Neuerungen 2027 für TISAX®
Der VDA® hat den Nachfolger von ISA 6 angekündigt (zur offiziellen Mitteilung des VDA®) - er heißt jetzt ISA 2027 und ist der Fragenkatalog hinter jedem TISAX®-Assessment. Hier steht jede Änderung: markiert, eingestuft, durchsuchbar.
44 von 46 Controls der Informationssicherheit wurden überarbeitet - 25 mit Anforderungsänderungen.
Der Prototypenschutz ist komplett neu strukturiert, der Datenschutz bleibt unverändert. Was das für Ihr Assessment bedeutet: zur Analyse.
Informiert werden, sobald ISA 2027 in Kraft tritt
Informationssicherheit (Kap. 1-7)
1.1.1To what extent are information security policies available?Major
- verschoben should → must: „+ The policies are made available to employees in a suitable form (e.g...“
- verschoben should → must: „+ Employees and external business partners are informed of any changes...“
- gestrichen (must): „- The requirements are adapted to the organization’s goals,“
- The requirements are
+ The policy includes objectives and the significance of information security within the organization.
+ The policies are made available to employees in a suitable form (e.g., intranet).
+ Employees and external business partners are informed of any changes relevant to them.
+ The policy indicates consequences in case of non-conformance.
+ Other relevant security policies are established.
+ Periodic review and, if required, revision of the policies are established.
+ The policies are made available to employees in a suitable form (e.g. intranet).
+ Employees and external business partners are informed of any changes relevant to them.
1.2.1To what extent is information security managed within the organization?Minor
+ The organization's requirements for the ISMS are determined.
+ The organizational management has commissioned and approved the ISMS.
+ The ISMS provides the
+ Applicable controls have been determined
+ The effectiveness of the ISMS is regularly reviewed by the management.
1.2.2To what extent are information security responsibilities organized?Major
- neu (should): „+ Security-relevant roles that are not part of the ISMS and are releva...“
- gestrichen (should): „- Other relevant security roles are considered.“
+ The responsible employees are
+ The required resources are available.
+ The contact persons are known within the organization and to relevant business partners.
1.3.1To what extent are information assets identified and recorded?Major
- verschoben must → should: „- A person responsible for these information assets is assigned,“
- gestrichen (must): „- A person responsible for these supporting assets is assigned.“
They
To protect this information
- A person responsible for these supporting assets is assigned.
- The corresponding supporting assets are assigned to each relevant information asset,
- A person responsible for these information assets is assigned,
- The catalogue is subject to regular review.
1.3.2To what extent are information assets classified and managed in terms of their protection needs?Minor
+ Evaluation of the identified information assets is carried out according to the defined
+ Specifications for the handling of supporting assets
1.3.3To what extent is it ensured that only evaluated and approved external IT services are used for processing the organization’s information assets?Minor
-
- Legal, regulatory, and contractual
+ The external IT services have been harmonized with the protection need of the processed information assets.
+ A procedure for release in consideration of the protection need is established.
+ External IT services and their approval are documented.
+ It is verified at regular intervals that only approved external IT services are used.
1.3.4To what extent is it ensured that only evaluated and approved software is used for processing the organization’s information assets?Minor
+ Software approval also applies to special purpose software such as maintenance
+ Repositories of managed software exist
+ The software repositories are protected against unauthorized manipulation
+ Approval of software is regularly reviewed
+ Software versions and patch levels are known
1.4.1To what extent are information security risks managed?Major
- gestrichen (should): „- A plan of measures or an overview of their state of implementation i...“
+ Information security risks are appropriately assessed
+ Information security risks are documented.
+ A responsible person (risk owner) is assigned to each information security risk. This person is responsible for the assessment and handling of the information security risks.
+ Criteria for the assessment and handling of
+ Measures for handling security risks and the persons responsible for these are specified and
-
+ In case of changes to the environment
1.5.1To what extent is compliance with information security ensured in procedures and processes?Minor
+ Information security policies and procedures are reviewed at regular intervals.
+ Measures for correcting potential non-conformities (deviations) are initiated and pursued.
+ Compliance with information security requirements
+ The results of the conducted reviews are recorded and retained.
+ Suitably qualified and appropriate information security audit responsibilities and resources are defined.
+ A detailed internal audit plan and schedule is defined and followed. The following aspects are considered:
- The entire assessment scope is covered
1.5.2To what extent is the ISMS reviewed by an independent authority?Minor
+ Measures for correcting potential deviations are initiated and pursued.
1.6.1To what extent are information security relevant events or observations reported?Major
- neu (should): „- Availability and communication of a security event report channel fo...“
- gestrichen (should): „- An externally accessible way to report security events exists and is...“
- Events and observations related to personnel
- Events and observations related to physical security (e.g., intrusion, theft, unauthorized access to security zones, vulnerabilities in the security zones)
- Events and observations related to IT and cyber security (e.g., vulnerable IT-systems, detected successful or unsuccessful attacks)
- Events and observations related to suppliers and other business partners (e.g., any incidents that can have negative effect on the security of own organization)
+ Adequate mechanisms based on perceived risks to report security events are defined, implemented, and known to all relevant potential reporters
+ Adequate channels for communication with event reporters exist.
+ Different reporting channels according to perceived severity
+ Employees are
+ Security event reports
-
- Timely
+ Mechanism
+ A feedback procedure to reporters is established.
1.6.2To what extent are reported security events managed?Major
- neu (should): „+ A strategy for reporting potentially criminal aspects of security in...“
- gestrichen (should): „+ A strategy for filing official reports and searching prosecution of...“
+ An adequate reaction to reported security events is ensured.
+ Lessons learned are incorporated into continuous improvement.
+ Responsibilities for handling of events based on their category are defined and assigned. The following aspects are considered:
- Coordination of incidents and vulnerabilities across multiple
- Qualification and
-
-
+ A strategy for
+
- Conditions and thresholds
- Mechanisms, processes, and contacts for
- Escalation paths up to the organization’s top
+ Lawful, regulatory, and contractual reporting
+ A communication strategy for security related events
- To whom to communicate (e.g., shareholders, affected business partners and customers, other shareholders, general
- When to
- Responsibilities for
- Authorization and approval of
- Legal and regulatory restrictions of
- What to communicate
- How to communicate (e.g., communication
+ Procedures for response to supplier security incidents are established. The following aspects are considered: (C, I, A)
- Analysis of the impact on the own organization and invocation of appropriate internal
- The need for reporting according to own reporting procedures
- Exercise or simulation of rarely occurring categories and
- Exercise or simulation include escalation
1.6.3To what extent is the organization prepared to handle crisis situations?Major
- neu (hoher Schutzbedarf): „+ A communication strategy for crisis situations exists. The following...“
- neu (hoher Schutzbedarf): „+ Relevant different potential crisis scenarios are identified. The fo...“
- neu (hoher Schutzbedarf): „- Crisis situations with unavailability of key personnel (e.g. Health...“
- neu (hoher Schutzbedarf): „- Crisis situations with unavailable of key physical resources (e.g. f...“
- neu (hoher Schutzbedarf): „- Crisis situations with outage oaf key infrastructure (e.g. outage of...“
- neu (hoher Schutzbedarf): „+ Necessary resources and information to handle crisis (e.g. communica...“
- neu (hoher Schutzbedarf): „+ A communication strategy for crisis situations exists. The following...“
- neu (hoher Schutzbedarf): „- To whom to communicate (e.g., shareholders, affected business partne...“
- neu (hoher Schutzbedarf): „- When to communicate“
- neu (hoher Schutzbedarf): „- Responsibilities for communication“
- neu (hoher Schutzbedarf): „- Authorization and approval of communication“
- neu (hoher Schutzbedarf): „- Legal and regulatory restrictions of communication (e.g., stock corp...“
- neu (hoher Schutzbedarf): „- What to communicate (e.g., prepared templates for statements, contac...“
- neu (hoher Schutzbedarf): „- Communication channels (e.g., Media channels, social media)“
- neu (hoher Schutzbedarf): „- Instruments to monitor communication“
- neu (hoher Schutzbedarf): „- Instructions and procedures for employees (in case of direct communi...“
- neu (hoher Schutzbedarf): „+ The efficiency, feasibility, and appropriateness of the crisis plann...“
- neu (hoher Schutzbedarf): „+ Spot based testing of crisis planning is conducted ((e.g., simulatio...“
- gestrichen (must): „- The required resources are available.“
- gestrichen (should): „+ Methods to detect crisis situations are established.“
-
+ Responsibilities and authority for crisis management within the organization are defined, documented, and assigned.
+ The responsible employees are defined and qualified for their task.
-
+ A procedure to invoke and/or escalate crisis management is in place.
+ Strategic goals and their priority in crisis situations are defined and known to relevant personnel. The following aspects are considered:
- Ethical priorities (e.g., protection of life and
- Core business processes (e.g., processes that ensure the survival of the
- Appropriate information
+ A crisis management team is defined and approved. The following aspects are considered:
- Management
- Composition (e.g., participation of all major functions of the organization including organization leadership (management board), business operations (production), HR, information security, corporate security, corporate emergency services, IT/cyber security, communication,
- Structure and
- Competences of
- Expectation and
- Decision making
+ Crisis policies and procedures are defined and approved. The following aspects are considered:
- Exceptional authorities and decision-making processes can be assigned beyond the crisis management
- Primary and backup means of
- Emergency operating
-
-
-
+ Crisis planning is reviewed and updated regularly.
The following aspects are considered:
- Crisis situations with unavailability of key personnel (e.g. Health crisis, Kidnapping / accidents affecting organization leadership),
- Crisis situations with unavailable of key physical resources (e.g. fire or natural disasters at specific sites),
- Crisis situations with outage of key infrastructure (e.g., outage of key communication channels, complete outage of IT infrastructure).
+ Necessary resources and information to handle crisis (e.g., communication infrastructure, availability of necessary information such as contact information and relevant risks in different crisis situations) are identified. Appropriate measures to ensure availability of infrastructure or fallback planning and information considering different crisis scenarios are in place. (A)
+ A communication strategy for crisis situations exists. The following aspects are considered: (A)
- To whom to communicate (e.g., shareholders, affected business partners and customers, other shareholders, general public),
- When to communicate,
- Responsibilities for communication,
- Authorization and approval of communication,
- Legal and regulatory restrictions of communication (e.g., stock corporation regulations),
- What to communicate (e.g., prepared templates for statements, contact information and building blocks for specific scenarios),
- Communication channels (e.g., Media channels, social media),
- Methods to monitor communication,
- Instructions and procedures for employees (in case of direct communication approaches such as direct contact of employees by business partners).
+ The efficiency, feasibility, and appropriateness of the crisis planning is evaluated regularly. (A)
+ Spot based testing of crisis planning is conducted ((e.g., simulation, table-top-exercises involving key personnel)(A)
+ Relevant different potential crisis scenarios are identified. The following aspects are considered: (A)
- Crisis situations with unavailability of key personnel (e.g. Health crisis, Kidnapping / accidents affecting organization leadership):
- Crisis situations with unavailable of key physical resources (e.g. fire or natural disasters at specific sites)
- Crisis situations with outage
+ Necessary resources and information to handle crisis (e.g. communication infrastructure, availability of necessary information such as contact information and relevant risks in different crisis situations) are identified. (A)
- Appropriate measures to ensure availability of infrastructure or fallback planning and information considering different crisis scenarios are in place
+ A communication strategy for crisis situations
- To whom to communicate (e.g., shareholders, affected business partners and customers, other shareholders, general public)
- When to communicate
- Responsibilities for communication
- Authorization and approval of communication
- Legal and regulatory restrictions of communication (e.g., stock corporation regulations)
- What to communicate
- Communication channels (e.g., Media channels, social media)
- Instruments to monitor communication
-
+ The efficiency, feasibility, and appropriateness of the crisis planning is evaluated regularly. (A)
+ Spot based testing of crisis planning is conducted ((e.g., simulation, table-top-exercises involving key
1.2.3To what extent are information security requirements considered in projects?None
+ During an early stage of the project, risk assessment is conducted based on the defined procedure and repeated in case of changes to the project.
+ For identified information security risks, measures are derived and considered in the project.
2.1.1To what extent is the qualification of employees for sensitive work fields ensured?Minor
+ The requirements for employees with respect to their job profiles are determined and fulfilled.
+ The identity of potential employees is verified
+ An extended suitability verification depending on the respective work field and job is
2.1.2To what extent is all staff contractually bound to comply with information security policies?Minor
+ An obligation to comply with the information security policies is in effect.
+ Information security aspects are considered in the employment contracts of the staff.
+ A procedure for handling violations of said obligations is described.
2.1.3To what extent is staff made aware of and trained with respect to the risks arising from the handling of information?Minor
- Information security policy,
-
- Reaction to occurrence of malware,
- Policies regarding user accounts and login information
- Compliance issues of information security,
- Requirements and procedures regarding the use of non-disclosure agreements when sharing information requiring protection,
- Use of external IT services.
+ Target groups for training and awareness measures (i.e., people working in specific risk environments such as managers including organizational leaders, administrators, employees having access to customer networks, personnel in areas of manufacturing) are identified and considered in a training concept.
+ The concept has been approved by the responsible management.
+ Training and awareness measures are carried out both at regular intervals and in response to events.
+ Participation in training and awareness measures is documented.
+ Contact persons for information security are known to employees.
2.1.4To what extent is mobile work regulated?Major
- neu (must): „- Behavior in private surroundings (e.g., working in a dedicated offic...“
- neu (must): „- Behavior in public surroundings (e.g., during travels, shared office...“
- neu (must): „- Measures to ensure a secure access to organization’s IT-services.“
- gestrichen (must): „- Behavior in private surroundings,“
- gestrichen (must): „- Behavior in public surroundings,“
- gestrichen (must): „+ The organization’s network is accessed via a secured connection (e.g...“
- Behavior in private surroundings (e.g., working in a dedicated office at home or in a coworking space),
- Behavior in public surroundings (e.g., during travels, shared office in a coworking space),
- Secure handling of and access to information (in both electronic and paper form) while considering the protection needs and the contractual requirements applying to private
- Behavior in private surroundings,
- Behavior in
-
- Measures for travelling
+ Employee awareness.
3.1.1To what extent are security zones managed to protect information assets?Minor
- Physical conditions
-
+ The defined protective measures are implemented.
+ The code of conduct for security zones is known to all persons involved.
+ Visitor management policies (including registration and escorting of visitors) are defined.
+ Policies for carrying along and using mobile IT devices and mobile data storage devices
+ Network/infrastructure components (own or customer networks) are protected against unauthorized access.
+ External properties used for storing and processing information assets are considered in the security zone concept (e.g. storage rooms, garages, workshops, test tracks, data processing centres).
3.1.3To what extent is the handling of supporting assets managed?Minor
3.1.4To what extent is the handling of mobile IT devices and mobile data storage devices managed?Major
- gestrichen (should): „+ Users are informed of missing data protection on mobile devices.“
- gestrichen (hoher Schutzbedarf): „- Where this is technically not feasible, information is protected by...“
+ Users are informed of missing data protection on mobile devices.
-
3.1.2Superseded by 1.6.3, 5.2.8 and 5.2.9None
4.1.1To what extent is the use of identification means managed?Major
- gestrichen (hoher Schutzbedarf): „+ The validity of identification means is limited to an appropriate pe...“
4.1.2To what extent is the user access to IT services and IT systems secured?Minor
+ State of the art procedures for user authentication are applied.
+ Superior procedures are used for the authentication of privileged user accounts
4.1.3To what extent are user accounts and login information securely managed and applied?Major
- neu (must): „- Requirements for the quality of authentication information (e.g., le...“
- gestrichen (must): „- under observation of legal parameters“
- gestrichen (must): „+ The login information (e.g. passwords) of a personalized user accoun...“
+ Unique and personalized user accounts are used.
+ The use of
+ User accounts are disabled immediately after the user has resigned from or left the organization
+ User accounts are regularly reviewed.
+ The login information is provided to the user in a secure manner.
+ A policy for the handling of login information is defined and implemented. The following aspects are considered:
- No disclosure of login
-
-
- No writing down or unencrypted storing of login
- Immediate changing of login information whenever potential compromising is
- No use of identical login information for business and non-business
- Changing of temporary or initial login information following the 1st
- Requirements for the quality of authentication information
+ The login information (e.g. passwords) of a personalized user account must be known to the assigned user only.
+ Default accounts and passwords pre-configured by manufacturers are disabled
+ User accounts are created or authorized by the responsible body.
+ Creating user accounts is subject to an approval process (four-eyes principle).
+ User accounts of service providers are disabled upon completion of their task.
+ Deadlines for disabling and deleting user accounts are defined.
+ The use of default passwords is technically prevented.
+ Where strong authentication is applied, the use of the medium
+ User accounts are reviewed at regular intervals. This also includes user accounts in customers' IT systems.
+ Interactive login for service accounts (technical accounts) is technically prevented.
4.2.1To what extent are access rights assigned and managed?Major
- gestrichen (sehr hoher Schutzbedarf): „+ Prevention of unauthorized persons gaining access and information (p...“
+ The access rights granted for normal and privileged user accounts and technical accounts are reviewed at regular intervals also within IT systems of customers.
+ Authorization roles are used.
+ Rights are allocated on a need-to-use basis and according to the role and/or area of responsibility.
+ Normal user accounts are not granted privileged access rights.
+ The user’s access rights
-
-
+ Existing access rights are regularly reviewed at shorter intervals
5.1.1To what extent is the use of cryptographic procedures managed?Major
- gestrichen (must): „- to the extent legally feasible.“
- gestrichen (should): „+ Preparation of technical rules containing requirements for encryptio...“
- gestrichen (should): „+ An emergency process for restoring key material is established.“
-
- Cryptographic
- Key strengths,
- Procedures for the complete lifecycle of cryptographic keys, including generation, storage, archiving, retrieval, distribution, deactivation, renewal, and deletion.
+ An emergency process for restoring key material is established.
5.1.2To what extent is information protected during transfer?Major
- neu (should): „- Using a secured connection (e.g. VPN).“
- gestrichen (hoher Schutzbedarf): „- Where encryption is not feasible, information must be protected by s...“
+ Policies and procedures in accordance with the classification requirements for the use of network services are defined and implemented.
+ Measures for the protection of transferred contents against unauthorized access are implemented.
+ Electronic data exchange is conducted using content or transport encryption according to the respective classification.
+ Remote access connections
- Encryption,
- Authentication strength,
- Granting and termination of
- Using a secured connection (e.g. VPN).
-
5.2.1To what extent are changes managed?Major
- neu (should): „+ The potential impact on the information security of changes is asses...“
- gestrichen (should): „+ Changes are verified and assessed for their potential impact on the...“
+
+ Changes affecting the information security are subjected to planning and testing.
+ Procedures for fallback in fault cases are considered.
5.2.2To what extent are development and testing environments separated from operational environments?Minor
+ A segmentation is implemented based on the results of risk analysis.
- Separation of development, testing and operational systems,
- No development and system tools on operational systems (except those required for operation),
- Use of different user profiles for development, testing, and operational systems.
5.2.3To what extent are IT systems protected against malware?Major
- gestrichen (should): „- Encrypted connections are considered.“
- gestrichen (should): „+ Case-related staff awareness measures.“
+ Technical and organizational measures for protection against malware are defined and implemented.
+ Access to network services is restricted to necessary access
+ Malware protection software is installed and updated automatically at regular intervals
+ Received files and software are automatically inspected for malware prior to their execution (on-access scan).
+ The entire data contents of all systems is regularly inspected for malware.
+ Data transferred by central gateways
- Encrypted
-
+ Measures to prevent protection software from being deactivated or altered by users are defined and implemented.
+
+
5.2.4To what extent are event logs recorded and analysed?Major
- neu (hoher Schutzbedarf): „+ Events related to establishing and terminating remote access session...“
- gestrichen (hoher Schutzbedarf): „+ Cases of access during connection and disconnection of external netw...“
+ Security-relevant requirements regarding the logging of activities of system administrators and users are determined and fulfilled.
+ The IT systems used are assessed regarding the necessity of logging.
+ When using external IT services, information on the monitoring options is obtained and considered in the assessment.
+ Event logs are checked regularly for
+ Event logs (contents and meta data) are protected against alteration.
+ Adequate monitoring and recording of any actions on the network that are relevant to information security are established.
+
5.2.5To what extent are vulnerabilities identified and addressed?Major
- neu (must): „and evaluated (e.g., Common Vulnerability Scoring System CVSS).“
- neu (must): „+ Risks arising from vulnerabilities are treated.“
and evaluated
+ Potentially affected IT systems and software are
+ Risks arising from vulnerabilities are
+ Risk minimizing measures are implemented, as necessary.
+ Successful installation of patches is verified in an appropriate manner.
5.2.6To what extent are IT systems and services technically checked (system and service audit)?Major
- gestrichen (sehr hoher Schutzbedarf): „+ IT systems and services are regularly scanned for vulnerabilities. (...“
+ The scope of the system audit is specified in a timely manner.
+ System or service audits are coordinated with the operator and users of the IT systems or services.
+ The results of system or service audits are stored in a traceable manner and reported to the relevant management.
+ Measures are derived from the
+ Regular system or service audits are
- Audits are carried out by qualified
- If applicable, suitable tools
- Audits are performed from the internet and the internal
+ Within a reasonable period following completion of the audit, a report is prepared.
-
5.2.7To what extent is the network of the organization managed?Major
- neu (hoher Schutzbedarf): „The following aspects are considered:“
+ Requirements regarding network segmentation are determined and fulfilled.
+ For a risk-based network
- Limitations for connecting IT systems to the network,
- Use of security technologies,
- Performance, trust, availability, security, and safety considerations
- Limitation of impact in case of compromised IT
- Detection of potential attacks and lateral movement of
- Separation of networks with different operational purpose
- The increased risk due to network services accessible via the internet,
- Technology-specific separation options when using external IT services,
- Adequate separation between own networks and
- Detection and prevention of data
The following aspects are considered:
- Authentication of IT systems on the network,
- Access to the management interfaces of IT systems is
- Specific risks
5.2.8To what extent is continuity planning for IT services in place?Major
- gestrichen (should): „+ Continuity planning includes at least the following scenarios affect...“
- gestrichen (should): „+ Continuity planning considers the following cases“
+ Requirements and responsibilities for continuity and recovery of those IT services are known to relevant stakeholders and fulfilled.
-
+ Continuity planning
- (Distributed) Denial of Service attacks
- Successful ransomware attacks and other sabotage activities
- Natural disaster
+ Continuity planning considers the following cases
- Alternative storage strategies, in case primary storage means are not
- Alternative power and
+ Continuity planning
+ Appropriate SLAs with external service providers according to continuity planning are in place. (A)
+ Continuity plans include coordination of contractually agreed communication with business
+ Continuity planning is regularly tested including a full recovery and reconstitution of the system to a known state and compliance with defined target times. (A)
+ A backup and recovery strategy for critical IT services and information is defined and implemented.
+ Backups of critical IT services and information are
- Backups are
+ Continuance of essential mission and business functions with minimal or no loss of operational continuity is possible. The
- Alternate operation strategies and necessary separated standby systems to retain and/or resume operation to the extent possible if critical IT services become
- Alternate
+ Continuity planning is tested regularly.
5.2.9To what extent is the backup and recovery of data and IT services ensured?Major
- verschoben must → hoher Schutzbedarf: „The following aspects are considered:“
- gestrichen (should): „- Dependencies between IT services and the sequence for recovery are c...“
-
+ Recovery concepts exist for relevant IT services.
-
+ General restore capability is considered and tested (e.g., sample testing, test
+ Backup and recovery concepts
The following
- Recovery Point Objective
- Recovery Time Objective (RTO).
- Required resources for recovery (considering capacity and performance incl. personnel and
- Avoidance of overload scenarios during
- Appropriate spatial redundancy (e.g., separate room, separate fire section, separate
+ Restore procedures are technically tested in a methodical way at regular intervals. (I, A)
+ Geographical redundancy is considered in data backup and recovery concepts. (A)
5.3.1To what extent is information security considered in new or further developed IT service?Major
- neu (should): „+ Test-systems are provided with protective measures comparable to tho...“
- gestrichen (should): „- Where productive data are used for testing purposes, it shall be ens...“
- gestrichen (sehr hoher Schutzbedarf): „- in case of significant changes“
- gestrichen (sehr hoher Schutzbedarf): „- or at regular intervals“
+ The information security requirements associated with the acquisition or extension of IT
+ Information security requirements associated with changes to developed IT
+ System approval tests are carried out under consideration of the information security requirements.
- The information security
- Vendor recommendations and best practices for secure configuration and
- Best practices and security
- Fail safe (designed to return to a safe condition in the event of a failure or
+ Requirement specifications are reviewed against the information security requirements.
+ The IT
+ The use of
-
- Requirements for the lifecycle of test data (e.g. deletion, maximum lifetime on the IT
- Case-related specifications for the generation of test data are defined.
+ Test-systems are provided with protective measures comparable to those in the operational environment where productive data are used for testing purposes.
-
-
-
5.3.2To what extent are requirements for network services defined?Minor
+ The requirements are agreed in the form of SLAs.
+ Adequate redundancy solutions are implemented.
5.3.3To what extent is the return and secure removal of information assets from external IT services regulated?Minor
5.3.4To what extent is information protected in shared external IT services?Minor
6.1.1To what extent is information security ensured among contractors and cooperation partners?Major
- neu (hoher Schutzbedarf): „+ The supplier's level of compliance with the required evidence is doc...“
- neu (hoher Schutzbedarf): „+ The supplier's compliance with contractual agreements is checked, do...“
- neu (sehr hoher Schutzbedarf): „+ The adequate level of information security should be demonstrated by...“
- neu (sehr hoher Schutzbedarf): „+ Contractual obligations with customers regarding transparency of sup...“
- gestrichen (must): „+ Compliance with contractual agreements is verified.“
+ An appropriate level of information security is ensured by contractual agreements with contractors and
+ Where applicable, contractual agreements with clients and customers are passed on to contractors and
+ Compliance with contractual agreements is verified.
+ Service reports and documents by contractors and
+ The supplier's level of compliance with the required evidence is documented, regularly and in case of changes (e.g., changes of requirements, change in supplier status, or supply chain structure) reviewed and monitored. (C, I, A)
+ The supplier's compliance with contractual agreements is checked, documented, regularly and in case of changes (e.g., changes of requirements, change in supplier status, or supply chain structure) reviewed and monitored. (C, I, A)
+ Contractual obligations with customers regarding transparency of supply chain risks are fulfilled. (C, I, A)
6.1.2To what extent is non-disclosure regarding the exchange of information contractually agreed?Major
- neu (should): „+ Non-disclosure agreements include the persons/organizations involved...“
- gestrichen (should): „+ Non-disclosure agreements include the following information:“
- gestrichen (should): „- the persons/organizations involved,“
- gestrichen (should): „- the type of information covered by the agreement,“
- gestrichen (should): „- the subject of the agreement,“
- gestrichen (should): „- the validity period of the agreement,“
- gestrichen (should): „- the responsibilities of the obliged party.“
+ Requirements and procedures for applying non-disclosure agreements are known to all persons passing on information in need of protection.
+ Valid non-disclosure agreements are concluded prior to
+ The requirements and procedures for the use of non-disclosure agreements and the handling of information requiring protection are reviewed at regular intervals.
+ Non-disclosure agreements include the
- the
-
-
-
-
+ Non-disclosure agreements include provisions for the handling of sensitive information beyond the contractual relationship.
+ Options of demonstrating compliance with specifications
+ A process for monitoring the validity period of temporary non-disclosure agreements and initiating their extension in due time is defined and implemented.
6.1.3To what extent are the responsibilities between external IT service providers and the own organization defined?verschoben 1.2.4 → 6.1.3Minor
+ The security requirements relevant to the IT service are
+ The organization responsible for implementing the requirement is defined and aware of its responsibility.
+ Mechanisms for shared responsibilities are specified and implemented.
+ The responsible organization fulfils its respective responsibilities.
+ The responsible staff is adequately trained.
+ The applicability of the ISA controls has been
+ The service configuration is included in the regular security assessments. (C, I, A)
+ Proof is provided that the IT service providers fulfil their responsibility. (C, I, A)
+ Integration into local protective measures (such as secure authentication mechanisms) is established and documented. (C, I, A)
7.1.1To what extent is compliance with regulatory and contractual provisions ensured?Minor
+ Policies regarding compliance with the provisions are defined, implemented, and communicated to the responsible persons.
7.1.2To what extent is the protection of personal data considered when implementing information security?Minor
+ Regulations regarding the compliance with legal and contractual requirements for the protection of
+ Processes and procedures for the protection of personally identifiable
Prototypenschutz (Kap. 8)
8.1.1To what extent are regulations for prototype protection defined within the organization and responsibilities established?neuMajor
+ Periodic review and, if required, revision of the policy is established.
+ Responsibilities for prototype protection in the organization are defined, documented, and assigned.
+ The responsible employees are defined and qualified for their task.
+ The necessary resources are available.
+ The contact persons are known within the organization and relevant business partners.
8.1.2To what extent are order-specific requirements and specifications for handling prototypes regulated?neuMajor
- Security classification and associated security measures of the respective order,
- Specifications for camouflage, including specifications for changes to camouflage,
- Specifications and security concepts for the use of prototypes on test sites,
- Specifications for handling prototypes on public roads,
- Specifications and security concepts for events with prototypes,
- Specifications and security concepts for film/photo shoots with prototypes,
- Specifications for the transport of the prototypes (incl. logistics specifications),
- Requirements for the use of subcontractors,
- Specifications for handling prototype-relevant information on portable storage media.
8.1.3To what extent do employees and project members evidently participate in training and awareness measures regarding the handling of prototypes?verschoben 8.2.3 → 8.1.3Major
- neu (must): „+ Mandatory participation of all employees involved in the project in...“
- gestrichen (must): „+ Ensuring execution of trainings / awareness programs by the manageme...“
- gestrichen (must): „+ Ensuring knowledge among employees and project members regarding the...“
- gestrichen (must): „+ Mandatory participation of each employee and project member in the t...“
+ Training of employees and project members when joining the project regarding the handling of prototypes.
+
+ Mandatory participation of
+ The completed measures are to be documented.
+ The training concept for prototype protection is an integral part of the general training concept (see also control question 2.1.3 Information
8.1.4To what extent is the qualification of employees for working in prototype areas ensured?neuMajor
+ The requirements for employees with respect to their job profiles are determined and fulfilled.
+ The identity of potential employees is verified (e.g. checking identity documents).
8.1.5To what extent are non-disclosure agreements/obligations existent according to the valid contractual law?verschoben 8.2.1 → 8.1.5Major
- gestrichen (must): „+ A non-disclosure agreement:“
-
-
+ Country-specific legal provisions regarding data protection are to be observed.
8.1.6To what extent are requirements for commissioning subcontractors known and fulfilled?verschoben 8.2.2 → 8.1.6Major
- gestrichen (must): „- with all employees and project members of the subcontractor (persona...“
- gestrichen (must): „+ Proof of the subcontractor’s compliance with minimum requirements fo...“
+
-
-
+ Ensuring compliance with the security requirements of the actual customer (proof is obtained).
+ Proof of the subcontractor’s compliance with minimum requirements for prototype protection (e.g., certificate, attestation) is provided.
8.1.7To what extent is a process defined for granting access to security areas?verschoben 8.2.5 → 8.1.7Major
- neu (must): „+ There is a procedure in place for disabling lost/stolen access contr...“
+ A process for new assignments, changes and revocations of access rights is in place.
+ Code of conduct in case of the loss/theft of access control
+ There is a procedure in place for disabling lost/stolen access control mechanisms (i.e. disabling electronic badges, changing physical locks, etc.) as soon as possible.
8.1.8To what extent are regulations for visitor management (including registration and escorting of visitors) in place?verschoben 8.1.7 → 8.1.8Minor
+ Documented non-disclosure obligation prior to access.
+ Publication of security and visitor regulations.
+ Country-specific legal provisions regarding data protection are to be observed.
8.1.9To what extent is a regulation for carrying along and using mobile video and photography devices in(to) defined security areas established?verschoben 8.2.7 → 8.1.9Major
- neu (must): „+ Rules for carrying (e.g. with / without sealing, etc.) are in place.“
- neu (must): „+ Rules for use (e.g. making phone calls, taking photos, using QR code...“
- gestrichen (must): „+ Specification for carrying along (e.g., sealed/unsealed, etc.).“
- gestrichen (must): „+ Specification for use (e.g., phone calls, photography, etc.).“
+
8.1.10To what extent are regulations for image recording and handling of created image material existent?verschoben 8.2.6 → 8.1.10Major
- neu (must): „+ In areas where vehicles, components or parts classified as reqiring...“
- neu (must): „+ Release by the original client for image recordings of vehicles, com...“
- neu (must): „+ A clear documentation of the recordings carried out is available (in...“
- neu (must): „+ Determination by the original client for the classification of image...“
- gestrichen (must): „+ Specification for classification/categorization of image material.“
+ Release by the original client for image recordings of vehicles, components or parts classified as in need of protection.
+ Approval
+
+ Determination by the original client for
+ Secure storage of image material.
+ Secure deletion/disposal of image material no longer required.
+ Secured transmission/shipping of image material to authorized recipients only.
8.1.11To what extent are incident management requirements regulated?neuMajor
- Breach of secrecy,
- Burglary,
- Theft,
- Breakdowns,
- Accidents,
- Fire,
- Irregularities in transport,
- Dealing with authorities and law enforcement officers,
- Damage to camouflage.
+ Handling of incidents with prototypes is - where relevant - also regulated beyond the order period.
+ General and client-specific reporting obligations and reporting channels are known (internal and client).
8.1.12To what extent is it ensured that vehicles, components and parts classified as in need of protection are documented and tracked in a comprehensible manner over neuMajor
+ All vehicles, components and parts classified as in need of protection must be documented and changes must be traceable.
+ Documentation needs to be updated regularly.
8.1.13To what extent is it ensured that vehicles, components, parts and relevant tools classified as in need of protection that are no longer needed are disposed of/ neuMajor
- Specifications for disposal, recycling or return are obtained from the respective client,
- Instruction of affected employees about the requirements.
8.2.1To what extent is a security concept available describing minimum requirements regarding the physical and environmental security for prototype protection?verschoben 8.1.1 → 8.2.1Minor
8.2.2To what extent is perimeter security existent preventing unauthorized access to protected property objects?verschoben 8.1.2 → 8.2.2Major
- neu (must): „+ The sum of the measures must be suitable to prevent unauthorised acc...“
- neu (should): „+ Appropriate measures are in place such as structural measures (e.g....“
- gestrichen (should): „+ Suitable barriers are in place such as:“
- gestrichen (should): „- artificial barriers (fence systems, walls),“
- gestrichen (should): „- technical barriers (detection),“
- gestrichen (should): „- natural barriers (growth, vegetation).“
+ The sum of the measures must be suitable to prevent unauthorised access to the protected objects of the property.
-
-
8.2.3To what extent is the outer skin of the protected objects/ security areas constructed such as to prevent removal or opening of outer-skin components using standverschoben 8.1.3 → 8.2.3Major
- neu (must): „+ Easily accessible windows, doors, and other components are designed...“
- neu (should): „+ Solid construction (e.g. masonry, concrete, reinforced concrete, or...“
- neu (hoher Schutzbedarf): „DIN EN 1627 / RC2“
- gestrichen (should): „+ Solid construction (masonry, concrete, reinforced concrete, or prest...“
- gestrichen (should): „+ Windows and doors in the outer skin are to be built in compliance wi...“
+ Easily accessible windows, doors, and other components are designed to prevent break-ins using simple tools such as screwdrivers and pliers for a minimum period of three minutes.
+
8.2.4To what extent is view and sight protection ensured in defined security areas?verschoben 8.1.4 → 8.2.4Major
- gestrichen (hoher Schutzbedarf): „+ The spatial situation is also suitable for protecting vehicles class...“
+ View into defined security areas through open doors/gates/windows is prevented.
8.2.4To what extent are security classifications of the project and the resulting security measures known?gestrichenMajor
+ Consideration of step-by-step plans, measures for secrecy and camouflage, development policies.
+ The requirements are considered as a requirement regarding the information security of the project (see Controls 1.2.3 and 7.1.1 Information Security).
8.2.5To what extent is the protection against unauthorized entry regulated in the form of access control?verschoben 8.1.5 → 8.2.5Major
- neu (must): „+ At least one of the following three requirements must be met: Mechan...“
- neu (hoher Schutzbedarf): „DIN 18251 (locks) or DIN EN 12209“
- gestrichen (must): „+ At least one of the following three requirements must be implemented...“
- gestrichen (must): „- mechanical locks with documented key assignment,“
- gestrichen (must): „- electronic access systems with documented authorization assignment,“
- gestrichen (must): „- personal access control including documentation.“
- gestrichen (hoher Schutzbedarf): „+ The spatial situation is also suitable for protecting vehicles class...“
-
-
-
8.2.6To what extent are the premises to be secured monitored for intrusion?verschoben 8.1.6 → 8.2.6Major
- neu (hoher Schutzbedarf): „DIN 77200, VdS 3138“
- gestrichen (must): „+ Intrusion monitoring of the premises to be secured is ensured:“
- gestrichen (must): „- or 24/7 guarding by a certified security service.“
-
-
+ Alarm plans are available.
+ Timely alarm processing is ensured.
8.2.7To what extent is on-site client segregation existent?verschoben 8.1.8 → 8.2.7Major
- neu (must): „+ There is a spatial separation through personnel, organizational or t...“
- gestrichen (must): „+ Spatial separation by staff-related or technical measures is in effe...“
- gestrichen (hoher Schutzbedarf): „+ The spatial situation is also suitable for implementing client segre...“
-
-
-
8.3.1To what extent are transports of vehicles, components or parts classified as requiring protection arranged according to the customer requirements?gestrichenMajor
+ The security requirements defined by the customer are known and observed.
+ The logistics/transport companies explicitly approved by the customer are commissioned.
+ A process for reporting any security-relevant events to the customer is described and implemented.
8.3.2To what extent is it ensured that vehicles, components, and parts classified as requiring protection are parked/stored in accordance with customer requirements?gestrichenMajor
8.4.1To what extent are the predefined camouflage regulations implemented by the project members?gestrichenMajor
+ Any changes to the camouflage are made upon documented agreement with the customer.
+ A process for the immediate reporting of any damages to the camouflage is described and implemented.
8.4.2To what extent are measures for protecting approved test and trial grounds observed/implemented?gestrichenMajor
+ The following aspects must be known to users of test and trial grounds:
- a current list of customer-approved test and trial grounds
- code of conduct for ensuring undisturbed trial operation
- customer-defined protective measures These are implemented.
8.4.3To what extent are protective measures for approved test and trial drives in public observed/implemented?gestrichenMajor
+ Protective measures defined by the customer are known and observed.
+ The code of conduct in case of special incidents (e.g., breakdown, accident, theft...) is known and observed.
8.5.1To what extent are security requirements for presentations and events involving vehicles, components or parts classified as requiring protection known?gestrichenMajor
+ Established and customer-approved security concepts (organizationally, technically,
staff-related).
+ Code of conduct in case of special incidents.
8.5.2To what extent are the protective measures for film and photo shootings involving vehicles, components or parts classified as requiring protection known?gestrichenMajor
+ Proof of approval for the presumably used premises.
+ Established and customer-approved security concepts (organizationally, technically,
staff-related).
+ Code of conduct in case of special incidents.
Datenschutz (Kap. 9)
9.1.1To what extent do data protection policies exist?None
9.2.1To what extent are the responsibilities for data protection organized?None
- Determination of whether the appointment of a data protection officer is voluntary or mandatory
- otherwise determination of a data protection function or comparable
+ Publication of contact details (e.g. on the Internet)
+ Integration into the organization's structure
+ Exercise of the control obligations as defined in Art. 39 (1) (b) GDPR and corresponding documentation
+ Documentation of the data protection status and report to organization's top management
+ Equipped with sufficient capacities and resources
- Determination of whether the data protection function is full-time or part-time
- adequate professional qualification
- regular professional training
- access to specialist literature
- support of the data protection officer by data protection coordinators in the companies organizational units, depending on the company size (e.g. marketing, sales, personnel, logistics, development, etc.)
9.3.1To what extent are processing activities identified and recorded?None
- Technical and organizational measures required for processing as required by the information security questionnaire are adequatly implemented for the processing activities
- There is a process description / sequence description with defined responsibilities.
9.4.1To what extent is adequate handling of high-risk processing activities ensured (data protection impact assessment)?None
+ Data protection impact assessments are carried out.
- Responsibilities/tasks and support possibilities in the context of data protection impact assessments are defined and known.
9.5.1To what extent is the transfer of data managed?None
- Ensuring the consent or the right of objection of the person responsible for subcontracting
9.5.2To what extent are contractual obligations passed through to and enforced at subcontractors and cooperation partners?None
+ Compliance with contractual agreements is reviewed.
- Contact details of the contact persons of the subcontractor are available and up to date.
9.5.3To what extent are data transfers to third countries managed?None
- e.g. through corresponding documentation in the processing directory
+ Sufficient guarantees (Chapter V GDPR, consideration of decisions of the ECJ on international data transfer, Transfer Impact Assessment in case of relevance, especially in the role of data exporter) are available for data transfers.
+ In the case of data transfers to third countries, it is determined whether the consent of the person responsible is to be obtained for each transfer to third countries.
9.6.1To what extent are data subject requests processed?None
- Procedures are in place to assist the controller in responding to data subject requests.
- Employees are trained to the effect that they must immediately contact the respective person responsible in the event of an incoming request from a data subject and coordinate the further procedure with this person.
9.6.2To what extent are data protection incidents processed?None
+ The requirements from 1.6 of the information security questionnaire also take into account data protection incidents or, alternatively, there is an emergency plan for dealing with data protection incidents.
+ In addition, procedures are established and documented to ensure the following aspects:
- immediate notification to the respective responsible person, as far as his order is affected
- Documentation of the incident handling activities
- Training of employees on the defined measures/processes
- Support of the respective controller in the processing of data protection incidents
9.7.1To what extent are employees obliged to maintain confidentiality?None
- The obligation is documented
9.7.2To what extent are employees trained in data protection?None
- Scope, frequency, and content of the training is determined according to the protection needs of the data
- Employees in critical areas (e.g. IT administrators) are instructed and trained specifically for their work (e.g. specific training courses or instructions, short videos, etc.).
9.8.1To what extent are instructions of processing relationships handled?None
+ Procedures and measures are in place to ensure that:
- Received instructions are documented
- Instructions can be implemented (e.g. procedures for correcting, deleting, ...)
- Data is separated by client and specific order or project
Das Wichtigste in Kürze
- Namenskonvention: Versionen heißen jetzt nach Jahr (2027 statt 7.0); Stand des Katalogs: 01.07.2026.
- Informationssicherheit: 46 Controls wie bisher, aber 44 davon wurden angefasst.
- Prototypenschutz komplett neu strukturiert: aus 5 Abschnitten werden 2, aus 22 Controls werden 20.
- Datenschutz: alle 12 Controls unverändert.
- Neues Mapping auf NIST CSF 2.0 und ISO/IEC 27001:2022; einzelne Soll-Anforderungen sind jetzt Pflicht.
- Den verbindlichen Umstellungstermin legt ENX® fest; er ist im Katalog nicht enthalten.
Wie dieser Vergleich entsteht
Wir vergleichen die offiziellen englischen Katalog-Fassungen (ISA 6.0.3 und ISA 2027 vom 01.07.2026) automatisiert Zeile für Zeile über die Anforderungsfelder aller Controls. Major = mindestens eine Anforderung neu, gestrichen, zwischen must/should/Schutzbedarf verschoben oder ein komplett neues Control. Minor = nur Umformulierung. None = unverändert. Die Begründung steht an jedem Control; ein Kapitel erbt die höchste Stufe seiner Controls. Maßgeblich sind ausschließlich die Originalkataloge.
Quellen, Lizenz und Kennzeichnung
Grundlage dieses Vergleichs sind die offiziellen englischen Katalog-Fassungen ISA 6.0.3 (ENX®-Portal) und ISA 2027 (vda.de), © ENX Association, veröffentlicht durch den VDA®, lizenziert unter CC BY-ND 4.0 mit den zusätzlichen Bedingungen in Section 9 der im Katalog enthaltenen Lizenz. Diese Gegenüberstellung ist eine modifizierte Fassung und wurde vom Lizenzgeber weder geprüft noch freigegeben. Vorgenommene Änderungen: Auszug der Anforderungsspalten, zeilenweise Gegenüberstellung beider Versionen, Markierung von Änderungen und eine eigene Einstufung (erheblich/major/minor). Logos und Bildmarken des Lizenzgebers sind nicht enthalten; die Weitergabe erfolgt zu denselben Lizenzbedingungen. Ohne Gewähr - maßgeblich sind ausschließlich die Originalkataloge. Nicht abgebildet: Reifegrad-, Definitions- und Ergebnis-Tabs sowie Hilfsspalten (Beispiele, Auditorfragen, Referenzen). Valiido ist unabhängig und steht in keiner Verbindung zu ENX® oder VDA®; die Marken gehören ihren jeweiligen Eigentümern.
Die Analyse dazu lesen: Was sich im VDA® ISA 2027 für TISAX® ändert
Starten Sie heute mit TISAX® in Valiido
Valiido ist die ISMS-Software für TISAX®. Alle Controls eingebaut, AuditMagic prüft sofort. 98,7 % bestehen im ersten Anlauf.
- Guide für TISAX®
- AuditMagic, sofort + Wochenbericht
- 200+ fertige Datensätze, sofort einsetzbar
- Berater-Unterstützung