Cross-Norm Mapping: ISO 27001 ↔ VDA ISA ↔ NIS2
Use this table to add cross-references (norm_refs) when enriching controls.
ISO 27001 Annex A → VDA ISA Mapping
| ISO 27001 | Topic | VDA ISA Chapter |
|---|---|---|
| A.5.01-A.5.08 | Policies, Roles, Segregation, Management | 1.1 IS-Richtlinien, 1.2 Organisation |
| A.5.09-A.5.13 | Asset Management, Acceptable Use | 1.3 Asset-Management |
| A.5.14-A.5.18 | Information Transfer, Access Control | 2.1 Zugangskontrolle |
| A.5.19-A.5.23 | Supplier Relationships | 4.1 Lieferanten-IS |
| A.5.24-A.5.28 | Incident Management | 1.6 Vorfallmanagement |
| A.5.29-A.5.30 | Business Continuity | 1.5 Betriebskontinuitaet |
| A.5.31-A.5.36 | Legal, Compliance, Review | 1.4 Compliance |
| A.5.37 | Documented Procedures | 1.1 IS-Richtlinien |
| A.6.01-A.6.08 | People Security | 1.2 Organisation, 3.1 Personalsicherheit |
| A.7.01-A.7.14 | Physical Security | 2.2 Physische Sicherheit |
| A.8.01-A.8.12 | Technology Controls (Config, Access) | 2.1 Zugangskontrolle, 5.1 Systemhärtung |
| A.8.13-A.8.16 | Backup, Redundancy, Logging | 5.2 Betrieb, 5.3 Netzwerk |
| A.8.17-A.8.22 | Clock Sync, Privileged Access, Network | 5.3 Netzwerk, 5.4 Kryptografie |
| A.8.23-A.8.34 | Development, Testing, Change Mgmt | 5.5 Entwicklung, 5.6 Aenderungsmanagement |
ISO 27001 Annex A → NIS2 Mapping
| ISO 27001 | NIS2 Article | Topic |
|---|---|---|
| A.5.01-A.5.08 | Art. 21(2)(a) | Policies, governance |
| A.5.24-A.5.28 | Art. 21(2)(b) | Incident handling |
| A.5.29-A.5.30 | Art. 21(2)(c) | Business continuity |
| A.5.19-A.5.23 | Art. 21(2)(d) | Supply chain security |
| A.8.01-A.8.34 | Art. 21(2)(e) | Network & info system security |
| A.5.31-A.5.36 | Art. 21(2)(f) | Vulnerability assessment |
| A.5.09-A.5.13 | Art. 21(2)(g) | Cybersecurity practices |
| A.8.22-A.8.25 | Art. 21(2)(h) | Cryptography, encryption |
| A.6.01-A.6.08 | Art. 21(2)(i) | HR security, access control |
| A.8.01-A.8.05 | Art. 21(2)(j) | Multi-factor authentication |
|  | Art. 23 | Incident reporting obligations |
VDA ISA Chapters Overview
| Chapter | Topic | ISO 27001 Annex A |
|---|---|---|
| 1.1 | IS-Richtlinien und Organisation | A.5.01-A.5.08 |
| 1.2 | Organisation der IS | A.5.02-A.5.06, A.6 |
| 1.3 | Asset-Management | A.5.09-A.5.13 |
| 1.4 | Compliance | A.5.31-A.5.36 |
| 1.5 | Betriebskontinuitaet | A.5.29-A.5.30 |
| 1.6 | Vorfallmanagement | A.5.24-A.5.28 |
| 2.1 | Zugangskontrolle | A.5.14-A.5.18, A.8.01-A.8.05 |
| 2.2 | Physische Sicherheit | A.7 |
| 3.1 | Personalsicherheit | A.6 |
| 4.1 | Lieferanten-IS | A.5.19-A.5.23 |
| 5.1 | Systemhaertung | A.8.06-A.8.12 |
| 5.2 | Betrieb | A.8.13-A.8.16 |
| 5.3 | Netzwerk | A.8.17-A.8.22 |
| 5.4 | Kryptografie | A.8.22-A.8.25 |
| 5.5 | Entwicklung | A.8.23-A.8.30 |
| 5.6 | Aenderungsmanagement | A.8.31-A.8.34 |
Usage in Controls
When enriching an ISO 27001 control:
1. Look up the VDA ISA mapping in this table
2. If a VDA ISA chapter maps to this control, add VDA ISA to norm_refs
3. Mention the cross-reference in the Beschreibung: "Korrespondierende VDA ISA Kontrolle: X.Y"
4. If NIS2 also maps, add NIS2 to norm_refs
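The four steps above as a small lookup helper, added here as an example and not part of the original reference or its tooling: it takes an Annex A control id, matches it against the range notation used in the tables ("A.5.24-A.5.28", a single control "A.5.37", or a whole section "A.7"), and returns the norm_refs entries plus the extended Beschreibung. The table excerpt, the dict layout and the function names are assumptions; only a few rows of the tables are reproduced.

```python
# Constructed excerpt of the two mapping tables on this page (assumption: a real
# tool would hold the full tables; only a few rows are reproduced here).
ISO_TO_VDA = {
    "A.5.01-A.5.08": ["1.1", "1.2"],
    "A.5.19-A.5.23": ["4.1"],
    "A.5.24-A.5.28": ["1.6"],
    "A.5.37": ["1.1"],              # single control, no range
    "A.7": ["2.2"],                 # whole-section entry, as in the chapter overview
    "A.8.01-A.8.12": ["2.1", "5.1"],
}
ISO_TO_NIS2 = {
    "A.5.19-A.5.23": "Art. 21(2)(d)",
    "A.5.24-A.5.28": "Art. 21(2)(b)",
    "A.8.01-A.8.34": "Art. 21(2)(e)",
    "A.8.01-A.8.05": "Art. 21(2)(j)",
}


def _key(control):
    """'A.5.25' -> (5, 25); a bare section such as 'A.7' -> (7, None)."""
    parts = control.strip().split(".")
    return int(parts[1]), (int(parts[2]) if len(parts) > 2 else None)


def in_range(control, rng):
    """True if control lies inside an Annex A range, single control or whole section."""
    lo, _, hi = rng.partition("-")
    sec, num = _key(control)
    lo_sec, lo_num = _key(lo)
    if lo_num is None:          # whole-section entry: compare section number only
        return sec == lo_sec
    if num is None:             # a bare section id never matches a numbered range
        return False
    return (lo_sec, lo_num) <= (sec, num) <= _key(hi or lo)


def enrich(control, beschreibung):
    """Apply the four usage steps to one control; returns the fields to write back."""
    norm_refs = []
    vda = sorted({ch for rng, chs in ISO_TO_VDA.items() if in_range(control, rng) for ch in chs})
    if vda:                     # steps 2 and 3: add VDA ISA and the cross-reference sentence
        norm_refs.append("VDA ISA")
        beschreibung = beschreibung.rstrip() + " Korrespondierende VDA ISA Kontrolle: " + ", ".join(vda)
    nis2 = sorted({art for rng, art in ISO_TO_NIS2.items() if in_range(control, rng)})
    if nis2:                    # step 4: NIS2 maps as well
        norm_refs.append("NIS2")
    return {"control": control, "norm_refs": norm_refs, "nis2_articles": nis2, "Beschreibung": beschreibung}


if __name__ == "__main__":
    print(enrich("A.5.25", "Vorfaelle werden nach Prozess bearbeitet."))
```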