In today's business world, information security and compliance are not only a matter of internal protection; they are frequently also required by law or by contract. The VDA ISA (Verband der Automobilindustrie / Association of the Automotive Industry: Information Security Assessment) gives companies in the automotive supply chain a structured catalogue for meeting the security standards their customers demand. The VDA ISA distinguishes between must requirements and should requirements, which differ in how binding they are. But what exactly do these categories mean, and how should companies deal with them?
Must requirements: Strict specifications
Must requirements are mandatory and have to be implemented without exception. They define the basic security measures needed to reach and maintain a defined level of security. Failing to meet them has serious consequences, both as a concrete security risk and as non-compliance with regulations and contracts.
Should requirements: Flexibility with care
Should requirements are also to be implemented as a rule; they may only be omitted where there are compelling, documented reasons for an exception. In such a case the company has to assess the resulting risk and, where necessary, put alternative measures in place so that information security is preserved. What matters is that the protection objective behind the requirement is still achieved, even if the measure is not implemented literally as worded in the VDA ISA.
In addition to must and should requirements, the VDA ISA contains additional requirements for high and very high protection needs. Where such a protection need applies, both sets of additional requirements are must requirements.
A practical example: The photographer
The TISAX® process is often compared with ISO 27001 certification. The two have similarities but also significant differences. A successful ISO 27001 audit results in a certificate for the information security management system, whereas TISAX® awards labels that attest to a specific, predefined level of security. ISO 27001 knows no such fixed level: the organization itself determines which controls are appropriate, and a cost-benefit argument (appropriateness) is a legitimate part of that decision. Under TISAX®, by contrast, the assessment level and the VDA ISA catalogue fix the required measures, so financial considerations play a much smaller role in judging what is appropriate.
Let's imagine a freelance photographer who specializes in photographing vehicles that have not yet been released and is therefore commissioned by automobile manufacturers as a service provider. Suddenly the word TISAX® appears in a request for quotation, and the photographer has to deal with implementing the VDA ISA. From his point of view many of the requirements are not financially justifiable, so he decides to strike the costly ones. His reasoning: his ISO 27001 consultant told him to pay particular attention to appropriateness when implementing controls. In concrete terms this means that the vehicles supplied by the manufacturer are parked at the roadside under nothing but a tarpaulin, instead of being handled as the contract and the VDA ISA require.
Here the photographer makes several mistakes:
Breach of contract: The photographer must not violate contractually agreed requirements. In addition to the general measures in the VDA ISA, automobile manufacturers specify concrete rules for handling such vehicles (storage, transport, access, disclosure) in their contracts.
Assumption of risk: He must not, on his own authority, accept risks to third-party property and information, particularly where this creates a significant and immediate risk to information security. The risk owner is the manufacturer, not the service provider.
Cost argument: Financial considerations do not justify omitting required security measures. If a requirement cannot be met, the correct path is a documented exception with a risk assessment and compensating measures, not silently deleting it.
Even if he decided to postpone implementing the measures until the first order came in, he could not obtain a label in the meantime. The assessment examines only measures that are actually implemented and processes that are demonstrably in operation. Measures that have not yet been implemented can only be rated negatively, and processes that are not yet practiced receive a correspondingly lower maturity level.
Attestation instead of certificate
The label is intended as objective proof that every TISAX® participant can rely on. A valid TISAX® label therefore means that the associated security requirements, procedures and processes are fully implemented, in place, trained and documented at the time of the assessment, not merely planned.