
GAP analysis, risk assessment and ISO

GAP analysis

At a minimum, every measure (control) on the "Information Security" tab of the VDA ISA 5.0 catalogue must be implemented in your company. Which additional controls apply depends directly on the assessment scope you have chosen: with a pure information security scope you only have to cover that tab, whereas a scope that includes prototype protection also requires the prototype protection controls. In total there are 41 controls on the Information Security tab, 22 controls on the Prototype Protection tab and 4 controls on the Data Protection tab. The prototype protection controls are further divided according to the audit target, as shown in the following table:

Audit target                                                      | Applicable chapter of the VDA ISA catalogue
------------------------------------------------------------------|--------------------------------------------
Protection for components and components of prototypes           | Proto Parts
Protection for prototype vehicles                                 | Proto Vehicles
Protection for test vehicles                                      | Test vehicles
Protection for prototypes during events, film & photo shootings   | Events & Shootings

The VDA ISA catalogue therefore serves two purposes at once: it is the checklist of what has to be implemented, and it is the tool with which you carry out the GAP analysis itself, by rating the current state of each control against the requirement. Used this way, the catalogue shows you where you currently stand and lets you plan how much work still lies ahead.

Risk assessment, risk management and risk treatment

An ISMS is risk-based: all of its rules are oriented to the actual risk, so there must be a risk management process that includes a risk assessment and a risk treatment plan. Risk management is concerned in particular with identifying potential risks and evaluating them with regard to information security. This allows the threats and the appropriate countermeasures to be weighed against each other on the basis of risk. It also gives a clearer picture of cases where the cost or the operational restrictions of a countermeasure would exceed its benefit.

Tip: Form a risk assessment team. A team usually discovers more risks, and the different perspectives keep the assessment close to everyday practice, which also sharpens your own view of the risks.

The document "Risk Management Procedure", together with the table "Risk Assessment and Treatment Plan", offers you a simple method to identify, assess and treat your risks. In the procedure, define your risk classes and describe how risks in each class are to be dealt with.

Appointment of the Information Security Officer (ISO/ISB)

The Information Security Officer carries a great deal of responsibility and should therefore have the following competences:

  • Required expertise
  • Leadership Competence
  • Social Competence
  • Entrepreneurial competence

The ISO's tasks include the following:

  • Carrying out internal audits
  • Staff training
  • Contact person for problems and questions
  • Support of the management by consulting
  • Implementing current regulations and measures
  • Developing security concepts
  • Providing employees with the knowledge and information they need

The management appoints the Information Security Officer (ISO) and ensures that the appointment is formalised in writing. A suitable document template is available in the toolkit under the title "Appointment Information Security Officer". It lists the tasks once more and is then signed by the management and the new ISO.