What is checked?
With its information security working group, the Verband der Automobilindustrie e.V. (VDA, German Association of the Automotive Industry) published a question catalog in 2008 with recommendations regarding information security measures based on the international standard ISO 2700x – the VDA Information Security Assessment.
In addition to information security, the current version also contains additional modules for prototype protection, data protection, and the connection of project areas. As a result, in the future there will be no need for company-specific "special catalogs" with the special requirements of individual OEMs.
The VDA Information Security Assessment contains the requirements which are checked as part of a TISAX® assessment. The area of information security always forms the basic assessment. The additional modules can then be added as an option, as required.
Assessment scope and assessment labels
The figure shows the modules and the applicable assessment methods according to TISAX®.
The more sensitive the information that you are processing within projects, the higher the level of protection you should select. The following can be used as a rule of thumb:
- Normal protection requirements = Assessment label for Assessment Level 1 – comparable with internal information
- High protection requirements = Assessment label for Assessment Level 2 – comparable with confidential information
- Very high protection requirements = Assessment label for Assessment Level 3 – comparable with classified information
The results of the assessment are valid for a maximum of 3 years and are accepted by the German OEMs.
TISAX® is a registered trademark of the ENX Association.