Safety and Standards

Information Security

Information protection and risk management: Security requirements in the automotive industry/ ISO 2700x

Information security requirements

Protecting business processes and information, sometimes under difficult conditions, is a key task for the corporate management. To date no standard requirements have been drawn up for protection measures.

Increasing corporate globalization brings additional demands. When business processes are networked beyond company borders, a similar level of protection is required for all those involved.

In the automotive industry in particular, such networking harbors not only a large number of opportunities; at the same time it makes users more vulnerable and more susceptible to both external and internal threats.



Based on the previous Version 3.0.2 from January 2017, the catalog has been developed and now contains additional controls for the use of cloud services/cloud service providers. The description of the maturity level model has also been revised and the requirements for maturity level 1 have been reworded and clustered accordingly. The current Version 4.0.4 of the document, dated June 12, 2018, is now available in German and English.

Based on the results of the Working Group “Information Security,” the VDA has recommended its members to bring their information protection into line with the international standard ISO 2700x (formerly BS 7799).

The VDA supports its member companies in this process of alignment, with the documents “Communiqué on Information Protection” and the “Information Security Assessment” (see Further Information).

Harmonization of security levels

One key element in achieving a needs-oriented level of information security is the classification and labeling of information. A comparison within the automotive industry revealed differences between the companies both regarding the number and the designation of the classification levels. In recent months the VDA’s Information Security working group has developed a standard scheme for classifying information which has been published now as a White Paper. In conjunction with the requirements of the VDA’s Information Security Assessment (VDA ISA), it helps to prevent misunderstandings and risks during the exchange of information and thus fosters appropriate information handling.

The VDA recommends its members to use this White Paper for orientation and to implement the described scheme for information classification in the companies.

Nach oben springen