Back to Course

VDA/ISA TISAX controls and description of implementation

0% Complete
0/88 Steps
  1. 1. Information security policies and organization
    1.1 Information security policies
    1 Topic
  2. 1.2 Organization of information security
    4 Topics
  3. 1.3 Asset management
    3 Topics
  4. 1.4 Information security risk management
    1 Topic
  5. 1.5 Assessments
    2 Topics
  6. 1.6 incident management
    1 Topic
  7. 2. Human resources
    2.1 Human resources
    4 Topics
  8. 3. Physical security and business continuity
    3.1 Physical security and business continuity
    4 Topics
  9. 4. Identity and access management
    4.1 Identity management
    3 Topics
  10. 4.2 Access management
    1 Topic
  11. 5. IT security/ cyber security
    5.1 Cryptography
    2 Topics
  12. 5.2 Operations security
    7 Topics
  13. 5.3 System acquisitions, requirement management and development
    4 Topics
  14. 6. Supplier relationships
    6.1 Supplier relationships
    2 Topics
  15. 7. Compliance
    7.1 Compliance
    2 Topics
  16. 8. Prototype protection
    8.1 Physical and environmental security
    8 Topics
  17. 8.2 Organizational requirements
    7 Topics
  18. 8.3 Handling of vehicles, components and parts
    2 Topics
  19. 8.4 Requirements for trial vehicles
    3 Topics
  20. 8.5 Requirements for events and shootings
    2 Topics
  21. 9. Data protection
    9.1 Data protection
    4 Topics
Lesson 4, Topic 1
In Progress

1.4.1 To what extent are information security risks managed?

Jonas December 18, 2020
Lesson Progress
0% Complete

Information security risk management aims at the timely detection, assessment and addressing of risks in order to achieve the protection objectives of information security. It thus enables the organization to establish adequate measures for protecting its information assets under consideration of the associated prospects and risks. It is recommended to keep the information security risk management of an organization as simple as possible such as to enable its effective and efficient operation.

Since you have already created an asset inventory with the most important company assets, you should assess them according to their risk in the risk management and treatment plan. There you should also initiate appropriate measures, if necessary, to minimise the risks.

+ Risk assessments are carried out both at regular intervals and in response to events.
+ Information security risks are assessed in a suitable manner according to e.g. probability of occurrence and potential damage.
+ Information security risks are documented.
+ A responsible person (risk owner) is assigned to each information security risk. This person is responsible for the assessment and handling of the information security risks.

Can be fulfilled as follows:
To be aware of the risks, they should be documented. The probabilities of occurrence are assessed and the potential damage that may occur if the risk materialises. The recommended scheme of ISO 27001 is used here. Here, both criteria are evaluated in levels 1-3. This then results in the risk class (1 -3). The management must decide whether risks are accepted or not, because, for example, a risk may be great but countermeasures may be too expensive or similar. If the risk is not accepted, countermeasures are directly defined there.
So you implement this as follows:
– Adapt the risk assessment to your company and evaluate the risks. Make sure that the risk management is in conformity with the asset inventory. Do this once a year and on an ad hoc basis, e.g. when you get new assets into the company. Assign a responsible person or department to each risk.

+ A procedure to identify, assess and address information security risks within the organization is in place.
+ Criteria for the assessment and handling of information security risks exist.
+ Measures for handling information security risks and the persons responsible for these are specified and documented.
  – A plan of measures or an overview of their state of implementation exists.
+ In case of changes to the environment (e.g. organizational structure, location, changes to regulations), reassessment is carried out in a timely manner.

Can be fulfilled as follows:
The assessment of risks should be defined so that it is not arbitrary. The template here is the assessment scheme according to ISO 27001, which we recommend. The treatment plan is directly included in the risk assessment. There, measures can be defined and by when they should be established, as well as who is responsible for their implementation.
So you implement this as follows:
– Read the risk management procedure and adapt it if deemed necessary. Have the document approved by management.
– Establish measures and determine who is responsible and the date by which the measures should be established.
– Adjust the risk assessment if there are major changes and document the date of the update.

Very high protection:
The norm chapter does not define additional measures if you are targeting a security level very high.

Description of implementation:

  • Risk assessments are carried out at least once a year, but also on an ad hoc basis at any time.
  • The classification of the risk class into classes 1 – 3 is done by means of assessing the possible damage and the probability of occurrence. These criteria are documented in the document “Risk management procedure”.
  • All risks are assessed, documented, described and measures are defined. There are assigned and documented responsibilities for the risks and the planned measures. The status (In planning, Completed or In progress) is also documented here, as well as the date by which the measure must be implemented.
  • There is a procedure for identifying, assessing and dealing with information security risks within the organisation.
  • A column is available in the risk assessment and treatment where the date after a reassessment is entered.

Reference documents:

  • Risk assessment and treatment plan
  • Risk management procedure