
VDA/ISA TISAX controls and description of implementation


1.2.1 To what extent is information security managed within the organization?

Jonas December 18, 2020
Information security can be implemented sustainably only if it is part of the organization's strategic goals. The information security management system (ISMS) is a control mechanism used by the organization's management to ensure that information security is the result of sustainable management rather than of mere coincidence and individual effort.
The ISMS should clearly define which locations, departments, networks, resources or processes are included and which are not. Additionally, management should be informed about the ISMS.
+ The scope of the ISMS (the organization managed by the ISMS) is defined.
+ The organization’s requirements for the ISMS are determined.
+ The organizational management has commissioned and approved the ISMS.
+ The ISMS provides the organizational management with suitable monitoring and control means (e.g. management review).
+ Applicable controls have been identified (e.g. ISO 27001 Statement of Applicability, completed ISA questionnaire).
+ The effectiveness of the ISMS is regularly reviewed by the management.
Can be fulfilled as follows:
The scope of the ISMS is defined. Often this simply applies to the whole company, but there are also outsourced processes that do not work with information worth protecting and can therefore also be excluded.
The company's requirements should already have been defined under standard point 1.1.1.
You should carry out a management review at least once a year and on an ad hoc basis in order to provide management with appropriate information about the ISMS.
During the ISMS implementation you should fill in the VDA ISA catalogue (description of the implementation, assessment of the maturity level and the reference documents).
The norm chapter does not define "should" requirements for this chapter.
This means no additional steps for you.
High protection:
The norm chapter does not define "should" requirements for this chapter.
This means no additional steps for you.
Very high protection:
The norm chapter does not define additional measures if you are targeting the very high protection level.
This means no additional steps for you.

Description of implementation:

  • The scope of the ISMS is defined and described. The ISMS meets the requirements of the VDA ISA catalogue (V5.0.3) (see scope).
  • The organisation’s requirements for the ISMS are also established and defined (see information security policy, chapters 1.1 & 1.2).
  • Through the release of the two guiding documents, the ISMS is mandated and defined by the organisation’s top management.
  • Reporting to top management takes place at least once a year through the management review. However, the top management is also informed of event-related situations. This also includes a review of the effectiveness of the ISMS.
  • The system documentation is on the intranet, has been released and is managed.
  • Applicable controls were determined using VDA ISA 5.0 and are documented (see completed VDA ISA catalogue).

Reference documents:

  • Definition of Scope
  • Information security policy
  • Management review