Information security inside companies

    The German Association of the Automotive Industry (VDA) has drawn up measures for protecting data and prototypes. The current, fifth version of the ISA catalog is available in German and English


    Business processes depend on information and on the information systems that process it, and therefore on the secure handling of both. Information security is more than securing the technical infrastructure: it means securing the entire flow of information, from creation through exchange to disposal. This is a central task for corporate management.

    Networking and globalization within the automotive industry bring numerous advantages, yet they also increase the internal and external risks to which companies are exposed. Suitable protective measures must be introduced to counter these risks. Because business processes are digitalized across company boundaries, every party involved needs a comparable level of information security, one that is guaranteed along the entire value chain rather than only within a single company.

    Experts from the automotive industry work together in the VDA's Information Security working group to develop common standards and appropriate protective measures. One major result of this cooperation is an industry standard for information security assessments, the VDA Information Security Assessment (ISA) catalog.

    The VDA recommends that companies involved in the automotive industry's value chain establish information security based on this VDA ISA.

    Further details of the recommendations regarding information security are available here:


    Information security – Recommendations on the IT Security Act 2.0

    The first German IT Security Act was published in 2015. At that time, only operators of critical infrastructures were covered. With the IT Security Act 2.0, the legislature takes a more holistic approach for the first time. On May 27, 2021, the German government published the "Second Act to Increase the Security of Information Technology Systems" (IT Security Act 2.0, IT-SiG 2.0). Newly covered are companies of significant economic importance as well as suppliers working for such companies that have a unique selling proposition in their field.

    However, the exact group of companies affected has yet to be defined in a separate statutory ordinance. The VDA working group on information security has published a recommendation for the German automotive industry on how to deal with the IT-SiG 2.0, since the industry, both as a provider of digital services and through its companies in the special public interest, is expected to fall under this regulation.

    VDA ISA catalog version 5.1

    The updated Version 5.1 of the VDA ISA catalog is available in German and English.

    It contains industry-wide approved requirements for information security and is the basis for assessments that determine a company's level of information security (Information Security Assessments).

    The VDA ISA catalog is also the basis for the TISAX industry model, which ensures that information security assessment results are recognized across companies, so that a supplier does not have to be assessed separately by each customer. The VDA has called in the ENX Association as a neutral body to manage and support the TISAX model. Further information can be found here.

    The VDA ISA catalog was fundamentally revised in 2020 and optimized in both structure and content. The focus was on making work with the catalog simpler and more efficient, thus reducing effort for companies and auditors. Version 5.1 adds, in addition to linguistic corrections, the protection goals for the requirements for high and very high protection needs in the "Information Security" spreadsheet. The requirements themselves are unchanged.

    In establishing and maintaining an appropriate level of information security, the member companies are supported by the document "Recommendation on Information Security" and the VDA ISA catalog.

    Minimum requirements for prototype protection

    Additional requirements must be fulfilled when dealing with prototypes. Prototypes here means vehicles, components, and parts that are classified as requiring confidentiality and that have not yet been presented to the public by an automobile manufacturer or published in a suitable form.

    The objective of prototype protection is to establish appropriate measures and to regularly review their effectiveness.

    The following document lists the minimum requirements for prototype protection; these requirements are also part of the VDA ISA catalog. The catalog of minimum requirements for prototype protection is available in both English and German.

    Risk management in information security

    A project group of the VDA working group on Information Security has created a white paper on "Information Security Risk Management".

    The aim of this white paper is to make companies in the automotive industry aware of risk-oriented information security management and to enable them to establish effective risk management. Furthermore, the white paper is intended to support companies in preparing for or carrying out a TISAX assessment, so that they can fulfill the requirements of the corresponding control of the VDA ISA in its version 5.0.

    The essential process stages of information security risk management are presented in compact form, while the concrete steps of assessing, treating, and monitoring information security risks are described in detail.

    All process steps are illustrated using two examples that are carried consistently through the whole document, which contributes to a better understanding of the topic.

    The VDA recommends its member companies to use the white paper as a guide.

    Harmonization of security levels

    One fundamental element in achieving a needs-oriented level of information security is the classification of information. A comparison within the automotive industry revealed that companies differ in both the number and the designation of their classification levels, which causes misunderstandings when classified information is exchanged between them.

    The VDA's Information Security working group has developed a standardized scheme for classifying information, which is published as a white paper. In conjunction with the requirements of the VDA ISA, it helps to avoid misunderstandings and risks when exchanging information and thus allows such information to be handled appropriately.

    The VDA recommends that its member companies use this white paper for orientation and implement the information classification scheme it describes within their companies.

    Coordination Unit for Security & Data

    Martin Lorenz

    Acting head of Department