3
25.3.7 Safety requirements for film and photo shootings 3
505025421.xlsx /
Printed on: 01/06/2021 Page 5 of 37
Results
Information Security Assessment - Questions
Maturity
level
In case a question does not apply, please insert na (not applicable).
Level 0-5;
na
1 General aspects
1.1 To what extent is an Information Security Management System approved by the organization’s management and is
its scope documented.
(Reference to ISO 27001: 4 and 5.1)
Objective: Systematic control and review of information security within the specified scope is effected by means of the establishment,
operation and further development of an Information Security Management System (ISMS) and the assignment of
responsibilities. The ISMS must define processes and procedures in order to achieve the information security objectives
with respect to adequate confidentiality, availability and integrity of the company assets based on the security policy.
Requirements: This must include:
+ The organization’s requirements for an ISMS are determined.
+ An ISMS approved by the organization’s management is established.
+ The scope of the ISMS is specified (e.g. organization in whole or in part).
+ A Statement of Applicability (SoA) is provided (e.g. filled-in VDA ISA catalogue).
1.2 To what extent is a process for identifying, assessing and handling information security risks defined, documented
and implemented?
(Reference to ISO 27001: 8.2 and 6.1.2)
Objective: The objective of an organization-specific ISMS is an adequate balance between information security efforts and the assets
to be protected. In order to achieve this, the assets, their protection needs and threats shall be identified, analysed,
assessed and documented by means of risk assessment. Absence of an information security risk assessment rises the
danger that information security risks remain undetected leading to potential harm.
Requirements: This must include:
+ Risk assessments are carried out both at regular intervals and in case of events.
+ Information security risks are divided into levels according to their protection needs, e.g. normal, high and very high.
+ In case of changes to the environment (e.g. organizational structure, location, changes to regulations), reassessment is
carried out in a timely manner.
Objective: The ISMS must be reviewed at regular intervals (e.g. annually) with respect to its effectiveness. This includes verifying the
achievement of objectives and the compliance with applicable requirements.
Only an ISMS adapted specifically to the organization’s requirements can fulfil its purpose. Since influencing factors such as
organizational structure or local conditions may change, the effectiveness of the ISMS must be reviewed regularly.
505025421.xlsx /
Printed on: 01/06/2021 Page 6 of 37
Information security
Requirements: This must include:
+ The effectiveness is reviewed regularly by the persons responsible for information security and management.
+ The results of the effectiveness inspection and the specified measures are documented.
+ A plan of measures or an overview of their state of implementation (including those resulting from previous reviews) is in
place, the implementation of those measures is monitored.
+ If any security related events occur, they are analysed.
Objective: An organization must define a policy reflecting the importance and significance of information security to the organization.
This must be adapted to the business strategy, regulations, legislation and potential threat situations regarding information
security. It must be evident to all of the involved parties that information security is supported by the management of the
organization, that it is of relevance to everyone and that requirements and rules apply and must be met.
Requirements: This must include:
+ The information security requirements adapted to the company’s objectives with respect to information protection are
documented in a policy and are approved by the management of the organization.
+ The policy includes objectives and significance of information security within the organization.
Objective: Successful implementation of an ISMS requires adequate assignment of information security responsibilities. This requires
the definition of functions fulfilling the tasks for achieving the protection objectives. Qualified employees who are known to
the organization’s staff and, if appropriate, also to business partners must be required to fulfil those tasks.
Requirements: This must include:
+ Responsibilities for the information security within the organization are defined, documented and assigned.
+ The responsible employees are defined and are qualified for their task.
+ The contact persons are known within the organization and to relevant business partners.
6.2 To what extent are information security requirements taken into account in project work (irrespective of project
type)?
(Reference to ISO 27001: Control A.6.1.5)
505025421.xlsx /
Printed on: 01/06/2021 Page 7 of 37
Information security
Objective: The information security requirements must be taken into account irrespective of the project type (this includes non-IT
projects). This also includes the handling of information security and information security risks in the organization’s project
management methods.
6.3 To what extent is a policy in place regarding the use of mobile devices and remote access to organization's data?
(Reference to ISO 27001: Control A.6.2.1 and A.6.2.2)
Objective: The handling of mobile devices, particularly in unprotected environments, is associated with increased risks (e.g. loss, theft,
malware infection). In order to protect the information stored on the device, technical protective measures must be
implemented. Additionally, employees must be made aware of the risks involved in the handling of mobile devices.
Requirements: This must include:
+ The use of mobile devices (e.g. smartphones, notebooks) is subject to regulation.
6.4 To what extent are the roles and responsibilities defined which are shared between IT service providers
(particularly cloud providers) and the own organization?
(Reference to ISO 27017: Control CLD.6.3.1)
Objective: When using IT services (particularly cloud services), the relationship between provider and the own organization is of
particular significance to information security due to the shared responsibilities for the implementation of requirements. The
own organization must continue to independently fulfil parts of the security requirements while other requirements are
fulfilled in whole or in part by the provider. The exact allocation of responsibilities always depends on the services used and
cannot be generally answered.
If common understanding regarding the allocation of responsibilities is lacking among all parties involved, the security
system may be weakened or rendered entirely ineffective. Therefore, the service user must ensure at all times that a mutual
understanding regarding the allocation of responsibilities is given and that it is clarified for each requirement, that and by
whom it is fulfilled.
505025421.xlsx /
Printed on: 01/06/2021 Page 8 of 37
Information security
Requirements: This must include:
+ The security requirements relevant to the service are determined and documented:
- At least the applicability of the VDA ISA controls is verified and documented.
+ For each requirement, it is documented who is responsible to what extent for its implementation.
- For the applicable VDA ISA controls, it is documented who has the responsibility for implementation or how it is shared.
+ The own organization fulfils its responsibilities.
+ Proof is provided that the service provider fulfils his responsibility.
Objective: Organizations are subject to legislation, regulations and internal rules. Already at the hiring of staff, it must be ensured that
both internal and external employees commit to compliance with the policies and are aware of the consequences of
misconduct.
Requirements: This must include:
+ A non-disclosure obligation is in effect - even beyond the employment contract or assignment.
+ An obligation to comply with the information security policies is in effect (see 5.1)
7.2 To what extent is staff (internal and external) made aware of and trained about the risks arising from handling and
processing information?
(Reference to ISO 27002: Control 7.2.1 and 7.2.2)
Objective: Information security must be a natural and integral part of the work environment and must be adopted into the daily work of
all employees. By means of information security training, employees shall gain the necessary knowledge and competence
for security-conscious behaviour. They must be particularly aware of what is expected of them with respect to information
security and how to react to security-critical situations.
Requirements: This must include:
+ Employees are trained and made aware.
8 Asset Management
8.1 To what extent are directories existent for objects (assets) that contain information in different versions?
(Reference to ISO 27001: Control A.8.1.1, A.8.1.2, A.8.1.3 and A.8.1.4)
505025421.xlsx /
Printed on: 01/06/2021 Page 9 of 37
Information security
Objective: Beside the conventional inventory of physical objects, it is essential to obtain an overview of the information processed
within the organization. For this purpose, information assets are elements of information-related character such as
documents, illustrations/phtographs, files, programs, servers, networks, facilities, vehicle prototypes, tools and equipment.
An information owner takes on the role of responsible person for the respective information assets.
Requirements: This must include:
+ Each information asset is assigned to a responsible entity (individual or organizational unit).
+ Information assets are classified. (see also Control 8.2)
8.2 To what extent is information classified according to its protection needs and are there regulations in place
regarding labelling, handling, transport, storage, retention, deletion and disposal?
(Reference to ISO 27001: Control A.8.2.1, A.8.2.2 and A.8.2.3)
Objective: Information must be classified according to its value to an organization. During this assessment, the value of information to
the organization shall be evaluated based on factors such as confidentiality, integrity and availability. The handling of
information according to its classification must be defined and implemented by all employees.
Requirements: This must include:
+ A consistent scheme for the classification of documents/information is in place and implemented.
8.3 To what extent are appropriate procedures implemented for the management of information on mobile storage
devices?
(Reference to ISO 27001: Control A.8.3.1, A.8.3.2 and A.8.3.3)
Objective: Information on mobile storage devices are generally exposed to increased risks. In order to prevent loss or theft of
information in case a mobile storage device is lost, regulations to reduce these risks must be defined and measures must
be taken.
Requirements: This must include:
None.
8.4 To what extent is the secure removal of information assets from IT services (particularly cloud) ensured?
(Reference to ISO 27017: Control CLD.8.1.5)
Objective: It must be ensured that it is known how the use of a service can be terminated in a controlled way. Particular consideration
must be given how information can be securely removed from external systems (e.g. cloud systems).
505025421.xlsx /
Printed on: 01/06/2021 Page 10 of 37
Information security
Requirements: This must include:
+ A withdrawal strategy (termination process) including the deletion and removal of assets from the cloud service is defined.
+ It is ensured that the provider will fulfil his responsibilities.
9 Access Control
9.1 To what extent are policies and procedures regarding the access to IT systems in place?
(Reference to ISO 27001: Control A.9.1.2)
Objective: The identity of the user of a network service, an IT system or an IT application must be clearly verifiable to enable to a trace
of actions unambiguously to the user. In order to ensure this, authentication (registration) procedures and mechanisms of IT
systems or IT applications must be designed such that users are clearly identified and authenticated.
Requirements: This must include:
+ The procedures applied for user authentication are deemed secure and comply with the current state of the art.
+ The procedures for user authentication have been selected based on a risk assessment. Possible attack scenarios have
been taken into account (e.g. possibility of direct access from the internet).
+ Further interactions must only be possible after successful authentication.
9.2 To what extent are procedures for user registration, change and de-registration implemented with the associated
access rights and is particularly the authentication information handled confidentially?
(Reference to ISO 27001: Control A.9.2.1, A.9.2.2, A.9.2.4 and A.9.2.5)
Objective: The use of unique and personalized user IDs (user accounts) ensures clear traceability of actions. The authentication
information (e.g. passwords) must be known to the authorized user only. Defined processes for the lifecycle of user
accounts are in place. It is regularly reviewed whether existing user accounts are needed.
Requirements: This must include:
+ The process of user ID management is documented and established.
+ The use of unique and personalized user accounts is specified.
+ The use of collective accounts is regulated (e.g. restricted to cases where proof of actions is dispensable).
+ User accounts are disabled immediately after the user has left the company (e.g. upon termination of the employment
contract).
+ The authentication information is provided securely to the user.
9.3 To what extent is the allocation and use of privileged user and technical accounts regulated and is it subject to
reviews?
(Reference to ISO 27001: Control A.9.2.3)
Objective: The use of unique and personalized administrative user accounts ensures clear traceability of administrative actions.
Administrators should use the user account provided with privileged rights for administrative tasks only and must use their
standard user account for all other activities (e.g. E-mail, internet). Thus, it must be ensured that only activities requiring
privileged rights are actually carried out in this context.
505025421.xlsx /
Printed on: 01/06/2021 Page 11 of 37
Information security
Requirements: This must include:
+ The use of unique and personalized administrative user accounts is regulated and established.
+ Distinction between user accounts (privileged user account, “office user account”) is ensured, e.g. by having two or more
user accounts.
+ The management process (allocation/change/deletion) for privileged user IDs is documented and established.
+ Privileged rights are allocated upon approval only.
+ Secure authentication procedures are in use for privileged user accounts.
+ User accounts with privileged rights are documented and reviewed regularly.
9.4 To what extent is the user subject to binding policies concerning creation and handling of secret authentication
information?
(Reference to ISO 27001: Control A.9.3.1 and A.9.4.3)
Objective: Where authentication information is used in an IT system or application, information security critically depends on the
correct use of this information (e.g. passwords, PINs). Therefore,user awareness regarding the correct handling of this
authentication information must be regularly raised.
Requirements: This must include:
+ Regulation of the handling of authentication information is created considering at least the following aspects:
- no disclosure of authentication information to third parties - not even persons of authority - under consideration of legal
restrictions
- no writing down or unencrypted storing of authentication information
- immediate changing of authentication information whenever potential compromise is suspected
- no use of identical authentication information for business and non-business purposes
- changing of temporary or initial authentication information following the 1st login
- requirements for the quality of authentication information (e.g. length of password, types of characters to be used).
9.5 To what extent is access to information and applications restricted to authorized persons?
(Reference to ISO 27001: Control A.9.4.1 and A.9.4.2)
Objective: Authorization must ensure that only authorized users have access to information and IT applications. For this purpose,
access rights must be allocated to users. These access rights must be reviewed regularly.
Requirements: This must include:
+ The requirements for access to information and applications are determined.
+ An authorization policy is created including at least the following aspects:
- procedures for request, review and approval
- application of authorization roles
- separation of functions
- application of the minimalistic (“need-to-know”) principle
+ The policy is binding to all users of information and applications.
+ The access rights allocated to users and technical accounts are reviewed regularly.
9.6 To what extent is the separation of data within an environment shared with other organizations ensured?
505025421.xlsx /
Printed on: 01/06/2021 Page 12 of 37
Information security
(Reference to ISO 27017: Control CLD.9.5.1 and CLD.9.5.2)
Objective: Cloud solutions are characterized by enhanced standardization and a high level of virtualization on infrastructure the use of
which is shared by various customers. Such a collaborative environment enables numerous cloud customers to work. In
order to protect own information at all times, a clear/mandatory separation of data must be ensured.
Requirements: This must include:
+ Effective separation prevents access to own information by unauthorized users of other organizations.
10 Cryptography
10.1 To what extent are rules for encryption, including the management of cryptographic keys (complete lifecycle
process) for the protection of information during storage and transport existent and have they been implemented?
(Reference to ISO 27001: Control A.10.1.1)
Objective: Protection of the confidentiality of information during both storage and transfer (e.g. when gaining physical access to data
storage devices or data transfer infrastructure) must be ensured. This is generally achieved by means of encryption. For
handling encryption, it is essential that it provides the expected security characteristics at all times without simultaneously
creating inadequately high availability risks. For this purpose, reliable identification of the necessity of encryption must be
ensured. Whenever such a need is identified, procedures deemed secure according to the scientific and technical state of
the art must be selected. Additionally, it must be ensured that the secrets (key material) are adequately protected against
technical and organizational risks to confidentiality as well as integrity and availability throughout the lifecycle.
Requirements:
11 Physical and Environmental Security
11.1 To what extent are secure areas for the protection of sensitive or critical information and information processing
facilities defined, protected and monitored (entrance control)?
(Reference to ISO 27001: Control A.11.1.1 and A.11.1.2)
Objective: Processing of information assets outside the area affected by the measures intended for the target information security level
must be prevented. Since it is generally not possible to implement corresponding measures for all areas of the location, a
zone concept should be applied defining in which areas which type of information may be processed.
505025421.xlsx /
Printed on: 01/06/2021 Page 13 of 37
Information security
Requirements: This must include:
+ Requirements for the protection of affected assets are determined (see Control 8.1).
+ Security zones are specified under consideration of terrains/buildings/rooms and documented.
+ The concept of security zones is established and known to all persons handling sensitive information.
+ The security zones are secured by adequate protective measures according to the assigned risk level. (See notes for
examples).
11.2 To what extent has the company taken measures against the effects of natural disasters, deliberate attacks or
accidents?
(Reference to ISO 27001: Control A.11.1.4)
Objective: Natural disasters, deliberate attacks or accidents can critically impair the availability of IT systems. It must be ensured that
effects on critical IT systems are identified and assessed according to their criticality and that adequate protective measures
have been defined and implemented.
Requirements: This must include:
+ Natural threats, such as flooding, are identified.
+ Social threats such as political instability or accidents involving industrial plants are identified.
+ Potentially affected infrastructure, assets and IT systems are identified.
11.3 To what extent are protective measures taken to prevent access to delivery and shipping areas by unauthorized
persons?
(Reference to ISO 27001: Control A.11.1.6)
Objective: It must be ensured that all means of access to protected zones are protected against unauthorized access by means of
adequate measures. This is often associated with specific requirements in delivery and shipping areas, particularly where
those have to be designed for the delivery and shipping of large objects (e.g. vehicles or large tools).
Requirements: This must include:
+ The requirements for protecting the delivery and shipping areas are identified.
+ The shipping areas are integrated into the security concept.
+ Necessary protective measures are defined and implemented.
+ Access is permitted by identified and authorized personnel only.
11.4 To what extent are policies and procedures regarding the use of assets, including off-site use, disposal and re-use
in place and implemented?
(Reference to ISO 27001: Control A.11.2.5, A.11.2.6 and A.11.2.7)
Objective: Where assets (e.g. IT equipment, information) are taken off the premises of an organization, they are exposed to increased
risks. For example, they are exposed to the risk of theft or unauthorized viewing. As an adequate reaction to those risks, the
security requirements associated with off-site use must be identified. This also applies to the disposal or re-use of assets
(e.g. notebooks).
505025421.xlsx /
Printed on: 01/06/2021 Page 14 of 37
Information security
Requirements: This must include:
+ Security requirements for the use and off-premises use of assets are identified.
+ Policies and procedures for use and off-premises use of assets are defined and implemented.
+ IT devices containing sensitive data are deleted such as to prevent data recovery.
12 Operations Security
12.1 To what extent are changes to the organization, business processes, information processing facilities and systems
controlled and implemented according to their security relevance?
(Reference to ISO 27001: Control A.12.1.2)
Objective: In case of changes to the organization, business processes, information processing facilities and systems, aspects of
information security shall be considered. The objective is to ensure that all changes are made under consideration and
adherence of the information security requirements.
Requirements: This must include:
+ Security-relevant requirements regarding changes to the organization, business processes, information processing
facilities and systems are determined and implemented.
12.2 To what extent are development and testing environments kept separate from productive environments?
(Reference to ISO 27001: Control A.12.1.4)
Objective: The objective of separating development and testing environments from productive environments is to prevent faults during
development from affecting the productive environment. A testing environment serves for example as an intermediate step
for testing software developments with the environmental variables of a productive environment and for verifying the
availability, reliability and integrity of their functions.
Requirements: This must include:
+ The IT systems have been subjected to risk assessment in order to determine the necessity of their separation into
development and productive systems.
12.3 To what extent are protection controls (e.g. endpoint security) against malware (viruses, worms, Trojans,
spyware, ...) implemented and combined with appropriate user awareness?
(Reference to ISO 27001: Control A.12.2.1)
Objective: Two aspects must be addressed since they are of particular importance for malware protection - The malware protection
software on the one hand and user awareness on the other. User training is particularly important since, despite all
protective measures for hardware and software, malware may be activated inadvertently by the actions of a user.
505025421.xlsx /
Printed on: 01/06/2021 Page 15 of 37
Information security
Requirements: This must include:
+ Requirements for protection against malware are determined.
+ Technical and organizational measures for protection against malware are defined and implemented.
12.4 To what extent are backups created and tested regularly in accordance with an agreed backup policy?
(Reference to ISO 27001: Control A.12.3.1)
Objective: The objective of a working backup strategy is to allow recovery of the functionality or availability of information within the
required time in case of a system failure or another type of data loss (e.g. ransomware). For this purpose, data backups
must be created in compliance with a corresponding policy and tested regularly.
Requirements: This must include:
+ Backup requirements are determined and include: the systems to be secured, associated backup intervals and the
storage and transport of backup media.
+ Adequate protective measures, e.g. by means of encryption, taken during storage.
+ Backup media are stored in separate locations (different fire protection zones).
+ A backup concept is created and implemented.
+ An adequate backup verification is carried out.
12.5 To what extent are event logs (which may contain e.g. user activities, exceptions, errors and security events)
created, stored, reviewed and protected against modification?
(Reference to ISO 27001: Control A.12.4.1 and A.12.4.2)
Objective: Event logs support the traceability of events in case of a security incident. This requires that events which are necessary for
determining the causes should be recorded and stored while being protected against modification.
Requirements: This must include:
+ Information security requirements regarding the handling of event logs are determined.
+ Where externally operated services (in particular, cloud services) are used, information on monitoring options are
obtained
- e.g. attack detection and report options (incident response)
+ Legal requirements such as storage durations and protection of personal rights are observed.
+ Rules and procedures for fulfilling the determined requirements are defined and implemented.
12.6 To what extent are the activities of system administrators and system operators logged, the logs protected against
modification and regularly reviewed?
(Reference to ISO 27001: Control A.12.4.3)
Objective: System administrators and operators can use their comprehensive access rights to modify IT systems significantly. Logging
and analysing activities in accordance with valid legislation (such as Data Protection and Works Constitution Act) are
required to enable determining who has made changes to IT systems in case of information security events.
505025421.xlsx /
Printed on: 01/06/2021 Page 16 of 37
Information security
Requirements: This must include:
+ Security-relevant requirements regarding the logging of activities of system administrators and operators are determined
and implemented.
+ The IT systems used are assessed regarding the necessity of logging.
+ Where externally operated services (in particular, cloud services) are used, information on monitoring options are
obtained and taken into account in the assessment.
- e.g. audit logs for configuration changes and use of/access to e-discovery functions or backup.
+ Procedures for handling violations of regulations are defined.
+ Logs are regularly reviewed for violation of rules in accordance with permissible legal and operational provisions.
+ The type of logging with respect to time, activity level and storage durations is defined and implemented.
12.7 To what extent is information regarding technical vulnerabilities of IT systems acquired at an early stage, evaluated
and are appropriate measures taken (e.g. patch management)?
(Reference to ISO 27001: Control A.12.6.1 and A.12.6.2)
Objective: Known weaknesses increase the risk that IT systems can no longer fulfil the requirements for confidentiality, availability and
integrity if they allow attackers access to the IT system or compromise the stability of the system.
Requirements: This must include:
+ Information on technical weaknesses of the used assets are collected and assessed.
+ Potentially affected systems and software (assets) are identified. (e.g. manufacturer, version, installation site)
12.8 To what extent are audit requirements and activities for reviewing IT systems planned, coordinated, aligned and
are those IT systems subsequently subjected to technical review (system audit)?
(Reference to ISO 27001: Control A.12.7.1, A.18.2.3)
Objective: During audits (particularly technical audits), problems with the stability of the IT systems under review may occur. Audit
activities involving a review of IT systems must be planned and agreed in order to avoid disturbances of the corresponding
processes.
Requirements: This must include:
+ Requirements for auditing IT systems are determined.
+ The scope of the audit is specified in a timely manner.
+ System audits are coordinated with the operator and users of IT systems.
+ The results of system audits are stored in a traceable manner and reported to the relevant management.
+ Measures are derived from the results.
+ The derived measures are traced under the ISMS.
12.9 To what extent have effects due to critical administrative functions of external IT services (particularly cloud
services) been taken into account?
(Reference to ISO 27017: Control CLD.12.1.5)
505025421.xlsx /
Printed on: 01/06/2021 Page 17 of 37
Information security
Objective: Many cloud services provide functions which may lead to major changes to services in operative use. These functions may
jeopardize the confidentiality of information, be irreversible or reversible only with significant effort which then may impair
availability or integrity. These functions are often provided to administrative users via an easy-to-use automated
configuration interface. When an administrative user executes such functions, such activities are carried out without further
human supervision.
It must be ensured that such functions can neither inadvertently nor by a wilful administrator be used without particular effort
to cause harm impairing confidentiality, availability or integrity.
Requirements: This must include:
+ Critical functions of all relevant services are identified and assessed.
13 Communications Security
13.1 To what extent are networks managed and controlled to protect information in IT systems and applications?
(Reference to ISO 27001: Control A.13.1.1)
Objective: The protection of information in networks, IT systems and IT applications must be ensured. For this purpose, measures
ensuring protection against unauthorized access must be implemented. This includes taking suitable control measures
supported by means of monitoring the networks, IT systems and IT applications.
Requirements: This must include:
+ Procedures for management and control of networks are defined.
13.2 To what extent are requirements for security mechanisms and service levels and also management requirements
for network services identified and documented in service level agreements?
(Reference to ISO 27001: Control A.13.1.2)
Objective: Security mechanisms, quality of service provision and requirements for the management of all network services must be
determined and incorporated into agreements (Service Level Agreements, SLAs) for both internal and external networks.
Requirements: This must include:
+ Requirements regarding the information security of network services are determined and implemented.
505025421.xlsx /
Printed on: 01/06/2021 Page 18 of 37
Information security
13.3 To what extent are groups of information services, users and information systems segregated on networks?
(Reference to ISO 27001: Control A.13.1.3)
Objective: IT systems on the network usually have different protection needs. Thus, IT systems directly connected to the internet are
generally exposed to different threats than IT systems on the office network. In order to detect and prevent undesired data
exchange between IT systems of different protection needs, corresponding groups must be formed on the network and then
segregated from other groups.
Requirements: This must include:
+ Requirements regarding network segmentation are determined.
- Where cloud services are used, the possibilities of (virtual) network separation is considered
Objective: During exchange and transfer of information, the information security requirements must be considered. For this purpose, it
must be defined which services within the organization may be used for which type of data and which protective measures
are to be taken when using those services.
Requirements: This must include:
+ The services (e.g. email, EDI, voice over IP) used for transfer are identified.
+ Rules and procedures in accordance with the classification for the use of services are defined and implemented.
+ Measures for the protection of transferred contents against unauthorized access are implemented.
13.5 To what extent are non-disclosure agreements applied prior to an information exchange and are the requirements
or needs for the protection of information documented and regularly reviewed?
(Reference to ISO 27001: Control A.13.2.4)
Objective: Even where sensitive information is passed on outside the organization, it must be ensured that external organizations are
obliged to meet the information security requirements and to implement the required measures. Non-disclosure agreements
provide the necessary legal basis for this obligation. Therefore, it must be ensured that sensitive information is only passed
on if a corresponding non-disclosure agreement has been entered and is legally effective.
Requirements: This must include:
+ All service providers and employees working with sensitive information have entered valid non-disclosure agreements.
+ Rules and procedures for applying non-disclosure agreements are defined and made known to all persons passing on
sensitive information.
+ The requirements, rules and procedures for applying non-disclosure agreements are reviewed regularly.
505025421.xlsx /
Printed on: 01/06/2021 Page 19 of 37
Information security
14.1 To what extent are security specific requirements taken into account for new IT systems (incl. publically accessible
systems) and for extensions to existing IT systems?
(Reference to ISO 27001: Control A.14.1.1, A.14.1.2 and A.14.1.3)
Objective: Information security must be an integral part of the entire lifecycle of IT systems. This includes in particular that information
security requirements are taken into account in the development, acquisition and maintenance of IT systems.
Requirements: This must include:
+ The information security requirements associated with the acquisition or extension of IT systems are determined.
14.2 To what extent are security-relevant aspects considered in the software development process (incl. change
management)?
(Reference to ISO 27001: Control A.14.2.1 - A.14.2.9)
Objective: Information security requirements must be taken into account in the development process of software and IT systems. They
must be incorporated as requirements and milestones into the respective process model.
Requirements: This must include:
None.
14.3 To what extent are test data created, protected and used in a careful and controlled manner?
(Reference to ISO 27001: Control A.14.3.1)
Objective: Test data is often required for testing purposes in the course of software development or change management. Testing is
conducted in test environments the access to which is often controlled less strictly and often allocated to persons (e.g.
service providers or developers) who do not need access to productive data. It must be ensured that the test environment
does not increase the risk of loss or disclosure of productive data.
Requirements: This must include:
None.
14.4 To what extent is it ensured that only evaluated and approved external IT services (particularly cloud services) are
used for processing company data?
-
505025421.xlsx /
Printed on: 01/06/2021 Page 20 of 37
Information security
Objective: Particularly cloud services, whose use is often related to little or no cost, present an enhanced risk that established
acquisition processes are bypassed thus also leading to acquisition and commissioning without adequate compliance with
technical and contractual information security requirements. Security cannot be ensured in cases where external IT services
are used without considering security requirements.
Therefore, it must be ensured that external IT services will not be commissioned unless the intended processes are
completed and thus the information security processes and provisions are met prior to commissioning.
15 Supplier Relationships
15.1 To what extent are information security requirements contractually agreed with suppliers to mitigate risks when
suppliers have access to corporate assets (particularly information and communication services and in case such
assets are used by subcontractors)?
(Reference to ISO 27001: Control A.15.1.1 - A.15.1.3)
Objective: In collaboration with external companies (e.g. subcontractors), the requirements regarding the protection needs of
transferred information msut be considered. Therefore, relevant risks and requirements regarding information security must
be addressed in the contracts.
Requirements: This must include:
+ External companies/third parties (e.g. subcontractors) shall be subjected to an information security assessment.
+ Contractual agreements with external companies regarding measures for protecting information (e.g. non-disclosure
agreements) are entered.
+ Requirements for other subcontractors of the supplier are taken into account in procurement.
15.2 To what extent are the services performed by a supplier or subcontractor monitored, reviewed and audited on a
regular basis?
(Reference to ISO 27001: Control A.15.2.1)
Objective: The provision of services by service providers shall be monitored regularly by an organization. By means of monitoring and
verifying the provided services, it must be ensured that the conditions of an agreement regarding information security are
fulfilled.
505025421.xlsx /
Printed on: 01/06/2021 Page 21 of 37
Information security
Requirements: This must include:
+ Compliance with contractual agreements is monitored and verified.
16.1 To what extent are responsibilities, procedures, reporting channels and criticality levels established to ensure an
effective response to information security incidents or weaknesses?
(Reference to ISO 27001: Control A.16.1.1 - A.16.1.3)
Objective: Detection of and defence against security events generally require an effective and consistent approach. For this purpose,
the responsibilities and procedures for handling information security events must be specified in order to ensure a prompt
reaction to those events. Suitable reporting channels and awareness of all employees are essential elements of these
procedures and must be considered.
Requirements: This must include:
+ A policy for reporting information security events or weaknesses is created including at least the following requirements:
- reaction to information security events according to defined levels of criticality
- report form
- reporting channel
- processing organization
- specifications for feedback procedure
- indication of technical and organizational measures (such as disciplinary measures)
Objective: Information security events must be assessed. There shall be an adequate reaction to information security events based on
defined procedures. In the aftermath of information security events, findings must be used to reduce the probability of future
events occurring.
Objective: In events of crisis, information security is particularly at risk. Therefore, it must be ensured that even in those cases the
defined ISMS measures continue to provide effective protection or previously defined supplementary measures must be
taken.
505025421.xlsx /
Printed on: 01/06/2021 Page 22 of 37
Information security
Requirements: This must include:
+ Potentially affected IT systems and software are identified.
+ For events of crisis, methods, processes and procedures relevant to information security are taken into account.
18 Compliance
18.1 To what extent is compliance to relevant legal (country-specific) regulations and contractual requirements ensured
(e.g. protection of intellectual property rights, use of encryption technology and protection of records)?
(Reference to ISO 27001: Control A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.5)
Objective: An essential aspect of compliance is the adherence of legal, regulatory, contractual and business-related requirements and
specifications. An organization must know relevant requirements and specifications and meet them. This also includes
consideration of intellectual property rights. Additionally, requirements for records regarding their protection against loss,
destruction, forgery, unauthorized access and unauthorized disclosure must be met. additionally cryptographic measures
shall be implemented while taking the relevant agreements, legislation and provisions into account.
Requirements: This must include:
+ Legal, regulatory and contractual requirements and specifications of relevance to information security, such as e.g. in
relation to copyright, are determined regularly.
+ Regulations regarding the compliance with legal, regulatory and contractual requirements are defined, implemented and
communicated to the entrusted persons.
18.2 To what extent is confidentiality and the protection of personally identifiable information ensured (according to
national legislation)?
(Reference to ISO 27001: Control A.18.1.4)
Objective: Privacy and protection of personally identifiable information must be ensured as required in relevant legislation and
regulation where applicable. For this purpose, processes and procedures ensuring adequate protection of personally
identifiable information shall be implemented.
Requirements: This must include:
+ Legal and contractual requirements regarding the procedures and processes in the processing of personally identifiable
information are determined.
+ Information assets are classified according to personally identifiable information.
+ Regulations regarding the compliance with legal and contractual requirements for the protection of personally identifiable
information are defined and communicated to the entrusted persons.
+ Processes and procedures for the protection of personally identifiable information are implemented.
18.3 To what extent is the ISMS reviewed by an independent third party at regular intervals or in case of significant
changes?
(Reference to ISO 27001: Control A.18.2.1)
Objective: Assessing the effectiveness of the ISMS only from an internal point of view is not sufficient to serve as an essential control
tool. Instead, an independent and therefore objective assessment must be obtained at regular intervals and in case of
significant changes.
505025421.xlsx /
Printed on: 01/06/2021 Page 23 of 37
Information security
Requirements: This must include:
+ Information security reviews are carried out by an independent and competent body at regular intervals and in case of
significant changes.
+ Measures for correcting potential deviations are initiated and pursued.
18.4 To what extent is the compliance of procedures and processes with policies, regulations and other relevant
information security standards ensured?
(Reference to ISO 27001: Control A.18.2.2, A.18.2.3)
Objective: The effectiveness of policies, regulations and relevant information security standards must be ensured continuously. For
this purpose, compliance with the applicable security policies and standards must be verified at regular intervals. This also
includes verification of compliance with technical specifications of the information security policies. The results of the
conducted tests must be recorded and the records must be retained.
Requirements: This must include:
+ Compliance with policies, regulations and information security standards is monitored.
+ Information security regulations and procedures are reviewed throughout the organization at regular intervals.
+ Measures for correcting potential non-conformities (deviations) are initiated and pursued.
505025421.xlsx /
Printed on: 01/06/2021 Page 24 of 37
Information security
Information Security Assessment -
Additional requirements for connection to third parties
based on ISO 27002:2013
Company: 0
Location: 0
Date: 12/30/1899
Maturity
level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5;
n.a.
Objective: Information security must be a natural and integral part of the work environment and adopted in the daily work of all
employees. By means of information security training, employees must gain the necessary knowledge and competence for
security-conscious behaviour. They must be particularly aware of what is expected of them with respect to information
security and how to react to security-critical situations.
Requirements: This must include:
+ Employees having access to customer networks have received the necessary training and awareness for handling the
associated security risks.
23.9.2 To what extent are procedures for the registration, modification and deletion of users with the corresponding
access rights implemented, and in particular is the authentication information handled confidentially?
(Reference to ISO 27001: Control A.9.2.1, A.9.2.2, A.9.2.4 and A.9.2.5)
Objective: The identity of the user of an IT system or an IT application must be clearly verifiable to allow the assignment of actions. In
order to ensure this, authentication (registration) procedures and mechanisms of IT systems or IT applications must be
designed such that users are clearly identified and authenticated.
Requirements: This must include:
+ User related access to customer systems shall not be used by multiple users.
+ Changes to the employment contract or the authority of an employee shall be reported to the system operator
immediately or user access shall be adapted accordingly.
Objective: Processing of information assets outside the area affected by the measures intended for achieving the target information
security level shall be prevented. Since it is generally not possible to implement corresponding measures for all areas of the
location, a zone concept must be applied defining in which areas which type of information may be processed.
505025421.xlsx /
Printed on: 01/06/2021 Page 25 of 37
Connection to 3rd parties (23)
Requirements: This must include:
None.
23.13.3 To what extent are groups of information services, users and information systems segmented within the network?
(Reference to ISO 27001: Control A.13.1.3)
Objective: IT systems on the network have different protection needs. Thus, IT systems directly connected to the internet are generally
exposed to different threats than IT systems on the office net. In order to detect and prevent undesired data exchange
between IT systems of different protection needs, corresponding groups must be designed on the network and these must
be segregated from other groups.
Requirements: This must include:
+ Requirements regarding network segmentation are defined.
+ Rules and procedures for network segmentation are defined and implemented.
505025421.xlsx /
Printed on: 01/06/2021 Page 26 of 37
Connection to 3rd parties (23)
Information Security Assessment -
Zusatzanforderungen Prototypenschutz
Company: 0
Location: 0
Date: 12/30/1899
Maturity
level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5;
n.a.
25 Prototype Protection
25.1.2 To what extent is perimeter security existent preventing unauthorized access to protected objects of the
properties?
(Reference to ISO 27001: Control A.11.1.1)
25.1.3 To what extent is the outer skin of protected buildings constructed such as to prevent removal or opening of outer-
skin components using standard tools?
(PT module; no reference to ISO 27001)
25.1.4 To what extent is a view and sight protection ensured in defined protection areas?
(PT module; no reference to ISO 27001)
25.1.5 To what extent is the protection against unauthorized entry regulated in the form of an access control?
(Reference to ISO 27001: Control A.11.1.1, A.11.1.2 and A.11.1.3)
25.1.6 To what extent is a functioning intrusion detection system implemented on the premises to be secured?
(Reference to ISO 27001: Control A.11.1.2)
505025421.xlsx /
Printed on: 01/06/2021 Page 27 of 37
Prototype protection (25)
Information Security Assessment -
Zusatzanforderungen Prototypenschutz
Company: 0
Location: 0
Date: 12/30/1899
Maturity
level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5;
n.a.
25.2.1 To what extent are non-disclosure agreements/obligations existent according to the valid contractual law?
(Reference to ISO 27001: Control A.13.2.4)
25.2.2 To what extent are requirements for commissioning subcontractors known and fulfilled?
(Reference to ISO 27001: Control A.13.2.4, A.15.1.1, A.15.1.2 and A.15.1.3)
25.2.3 To what extent are the employees and project members evidently trained for and made aware of risks associated
with handling prototypes?
(Reference to ISO 27001: Control A.7.2.1 and A.7.2.2)
25.2.4 To what extent are security classifications of the project and the resulting measures for protection known?
(Reference to ISO 27001: Control A.8.2.2)
25.2.5 To what extent is a process defined for allocation of access to defined security areas?
(Reference to ISO 27001: Control A.11.1.2)
25.2.6 To what extent are regulations for image recording and handling of created image material existent?
(Reference to ISO 27001: Control A.11.1.5)
25.2.7 To what extent is a process for carrying along and using mobile video and photography devices in(to) defined
security areas established?
(Reference to ISO 27001: Control A.11.1.5)
505025421.xlsx /
Printed on: 01/06/2021 Page 28 of 37
Prototype protection (25)
Information Security Assessment -
Zusatzanforderungen Prototypenschutz
Company: 0
Location: 0
Date: 12/30/1899
Maturity
level
In case a question does not apply, please insert n.a. (not applicable).
Level 0-5;
n.a.
25.3.1 To what extent are the predefined regulations for camouflage implemented by the project members?
(PT module; no reference to ISO 27001)
25.3.2 To what extent are transports in need of protection arranged according to the specifications of the customer?
(PT module; no reference to ISO 27001)
25.3.3 To what extent is it ensured that vehicles, components or parts which require confidentiality are parked/stored in
accordance with customer requirements?
(PT module; no reference to ISO 27001)
25.3.4 To what extent are security requirements of approved test and trial grounds observed/implemented?
(PT module; no reference to ISO 27001)
25.3.5 To what extent are security requirements for approved test and trial drives in public observed/implemented?
(PT module; no reference to ISO 27001)
25.3.6 To what extent are security requirements for presentations and events with scope/contents subject to
confidentiality implemented?
(PT module; no reference to ISO 27001)
25.3.7 To what extent are security requirements for film and photo shootings with scope/contents subject to
confidentiality implemented?
(Reference to ISO 27001: Control A.11.1.5)
505025421.xlsx /
Printed on: 01/06/2021 Page 29 of 37
Prototype protection (25)
Control 7.2 Awareness and training of employees 9.2 User registration 12.1 Change management 12.3 Protection against malware
Effectiveness of
Coverage degree of Effectiveness of Coverage degree Coverage degree Coverage degree Coverage degree
ID Collective accounts Change - error rate updating Endpoint
awareness measures awareness measures review “user accounts” review “authorizations” Change Management Endpoint Security
Security
to be determined
individually (0-20…low, 20- to be determined
to be determined to be determined to be determined
50 medium, 50+ high) individually (e.g. Green: >
to be determined individually (e.g. Green: > individually (e.g. Green: > to be determined to be determined individually (e.g. target:
possible characteristic for 90%, Yellow: 70-90%, Red:
individually (e.g. Green: > 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: individually (e.g. Green: < individually (e.g. Green: > 100% after max. 30
Threshold levels 90%, Yellow: 70-90%, Red:
comparability of business
< 70%, special case of < 70%, special case of
Number red: > 0,Green = 0 < 70%, special case of
10%, Yellow: 10-30%, Red: 90%, Yellow: 70-90%, Red: minutes,
units: in relation to the systems relevant to financial
< 70%) systems relevant to financial systems relevant to financial > 30%) < 70%) Green: > 90%, Yellow: 70-
number of employees e.g. reporting: target coverage
reporting: target coverage reporting: target coverage 90%, Red: < 70%)
unit: incidents/100 100%
employees
Frequency to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
(measurement) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. monthly) individually (e.g. annually)
HR - Training Department -
Data Owner, User Data Owner, User IT Operations, Change IT Operations, Change AV Management, IT AV Management, IT
Interfaces IKS - Internal Audit Incident Management
Management, supervisors Management, supervisors
User Management
Management Management Operations Operations
Department
E-learnings, classroom User directory, authorization User directory, authorization User directory, authorization
Incident Mgt. Tool, Ticket Project Management, Project Management,
Components training, training plan, management tool, IAM management tool, IAM management tool, IAM AV console, CMDB AV console, CMDB
System, ISMS Tool Change Management Change Management
training register platform, CMDB platform platform
Data archiving 5 years 5 years 10 years 10 years 5 years 10 years 5 years 5 years 5 years
505025421.xlsx /
Printed on: 01/06/2021 Page 30 of 37
KPIs
12.7 Detection of vulnerabilities
12.4 Backup 16.2 Processing of information security incidents 5.1 Information security policy 6.2 Information security in projects
(Patch management)
4 4 4 3 3
COVERAGE COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE COVERAGE COVERAGE
Creation degree of
Detection rate of Timely processing of Actuality of required Coverage degree of
Degree of backup Degree of restoration Coverage degree Patch Effectiveness of patch required
Backup effectiveness information security information security policies/documentation information security in
coverage test coverage Management installation policies/documentation
incidents incidents s projects
s
The contemporary
Information security Information security
A regular review of backup Backup quality must be A comprehensive patch installation of patches
A regular and complete incidents have to be incidents have to be
functionality (e.g. by ensured by correlating management protects the ensures the security of
backup provides protection detected and timely handled prioritized and handled Under an ISMS, For the ISMS, the prepared
restoring data or systems) is controls. Measures are e.g. company against the systems and applications Information security topics
against the loss of data, e.g. in order to protect the accordingly depending on mandatory/voluntary policies/documentations
essential for the availability data restore, system impacts of malware and and therefore reduces the shall be addressed during
in case of a system failure company from damages. their criticality. The KPI policies/documentations shall be reviewed for their
of business information. restoration. exploits. The KPI measures window of vulnerability for projects.
or malware infection. The KPI measures the measures the appropriate shall be prepared. actuality.
The KPI measures the The KPI measures the the inclusion of systems and the company. The KPI
The KPI measures the compliance of the incident timely handling of
degree of the restore test number of incorrect data applications in the Patch measures recording of the
degree of backup coverage. reporting process between information security
coverage. restores. Management process. target and actual state of
the involved interfaces. incidents.
Patches.
to be determined
individually (e.g. according
to category maximum
to be determined to be determined
to be determined to be determined periods for solution:
individually (e.g. Green: = individually (e.g. target: to be determined to be determined to be determined
individually (e.g. Green: > individually (e.g. Green: > -PRIO 1: days
100% (of systems to be Number Red: > 0,Green = 0 100% after max. 10 days, Number Red: < 1,Green = 1 individually (target coverage individually (target coverage individually (target coverage
90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: -PRIO 2: weeks
secured), Yellow: 70-99%, Green: > 90%, Yellow: 70- = 100 %) = 100 %) = 100 %)
< 70%) < 70%) -PRIO 3: months
Red: < 70%) 90%, Red: < 70%)
unsolved incidents within
period, e.g. Green: < 2%,
Yellow: 2-5%, Red: > 5%)
Quotient: number of
Quotient: number of Quotient: number of Quotient: number of information security
Quotient: number of For each individual criticality Quotient: number of policies Quotient: number of
systems covered with systems with tested currently patched time comparison incidents reported in the Quotient: number of existing
restorations with errors/total level: reviewed according to projects considering
backups/total number of restoration from systems/total number of average actual rollout state incident policies/population of
number of all restoration all unsolved incidents within cycle/population of policies security/total number of
systems (adjusted for backup/total number of all systems (adjusted for vs. target state management/number of all necessary policies
tests defined period/all incidents to be reviewed relevant projects
authorized exceptions) systems with backup authorized exceptions) incidents (of the surveying
unit)
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
individually (e.g. annually) individually (e.g. monthly) individually (e.g. annually) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
IT, CERT, Incident IT, CERT, Incident Information Security, Information Security,
Backup process, IT Backup process, IT Backup process, IT Patch/Change Patch/Change Project customer, project
Management, Helpdesk, Management, Helpdesk, Corporate Security, IT Corporate Security, IT
Operations Operations Operations Management, IT Operations Management, IT Operations management office (PMO)
Service Management Service Management Security, HR, Business Security, HR, Business
Change Management Change Management Contents derived from the Contents derived from the
console, software console, software Incident Management Incident Management Statement of Applicability Statement of Applicability Overview of projects per
Backup software, CMDB Backup software, CMDB Backup software, CMDB
distribution platform, CMDB, distribution platform, CMDB, System/Workflow System/Workflow (SoA) and documented in (SoA) and documented in PMO
WSUS WSUS accordance with ISO 27001 accordance with ISO 27001
10 years 10 years 10 years 5 years 5 years 10 years 10 years 5 years 5 years 5 years
505025421.xlsx /
Printed on: 01/06/2021 Page 31 of 37
KPIs
11.3 Protection measures in
6.2 Information security in projects 6.3 Mobile devices 11.1 Security zones the delivery and shipping 12.5 Event logging 12.6 Logging administrative activities
area
3 3 3 2 3 2
EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS
Effectiveness of
Protective measures - Implementation of Coverage degree of Coverage degree of
Coverage degree of implementation of Implementation degree Coverage degree
implementation in protective measures for event logs on security- Functioning log activity admin logs on security- Functioning log activity
mobile device security mobile device security of zone concept review “Authorizations”
projects zone concept critical systems critical systems
measures
Information Security,
IT Security, Information IT Security, Information Information Security, Information Security, Corporate Security, Local IT, Information Local IT, Information Local IT, Information Local IT, Information
Corporate Security, IT
Security Security, Corporate Security Corporate Security Corporate Security Logistics, authorities Security, Compliance Security, Compliance Security, Compliance Security, Compliance
Security
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually) individually (e.g. annually)
to be determined to be determined
to be determined individually (e.g. Green: > individually (e.g. Green: >
to be determined to be determined to be determined to be determined Number of incorrect admin
individually (e.g. Green: > 90%, Yellow: 70-90%, Red: Number of incorrect logs 90%, Yellow: 70-90%, Red:
individually (target coverage individually (target coverage individually (target coverage individually (target coverage logs
90%, Yellow: 70-90%, Red: < 70%, special case of Red: > 0,Green = 0 < 70%, special case of
= 100 %) = 100 %) = 100 %) = 100 %) Red: > 0,Green = 0
< 70%) systems relevant to billing: systems relevant to billing:
target coverage target coverage
Quotient: number of
employees working in the
Quotient: number of Quotient: number of Quotient: number of mobile Quotient: number of Quotient: number of delivery and shipping area Quotient: number of logged Quotient: number of logged
projects considering protected mobile devices protected in a properties with zone adequately secured who are subject to regular security-critical number of incorrectly written security-critical number of incorrectly written
security aspects/total devices/total number of timely manner/total number concept/population of zones/population of all access rights systems/total number of logs systems/total number of admin logs
number of relevant projects mobile devices of mobile devices properties zones reviews/population of security-critical systems security-critical systems
employees working in the
delivery and shipping area
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
individually (e.g. annually) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. annually) individually (e.g. quarterly) individually (e.g. annually) individually (e.g. annually) individually (e.g. quarterly) individually (e.g. annually) individually (e.g. quarterly)
Plant security, local security Plant security, local security IT, System Owner, Data IT, System Owner, Data
Project customer, project Logistics, Access IT, System Owner, Data IT, System Owner, Data
IT operation, IT Security IT operation, IT Security functions, specialized functions, specialized Owner, Risk Owner, User Owner, Risk Owner, User
management office (PMO) Management Owner, Risk Owner Owner, Risk Owner
departments departments Management Management
to be defined individually (if to be defined individually (if to be defined individually (if to be defined individually (if
5 years 5 years 5 years 5 years 5 years 10 years
relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years) relevant to billing: 10 years)
505025421.xlsx /
Printed on: 01/06/2021 Page 32 of 37
KPIs
14.1 Requirements for the
13.5 Non-disclosure
12.8 System audits 13.2 Network services acquisition of information 14.2 Security during the software development process 18.4 Effectiveness review
agreements
systems
2 3 3 3 3 3
COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS COVERAGE EFFEKTIVENESS
Coverage degree of
Effectiveness of risk Timely elimination of
Coverage degree Coverage degree of risk Effectiveness of risk activities to eliminate
Coverage degree Effectivity of system Effectiveness of Coverage degree non- handling in information vulnerabilities
review service level assessment in software handling in vulnerabilities
system audits audit implementation observing SLAs disclosure agreements service acquisition determined during
agreements (SLA) development process development process determined during
processes audits
audits
Weaknesses identified in
The protection of Information security risks Weaknesses identified in
the course of information
IT systems processing or Measures resulting from Regular verifications of the information confidentiality associated with the Risks identified in the the course of information
Risks identified during the security audits (internal and
storing information of high those audits shall be SLAs for network services The agreed measures shall be subject to applications to be process of software security audits (internal and
acquisition process are external) shall be eliminated
or very high protection implemented in time in ensure consideration of resulting from SLAs shall be contractual agreement developed shall be development are treated in external) are eliminated
treated in a timely and in a consequent and
needs shall be subjected to order to eliminate current security implemented. where at least confidential identified as early as a timely and effective within the deadlines agreed
effective manner. traceable manner. Findings
audits at regular intervals. vulnerabilities. requirements at all times. information is exchanged possible in the process of manner. (with the audited
shall not remain
with external partners. software development. departments).
unaddressed.
Weaknesses identified in
Security risks are All weaknesses identified in
All relevant systems are All requirements resulting A non-disclosure agreement Risks identified in Security risks are taken into the course of audits are
All measures are All SLAs include the current addressed in the the course of audits are
subject to audits at regular from the SLAs are has been entered with all acquisition are handled in account in the software eliminated within the
implemented in time security requirements development process in an traced and assigned to
intervals implemented external partners an effective manner development process defined time and in an
effective manner activities
effective manner
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: > individually (e.g. Green: >
90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red: 90%, Yellow: 70-90%, Red:
< 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%) < 70%)
to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined to be determined
individually (e.g. monthly) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. monthly) individually (e.g. quarterly) individually (e.g. quarterly) individually (e.g. quarterly)
individually (e.g. quarterly) individually (e.g. quarterly)
Internal Auditors, Internal Auditors,
Acquisition, Information Procurement, specialized Procurement, specialized Procurement, specialized
Audit Management, IT Audit Management, IT Local IT, Information Local IT, Information Information Security, IT, Information Security, IT,
Security, specialized departments (requisitioner), departments (requisitioner), departments (requisitioner),
Operation, System Owner Operation, System Owner Security Security specialized departments specialized departments
department IT IT IT
(Auditees) (Auditees)
5 years 5 years 5 years 5 years 5 years 5 years 5 years 5 years 10 years 10 years
505025421.xlsx /
Printed on: 01/06/2021 Page 33 of 37
KPIs
Security zones
Zone White (public) Green (controlled zone) Yellow (restricted zone) Red (high risk zone)
Explanation Areas of public character, which are permanently or temporarily accessible to everyone. Area with technical or organizationally controlled safety measures, not Area with additional safety measures, restrictive, protection of special Area with the highest security requirements, protection of sensitive
Areas with low risk without particularly sensitive values. None or only preventive safety freely accessible, usually internal scopes scopes, limited number of persons, usually confidential scopes as well. values strictly regulated access rights, usually secret scopes.
requirements. Domestic authority exists. (e.g. visitors' parking space, connecting routes)
Aspect
Accessibility No special requirements Values cannot be viewed freely, Clean Desk Temporary measures (according to the risk analysis) for sight Permanent sight protection/noise reduction
protection/noise reduction
Visitor requirements Appropriate signs Only registered visitors, explicit reference to confidentiality/non- Restricted group of visitors, written confirmation of the non-disclosure, Only in exceptional cases: additionally to “Yellow” four-eyes principle,
disclosure in permanent personal escort by own staff householder’s consent
Driving on/parking Permitted Vehicles are allowed to drive on/park only after registration. Special restrictions Special restrictions
Access control and None Area must be protected against unauthorized access (personnel or Monitoring the entering/exiting of the zones via online access reader, Monitoring the entering/exiting of the zones via online access reader
protection technical measures) compensating locking system with limited circle
Monitorings If required, camera surveillance (prevention of damage to property) Camera surveillance and/or patrolling (prevention of unauthorized Camera surveillance, motion detection at least in the access areas or Camera surveillance, glass breakage detector, windows with sight
penetration) easily accessible areas (e.g., ground floor windows) protection, double illumination with motion detectors, central circuit,
intrusion detection system installed by professionals
Resistance values . Fences 2.2m with anti-climbing protection and undermine At least RC 2 or compensating measures At least RC 2 (resistance time 5 minutes) with additional measures
protection/building shell consisting of windows, doors, walls, roofs
Response time (alarm to . 30 minutes 10 minutes 5 minutes
visual inspection and
acknowledgment)
Photography/use of optics . No internal information, otherwise only using business devices No use of private devices, business devices only in case of No private devices, business devices in exceptional cases only Four-
professional assignment eyes principle, approval by company management
Optics
Zone Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Explanation Areas of public character, which are permanently or temporarily accessible to everyone. Area with technical or organizationally controlled security measures, Area with additional security measures, restrictive, protection of special Area with the highest security requirements, protection of sensitive
Areas with low risk without particularly sensitive values. None or only preventive safety not freely accessible, usually internal scopes scopes, limited number of persons, usually confidential scopes as well. values strictly regulated access rights, usually secret scopes.
requirements. Subject to householders rights (e.g. visitors' parking space, connecting
routes)
Aspect “carrying along” Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Company owned devices No special requirements Carrying along unsealed devices allowed Carrying along unsealed devices allowed Carrying along sealed devices allowed
(independent from Mobile Carrying along unsealed devices forbidden
Device Management
(MDM))
Private devices of No special requirements Carrying along unsealed devices allowed Carrying along unsealed devices allowed Carrying along sealed devices allowed
company employees Carrying along unsealed devices forbidden
(wearables with optics as
well)
Devices of contractors No special requirements Carrying along unsealed devices allowed Carrying along sealed devices allowed Carrying along even sealed devices forbidden
and visitors (wearables Carrying along unsealed devices forbidden
with optics as well)
Aspect “use” Public area Green (photo-security area 1) Photo-security area 2 Photo-security area 3
Video telephony/video No special requirements Allowed in all areas Allowed in office workplaces and meeting rooms, otherwise upon In defined meeting rooms with permanently installed equipment,
conferencing (without approval otherwise upon approval
recording)
Photography/video No special requirements - No use of private devices or devices of contractors/visitors - No use of private devices or devices of contractors/visitors - No use of private devices or devices of contractors/visitors
recordings - Allowed with company owned devices allowed with company owned devices upon approval - Allowed in exceptional cases upon approval (e.g. four-eyes
principles, consent of the management)
Recording of persons and Declaration of consent required Declaration of consent required Declaration of consent required - Allowed only in exceptional cases upon approval
sound recording with - Declaration of consent required
company owned devices
Personnel
Type of employment
Standard validation Certificate of good conduct/criminal record certificate Intensive verifications of the CV, references Validation of certificates, diplomas and vocational training
relationship
Ordinary X
employee/worker
505025421.xlsx /
Printed on: 01/06/2021 Page 34 of 37
References
Head of department
IT department X X
employees with special
access rights
Department Manager X X X
General Manager,
Directors, Executive X X X X
Assistants, Security
Manager
Off-Premises workplace
temporary working environment (e.g. hotel) regular alternative working environment (in particular home
office)
Confidentiality of the
information
Highest protection class Paper: principally not Paper: principally not
“secret”
Local data storage: principally not Local data storage: principally not
Remote Access: principally not Remote Access: principally not
Medium protection class Paper: continuously under personal control Paper: principally only temporarily
“confidential”
Local data storage: strongly encrypted or Mobile Device Management (MDM) Local data storage: strongly encrypted or Mobile Device
active (remote deletion on demand) Management (MDM) active (remote deletion on demand)
Remote Access: strongly authenticated & strongly transport encrypted, integrity Remote Access: strongly authenticated & strongly transport
of the access device ensured, data “non-permanent” encrypted, integrity of the access device ensured, data “non-
permanent”
Lowest protection class Paper: under personal control Paper: in office furniture with special closing
“internal”
Local data storage: encrypted or Mobile Device Management (MDM) active Local data storage: encrypted or Mobile Device Management
(remote deletion on demand) (MDM) active (remote deletion on demand)
Remote Access: strongly authenticated & strongly transport encrypted, integrity Remote Access: strongly authenticated & strongly transport
of the access device ensured, data “non-permanent” encrypted, integrity of the access device ensured, data “non-
permanent”
Protection classes
Description
Normal The potential damage is marginal, short-term nature, and limited to a single
High entity.
The potential damage is significant or medium-term nature or is not limited to a
single entity.
Very high The potential damage threatens the existence of the company or long-term
nature or is not limited to a single entity.
505025421.xlsx /
Printed on: 01/06/2021 Page 35 of 37
References
Information Security Assessment -
Glossary
GWP = Generic Work Product = a general result that arises from the execution of the process
PA = Process Attributes = a measurable characteristic to a process capability that is
applicable for each process.
Evaluation basis:
Cutback result
In the “Result with cutback to target level”, the cutback of achieved results to the target
maturity level ensures that “overachieved” controls do not compensate underachieved
controls in the overall result.
Maximum score:
The variations in the maximum score arise when individual controls are marked with “n.a.”
(not applicable) and therefore the average value of the target maturity levels changes.
Spider diagram:
All results are shown without cutback. The line for the target maturity level considers controls
that were marked as n.a.
505025421.xlsx /
Gedruckt am: 01/06/2021 Seite 36 von 37
Glossar
1.0 First release (Initial build)
2.1.3 Spider diagram shows result without cutback to target maturity levels
Control 13.5 revised
Control 7.1 maturity level 1 revised
Controls 9.4 and 9.5 reference revised
505025421.xlsx /
Gedruckt am: 01/06/2021 Seite 37 von 37
Change history