Information Security

Business processes depend mainly on information and information systems and their secure processing. Information security is more than just securing the technical infrastructure - it means security of the entire information flow. This is a central task of corporate management.

The networking and globalization of the digital future in the automotive industry has numerous advantages, but the internal and external risks for companies are also increasing. In order to counter these, suitable protective measures must be established. The digitization of business processes across company boundaries therefore requires a comparable level of information security for all those involved, which is guaranteed throughout the entire value chain.

Experts from the automotive industry work together in the VDA's Information Security Working Group to develop common standards and appropriate protective measures. A major result of this cooperation is an industry standard for information security assessments, the VDA Information Security Assessment (ISA) catalogue.

The VDA recommends that companies involved in the automotive industry's value chain establish information security based on VDA ISA.

The current VDA ISA catalogue in version 5.0 is available in German and English (released July 2020). The VDA ISA catalogue, version 5.0 will be used for new TISAX assessments from October 1st, 2020. Until then, the previous VDA ISA catalogue, version 4.1.1, is still valid. For ongoing TISAX assessments the previous catalogue, version 4.1.1, can also be used (until March 31st 2021).

The VDA ISA catalogue is the basis for the TISAX model, which guarantees cross-company recognition of assessment results.

The VDA has consulted the ENX Association as an independent authority for the control and support of the TISAX model. Further information is available at https://portal.enx.com/en-us//

VDA Information Security Assessment: VDA ISA catalogue available in version 5.0

The VDA ISA catalogue was fundamentally revised in 2020 and optimized both structurally and in terms of content. The focus was on making working with the catalogue easier and more efficient, thus reducing the workload for companies and auditors.

All requirements of the "Information Security" module were checked with regard to the current state of the art and for appropriateness. Some redundancies were also removed and the VDA ISA catalogue was developed into a comprehensive tool.

The modules "Prototype protection" and "Data protection" were also adapted to the new structure of the catalogue.

In establishing and maintaining an appropriate level of information security, the member companies are supported by the document "Recommendation Information Security" and the VDA ISA catalogue (see below "Further Publications").

Minimum requirements for prototype protection

Additional requirements must be fulfilled when handling prototypes. Prototypes are vehicles, components and parts which are classified for non-disclosure and which have not yet been presented to the publicity by an automobile manufacturer and/or published in another suitable form.

The objective of prototype protection is to establish appropriate measures for the protection of prototypes and to regularly review the effectiveness of these measures.

The following document lists the minimum requirements for prototype protection. The requirements are also part of the VDA ISA catalogue.

Information Security Risk Management

A project group of the VDA Working Group “Information Security” created a white paper about "Information Security Risk Management".

The objective of this white paper is to sensitize companies in the automotive industry to a risk-oriented information security management and to enable them to establish effective information security risk management. Furthermore, the white paper should support companies in the preparation or execution of a TISAX assessment to fulfill the requirements of the corresponding control of the VDA ISA in the current version 5.0.

The essential process steps of information security risk management are presented in compact form and the concrete steps of assessing, treating and monitoring information security risks are described in detail.

In parallel, all process steps are illustrated using two consistent examples. This should contribute to a better understanding of the topic.

The VDA recommends its member companies to use the white paper as a guide.

Harmonization of security levels

One key element in achieving a needs-oriented level of information security is the classification and labeling of information. A comparison within the automotive industry revealed differences between the companies both regarding the number and the designation of the classification levels. In recent months the VDA’s Information Security working group has developed a standard scheme for classifying information which has been published now as a White Paper. In conjunction with the requirements of the VDA’s Information Security Assessment (VDA ISA), it helps to prevent misunderstandings and risks during the exchange of information and thus fosters appropriate information handling.

The VDA recommends its members to use this White Paper for orientation and to implement the described scheme for information classification in the companies.