2027 Changes for TISAX®

The VDA® has announced the successor of ISA 6 (official announcement by the VDA®) - it is now named ISA 2027, the questionnaire behind every TISAX® assessment. Every change is here: marked, classified, searchable.

44 of 46 controls in information security were edited - 25 with requirement changes.

Prototype protection is fully restructured, data protection stays unchanged. For what this means for your assessment, read the analysis.

Get notified when ISA 2027 takes effect

All 2027 Changes for TISAX® 80 → 78 controls51 Major21 Minor14 None

Information Security (Ch. 1-7)

Chapter 1IS Policies and Organization13 changesMajor
1.1.1To what extent are information security policies available?Major
Rating (Major):
  • moved should → must: “+ The policies are made available to employees in a suitable form (e.g...”
  • moved should → must: “+ Employees and external business partners are informed of any changes...”
  • removed (must): “- The requirements are adapted to the organization’s goals,”
Control question
To what extent are information security policies available?
Objective
The organization needs at least one information security policy. ThisA good policy reflects the importance and significance of information security and is adapted to meet the needs of the organization. Additional policies may be appropriate depending on the size and structure of the organization.
Requirements (must)
+ The requirements for information security have been determineddetermined, documented and documented:
- The requirements are
adapted to the organization’s goals,goals.
-+ A policy is preparedexists, and is releasedapproved by the organization.organization’s management.
+ The policy includes objectives and the significance of information security within the organization.
+ The policies are made available to employees in a suitable form (e.g., intranet).
+ Employees and external business partners are informed of any changes relevant to them.
Requirements (should)
+ The information security requirements are based on the strategy of the organization,organization. legislationLegislation and contracts are considered in the policy.
+ The policy indicates consequences in case of non-conformance.
+ Other relevant security policies are established.
+ Periodic review and, if required, revision of the policies are established.
+ The policies are made available to employees in a suitable form (e.g. intranet).
+ Employees and external business partners are informed of any changes relevant to them.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
+ Policies are published and implemented in the entire assessment scope.
1.2.1To what extent is information security managed within the organization?Minor
Control question
To what extent is information security managed within the organization?
Objective
OnlyOrganizations ifcreate sustainable information security isby including it as a part of thetheir strategic goals of an organization, information security can be implemented in an organization in a sustainable manner.goals. The information security management system (ISMS) is a control mechanism used by the organization’s management to ensure that information security is the result of sustainable management rather than that of mere coincidence and individual effort.
Requirements (must)
+ The scope of the ISMS (the organization managed by the ISMS) is defined.
+ The organization's requirements for the ISMS are determined.
+ The organizational management has commissioned and approved the ISMS.
+ The ISMS provides the organizationalorganization’s management with suitable monitoring and control means (e.g.(e.g., management review).
+ Applicable controls have been determined (e.g.(e.g., ISO 27001 Statement of Applicability, or completed ISA catalogue).
+ The effectiveness of the ISMS is regularly reviewed by the management.
Requirements (should)
None
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
+ The management system is approved by an entity that has the necessary authority for the entire assessment scope (i.e., all locations within the scope).
1.2.2To what extent are information security responsibilities organized?Major
Rating (Major):
  • new (should): “+ Security-relevant roles that are not part of the ISMS and are releva...”
  • removed (should): “- Other relevant security roles are considered.”
Control question
To what extent are information security responsibilities organized?
Objective
A successful ISMS requires clear responsibilities within the organization.
Requirements (must)
+ Responsibilities for information security within the organization are defined, documented, and assigned.
+ The responsible employees are defineddefined, qualified, and qualifiedempowered for their task.
+ The required resources are available.
+ The contact persons are known within the organization and to relevant business partners.
Requirements (should)
+ There is a definition and documentation of an adequate information security structure within the organization.
-+ OtherSecurity-relevant roles that are not part of the ISMS and are relevant for information security roles are considered.considered
Additional: high protection needs
+ An appropriate organizational separation of responsibilities should be established in order to avoid conflict of interests (separation(segregation of duties). (C, I, A)
Additional: very high protection needs
None
Additional: SGA
+ A named person with overall responsibility for the management system exists and is available.
1.3.1To what extent are information assets identified and recorded?Major
Rating (Major):
  • moved must → should: “- A person responsible for these information assets is assigned,”
  • removed (must): “- A person responsible for these supporting assets is assigned.”
Control question
To what extent are information assets identified and recorded?
Objective
It is important for each organization to knowunderstand thewhat information constitutingis itscritical essentialto assetstheir (e.g.business’ function (e.g., business secrets, critical business processes, know-how, patents).
They
This areinformation is referred to as “information assets.”

To protect this
information assets.sustainably, Ana proper inventory ensuresof thatboth the organization obtains an overview of its information assets.assets Moreover, it is important to knowand the supporting assets (e.g.(e.g., IT systems, services/IT services, employees) processingis these information assets.essential.
Requirements (must)
+ Information assets and other assets where security is relevant to the organization are identified and recorded.
- A person responsible for these information assets is assigned.
+ The supporting assets processing the information assets are identified and recorded:
- A person responsible for these supporting assets is assigned.
recorded.
Requirements (should)
+ A catalogue of the relevant information assets exists:exists. The following aspects are considered:
- The corresponding supporting assets are assigned to each relevant information asset,
- A person responsible for these information assets is assigned,
-
The catalogue is subject to regular review.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
1.3.2To what extent are information assets classified and managed in terms of their protection needs?Minor
Control question
To what extent are information assets classified and managed in terms of their protection needs?
Objective
The objective of classifying information assets is the consistent determination of their protection needs. ForOnce thisan purpose,organization determines the value theof an information hasasset, forand its protection needs, the organizationasset iscan determined based on the protection goals of information security (confidentiality, integrity, and availability) andbe classified according to aits classificationconfidentiality, scheme.integrity, and availability. This enables the organization to implement adequate protective measures.
Requirements (must)
+ A consistent scheme for the classification of information assets regarding the protection goal of confidentiality is available.
+ Evaluation of the identified information assets is carried out according to the defined criteriacriteria, and assigned to the existing classification scheme.
+ Specifications for the handling of supporting assets (e.g.(e.g., identification, correct handling,usage, transport, storage, return, deletion/disposal) depending on the classification of information assets are in place and implemented.
Requirements (should)
+ The protection goals of integrity and availability are taken into consideration.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
1.3.3To what extent is it ensured that only evaluated and approved external IT services are used for processing the organization’s information assets?Minor
Control question
To what extent is it ensured that only evaluated and approved external IT services are used for processing the organization’s information assets?
Objective
Particularly in the case ofObtaining external IT services that can be used at relatively low cost or free of charge, there is an increased risk that procurement and commissioning will be carried out without appropriateproper consideration of the information security requirementsplaces andan organization at risk of cyber incidents. This is particularly common with IT services available online at little to no cost, as users may be able to obtain these services without following proper approval processes that securityconsider thereforeinformation is not ensured.security.
Requirements (must)
+ External IT services are not used without explicit assessment and implementation of the information security requirements:requirements. The following aspects are considered:
- AAvailability of a risk assessment of the external IT services is available,services,
- Legal, regulatory, and contractual requirements are considered.requirements.
+ The external IT services have been harmonized with the protection need of the processed information assets.
Requirements (should)
+ Requirements regarding the procurement, commissioning and release associated with the use of external IT services are determined and fulfilled.
+ A procedure for release in consideration of the protection need is established.
+ External IT services and their approval are documented.
+ It is verified at regular intervals that only approved external IT services are used.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
1.3.4To what extent is it ensured that only evaluated and approved software is used for processing the organization’s information assets?Minor
Control question
To what extent is it ensured that only evaluated and approved software is used for processing the organization’s information assets?
Objective
Information processing is mostly done using of specific software. Security issues in software willplace easilyan becomeorganization’s ainformation riskat risk. Therefore, organizations should oversee and appropriately manage the software their work force uses for the information processed. Accordingly, software must be appropriately managed.processing.
Requirements (must)
+ Software is approved before installation or use. The following aspects are considered:
- Limited approval for specific use-cases or rolesroles,
- Conformance to the information security requirementsrequirements,
- Software use rights and licensing licensing,
- Source / reputationSource/reputation of the softwaresoftware.
+ Software approval also applies to special purpose software such as maintenance toolstools.
Requirements (should)
+ The types of software such as firmware, operating systems, applications, libraries, device drivers to be managed are determined.
+ Repositories of managed software exist
+ The software repositories are protected against unauthorized manipulation
+ Approval of software is regularly reviewed
+ Software versions and patch levels are known
Additional: high protection needs
None
Additional: very high protection needs
+ Additional requirements for software use (e.g., need for control or monitoring of usage) are determined (if any) (C, I, A)
Additional: SGA
None
1.4.1To what extent are information security risks managed?Major
Rating (Major):
  • removed (should): “- A plan of measures or an overview of their state of implementation i...”
Control question
To what extent are information security risks managed?
Objective
Information security risk management aims at the timely detection, assessment and addressing of risks in order to achieve the protection goals of information security. It thus enables the organization to establish adequate measures for protecting its information assets under consideration of the associated prospects and risks. It is recommended to keep the information security risk management of an organization as simple as possible such as to enable its effective and efficient operation.
Requirements (must)
+ Risk assessments are carried out both at regular intervals and in response to events.
+ Information security risks are appropriately assessed (e.g.(e.g., for probability of occurrence and potential damage).
+ Information security risks are documented.
+ A responsible person (risk owner) is assigned to each information security risk. This person is responsible for the assessment and handling of the information security risks.
Requirements (should)
+ A procedure is in place defining how to identify, assess and address security risks within the organization.
+ Criteria for the assessment and handling of security risks exist.
+ Measures for handling security risks and the persons responsible for these are specified and documented:
-
documented, Aa plan of measures or an overview of their state of implementation is followed.
+ In case of changes to the environment (e.g.(e.g., organizational structure, location, changes to regulations), reassessment is carried out in a timely manner.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
1.5.1To what extent is compliance with information security ensured in procedures and processes?Minor
Control question
To what extent is compliance with information security ensured in procedures and processes?
Objective
It is not sufficient to only define information security requirements and to prepare and publish policies. It is important to regularly review their effectiveness.
Requirements (must)
+ Observation of policies is verified throughout the organization.
+ Information security policies and procedures are reviewed at regular intervals.
+ Measures for correcting potential non-conformities (deviations) are initiated and pursued.
+ Compliance with information security requirements (e.g.(e.g., technical specifications) is verified at regular intervals.
+ The results of the conducted reviews are recorded and retained.
Requirements (should)
+ A plan for content and framework conditions (time schedule, scope, controls) of the reviews to be conducted is provided.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
+ Internal controls are implemented for all entities within the assessment scope.
-+ The implementation of all applicable security requirements and control objectives are included.
+ Suitably qualified and appropriate information security audit responsibilities and resources are defined.
+ A detailed internal audit plan and schedule is defined and followed. The following aspects are considered:
- The entire assessment scope is covered
- Internal audits are conducted regularly
- Results of internal audits are tracked within the ISMS structures
1.5.2To what extent is the ISMS reviewed by an independent authority?Minor
Control question
To what extent is the ISMS reviewed by an independent authority?
Objective
As an essential control mechanism, assessingAssessing the effectiveness of the ISMS from merely an internal point of view is insufficient. Additionally,It is important that an independent and therefore objective assessment shall beis obtained at regular intervals and in case ofafter fundamental changes.
Requirements (must)
+ Information security reviews are carried out by an independent and competent body at regular intervals and in case ofafter fundamental changes.
+ Measures for correcting potential deviations are initiated and pursued.
Requirements (should)
+ The results of conducted reviews are documented and reported to the management of the organization.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
+ In case of fundamental changes, audits are conducted by an independent and appropriately qualified entity (i.e., external entities or special internal departments which are objective, competent and free from undue influence (independent)
-+ Findings and implementation of corrective actions is tracked by the independent entity.
1.6.1To what extent are information security relevant events or observations reported?Major
Rating (Major):
  • new (should): “- Availability and communication of a security event report channel fo...”
  • removed (should): “- An externally accessible way to report security events exists and is...”
Control question
To what extent are information security relevant events or observations reported?
Objective
Potential security events or observations are detected by anyone. It is vital that anyone can and knows when and how to report anything that one has observed and that has potential security implications (observations) or events so that the experts can decide if and how it needs to be handled.
Requirements (must)
+ A definition for a reportable security event or observation exists and is known by employees and relevant stakeholders. The following aspects are considered:
- Events and observations related to personnel (e.g., misconduct / misbehaviour)
- Events and observations related to physical security (e.g., intrusion, theft, unauthorized access to security zones, vulnerabilities in the security zones)
- Events and observations related to IT and cyber security (e.g., vulnerable IT-systems, detected successful or unsuccessful attacks)
- Events and observations related to suppliers and other business partners (e.g., any incidents that can have negative effect on the security of own organization)
+ Adequate mechanisms based on perceived risks to report security events are defined, implemented, and known to all relevant potential reporters
+ Adequate channels for communication with event reporters exist.
Requirements (should)
+ A common point of contact for event reporting exists.
+ Different reporting channels according to perceived severity exist (i.e., real time communication for significant events / emergencies in addition to asynchronous mechanisms such as tickets or email)email). are available.available
+ Employees are obligedobligated and trained to report relevant events.
+ Security event reports fromcan also be submitted by external partiesparties. The following aspects are considered.considered:
- AnAvailability externallyand accessiblecommunication wayof toa security event report securitychannel eventsfor existsexternal and is communicated,parties,
- Timely Reactionprocessing toof security event reports from external parties are definedparties.
+ Mechanism to -to, and information how to -to, report incidents is accessible by all relevant reporters.
+ A feedback procedure to reporters is established.
Additional: high protection needs
None
Additional: very high protection needs
+ Tests and exercises of event and observation reporting are conducted regularly. (C, I, A)
Additional: SGA
None
1.6.2To what extent are reported security events managed?Major
Rating (Major):
  • new (should): “+ A strategy for reporting potentially criminal aspects of security in...”
  • removed (should): “+ A strategy for filing official reports and searching prosecution of...”
Control question
To what extent are reported security events managed?
Objective
Once security events are reported, it is vital that the handling of the events is managed. This means to ensure that the type and criticality of the reported event as well as the persons responsible are quickly identified to ensure that time-critical aspects can be handled in time. Once identification is done, ensuring that the responsible persons become aware and deal with the event within a reasonable time frame is necessary. Furthermore, if the event affects multiple different persons, or management also include coordinating communication is a important part of event management. Finally, if there are external (contractual or regulatory) reporting requirements, its important to ensure that these are also fulfilled in a professional way.
Requirements (must)
+ Reported events are processed without undue delay.
+ An adequate reaction to reported security events is ensured.
+ Lessons learned are incorporated into continuous improvement.
Requirements (should)
+ During processing, reported events are categorized (e.g. by responsibility into personnel, physical and cyber), qualified (e.g.(e.g., not security relevant, observation, suggested security improvement, security vulnerability, security incident) and prioritized (e.g.(e.g., low, moderate, severe, critical).
+ Responsibilities for handling of events based on their category are defined and assigned. The following aspects are considered:
- Coordination of incidents and vulnerabilities across multiple categoriescategories,
- Qualification and resourcesresources,
- ContactCommunication mechanismsmethods based on type and priority (e.g., non-time-critical communication, time-critical communication, emergency communication)communication),
- Absence-managementAbsence-management.
+ A strategy for filing official reports and searching prosecution ofreporting potentially criminally relevantcriminal aspects of security incidents exists.to relevant authorities when necessary or appropriate. (C, I, A)A).
Additional: high protection needs
+ Maximum response times based on class, category and severity are defined. (C, I, A)
+ EventEvents not processed appropriately according to their priority are escalated. The following aspects are considered: (C, I, A)
- Conditions and thresholds such as(e.g., maximum reaction timestime before escalation are definedescalation),
- Mechanisms, processes, and contacts for escalation are definedescalation,
- Escalation paths up to the organization’s top management is definedmanagement.
+ Lawful, regulatory, and contractual reporting obligationsobligations, and respective contact information are known. (C, I, A)
+ A communication strategy for security related events exist.exists. The following aspects are considered: (C, I, A)
- To whom to communicate (e.g., shareholders, affected business partners and customers, other shareholders, general public)public),
- When to communicatecommunicate,
- Responsibilities for communicationcommunication,
- Authorization and approval of communicationcommunication,
- Legal and regulatory restrictions of communicationcommunication,
- What to communicate (e.g.(e.g., prepared templates and building blocks for specific scenarios)scenarios),
- How to communicate (e.g., communication channels)channels).
+ Procedures for response to supplier security incidents are established. The following aspects are considered: (C, I, A)
- Analysis of the impact on the own organization and invocation of appropriate internal mechanismsmechanisms.
- The need for reporting according to own reporting procedures
Additional: very high protection needs
+ Handling of events in different categories and priorities is regularly tested. The following aspects are considered: (A)
- Exercise or simulation of rarely occurring categories and prioritiespriorities,
- Exercise or simulation include escalation mechanismsmechanisms.
Additional: SGA
+ Standard mechanisms to report and track relevant security events are established.
1.6.3To what extent is the organization prepared to handle crisis situations?Major
Rating (Major):
  • new (high protection needs): “+ A communication strategy for crisis situations exists. The following...”
  • new (high protection needs): “+ Relevant different potential crisis scenarios are identified. The fo...”
  • new (high protection needs): “- Crisis situations with unavailability of key personnel (e.g. Health...”
  • new (high protection needs): “- Crisis situations with unavailable of key physical resources (e.g. f...”
  • new (high protection needs): “- Crisis situations with outage oaf key infrastructure (e.g. outage of...”
  • new (high protection needs): “+ Necessary resources and information to handle crisis (e.g. communica...”
  • new (high protection needs): “+ A communication strategy for crisis situations exists. The following...”
  • new (high protection needs): “- To whom to communicate (e.g., shareholders, affected business partne...”
  • new (high protection needs): “- When to communicate”
  • new (high protection needs): “- Responsibilities for communication”
  • new (high protection needs): “- Authorization and approval of communication”
  • new (high protection needs): “- Legal and regulatory restrictions of communication (e.g., stock corp...”
  • new (high protection needs): “- What to communicate (e.g., prepared templates for statements, contac...”
  • new (high protection needs): “- Communication channels (e.g., Media channels, social media)”
  • new (high protection needs): “- Instruments to monitor communication”
  • new (high protection needs): “- Instructions and procedures for employees (in case of direct communi...”
  • new (high protection needs): “+ The efficiency, feasibility, and appropriateness of the crisis plann...”
  • new (high protection needs): “+ Spot based testing of crisis planning is conducted ((e.g., simulatio...”
  • removed (must): “- The required resources are available.”
  • removed (should): “+ Methods to detect crisis situations are established.”
Control question
To what extent is the organization prepared to handle crisis situations?
Objective
A crisis situation occurs Ifif exceptional situations (e.g.(e.g., natural disasters, physical attacks, pandemics, exceptional social situations, cyber-attacks causing major infrastructure failures) are severely disrupting key business operations. In such cases, the main priority of the organization is to handle the situation as gracefullyeffectively as possible and recover as quickly as possible. To achieve that and since time is of the essence, switching to a crisis management mode executing pre-planned procedures having specific distribution of responsibilities and structures enables an organization to deal with such a situation is the usual approach.
Requirements (must)
+ An appropriate planningplan to react to and recover from crisis situations exists.
-
exists Theand the required resources are available.
+ Responsibilities and authority for crisis management within the organization are defined, documented, and assigned.
+ The responsible employees are defined and qualified for their task.
Requirements (should)
+ Methods to detect crisis situations are established.
-
General indications for the existence or imminence of a crisis situation and specific predictable crisis are identifiedidentified.
+ A procedure to invoke and/or escalate crisis management is in place.
+ Strategic goals and their priority in crisis situations are defined and known to relevant personnel. The following aspects are considered:
- Ethical priorities (e.g., protection of life and health)health),
- Core business processes (e.g., processes that ensure the survival of the organization)organization),
- Appropriate information securitysecurity.
+ A crisis management team is defined and approved. The following aspects are considered:
- Management commitmentcommitment,
- Composition (e.g., participation of all major functions of the organization including organization leadership (management board), business operations (production), HR, information security, corporate security, corporate emergency services, IT/cyber security, communication, finance) finance),
- Structure and rolesroles,
- Competences of membersmembers,
- Expectation and authorityauthority,
- Decision making proceduresprocedures.
+ Crisis policies and procedures are defined and approved. The following aspects are considered:
- Exceptional authorities and decision-making processes can be assigned beyond the crisis management teamteam,
- Primary and backup means of communicationcommunication,
- Emergency operating proceduresprocedures,
- ExceptionalCrisis-specific organizational structures (e.g., reporting, information gathering, decision making)making),
- ExceptionalCrisis-specific functions, responsibilities, and authority (including reporting)reporting),
- ExceptionalCrisis tools tools.
+ Crisis planning is reviewed and updated regularly.
Additional: high protection needs
+ Relevant different potential crisis scenarios are identified.
The following aspects are considered:
- Crisis situations with unavailability of key personnel (e.g. Health crisis, Kidnapping / accidents affecting organization leadership),
- Crisis situations with unavailable of key physical resources (e.g. fire or natural disasters at specific sites),
- Crisis situations with outage of key infrastructure (e.g., outage of key communication channels, complete outage of IT infrastructure).
+ Necessary resources and information to handle crisis (e.g., communication infrastructure, availability of necessary information such as contact information and relevant risks in different crisis situations) are identified. Appropriate measures to ensure availability of infrastructure or fallback planning and information considering different crisis scenarios are in place. (A)
+ A communication strategy for crisis situations exists. The following aspects are considered: (A)
- To whom to communicate (e.g., shareholders, affected business partners and customers, other shareholders, general public),
- When to communicate,
- Responsibilities for communication,
- Authorization and approval of communication,
- Legal and regulatory restrictions of communication (e.g., stock corporation regulations),
- What to communicate (e.g., prepared templates for statements, contact information and building blocks for specific scenarios),
- Communication channels (e.g., Media channels, social media),
- Methods to monitor communication,
- Instructions and procedures for employees (in case of direct communication approaches such as direct contact of employees by business partners).
+ The efficiency, feasibility, and appropriateness of the crisis planning is evaluated regularly. (A)
+ Spot based testing of crisis planning is conducted ((e.g., simulation, table-top-exercises involving key personnel)(A)
+ Relevant different potential crisis scenarios are identified. The following aspects are considered: (A)
- Crisis situations with unavailability of key personnel (e.g. Health crisis, Kidnapping / accidents affecting organization leadership):
- Crisis situations with unavailable of key physical resources (e.g. fire or natural disasters at specific sites)
- Crisis situations with outage ofoaf key infrastructure (e.g. outage of key communication channels, complete outage of IT infrastructure)
+ Necessary resources and information to handle crisis (e.g. communication infrastructure, availability of necessary information such as contact information and relevant risks in different crisis situations) are identified. (A)
- Appropriate measures to ensure availability of infrastructure or fallback planning and information considering different crisis scenarios are in place
+ A communication strategy for crisis situations exist.exists. The following aspects are considered: (A)
- To whom to communicate (e.g., shareholders, affected business partners and customers, other shareholders, general public)
- When to communicate
- Responsibilities for communication
- Authorization and approval of communication
- Legal and regulatory restrictions of communication (e.g., stock corporation regulations)
- What to communicate (e.g.(e.g., prepared templates for statements, contact information and building blocks for specific scenarios)
- Communication channels (e.g., Media channels, social media)
- Instruments to monitor communication
- InstructionInstructions and procedures for employees (in case of direct communication approaches such as direct contact of employees by business partners)
+ The efficiency, feasibility, and appropriateness of the crisis planning is evaluated regularly. (A)
+ Spot based testing of crisis planning is conducted ((e.g., simulation, table-top-exercises involving key personnel)personnel). (A)
Additional: very high protection needs
+ Crisis exercises and simulations involving all relevant persons, including decision makers are conducted regularly. (A)
Additional: SGA
None
1.2.3To what extent are information security requirements considered in projects?None
Control question
To what extent are information security requirements considered in projects?
Objective
For project implementation, it is important to consider the information security requirements. This applies to projects within the organization regardless of their type. By appropriately establishing the information security process in the project management procedures of the organization, any overlooking of requirements is prevented.
Requirements (must)
+ Projects are classified while taking into account the information security requirements.
Requirements (should)
+ The procedure and criteria for the classification of projects are documented.
+ During an early stage of the project, risk assessment is conducted based on the defined procedure and repeated in case of changes to the project.
+ For identified information security risks, measures are derived and considered in the project.
Additional: high protection needs
+ The measures thus derived are reviewed regularly during the project and reassessed in case of changes to the assessment criteria. (C, I, A)
Additional: very high protection needs
None
Additional: SGA
None
Chapter 2Human Resources4 changesMajor
2.1.1To what extent is the qualification of employees for sensitive work fields ensured?Minor
Control question
To what extent is the qualification of employees for sensitive work fields ensured?
Objective
Competent, reliable and trustworthy employees are aessential key tofor information security within the organizationorganization. Therefore, it is important to check the qualifications of potential employees (e.g.(e.g., applicants) to an appropriate extent.
Requirements (must)
+ Sensitive work fields and jobs are determined.
+ The requirements for employees with respect to their job profiles are determined and fulfilled.
+ The identity of potential employees is verified (e.g.(e.g., checking identity documents).
Requirements (should)
+ The personal suitability of potential employees is verified by means of simple methods (e.g.(e.g., job interview).
+ An extended suitability verification depending on the respective work field and job is conducted.conducted (e.g.(e.g., assessment centre, psychological analysis, checking of references, certificates and diploma, checking of certificates of conduct, checking of professional and private background).
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
2.1.2To what extent is all staff contractually bound to comply with information security policies?Minor
Control question
To what extent is all staff contractually bound to comply with information security policies?
Objective
Organizations are subject to legislation, regulations and internal policies. Already when hiring staff, it must be ensured that employees commit to compliance with the policies and are aware of the consequences of misconduct.
Requirements (must)
+ A non-disclosure obligation is in effect.
+ An obligation to comply with the information security policies is in effect.
Requirements (should)
+ A non-disclosure obligation beyond the employment contract or order is in effect.
+ Information security aspects are considered in the employment contracts of the staff.
+ A procedure for handling violations of said obligations is described.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
2.1.3To what extent is staff made aware of and trained with respect to the risks arising from the handling of information?Minor
Control question
To what extent is staff made aware of and trained with respect to the risks arising from the handling of information?
Objective
If the requirements and risks of information security are not known to the employees, there is a risk of misconduct resulting in damage to the organization. Therefore, it is important that information security is internalized and practiced as a natural part of their work.
Requirements (must)
+ Employees are trained and made aware.
Requirements (should)
+ A concept for awareness and training of employees is prepared. As a minimum, theThe following aspects are considered:
- Information security policy,
- ReportsReporting of information security events,
- Reaction to occurrence of malware,
- Policies regarding user accounts and login information (e.g.(e.g., password policy),
- Compliance issues of information security,
- Requirements and procedures regarding the use of non-disclosure agreements when sharing information requiring protection,
- Use of external IT services.
+ Target groups for training and awareness measures (i.e., people working in specific risk environments such as managers including organizational leaders, administrators, employees having access to customer networks, personnel in areas of manufacturing) are identified and considered in a training concept.
+ The concept has been approved by the responsible management.
+ Training and awareness measures are carried out both at regular intervals and in response to events.
+ Participation in training and awareness measures is documented.
+ Contact persons for information security are known to employees.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
2.1.4To what extent is mobile work regulated?Major
Rating (Major):
  • new (must): “- Behavior in private surroundings (e.g., working in a dedicated offic...”
  • new (must): “- Behavior in public surroundings (e.g., during travels, shared office...”
  • new (must): “- Measures to ensure a secure access to organization’s IT-services.”
  • removed (must): “- Behavior in private surroundings,”
  • removed (must): “- Behavior in public surroundings,”
  • removed (must): “+ The organization’s network is accessed via a secured connection (e.g...”
Control question
To what extent is mobile work regulated?
Objective
Working outside the specifically defined security zones (teleworking)(mobile work) creates risks requiring corresponding protective measures.
Requirements (must)
+ The requirements for teleworkingmobile work are determined and fulfilled. The following aspects are considered:
- Behavior in private surroundings (e.g., working in a dedicated office at home or in a coworking space),
- Behavior in public surroundings (e.g., during travels, shared office in a coworking space),

- Secure handling of and access to information (in both electronic and paper form) while considering the protection needs and the contractual requirements applying to private (e.g. home office) and public surroundings (e.g. during travels),
- Behavior in private surroundings,
- Behavior in
public surroundings,
- Measures for protectionProtection from theft (e.g. in public surroundings),surroundings.
+ - TheMeasures to ensure a secure access to organization’s network is accessed via a secured connection (e.g. VPN) and strong authentication.IT-services.
Requirements (should)
+ The following aspects are considered:
- Measures for travelling (e.g.(e.g., viewing by authorities),
- Measures for travelling to security-critical countries.
+ Employee awareness.
Additional: high protection needs
+ Protective measures against overhearing and viewing are implemented. (C)
Additional: very high protection needs
None
Additional: SGA
None
Chapter 3Physical Security3 changesMajor
3.1.1To what extent are security zones managed to protect information assets?Minor
Control question
To what extent are security zones managed to protect information assets?
Objective
Security zones provide physical protection of information assets. The more sensitive the information assets to be processed are the more protective measures are required.
Requirements (must)
+ A security zone concept including the associated protective measures based on the requirements for the handling of information assets is in place:place. The following aspects are considered:
- Physical conditions (e.g.(e.g., premises / buildings / spaces) are considered in the definition of security zones,
- This also includes deliveryDelivery and shipping areas.
+ The defined protective measures are implemented.
+ The code of conduct for security zones is known to all persons involved.
Requirements (should)
+ Procedures for allocation and revocation of access rights are established.
+ Visitor management policies (including registration and escorting of visitors) are defined.
+ Policies for carrying along and using mobile IT devices and mobile data storage devices (e.g.(e.g., registration before they are carried along, identification obligations) are defined and implemented.
+ Network/infrastructure components (own or customer networks) are protected against unauthorized access.
+ External properties used for storing and processing information assets are considered in the security zone concept (e.g. storage rooms, garages, workshops, test tracks, data processing centres).
Additional: high protection needs
+ Protective measures against simple overhearing and viewing are implemented. (C)
Additional: very high protection needs
None
Additional: SGA
None
3.1.3To what extent is the handling of supporting assets managed?Minor
Control question
To what extent is the handling of supporting assets managed?
Objective
During their lifecycle (e.g.(e.g., usage, disposal), supporting assets are subject to risks such as loss, theft or unauthorized viewing.
Requirements (must)
+ The requirements for the handling of supporting assets (e.g.(e.g., transport, storage, repair, loss, return, disposal) are determined and fulfilled.
Requirements (should)
None
Additional: high protection needs
+ Supporting assets are protected. Disposal of supporting assets is conducted in accordance with one of the relevant standards (e.g. ISO 21964, at least Securitysecurity Levellevel 4). (C)
Additional: very high protection needs
None
Additional: SGA
None
3.1.4To what extent is the handling of mobile IT devices and mobile data storage devices managed?Major
Rating (Major):
  • removed (should): “+ Users are informed of missing data protection on mobile devices.”
  • removed (high protection needs): “- Where this is technically not feasible, information is protected by...”
Control question
To what extent is the handling of mobile IT devices and mobile data storage devices managed?
Objective
Mobile IT devices (e.g.(e.g., notebooks, tablets, smartphones) and mobile data storage devices (e.g.(e.g., SD cards, hard drives) are generally used not only on the premises of an organization, but also in mobile applications. This presents an increased risk withof respectloss, totheft, e.g. loss or theft.etc.
Requirements (must)
+ The requirements for mobile IT devices and mobile data storage devices are determined and fulfilled. The following aspects are considered:

- Encryption,
- Access protection (e.g.(e.g., PIN, password),
- Marking (also considering requirements for use in the presence of customers).
Requirements (should)
+ Registration of the IT devices.
+ Users are informed of missing data protection on mobile devices.
Additional: high protection needs
+ General encryption of mobile data storage devices or the information assets stored thereon: (C, I)
-
thereon. Where this is technically not feasible, information is protected by similarly effective measures. (C, I)
Additional: very high protection needs
None
Additional: SGA
None
3.1.2Superseded by 1.6.3, 5.2.8 and 5.2.9None
Control question
Superseded by 1.6.3, 5.2.8 and 5.2.9
Chapter 4Identity and Access Management4 changesMajor
4.1.1To what extent is the use of identification means managed?Major
Rating (Major):
  • removed (high protection needs): “+ The validity of identification means is limited to an appropriate pe...”
Control question
To what extent is the use of identification means managed?
Objective
To check the authorization for both physical access and electronic access, means of identification such as keys, visual IDs, or other physical access devicesdevices, as well as cryptographic tokens are often used. TheThese security features are only reliable if the use of such identification means is handled adequately.
Requirements (must)
+ The requirements for the handling of identification means over the entire lifecycle are determined and fulfilled. The following aspects are considered:
- Creation, handover, return and destruction,
- Validity periods,
- Traceability,
- Handling of loss.
Requirements (should)
+ Identification means can be produced under controlled conditions only.
Additional: high protection needs
+ The validity of identification means is limited to an appropriate period. (C, I, A)
+ A strategy of blocking or invalidation of identification means in case of loss is prepared and implemented as far as possible. (C, I, A)
Additional: very high protection needs
None
Additional: SGA
None
4.1.2To what extent is the user access to IT services and IT systems secured?Minor
Control question
To what extent is the user access to IT services and IT systems secured?
Objective
Only securely identified (authenticated) users are to gain access to IT systems. For this purpose, the identity of a user is securely determined by suitable procedures.
Requirements (must)
+ The procedures for user authentication have been selected based on a risk assessment. Possible attack scenarios have been considered (e.g.(e.g., direct accessibility via the internet).
+ State of the art procedures for user authentication are applied.
Requirements (should)
+ The user authentication procedures are defined and implemented based on the business-related and security-relevant requirements:
-+ Users are authenticated at least by means of strong passwords according to theproven stateand ofwidely theaccepted art.practices.
+ Superior procedures are used for the authentication of privileged user accounts (e.g.(e.g., Privilegedprivileged Accessaccess Management,management, two-factor authentication).
Additional: high protection needs
+ Depending on the risk assessment, authentication procedure and access control have been enhanced by supplementary measures (e.g.(e.g., continuous access monitoring with respect to irregularities or use of strong authentication, automatic logout, disabling in case of inactivity, or brute force prevention). (C, I, A)
Additional: very high protection needs
+ Before gaining access to data of very high protection needs, users are authenticated by means of strong authentication (e.g.(e.g., two-factor authentication) according to the state of the art. (C, I)
Additional: SGA
None
4.1.3To what extent are user accounts and login information securely managed and applied?Major
Rating (Major):
  • new (must): “- Requirements for the quality of authentication information (e.g., le...”
  • removed (must): “- under observation of legal parameters”
  • removed (must): “+ The login information (e.g. passwords) of a personalized user accoun...”
Control question
To what extent are user accounts and login information securely managed and applied?
Objective
Access to information and IT systems is provided via validated user accounts assigned to a person. It is important to protect login information and to ensure the traceability of transactions and accesses.
Requirements (must)
+ The creating, changing, and deleting of user accounts is conducted.
+ Unique and personalized user accounts are used.
+ The use of “collective“shared accounts” is regulated (e.g.(e.g., restricted to cases where traceability of actions is dispensable).
+ User accounts are disabled immediately after the user has resigned from or left the organization (e.g.(e.g., upon termination of the employment contract).
+ User accounts are regularly reviewed.
+ The login information is provided to the user in a secure manner.
+ A policy for the handling of login information is defined and implemented. The following aspects are considered:
- No disclosure of login information to third parties
-
information, not even to persons of authority
-
authority, underwithin observationthe limits of legalapplicable parameterslaw,
- No writing down or unencrypted storing of login informationinformation,
- Immediate changing of login information whenever potential compromising is suspectedsuspected,
- No use of identical login information for business and non-business purposespurposes,
- Changing of temporary or initial login information following the 1st login login,
- Requirements for the quality of authentication information (e.g.(e.g., length of password, types of characters to be used).
+ The login information (e.g. passwords) of a personalized user account must be known to the assigned user only.
Requirements (should)
+ A basic user account with minimum access rights and functionalities is existent and used.
+ Default accounts and passwords pre-configured by manufacturers are disabled (e.g.(e.g., by blocking or changing of password).
+ User accounts are created or authorized by the responsible body.
+ Creating user accounts is subject to an approval process (four-eyes principle).
+ User accounts of service providers are disabled upon completion of their task.
+ Deadlines for disabling and deleting user accounts are defined.
+ The use of default passwords is technically prevented.
+ Where strong authentication is applied, the use of the medium (e.g.(e.g., ownership factor) is secure.
+ User accounts are reviewed at regular intervals. This also includes user accounts in customers' IT systems.
+ Interactive login for service accounts (technical accounts) is technically prevented.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
4.2.1To what extent are access rights assigned and managed?Major
Rating (Major):
  • removed (very high protection needs): “+ Prevention of unauthorized persons gaining access and information (p...”
Control question
To what extent are access rights assigned and managed?
Objective
The management of access rights ensures that only authorized users have access to information and IT services. For this purpose, access rights are assigned to user accounts.
Requirements (must)
+ The requirements for the management of access rights (authorization) are determined and fulfilled. The following aspects are considered:
- Procedure for application, verification, and approval,
- Applying the minimum (“need-to-know”/"least privilege") principle.principle,
- Access rights are revoked when no longer neededneeded.
+ The access rights granted for normal and privileged user accounts and technical accounts are reviewed at regular intervals also within IT systems of customers.
Requirements (should)
+ Strategies for authorizing access to information are prepared.
+ Authorization roles are used.
+ Rights are allocated on a need-to-use basis and according to the role and/or area of responsibility.
+ Normal user accounts are not granted privileged access rights.
+ The user’s access rights of a user account are adaptedupdated after the useruser’s hasresponsibilities have changed (e.g.(e.g., to another field of responsibility).
Additional: high protection needs
+ The access rights are approved by the responsible internal Information Officer. (C, I, A)
Additional: very high protection needs
+ Prevention of unauthorized persons gaining access and information (privileged users): (C)
-
Information is stored in encrypted form at content level (e.g.(e.g., file level).
-
level) to prevent unauthorized persons from gaining access and information (privileged users). Where encryption is not feasible, information shall be protected by similarly effective measures. (C)
+ Existing access rights are regularly reviewed at shorter intervals (e.g.(e.g., quarterly)quarterly). (C)
Additional: SGA
None
Chapter 5IT Security/ Cyber Security15 changesMajor
5.1.1To what extent is the use of cryptographic procedures managed?Major
Rating (Major):
  • removed (must): “- to the extent legally feasible.”
  • removed (should): “+ Preparation of technical rules containing requirements for encryptio...”
  • removed (should): “+ An emergency process for restoring key material is established.”
Control question
To what extent is the use of cryptographic procedures managed?
Objective
When using cryptographic procedures, methods it is important to consider risks in the field of availability (lost key material) as well as those risks that arise due to incorrectly applied procedures methods in the fields of integrity and confidentiality (poor algorithms/protocols or insufficient key strengths).
Requirements (must)
+ All cryptographic procedures used (e.g.(e.g., encryption, signature, and hash algorithms, protocols) provide the security required by the respective application field according to the recognized industry standard,
-
standard to the extent legally feasible.
Requirements (should)
+ Preparation of technical rules containing requirements for encryption in order to protect information according to its classification.
+ A concept for the application of cryptography is defined and implemented. The following aspects are considered:
- Cryptographic procedures, methods,
- Key strengths,
- Procedures for the complete lifecycle of cryptographic keys, including generation, storage, archiving, retrieval, distribution, deactivation, renewal, and deletion.
+ An emergency process for restoring key material is established.
Additional: high protection needs
+ Key sovereignty requirements (particularly in case of external processing) are determined and fulfilled. (C, I)
Additional: very high protection needs
None
Additional: SGA
None
5.1.2To what extent is information protected during transfer?Major
Rating (Major):
  • new (should): “- Using a secured connection (e.g. VPN).”
  • removed (high protection needs): “- Where encryption is not feasible, information must be protected by s...”
Control question
To what extent is information protected during transfer?
Objective
When being transferred via public or private networks, information can in some circumstances be read or manipulated by unauthorized third parties. Therefore, requirements regarding the protection needs of the information must be determined and implemented by taking suitable measures during such transfer.
Requirements (must)
+ The network services used to transfer information are identified and documented.
+ Policies and procedures in accordance with the classification requirements for the use of network services are defined and implemented.
+ Measures for the protection of transferred contents against unauthorized access are implemented.
Requirements (should)
+ Measures for ensuring correct addressing and correct transfer of information are implemented.
+ Electronic data exchange is conducted using content or transport encryption according to the respective classification.
+ Remote access connections areto verifiedthe toorganization’s network possess adequate security featuresfeatures. (e.g.,The encryption,following grantingaspects are considered:
- Encryption,
- Authentication strength,
- Granting
and termination of access)access and capabilities.capabilities,
- Using a secured connection (e.g. VPN).
Additional: high protection needs
+ Information is transported or transferred in encrypted form:form (C)
-
(at Whereleast encryptiontransport-encryption) is not feasible, information must beor protected by similarly effective measures. (C)
Additional: very high protection needs
+ Information is transported or transferred in content-encrypted form. (C)
Additional: SGA
None
5.2.1To what extent are changes managed?Major
Rating (Major):
  • new (should): “+ The potential impact on the information security of changes is asses...”
  • removed (should): “+ Changes are verified and assessed for their potential impact on the...”
Control question
To what extent are changes managed?
Objective
The objective is to ensure that information security aspects are considered in case of any changes to the organization, business processes and IT systems (Change Management) in order to prevent these changes from causing an uncontrolled reduction in the information security level.
Requirements (must)
+ Information security requirements for changes to the organization, business processes, IT systems are determined and applied.fulfilled.
Requirements (should)
+ A formal approval procedure is established.
+ Changes are verified and assessed for theirThe potential impact on the information security.security of changes is assessed.
+ Changes affecting the information security are subjected to planning and testing.
+ Procedures for fallback in fault cases are considered.
Additional: high protection needs
+ Compliance with the information security requirements is verified during and after the changes are applied. (C, I, A)
Additional: very high protection needs
None
Additional: SGA
None
5.2.2To what extent are development and testing environments separated from operational environments?Minor
Control question
To what extent are development and testing environments separated from operational environments?
Objective
The objective of separating the development, testing and operational environments is to ensure that the availability, confidentiality and integrity of productive data are maintained.
Requirements (must)
+ The IT systems have been subjected to risk assessment in order to determine the necessity of their separation into development, testing and operational systems.
+ A segmentation is implemented based on the results of risk analysis.
Requirements (should)
+ The requirements for development and testing environments are determined and implemented.fulfilled. The following aspects are considered:
- Separation of development, testing and operational systems,
- No development and system tools on operational systems (except those required for operation),
- Use of different user profiles for development, testing, and operational systems.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
5.2.3To what extent are IT systems protected against malware?Major
Rating (Major):
  • removed (should): “- Encrypted connections are considered.”
  • removed (should): “+ Case-related staff awareness measures.”
Control question
To what extent are IT systems protected against malware?
Objective
The aimobjective is to both technically and organizationally ensure the protection of IT systems against malware.
Requirements (must)
+ Requirements for protection against malware are determined.
+ Technical and organizational measures for protection against malware are defined and implemented.
Requirements (should)
+ Unnecessary network services are disabled.
+ Access to network services is restricted to necessary access by means ofthrough suitable protective measures (see examples).
+ Malware protection software is installed and updated automatically at regular intervals (e.g.(e.g., virus scanner).
+ Received files and software are automatically inspected for malware prior to their execution (on-access scan).
+ The entire data contents of all systems is regularly inspected for malware.
+ Data transferred by central gateways (e.g.(e.g., e-mail, internet, third-party networks) is automatically inspected by means of protection software:software. The following aspects are considered:
- Encrypted connectionsconnections,
-
areEncrypted considered.content.
+ Measures to prevent protection software from being deactivated or altered by users are defined and implemented.
+ Case-related staff awareness measures.
+
For IT systems operated without the use of malware protection software, alternative measures (e.g.(e.g., special resilience measures, few services, no active users, network isolation) are implemented.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
5.2.4To what extent are event logs recorded and analysed?Major
Rating (Major):
  • new (high protection needs): “+ Events related to establishing and terminating remote access session...”
  • removed (high protection needs): “+ Cases of access during connection and disconnection of external netw...”
Control question
To what extent are event logs recorded and analysed?
Objective
Event logs support the traceability of events in case of a security incident. This requires that events necessary to determine the causes are recorded and stored. In addition, the logging and analysis of activities in accordance with applicable legislation (e.g.(e.g., Data Protection or Works Constitution Act) is required to determine which user account has made changes to IT systems.
Requirements (must)
+ Information security requirements regarding the handling of event logs are determined and fulfilled.
+ Security-relevant requirements regarding the logging of activities of system administrators and users are determined and fulfilled.
+ The IT systems used are assessed regarding the necessity of logging.
+ When using external IT services, information on the monitoring options is obtained and considered in the assessment.
+ Event logs are checked regularly for rulepolicy violations and noticeable problems in compliance with the permissible legal and organizational provisions.
Requirements (should)
+ A procedure for the escalation of relevant events to the responsible body (e.g.(e.g., security incident report, data protection, corporate security, IT security) is defined and established.
+ Event logs (contents and meta data) are protected against alteration. (e.g.(e.g., by a dedicated environment).
+ Adequate monitoring and recording of any actions on the network that are relevant to information security are established.
Additional: high protection needs
+ Information security requirements relevant to the security during the handling of event logs, e.g.e.g., contractual requirements, are determined and implemented. (C, I, A)
+ CasesEvents ofrelated to establishing and terminating remote access duringsessions connection(e.g., and disconnection of external networks (e.g.for remote maintenance) are logged.maintenance). (C, I, A)
Additional: very high protection needs
+ Logging of any access to data of very high protection needs as far as technically feasible and as permissible according to legal and organizational provisions. (C, I)
Additional: SGA
None
5.2.5To what extent are vulnerabilities identified and addressed?Major
Rating (Major):
  • new (must): “and evaluated (e.g., Common Vulnerability Scoring System CVSS).”
  • new (must): “+ Risks arising from vulnerabilities are treated.”
Control question
To what extent are vulnerabilities identified and addressed?
Objective
Vulnerabilities increase the risk of IT systems being unable to meet the requirements for confidentiality, availability and integrity. Exploitation of vulnerabilities is among the possible ways for attackers to gain access to the IT system or to threaten its operating stability.
Requirements (must)
+ Information on technical vulnerabilities for the IT systems in use is gathered (e.g.(e.g., information from the manufacturer, system audits, CVS database)
and evaluated (e.g.(e.g., Common Vulnerability Scoring System CVSS)CVSS).
+ Potentially affected IT systems and software are identified, assessedidentified and anythe risk caused by the vulnerability is assessed.
+ Risks arising from
vulnerabilities are addressed.treated.
Requirements (should)
+ An adequate patch management is defined and implemented (e.g.(e.g., patch testing and installation).
+ Risk minimizing measures are implemented, as necessary.
+ Successful installation of patches is verified in an appropriate manner.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
5.2.6To what extent are IT systems and services technically checked (system and service audit)?Major
Rating (Major):
  • removed (very high protection needs): “+ IT systems and services are regularly scanned for vulnerabilities. (...”
Control question
To what extent are IT systems and services technically checked (system and service audit)?
Objective
The objective of technical checks is theto detectiondetect ofany statesissues which can jeopardize the availability,confidentiality, confidentialityintegrity or integrityavailability, of IT systems and services.
Requirements (must)
+ Requirements for auditing IT systems or services are determined.
+ The scope of the system audit is specified in a timely manner.
+ System or service audits are coordinated with the operator and users of the IT systems or services.
+ The results of system or service audits are stored in a traceable manner and reported to the relevant management.
+ Measures are derived from the results.results and are implemented in an appropriate timeframe.
Requirements (should)
+ System and service audits are planned taking into account any security risks they might cause (e.g.(e.g., disturbances).
+ Regular system or service audits are performedperformed. The following aspects are considered:
- Audits are carried out by qualified personnelpersonnel,
- If applicable, suitable tools (e.g.(e.g., vulnerability scanners) are used for system and service audits (if applicable)used,
- Audits are performed from the internet and the internal networknetwork.
+ Within a reasonable period following completion of the audit, a report is prepared.
Additional: high protection needs
+ For critical IT systems or services, additional system or service audit requirements have been identified and are fulfilled (e.g., service specific tests and tools and/or human penetration tests, risk-based time intervals)intervals). (A)
Additional: very high protection needs
+ IT systems and services are regularly scanned for vulnerabilities. (A)
-
Suitable protective measures must be implemented for systems and services that may not be scanned. (C, I, A)
Additional: SGA
None
5.2.7To what extent is the network of the organization managed?Major
Rating (Major):
  • new (high protection needs): “The following aspects are considered:”
Control question
To what extent is the network of the organization managed?
Objective
IT systems in a network are exposed to different risks or have different protection needs. In order to detect or prevent unintended data exchange or access between these IT systems, they are subdivided into suitable segments and access is controlled and monitored by means of security technologies.
Requirements (must)
+ Requirements for the management and control of networks are determined and fulfilled.
+ Requirements regarding network segmentation are determined and fulfilled.
Requirements (should)
+ Procedures for the management and control of networks are defined.
+ For a risk-based network segmentation,segmentation. theThe following aspects are considered:
- Limitations for connecting IT systems to the network,
- Use of security technologies,
- Performance, trust, availability, security, and safety considerations
- Limitation of impact in case of compromised IT systemssystems,
- Detection of potential attacks and lateral movement of attackersattackers,
- Separation of networks with different operational purpose (e.g.(e.g., test and development networks, office network, manufacturing networks)networks),
- The increased risk due to network services accessible via the internet,
- Technology-specific separation options when using external IT services,
- Adequate separation between own networks and customercustomer, networks while considering customer requirements
- Detection and prevention of data loss/leakageloss/leakage.
Additional: high protection needs
+ Extended requirements for the management and control of networks are determined and implemented. (C, I, A)
The following aspects are considered: (C, I, A)
- Authentication of IT systems on the network,
- Access to the management interfaces of IT systems is restricted.restricted,
- Specific risks (e.g.(e.g., wireless and remote access)access).
Additional: very high protection needs
None
Additional: SGA
None
5.2.8To what extent is continuity planning for IT services in place?Major
Rating (Major):
  • removed (should): “+ Continuity planning includes at least the following scenarios affect...”
  • removed (should): “+ Continuity planning considers the following cases”
Control question
To what extent is continuity planning for IT services in place?
Objective
ContinuityData (including contingency) planning forand IT services iscan partbecome ofunavailable anthrough overallevents programsuch foras achievinghardware continuityfailures, ofsoftware operationsdefects, foroperator organizationalerrors missionor attacks. Backup and businessrecovery criticalenables functions.organizations Actionsto addressedrecover infrom continuityrelevant planssituations includeand orderlylimit systempotential degradation,harm systemto shutdown,the fallbackorganization to a manualreasonable mode, alternate information flows, and operating in modes reserved for when a security incident occurs.amount.
Requirements (must)
+ Critical IT services are identified, and business impact is considered.
+ Requirements and responsibilities for continuity and recovery of those IT services are known to relevant stakeholders and fulfilled.
Requirements (should)
+ Critical IT systems are identifiedidentified. The following aspects are considered:
- theClassification of relevant systems are classified to have the appropriate protection needneed,
- -Implementation of adequate and appropriate security measures are implementedmeasures.
+ Continuity planning includesexists atand leastis theregularly reviewed and updated. The following scenariosaspects affectingare critical IT systems:
- (Distributed) Denial of Service attacks
- Successful ransomware attacks and other sabotage activities
considered:
- System failure
- Natural disaster
+ Continuity planning considers the following cases
- Alternative communication strategies, in case primary communication means are not available available,
- Alternative storage strategies, in case primary storage means are not availableavailable,
- Alternative power and networknetwork,
+ Continuity planning isincludes regularlyat reviewedleast (Distributed) Denial of Service attacks, successful ransomware attacks and updatedother sabotage activities, system failure scenarios, and natural disaster scenarios affecting critical IT systems.
Additional: high protection needs
+ Continuity planning includes predefined time frames (Recovery Time Objective) for resumption of operation in line with requirements. (A)
+ Appropriate SLAs with external service providers according to continuity planning are in place. (A)
+ Continuity plans include coordination of contractually agreed communication with business partnerspartners. (A)
+ Continuity planning is regularly tested including a full recovery and reconstitution of the system to a known state and compliance with defined target times. (A)
+ A backup and recovery strategy for critical IT services and information is defined and implemented. The(C, followingI, aspectsA)
+ Backups of critical IT services and information
are considered:
- Backups are
sufficiently protected against unauthorized modification or deletion by malicious software.software, (I, A)
-+ Backups of critical IT services and information are sufficiently protected against unauthorized access by malicious software or operatorsoperators. (C, I)
Additional: very high protection needs
+ Continuity planning is coordinated with the continuity plans of relevant external service providers. (A)
+ Continuance of essential mission and business functions with minimal or no loss of operational continuity is possible. The plan for continuance of essential mission and business functions considers the following aspects:aspects are considered:
- Alternate operation strategies and necessary separated standby systems to retain and/or resume operation to the extent possible if critical IT services become unavailable.unavailable, (A)
- Alternate storage and backup storage sites that(if they exist) must provide controls equivalent to that of the primary site.site, (C, I, A)
+ Continuity planning is tested regularly. TestsTest scenarios, results, and any lessons learned are documented.recorded. (I, A)
Additional: SGA
None
5.2.9To what extent is the backup and recovery of data and IT services ensured?Major
Rating (Major):
  • moved must → high protection needs: “The following aspects are considered:”
  • removed (should): “- Dependencies between IT services and the sequence for recovery are c...”
Control question
To what extent is the backup and recovery of data and IT services ensured?
Objective
Data and IT services can become unavailable through events such as hardware failures, software defects, operator errors or attacks. Backup and recovery enables organizations to recover from relevant situations and limit potential harm to the organization to a reasonable amount.
Requirements (must)
+ Backup concepts exist for relevant IT systems. The following aspects are considered:
-
Appropriate protective measures to ensure confidentiality, integrity, and availability for data backups.backups are considered.
+ Recovery concepts exist for relevant IT services.
Requirements (should)
+ A backup and recovery concept exists for each relevant IT service.
-
Dependencies between IT services and the sequence for recovery are considered.
Additional: high protection needs
+ Backup and recovery concepts are methodically reviewed at regular intervals. (A)
+ General restore capability is considered and tested (e.g., sample testing, test systems)systems). (I, A)
+ Backup and recovery concepts considerexist. the(A)
The
following aspects:aspects (A)are considered:
- Recovery Point Objective (RPO).(RPO),
- Recovery Time Objective (RTO).
- Required resources for recovery (considering capacity and performance incl. personnel and hardware).hardware),
- Avoidance of overload scenarios during recovery.recovery,
- Appropriate spatial redundancy (e.g., separate room, separate fire section, separate datacentre,data center, separate site).
Additional: very high protection needs
+ (Additional) Backups are performed via offline procedures, immutable backups or by using an isolated IAM technology.solution. (I, A)
+ Restore procedures are technically tested in a methodical way at regular intervals. (I, A)
+ Geographical redundancy is considered in data backup and recovery concepts. (A)
Additional: SGA
None
5.3.1To what extent is information security considered in new or further developed IT service?Major
Rating (Major):
  • new (should): “+ Test-systems are provided with protective measures comparable to tho...”
  • removed (should): “- Where productive data are used for testing purposes, it shall be ens...”
  • removed (very high protection needs): “- in case of significant changes”
  • removed (very high protection needs): “- or at regular intervals”
Control question
To what extent is information security considered in new or further developed IT systems?service?
Objective
Information security is an integral part of the entire lifecycle of IT systems.service. This particularly includes consideration of information security requirements in the development or acquisition of IT systems.service.
Requirements (must)
+ The information security requirements associated with the design and development of IT systemsservice are determined and considered.
+ The information security requirements associated with the acquisition or extension of IT systemsservice and IT components are determined and considered.
+ Information security requirements associated with changes to developed IT systemsservices are considered.
+ System approval tests are carried out under consideration of the information security requirements.
Requirements (should)
+ Requirement specifications are prepared. The following aspects are considered:
- The information security requirements. requirements,
- Vendor recommendations and best practices for secure configuration and implementationimplementation,
- Best practices and security guidelinesguidelines,
- Fail safe (designed to return to a safe condition in the event of a failure or malfunction)malfunction).
+ Requirement specifications are reviewed against the information security requirements.
+ The IT systemservice is reviewed for compliance with specifications prior to productive use.
+ The use of productiveproduction data for testing purposes is avoided as far as possible (if applicable, anonymization or pseudonymization):
-
pseudonymization). WhereThe productivefollowing dataaspects are used for testing purposes, it shall be ensured that the test system is provided with protective measures comparable to those on the operational system,considered:
- Requirements for the lifecycle of test data (e.g. deletion, maximum lifetime on the IT system),service),
- Case-related specifications for the generation of test data are defined.
+ Test-systems are provided with protective measures comparable to those in the operational environment where productive data are used for testing purposes.
Additional: high protection needs
None
Additional: very high protection needs
+ The security of purpose built software or significantly customized software is tested (e.g.(e.g., penetration testing) (C, I, A)
-
during commissioning
-
commissioning, in case of significant changes
-
changes, or at regular intervalsintervals. (C, I, A)
Additional: SGA
None
5.3.2To what extent are requirements for network services defined?Minor
Control question
To what extent are requirements for network services defined?
Objective
Network services have different requirements for information security, quality of data transfer or management. It is important to know thesethe criteria and the scope of use of the different network services.
Requirements (must)
+ Requirements regarding the information security of network services are determined and fulfilled.
Requirements (should)
+ A procedure for securing and using network services is defined and implemented.
+ The requirements are agreed in the form of SLAs.
+ Adequate redundancy solutions are implemented.
Additional: high protection needs
+ Procedures for monitoring the quality of network traffic (e.g.(e.g., traffic flow analyses, availability measurements) are defined and carried out. (A)
Additional: very high protection needs
None
Additional: SGA
None
5.3.3To what extent is the return and secure removal of information assets from external IT services regulated?Minor
Control question
To what extent is the return and secure removal of information assets from external IT services regulated?
Objective
In order to ensure control over the information assets as the information owner, it is necessary that the information assets can be safelysecurely removed or are returned, if required, when terminating the IT service.
Requirements (must)
+ A procedure for the return and secure removal of information assets from each external IT service is defined and implemented.
Requirements (should)
+ A description of the termination process is given, adapted to any changes, and contractually regulated.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
5.3.4To what extent is information protected in shared external IT services?Minor
Control question
To what extent is information protected in shared external IT services?
Objective
ClearA clear segregation between individual clientstenants must be ensured such asmaintained to alwaysensure protectthat owntheir information inis fully protected within external IT servicesservices, andpreventing tounauthorized prevent it from being accessedaccess by other organizations (clients).tenants.
Requirements (must)
+ Effective segregation (e.g.(e.g., segregation of clients)customers) prevents access to own information by unauthorized users of other organizations.
Requirements (should)
+ The provider’s segregation concept is documented and adapted to any changes. The following aspects are considered:
- Separation of data, functions, customer-specific software, operating system, storage system and network,
- Risk assessment for the operation of external software within the shared environment.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
Chapter 6Supplier Relationships3 changesMajor
6.1.1To what extent is information security ensured among contractors and cooperation partners?Major
Rating (Major):
  • new (high protection needs): “+ The supplier's level of compliance with the required evidence is doc...”
  • new (high protection needs): “+ The supplier's compliance with contractual agreements is checked, do...”
  • new (very high protection needs): “+ The adequate level of information security should be demonstrated by...”
  • new (very high protection needs): “+ Contractual obligations with customers regarding transparency of sup...”
  • removed (must): “+ Compliance with contractual agreements is verified.”
Control question
To what extent is information security ensured among contractors and cooperation partners?
Objective
An appropriate level of information security is also maintained while collaborating with cooperation partners and contractors.
Requirements (must)
+ Contractors and cooperation partners are subjected to a security risk assessmentassessment. with regard to information security.
+ An appropriate level of information security is ensured by contractual agreements with contractors and cooperation partners.
+ Where applicable, contractual agreements with clients and customers are passed on to contractors and cooperation partners.
+ Compliance with contractual agreements is verified.
Requirements (should)
+ Contractors and cooperation partners are contractually obligedobligated to pass on any requirements regarding an appropriate level of information security to their subcontractors.
+ Service reports and documents by contractors and cooperation partners are reviewed.
Additional: high protection needs
+ ProofEvidence is provided that the information security level of the supplier is adequate for the protection needs of the information (e.g.(e.g., checked questionnaire/self-assessment, attestation, certificate, attestation, internalsupplier audit). (C, I, A)
+ The supplier's level of compliance with the required evidence is documented, regularly and in case of changes (e.g., changes of requirements, change in supplier status, or supply chain structure) reviewed and monitored. (C, I, A)
+ The supplier's compliance with contractual agreements is checked, documented, regularly and in case of changes (e.g., changes of requirements, change in supplier status, or supply chain structure) reviewed and monitored. (C, I, A)
Additional: very high protection needs
None+ The adequate level of information security should be demonstrated by a third party audit (an adequate TISAX label or equivalent) or an adequate supplier audit covering agreed and applicable customer requirements. If an audit was not conducted, a risk-based decision must be made by the organization's management to continue doing business with the supplier. A record of this decision exists. (C, I, A)
+ Contractual obligations with customers regarding transparency of supply chain risks are fulfilled. (C, I, A)
Additional: SGA
None
6.1.2To what extent is non-disclosure regarding the exchange of information contractually agreed?Major
Rating (Major):
  • new (should): “+ Non-disclosure agreements include the persons/organizations involved...”
  • removed (should): “+ Non-disclosure agreements include the following information:”
  • removed (should): “- the persons/organizations involved,”
  • removed (should): “- the type of information covered by the agreement,”
  • removed (should): “- the subject of the agreement,”
  • removed (should): “- the validity period of the agreement,”
  • removed (should): “- the responsibilities of the obliged party.”
Control question
To what extent is non-disclosure regarding the exchange of information contractually agreed?
Objective
Non-disclosure agreements provide legal protection offor an organization’s information particularly where information is exchanged beyond the boundaries of the organization.
Requirements (must)
+ The non-disclosure requirements are determined and fulfilled.
+ Requirements and procedures for applying non-disclosure agreements are known to all persons passing on information in need of protection.
+ Valid non-disclosure agreements are concluded prior to forwarding sensitive information.
+ The requirements and procedures for the use of non-disclosure agreements and the handling of information requiring protection are reviewed at regular intervals.
Requirements (should)
+ Non-disclosure agreement templates are available and checked for legal applicability.
+ Non-disclosure agreements include the following information:
- the
persons/organizations involved,
-
the type of information covered by the agreement,
-
the subject of the agreement,
-
the validity period of the agreement,
-
agreement and the responsibilities of the obliged party.
+ Non-disclosure agreements include provisions for the handling of sensitive information beyond the contractual relationship.
+ Options of demonstrating compliance with specifications (e.g.(e.g., review by an independent third partythird-party or audit rights) are defined.
+ A process for monitoring the validity period of temporary non-disclosure agreements and initiating their extension in due time is defined and implemented.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
6.1.3To what extent are the responsibilities between external IT service providers and the own organization defined?moved 1.2.4 → 6.1.3Minor
Control question
To what extent are the responsibilities between external IT service providers and the own organization defined?
Objective
It is important,important that a common understanding of the division of responsibilities existsexists, and that the implementation of all security requirements isare ensured.implemented. Therefore, when using external IT service providers and IT services, the responsibilities regarding the implementation of information security measures are to be defined and verifiably documented.
Requirements (must)
+ The concerned services and IT services usedconcerned are identified.
+ The security requirements relevant to the IT service are determined:determined.
+ The organization responsible for implementing the requirement is defined and aware of its responsibility.
+ Mechanisms for shared responsibilities are specified and implemented.
+ The responsible organization fulfils its respective responsibilities.
Requirements (should)
+ In case of IT services, configuration has been conceived,conceptualized, implemented, and documented based on the necessary security requirements.
+ The responsible staff is adequately trained.
Additional: high protection needs
+ A list exists indicating the concerned IT services concerned and the respective responsible IT service providers. (C, I, A)
+ The applicability of the ISA controls has been verifiedevaluated and documented. (C, I, A)
+ The service configuration is included in the regular security assessments. (C, I, A)
+ Proof is provided that the IT service providers fulfil their responsibility. (C, I, A)
+ Integration into local protective measures (such as secure authentication mechanisms) is established and documented. (C, I, A)
Additional: very high protection needs
None
Additional: SGA
None
Chapter 7Compliance2 changesMinor
7.1.1To what extent is compliance with regulatory and contractual provisions ensured?Minor
Control question
To what extent is compliance with regulatory and contractual provisions ensured?
Objective
Non-compliance with legal, regulatory, or contractual provisions can create risks to the information security of customers and theorganization own organization.itself. Therefore, it is essential to ensure that these provisions are known and observed.
Requirements (must)
+ Legal, regulatory, and contractual provisions of relevance to information security (see examples) are determined at regular intervals.
+ Policies regarding compliance with the provisions are defined, implemented, and communicated to the responsible persons.
Requirements (should)
+ The integrity of records in accordance with the legal, regulatory, orand contractual provisions and business requirements is considered.
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None
7.1.2To what extent is the protection of personal data considered when implementing information security?Minor
Control question
To what extent is the protection of personally identifiablepersonal data considered when implementing information security?
Objective
Privacy and protection of personally identifiablepersonal data are considered in the implementation of information security as required by relevant national legislation and regulations, where applicable.
Requirements (must)
+ Legal and contractual information security requirements regarding the procedures and processes in the processing of personally identifiablepersonal data are determined.
+ Regulations regarding the compliance with legal and contractual requirements for the protection of personally identifiablepersonal data are defined and known to the entrustedinvolved persons.
+ Processes and procedures for the protection of personally identifiable datainformation are considered in the information security management system.
Requirements (should)
None
Additional: high protection needs
None
Additional: very high protection needs
None
Additional: SGA
None

Prototype Protection (Ch. 8)

Chapter 8Prototype protection28 changes8.1 (organizational) and 8.2 (physical) reorderedMajor
8.1.1To what extent are regulations for prototype protection defined within the organization and responsibilities established?newMajor
Control question
To what extent are regulations for prototype protection defined within the organization and responsibilities established?
Objective
Successful prototype protection requires regulations for implementation and clear responsibilities within the organization.
Requirements (must)
+ The organization has a released policy clearly defining the goals and specifications of prototype protection.
+ Periodic review and, if required, revision of the policy is established.
+ Responsibilities for prototype protection in the organization are defined, documented, and assigned.
+ The responsible employees are defined and qualified for their task.
+ The necessary resources are available.
+ The contact persons are known within the organization and relevant business partners.
Requirements (should)
+ An appropriate organizational separation of responsibilities should be established to avoid conflicts of interest (separation of functions).
8.1.2To what extent are order-specific requirements and specifications for handling prototypes regulated?newMajor
Control question
To what extent are order-specific requirements and specifications for handling prototypes regulated?
Objective
It is important that there is a common understanding of the division of responsibilities and that the implementation of all security requirements is ensured. Due to different client-specific requirements when dealing with prototypes, detailed coordination between the client and contractor is necessary in addition to the overarching implementation of measures to protect prototypes.
Requirements (must)
+ For each relevant order and associated prototypes, order-specific requirements are agreed with the customer and known to the relevant acting employees. The following aspects are considered:
- Security classification and associated security measures of the respective order,
- Specifications for camouflage, including specifications for changes to camouflage,
- Specifications and security concepts for the use of prototypes on test sites,
- Specifications for handling prototypes on public roads,
- Specifications and security concepts for events with prototypes,
- Specifications and security concepts for film/photo shoots with prototypes,
- Specifications for the transport of the prototypes (incl. logistics specifications),
- Requirements for the use of subcontractors,
- Specifications for handling prototype-relevant information on portable storage media.
Requirements (should)
None
8.1.3To what extent do employees and project members evidently participate in training and awareness measures regarding the handling of prototypes?moved 8.2.3 → 8.1.3Major
Rating (Major):
  • new (must): “+ Mandatory participation of all employees involved in the project in...”
  • removed (must): “+ Ensuring execution of trainings / awareness programs by the manageme...”
  • removed (must): “+ Ensuring knowledge among employees and project members regarding the...”
  • removed (must): “+ Mandatory participation of each employee and project member in the t...”
Control question
To what extent do employees and project members evidently participate in training and awareness measures regarding the handling of prototypes?
Objective
In trainings/awareness seminars on the subject of prototype protection, employees must obtain the necessary knowledge and skills for a security-conscious handling of vehicles, components and parts classified as requiring protection.
Requirements (must)
+ Ensuring execution of trainings/ awareness programs by the management.
+ Training of employees and project members when joining the project regarding the handling of prototypes.
+ Regular (at least annual) training of employees regarding the handling of prototypes.
+ EnsuringTraining knowledge amongof employees and project membersparticipants regardingin the respectivehandling protectionof needsprototypes andat the resultingstart measuresof within the company.projects.
+ Mandatory participation of eachall employeeemployees and project memberinvolved in the trainingsproject in the training and awarenessawareness-raising measures.
+ The completed measures are to be documented.
+ The training concept for prototype protection is an integral part of the general training concept (see also control question 2.1.3 Information Security).security).
Requirements (should)
None
Additional: high protection needs
None
8.1.4To what extent is the qualification of employees for working in prototype areas ensured?newMajor
Control question
To what extent is the qualification of employees for working in prototype areas ensured?
Objective
Competent, reliable and trustworthy employees are key to protecting prototypes in the organization. Therefore, it is important to check the suitability of potential employees (e.g. applicants) to an appropriate extent.
Requirements (must)
+ Sensitive work fields and jobs are determined.
+ The requirements for employees with respect to their job profiles are determined and fulfilled.
+ The identity of potential employees is verified (e.g. checking identity documents).
Requirements (should)
+ The personal suitability of potential employees is verified by means of simple methods (e.g. job interview).
8.1.5To what extent are non-disclosure agreements/obligations existent according to the valid contractual law?moved 8.2.1 → 8.1.5Major
Rating (Major):
  • removed (must): “+ A non-disclosure agreement:”
Control question
To what extent are non-disclosure agreements/obligations existent according to the valid contractual law?
Objective
When transmitting information classified as requiring protection, it must be ensured that external organizations are obliged to meet the information security requirements and that the related necessary measures are implemented. The necessary legal basis for this obligation is provided by non-disclosure agreements. Hence, it must be ensured that information classified as requiring protection is transmitted only if such a non-disclosure agreement has been entered and is legally effective.
Requirements (must)
+ ANon-disclosure non-disclosure agreement:
-
agreements between contractor and customer (company level),
-
and with all employees and project members (personal obligation).exist.
+ Country-specific legal provisions regarding data protection are to be observed.
Requirements (should)
None
Additional: high protection needs
None
8.1.6To what extent are requirements for commissioning subcontractors known and fulfilled?moved 8.2.2 → 8.1.6Major
Rating (Major):
  • removed (must): “- with all employees and project members of the subcontractor (persona...”
  • removed (must): “+ Proof of the subcontractor’s compliance with minimum requirements fo...”
Control question
To what extent are requirements for commissioning subcontractors known and fulfilled?
Objective
When involving subcontractors, the minimum requirements for prototype protection must be met.
Requirements (must)
+ Approval by the original customer.
+ contractuallyContractually valid non-disclosure agreementagreements exists:
-
exist between contractor and subcontractor (company level),
-
level) and with all employees and project members of the subcontractor (personal obligation).members.
+ Ensuring compliance with the security requirements of the actual customer (proof is obtained).
+ Proof of the subcontractor’s compliance with minimum requirements for prototype protection (e.g., certificate, attestation) is provided.
Requirements (should)
None
Additional: high protection needs
None
8.1.7To what extent is a process defined for granting access to security areas?moved 8.2.5 → 8.1.7Major
Rating (Major):
  • new (must): “+ There is a procedure in place for disabling lost/stolen access contr...”
Control question
To what extent is a process defined for granting access to security areas?
Objective
A process is defined for the protection against unauthorized access to security areas where vehicles, components or parts classified as requiring protection are manufactured, processed, or stored.
Requirements (must)
+ Responsibilities for access authorization are clearly specified and documented.
+ A process for new assignments, changes and revocations of access rights is in place.
+ Code of conduct in case of the loss/theft of access control means.means are defined and known to the employees.
+ There is a procedure in place for disabling lost/stolen access control mechanisms (i.e. disabling electronic badges, changing physical locks, etc.) as soon as possible.
Requirements (should)
None
Additional: high protection needs
None
8.1.8To what extent are regulations for visitor management (including registration and escorting of visitors) in place?moved 8.1.7 → 8.1.8Minor
Control question
To what extent isare aregulations documentedfor visitor management (including registration and escorting of visitors) in place?
Objective
Protection against unauthorized access to security areas where vehicles, components or parts classified as requiring protection are manufactured, processed, or stored, including traceable documentation.
Requirements (must)
+ Registration obligation for all visitors.
+ Documented non-disclosure obligation prior to access.
+ Publication of security and visitor regulations.
+ Country-specific legal provisions regarding data protection are to be observed.
Requirements (should)
None
Additional: high protection needs
None
8.1.9To what extent is a regulation for carrying along and using mobile video and photography devices in(to) defined security areas established?moved 8.2.7 → 8.1.9Major
Rating (Major):
  • new (must): “+ Rules for carrying (e.g. with / without sealing, etc.) are in place.”
  • new (must): “+ Rules for use (e.g. making phone calls, taking photos, using QR code...”
  • removed (must): “+ Specification for carrying along (e.g., sealed/unsealed, etc.).”
  • removed (must): “+ Specification for use (e.g., phone calls, photography, etc.).”
Control question
To what extent is a processregulation for carrying along and using mobile video and photography devices in(to) defined security areas established?
Objective
A process is definedregulation for the carrying along and usinguse of mobile videoimage and photographysound recording devices in(to)in security areas where vehicles, components or parts classified as requiringreqiring protection are manufactured, processed,processed or stored.stored Unauthorizedis defined. The unauthorised creation or transmissiondistribution of sound and image material must be is prevented.
Requirements (must)
+ SpecificationRules for carrying along(e.g. (e.g.,with sealed/unsealed,/ etc.).without sealing, etc.) are in place.
+ SpecificationRules for use (e.g.,(e.g. making phone calls, photography,taking etc.).photos, using QR codes, etc.) are in place.
Requirements (should)
None
Additional: high protection needs
None
8.1.10To what extent are regulations for image recording and handling of created image material existent?moved 8.2.6 → 8.1.10Major
Rating (Major):
  • new (must): “+ In areas where vehicles, components or parts classified as reqiring...”
  • new (must): “+ Release by the original client for image recordings of vehicles, com...”
  • new (must): “+ A clear documentation of the recordings carried out is available (in...”
  • new (must): “+ Determination by the original client for the classification of image...”
  • removed (must): “+ Specification for classification/categorization of image material.”
Control question
To what extent are regulations for image recording and handling of created image material existent?
Objective
Regulations for recording images of vehicles, components or parts classified as requiring protection must be defined in order to prevent unauthorized creation or transmission of such image material.
Requirements (must)
+ In areas where vehicles, components or parts classified as reqiring protection are located, there is a general ban on recording images.
+ Release by the original client for image recordings of vehicles, components or parts classified as in need of protection.
+ Approval proceduresprocess for image recording.
+ SpecificationA clear documentation of the recordings carried out is available (info who, when, what, where, with what).
+ Determination by the original client
for classification/categorizationthe classification of image material.material is obtained in the case of image recordings of vehicles, components or parts classified as reqiring protection.
+ Secure storage of image material.
+ Secure deletion/disposal of image material no longer required.
+ Secured transmission/shipping of image material to authorized recipients only.
Requirements (should)
None
Additional: high protection needs
None
8.1.11To what extent are incident management requirements regulated?newMajor
Control question
To what extent are incident management requirements regulated?
Objective
Incidents that could interrupt or jeopardize the continuous protection of vehicles, components and parts classified as in need of protection can occur despite the security measures that have been implemented. In this case, competent, swift action is required to minimize the damage caused and implement appropriate measures in a timely manner.
Requirements (must)
+ For each order and associated prototypes, procedures for dealing with incidents are agreed with the client and known to the relevant employees. The following aspects are considered:
- Breach of secrecy,
- Burglary,
- Theft,
- Breakdowns,
- Accidents,
- Fire,
- Irregularities in transport,
- Dealing with authorities and law enforcement officers,
- Damage to camouflage.
+ Handling of incidents with prototypes is - where relevant - also regulated beyond the order period.
+ General and client-specific reporting obligations and reporting channels are known (internal and client).
Requirements (should)
None
8.1.12To what extent is it ensured that vehicles, components and parts classified as in need of protection are documented and tracked in a comprehensible manner over newMajor
Control question
To what extent is it ensured that vehicles, components and parts classified as in need of protection are documented and tracked in a comprehensible manner over the entire processing period?
Objective
Continuous protection of vehicles, components and parts classified as in need of protection can only be ensured if their location and the department currently responsible for processing them can be traced at all times.
Requirements (must)
+ There must be a process/concept for the documentation of vehicles, components and parts classified as reqiring protection.
+ All vehicles, components and parts classified as in need of protection must be documented and changes must be traceable.
+ Documentation needs to be updated regularly.
Requirements (should)
None
8.1.13To what extent is it ensured that vehicles, components, parts and relevant tools classified as in need of protection that are no longer needed are disposed of/ newMajor
Control question
To what extent is it ensured that vehicles, components, parts and relevant tools classified as in need of protection that are no longer needed are disposed of/ recycled/ returned in accordance with the client's specifications?
Objective
It is important for every organization that vehicles, components and parts classified as in need of protection are disposed of, recycled or returned after the use phase according to a specified process. This is to prevent them from falling into unauthorized hands or being disposed of as "standard waste".
Requirements (must)
+ There is a concept for dealing with classified vehicles, components and parts and relevant tools reqiring protectionafter the use phase. The following aspects are considered:
- Specifications for disposal, recycling or return are obtained from the respective client,
- Instruction of affected employees about the requirements.
Requirements (should)
+ Proof of compliance with the specifications is available
8.2.1To what extent is a security concept available describing minimum requirements regarding the physical and environmental security for prototype protection?moved 8.1.1 → 8.2.1Minor
Control question
To what extent is a security concept available describing minimum requirements regarding the physical and environmental security for prototype protection?
Objective
The necessary measures for prototype protection must be applied to and implemented on properties and facilities of suppliers, development partners and service providers. A security concept must be established by the respective operator. Implementation and observation of the physical and environmental security measures defined in the security concept must be ensured by the responsible operator.
Requirements (must)
+ A security concept underis consideration of theestablished. The following aspects isare established: considered:
- stabilityStability of outer skin,
- viewView and sight protection,
- protectionProtection against unauthorized entry and access control,
- intrusionIntrusion monitoring,
- documentedDocumented visitor management,
- clientClient segregation.
Requirements (should)
+ Perimeter security.
Additional: high protection needs
None
Additional: very high protection needs
.
8.2.2To what extent is perimeter security existent preventing unauthorized access to protected property objects?moved 8.1.2 → 8.2.2Major
Rating (Major):
  • new (must): “+ The sum of the measures must be suitable to prevent unauthorised acc...”
  • new (should): “+ Appropriate measures are in place such as structural measures (e.g....”
  • removed (should): “+ Suitable barriers are in place such as:”
  • removed (should): “- artificial barriers (fence systems, walls),”
  • removed (should): “- technical barriers (detection),”
  • removed (should): “- natural barriers (growth, vegetation).”
Control question
To what extent is perimeter security existent preventing unauthorized access to protected property objects?
Objective
Unauthorized access to properties where vehicles, components or parts classified as requiring protection are manufactured, processed, or stored shall be prevented.
Requirements (must)
+ UnauthorizedUnauthorised access to properties is not possible.
+ The sum of the measures must be suitable to prevent unauthorised access to the protected objects of the property.
Requirements (should)
+ SuitableAppropriate barriersmeasures are in place such as:
-
as artificialstructural barriersmeasures (fence(e.g. fence systems, walls),
walls, -floor count,…), technical barriersmeasures (detection),
-
(e.g. detection, alarm system, technical access systems,...), or natural barriers (growth,(e.g. vegetation).vegetation, ...).
Additional: high protection needs
None
8.2.3To what extent is the outer skin of the protected objects/ security areas constructed such as to prevent removal or opening of outer-skin components using standmoved 8.1.3 → 8.2.3Major
Rating (Major):
  • new (must): “+ Easily accessible windows, doors, and other components are designed...”
  • new (should): “+ Solid construction (e.g. masonry, concrete, reinforced concrete, or...”
  • new (high protection needs): “DIN EN 1627 / RC2”
  • removed (should): “+ Solid construction (masonry, concrete, reinforced concrete, or prest...”
  • removed (should): “+ Windows and doors in the outer skin are to be built in compliance wi...”
Control question
To what extent is the outer skin of the protected buildingsobjects/ security areas constructed such as to prevent removal or opening of outer-skin components using standard tools?
Objective
Unauthorized access to buildings/securityobjects/ security areas where vehicles, components or parts classified as requiring protection are manufactured, processed or stored shall be prevented.
Requirements (must)
+ Unauthorized access to buildings/securityobjects/ security areas is not possible.
+ Easily accessible windows, doors, and other components are designed to prevent break-ins using simple tools such as screwdrivers and pliers for a minimum period of three minutes.
Requirements (should)
+ Solid construction (masonry,(e.g. masonry, concrete, reinforced concrete, or prestressed concrete).
+
Windows and doors inIf the outer skin areis not solid, risk mitigating measures must be in place and evidence of a risk-based decision to bemaintain builtan ininsubstantial compliancebarrier withmust RC2 or better.exist.
Additional: high protection needs
NoneDIN EN 1627 / RC2
8.2.4To what extent is view and sight protection ensured in defined security areas?moved 8.1.4 → 8.2.4Major
Rating (Major):
  • removed (high protection needs): “+ The spatial situation is also suitable for protecting vehicles class...”
Control question
To what extent is view and sight protection ensured in defined security areas?
Objective
It must be ensured that unauthorized viewing of vehicles, components or parts classified as requiring protection is prevented.
Requirements (must)
+ Unauthorized viewing of new developments needing high or very high protection is not possible.
Requirements (should)
+ Sight protection through relevant glass surfaces is ensured.
+ View into defined security areas through open doors/gates/windows is prevented.
Additional: high protection needs
+ The spatial situation is also suitable for protecting vehicles classified as requiring protection against unauthorized view.
8.2.4To what extent are security classifications of the project and the resulting security measures known?removedMajor
Control question
To what extent are security classifications of the project and the resulting security measures known?
Objective
It must be ensured that the security classification and requirements in relation to the project progress are known to and observed by each project member.
Requirements (must)
+ Ensuring that the security classification and requirements in relation to the project progress are made known to each project member.
+ Consideration of step-by-step plans, measures for secrecy and camouflage, development policies.
+ The requirements are considered as a requirement regarding the information security of the project (see Controls 1.2.3 and 7.1.1 Information Security).
Requirements (should)
None
Additional: high protection needs
None
8.2.5To what extent is the protection against unauthorized entry regulated in the form of access control?moved 8.1.5 → 8.2.5Major
Rating (Major):
  • new (must): “+ At least one of the following three requirements must be met: Mechan...”
  • new (high protection needs): “DIN 18251 (locks) or DIN EN 12209”
  • removed (must): “+ At least one of the following three requirements must be implemented...”
  • removed (must): “- mechanical locks with documented key assignment,”
  • removed (must): “- electronic access systems with documented authorization assignment,”
  • removed (must): “- personal access control including documentation.”
  • removed (high protection needs): “+ The spatial situation is also suitable for protecting vehicles class...”
Control question
To what extent is the protection against unauthorized entry regulated in the form of access control?
Objective
It must be ensured that all points of access to security areas where vehicles, components or parts classified as requiring protection are manufactured, processed, or stored are protected against unauthorized entry by appropriate adequateand effective measures.
Requirements (must)
+ At least one of the following three requirements must be implemented:
-
met: mechanicalMechanical lockssecurity locking units with documented key assignment,
-
or electronic access systems with documented authorization assignment,
-
or personal access control including documentation.documentation with access and exit times.
Requirements (should)
None
Additional: high protection needs
+DIN The18251 spatial(locks) situationor isDIN alsoEN suitable for protecting vehicles classified as requiring protection against unauthorized access.12209
8.2.6To what extent are the premises to be secured monitored for intrusion?moved 8.1.6 → 8.2.6Major
Rating (Major):
  • new (high protection needs): “DIN 77200, VdS 3138”
  • removed (must): “+ Intrusion monitoring of the premises to be secured is ensured:”
  • removed (must): “- or 24/7 guarding by a certified security service.”
Control question
To what extent are the premises to be secured monitored for intrusion?
Objective
It must be ensured that premises where vehicles, components or parts classified as requiring protection are manufactured, processed, or stored are monitored for intrusion. Timely alarm processing is ensured.
Requirements (must)
+ Intrusion monitoring of the premises to be secured is ensured:
-
An intrusion detection system exists which complies with DINEN50131 or conforms to VDS or similar and functions with alarm tracking to a certifiedqualified security service or control unitcenter (e.g.,(e.g. according to DIN 77200, VdS 3138),
-
or 24/7 guarding by a certifiedqualified security service.
+ Alarm plans are available.
+ Timely alarm processing is ensured.
Requirements (should)
None
Additional: high protection needs
NoneDIN 77200, VdS 3138
8.2.7To what extent is on-site client segregation existent?moved 8.1.8 → 8.2.7Major
Rating (Major):
  • new (must): “+ There is a spatial separation through personnel, organizational or t...”
  • removed (must): “+ Spatial separation by staff-related or technical measures is in effe...”
  • removed (high protection needs): “+ The spatial situation is also suitable for implementing client segre...”
Control question
To what extent is on-site client segregation existent?
Objective
In order to ensure protection of the client-specific know-how at all times, a clear segregation of clients must be ensured. This particularly involves protection against unauthorized viewing and access to areas where vehicles, components or parts classified as requiring protection are processed or stored.
Requirements (must)
+ SpatialThere is a spatial separation bythrough staff-relatedpersonnel, organizational or technical measures is in effect according to themeasures. The following aspects:aspects are considered:
- customers,Customers, and/or
- projects,Projects,
- whereWhere segregation is not in effect, explicit approval by the customer is required.
Requirements (should)
None
Additional: high protection needs
+ The spatial situation is also suitable for implementing client segregation for vehicles classified as requiring protection.
8.3.1To what extent are transports of vehicles, components or parts classified as requiring protection arranged according to the customer requirements?removedMajor
Control question
To what extent are transports of vehicles, components or parts classified as requiring protection arranged according to the customer requirements?
Objective
While being transported, vehicles, components and parts classified as requiring protection must be protected against unauthorized viewing, unauthorized image recording and access.
Requirements (must)
+ A process for obtaining customer-specific requirements for the transport of vehicles, components and parts classified as requiring protection is described and implemented.
+ The security requirements defined by the customer are known and observed.
+ The logistics/transport companies explicitly approved by the customer are commissioned.
+ A process for reporting any security-relevant events to the customer is described and implemented.
Requirements (should)
None
Additional: high protection needs
None
8.3.2To what extent is it ensured that vehicles, components, and parts classified as requiring protection are parked/stored in accordance with customer requirements?removedMajor
Control question
To what extent is it ensured that vehicles, components, and parts classified as requiring protection are parked/stored in accordance with customer requirements?
Objective
While being parked/stored, vehicles, components and parts classified as requiring protection must be protected against unauthorized viewing, unauthorized photography, and access.
Requirements (must)
+ The customer-specific requirements for parking/storage are verifiably known and observed.
Requirements (should)
None
Additional: high protection needs
None
8.4.1To what extent are the predefined camouflage regulations implemented by the project members?removedMajor
Control question
To what extent are the predefined camouflage regulations implemented by the project members?
Objective
It must be ensured, that the camouflage regulations are known to each project member and observed in order to guarantee adequate view protection of trial vehicles.
Requirements (must)
+ The requirements for using the respective camouflage are known to the project members.
+ Any changes to the camouflage are made upon documented agreement with the customer.
+ A process for the immediate reporting of any damages to the camouflage is described and implemented.
Requirements (should)
None
Additional: high protection needs
None
8.4.2To what extent are measures for protecting approved test and trial grounds observed/implemented?removedMajor
Control question
To what extent are measures for protecting approved test and trial grounds observed/implemented?
Objective
In order to maintain an undisturbed and secured trial operation on test and trial grounds, the respective protective measures defined by the customer must be observed.
Requirements (must)
+ A process for obtaining customer-specific requirements for the use of trial vehicles classified as requiring protection on test and trial grounds is described and implemented.
+ The following aspects must be known to users of test and trial grounds:
- a current list of customer-approved test and trial grounds
- code of conduct for ensuring undisturbed trial operation
- customer-defined protective measures These are implemented.
Requirements (should)
None
Additional: high protection needs
None
8.4.3To what extent are protective measures for approved test and trial drives in public observed/implemented?removedMajor
Control question
To what extent are protective measures for approved test and trial drives in public observed/implemented?
Objective
It must be ensured that the respective customer requirements for the operation of test vehicles classified as requiring protection on public roads are known and observed.
Requirements (must)
+ A process for obtaining customer-specific requirements for the operation of test vehicles classified as requiring protection on public roads is described and implemented.
+ Protective measures defined by the customer are known and observed.
+ The code of conduct in case of special incidents (e.g., breakdown, accident, theft...) is known and observed.
Requirements (should)
None
Additional: high protection needs
None
8.5.1To what extent are security requirements for presentations and events involving vehicles, components or parts classified as requiring protection known?removedMajor
Control question
To what extent are security requirements for presentations and events involving vehicles, components or parts classified as requiring protection known?
Objective
It must be ensured that the respective customer-specific security requirements for presentations and events involving vehicles, components or parts classified as requiring protection are known.
Requirements (must)
+ A process for obtaining customer-specific requirements for presentations and events involving vehicles, components or parts classified as requiring protection is described and implemented.
+ Established and customer-approved security concepts (organizationally, technically,
staff-related).
+ Code of conduct in case of special incidents.
Requirements (should)
None
Additional: high protection needs
None
8.5.2To what extent are the protective measures for film and photo shootings involving vehicles, components or parts classified as requiring protection known?removedMajor
Control question
To what extent are the protective measures for film and photo shootings involving vehicles, components or parts classified as requiring protection known?
Objective
It must be ensured that the respective customer-specific security requirements for film and photo shootings involving vehicles, components or parts classified as requiring protection are known.
Requirements (must)
+ A process for obtaining customer-specific requirements for film and photo shootings involving vehicles, components or parts classified as requiring protection is described and implemented.
+ Proof of approval for the presumably used premises.
+ Established and customer-approved security concepts (organizationally, technically,
staff-related).
+ Code of conduct in case of special incidents.
Requirements (should)
None
Additional: high protection needs
None

Data Protection (Ch. 9)

Chapter 9Data Protectionno changesNone
9.1.1To what extent do data protection policies exist?None
Control question
To what extent do data protection policies exist?
Objective
The organization needs at least one policy on privacy. This reflects the importance and significance of data protection and is adapted to the organization. Other policies may be appropriate depending on the size and structure of your organization.
Requirements (must)
+ A policy is created, regularly updated, and approved by the organization's management.
9.2.1To what extent are the responsibilities for data protection organized?None
Control question
To what extent are the responsibilities for data protection organized?
Objective
Successful data protection requires clear responsibilities in the organization.
Requirements (must)
+ A data protection officer is appointed, if required by Art. 37 GDPR
- Determination of whether the appointment of a data protection officer is voluntary or mandatory
- otherwise determination of a data protection function or comparable
+ Publication of contact details (e.g. on the Internet)
+ Integration into the organization's structure
+ Exercise of the control obligations as defined in Art. 39 (1) (b) GDPR and corresponding documentation
+ Documentation of the data protection status and report to organization's top management
+ Equipped with sufficient capacities and resources
- Determination of whether the data protection function is full-time or part-time
- adequate professional qualification
- regular professional training
- access to specialist literature
- support of the data protection officer by data protection coordinators in the companies organizational units, depending on the company size (e.g. marketing, sales, personnel, logistics, development, etc.)
9.3.1To what extent are processing activities identified and recorded?None
Control question
To what extent are processing activities identified and recorded?
Objective
The company fulfils its duty of accountability and transparency and thus creates an overview of the respective data processing.
Requirements (must)
+ If required by law, a register of processing activities as defined in Article 30 (1) and/or (2) GDPR (in the latter case only information relating to the order, expressly not other information/details on internal processing) exists and is up to date.
- Technical and organizational measures required for processing as required by the information security questionnaire are adequatly implemented for the processing activities
- There is a process description / sequence description with defined responsibilities.
9.4.1To what extent is adequate handling of high-risk processing activities ensured (data protection impact assessment)?None
Control question
To what extent is adequate handling of high-risk processing activities ensured (data protection impact assessment)?
Objective
The handling of high-risk processing is secured in cooperation with the service provider with appropriate measures to identify and, if necessary, reduce risks to the rights and freedoms of the data subjects.
Requirements (must)
+ Processing activities that require a data protection impact assessment are known.
+ Data protection impact assessments are carried out.
- Responsibilities/tasks and support possibilities in the context of data protection impact assessments are defined and known.
9.5.1To what extent is the transfer of data managed?None
Control question
To what extent is the transfer of data managed?
Objective
The company knows and secures data transmissions.
Requirements (must)
+ Appropriate processes and workflows for the transmission of data are implemented (e.g. valid contracts within the meaning of Art. 28 GDPR, suitable transfer instruments like standard contractual clauses, transfer impact assessments, adequacy decisions)
- Ensuring the consent or the right of objection of the person responsible for subcontracting
9.5.2To what extent are contractual obligations passed through to and enforced at subcontractors and cooperation partners?None
Control question
To what extent are contractual obligations passed through to and enforced at subcontractors and cooperation partners?
Objective
The company is aware of and secures data transfers to subcontractors.
Requirements (must)
+ Applicable contractual obligations to clients are passed on to subcontractors and cooperation partners (sub processors).
+ Compliance with contractual agreements is reviewed.
- Contact details of the contact persons of the subcontractor are available and up to date.
9.5.3To what extent are data transfers to third countries managed?None
Control question
To what extent are data transfers to third countries managed?
Objective
The company is aware of and secures data transfers to third countries.
Requirements (must)
+ Transfers to third countries are known and systematically recorded.
- e.g. through corresponding documentation in the processing directory
+ Sufficient guarantees (Chapter V GDPR, consideration of decisions of the ECJ on international data transfer, Transfer Impact Assessment in case of relevance, especially in the role of data exporter) are available for data transfers.
+ In the case of data transfers to third countries, it is determined whether the consent of the person responsible is to be obtained for each transfer to third countries.
9.6.1To what extent are data subject requests processed?None
Control question
To what extent are data subject requests processed?
Objective
The objective is to ensure the timely processing and fulfilment of data subject requests in order to secures the rights of data subjects guaranteed by law.
Requirements (must)
+ Requests from data subjects are processed in a timely manner.
- Procedures are in place to assist the controller in responding to data subject requests.
- Employees are trained to the effect that they must immediately contact the respective person responsible in the event of an incoming request from a data subject and coordinate the further procedure with this person.
9.6.2To what extent are data protection incidents processed?None
Control question
To what extent are data protection incidents processed?
Objective
The objective of processing data protection incidents is to ensure that possible damage to the data subjects is limited and that a recurrence is prevented. In addition, the legally required documentation and, if necessary, timely reporting to the supervisory authority must be ensured.
Requirements (must)
+ Data protection incidents (e.g. unauthorized access to personal data) are processed in a timely manner.
+ The requirements from 1.6 of the information security questionnaire also take into account data protection incidents or, alternatively, there is an emergency plan for dealing with data protection incidents.
+ In addition, procedures are established and documented to ensure the following aspects:
- immediate notification to the respective responsible person, as far as his order is affected
- Documentation of the incident handling activities
- Training of employees on the defined measures/processes
- Support of the respective controller in the processing of data protection incidents
9.7.1To what extent are employees obliged to maintain confidentiality?None
Control question
To what extent are employees obliged to maintain confidentiality?
Objective
Organizations are subject to laws, regulations, and internal policies. For employment (hiring/implementation/termination), it is important that employees commit to compliance with the guidelines.
Requirements (must)
+ Employees whose tasks include the processing of personal data are obliged to maintain confidentiality (even beyond the duration of the employment relationship) and to comply with applicable data protection laws.
- The obligation is documented
9.7.2To what extent are employees trained in data protection?None
Control question
To what extent are employees trained in data protection?
Objective
If the requirements and risks of data protection are not known to employees, there is a risk that employees will behave incorrectly and thus damage the organization. It is therefore important that data protection is internalized and lived as a natural part of their work.
Requirements (must)
+ Employees are trained and sensitized.
- Scope, frequency, and content of the training is determined according to the protection needs of the data
- Employees in critical areas (e.g. IT administrators) are instructed and trained specifically for their work (e.g. specific training courses or instructions, short videos, etc.).
9.8.1To what extent are instructions of processing relationships handled?None
Control question
To what extent are instructions of processing relationships handled?
Objective
The orderly and defined handling of instructions with regard to the processing of the controller is intended to ensure that the tasks of the processor are fulfilled, and that the processor fulfils the planned and contractually agreed obligations (in particular also to determine a possible exceeding of the contractually agreed framework).
Requirements (must)
+ The instructions by the controller regarding the processing of personal data are handled.
+ Procedures and measures are in place to ensure that:
- Received instructions are documented
- Instructions can be implemented (e.g. procedures for correcting, deleting, ...)
- Data is separated by client and specific order or project

The key facts

  • Naming convention: versions are now named by year (2027 instead of 7.0); catalog dated 2026-07-01.
  • Information security: 46 controls as before, but 44 of them were edited.
  • Prototype protection fully restructured: 5 sections become 2, 22 controls become 20.
  • Data protection: all 12 controls unchanged.
  • New mapping to NIST CSF 2.0 and ISO/IEC 27001:2022; several should-requirements are now mandatory.
  • The binding transition date is set by ENX® and is not part of the catalog.

How this comparison is built

We compare the official English catalog versions (ISA 6.0.3 and ISA 2027, 2026-07-01) automatically, line by line, across the requirement fields of every control. Major = at least one requirement added, removed, moved between must/should/protection-need levels, or an entirely new control. Minor = rewording only. None = unchanged. The reasoning is shown on each control; a chapter inherits the highest tier of its controls. Only the original catalogs are authoritative.

Christopher Eller
Christopher Eller
Founder of Valiido and TÜV® SÜD certified ISO® 27001 Auditor

Sources, license and marking

This comparison is based on the official English catalog versions ISA 6.0.3 (ENX® portal) and ISA 2027 (vda.de), © ENX Association, published by the VDA®, licensed under CC BY-ND 4.0 with the additional terms in Section 9 of the license included in the catalog. This side-by-side view is a modified version and has not been reviewed or approved by the licensor. Modifications made: extraction of the requirement columns, line-by-line juxtaposition of both versions, marking of changes, and our own classification (substantial/major/minor). Logos and figurative marks of the licensor are not included; redistribution is under the same license terms. No warranty - only the original catalogs are authoritative. Not included: maturity level, definitions and results tabs as well as support columns (examples, auditor questions, references). Valiido is independent and not affiliated with ENX® or VDA®; the trademarks belong to their respective owners.

Read the analysis: what changes in VDA® ISA 2027 for TISAX®

Start with TISAX® in Valiido today

Valiido is the ISMS software for TISAX®. All controls built in, instant AuditMagic checks. 98.7% pass on first attempt.

  • Guide for TISAX®
  • AuditMagic, instant + weekly report
  • 200+ ready records, ready to use
  • Consultant Support
Christopher Eller, founder of Valiido Christopher, Founder Questions? Message me.