2023-10-16 by Immo Wehrenberg ISA6
With TISAX, the automotive industry has set its standard for assessing the information and cyber security. It is optimized to the automotive industry need to scale to large multi-tier value creation networks and provides mutual recognition of assessment results.
TISAX as a risk-based and process-oriented management system approach for the supply chain was established in a very short time. With far more than 10,000 sites audited in over 75 countries, TISAX has become one of the most successfully established standards worldwide.
The basis of TISAX information and cyber security assessments of organizations is the ISA catalogue. Today, the new version 6 of ISA has been published and is now available for download. ISA 6 developed by our international expert is the newest major revision of the ISA catalogue. It defines the baseline and state of the art for information and cyber security of organizations from an automotive industry perspective.
ISA 6 comes with a large set of changes and improvements that are detailed in this posting. Most notably
Before we get into the details of ISA 6, we will make a short excursion to the transition.
We are well aware that introducing new controls and changes cannot take effect without sufficient prior notice. Both auditors and auditees need to familiarize themselves with the changes. For that, we provide a redline version of the ISA that contains a detailed change log and highlights all changes in red. You can download this version here.
Also, we understand that the process to familiarize may take time, especially if the new version has helped your organization to identify gaps that now need to be closed. We have set April 1st 2024 as the effective date for ISA 6 in TISAX. The rules for the transition defined around that effective date are the same as in previous changes:
Due to persistently high case numbers of ransomware attacks, the availability of information and information technology assets - including OT - has come into focus. They are vital to our industry's tightly integrated production and just-in-time processes.
Accordingly, strengthening the industry posture in this regard was at the heart of the working group’s effort. Since it would be short-sighted to assume that successful attacks will be completely preventable by defining security controls and requirements, the group focused not only on preventing successful attacks, but also on minimizing the impact of a successful attack and ensuring an effective and timely recovery.
To strengthen protection against such attacks, the working group has ensured that all requirements in ISA/IEC 62443-2-1 (“Security for industrial automation and control systems: Security program requirements for IACS asset owners”) are covered by ISA and that indeed all controls from ISA chapter 5 (IT and Cyber Security) are applicable. As an outcome, all relevant control questions in ISA now mapped to ISA/IEC 62443-2-1 and a few minor changes in requirements to perfectly align with the standard have been made.
Additionally, the Working Group ISA has reworked key sections of the ISA that are vital to prevent the attacks. This includes a completely new control, 1.3.4, that requires the secure management of software on clients as well as added requirements in 5.2.6 and 5.3.1.
Recognizing that attacks cannot be successfully prevented holistically, an approach to minimizing the impact of a successful attack is needed. A priority here is early detection that an attack has taken place. Key component is to have a working security event reporting. The new control 1.6.1 is designed to ensure that it is clear what needs to be reported and that appropriate reporting mechanisms are established.
Once an successful attack is detected, timely and coordinated response to the attack is key. The new control 1.6.2 is designed to ensure that security incidents are handled in an orderly, timely and professional manner and the organization has the chance to detect patterns of sophisticated attacks which are detected as isolated incidents. An important part of the response to the incidents is to also timely communicate to affected suppliers and customers in an appropriate and professional way.
Executing solid service continuity planning will significantly reduce the impact of an attack. Therefore, the new control 5.2.8 addresses the service-continuity planning. This includes not only redundant and independent key systems, but also includes fallback modes of operation to keep key business processes running while relevant IT infrastructure is unavailable.
In the worst case, an attack causes such a disruption to business operations that regular company processes are insufficient to deal with the situation. In ISA this is called a crisis. The new control 1.6.3 is dedicated to ensuring that an organization is sufficiently prepared to deal with such a crisis.
Regardless of whether the attack has escalated to a crisis or only affected isolated IT systems and business processes, recovery will be necessary to limit the impact of a successful attack. The new control 5.2.9 is designed to prepare an organization as best as possible to recover from a successful attack on IT Systems and Services by having a solid backup and recovery concept.
In total, six completely new control questions along with new requirements to existing controls have been introduced. At the same time, two ISA 5 controls for incident (1.6.1) and crisis (3.1.2) become obsolete and therefore no longer in ISA 6.
ISA Version 6 is the first version developed by an international team of experts from Europe and North America. This allowed us to integrate multiple perspectives on information and cyber security, but also mandated a switch of its main working language to English.
Therefore, the ISA 6’s leading language has become English. This means that if there are any differences in other language, you can always fall back to the English version which removes any doubts in case of translation inaccuracies.
Because it is now clear that the English version is the original source, we no longer need to have all translations personally quality assured and approved by the experts. In the past, this restricted possible translations to languages that experts had deep language understanding which effectively meant English and German were the only supported languages.
With that requirement out of the way, we will now be able to offer more translations of ISA. For now, we are planning to release translations in the following languages:
We remain open for further languages in case of demand.
With TISAX and the ISA, our objective is to improve the overall level of information and cyber security of the automotive industry. Performing security assessments is a very powerful tool that has achieved far more than 50.000 improvements (a.k.a. addressed non-conformities) throughout the years.
However, we also know that most of the improvement is not done in reaction to the assessment result, but instead while preparing for the assessment. At this point most of the processes are established or improved to become compliant with the requirements. And for non-information-security experts its often hard to understand what the abstract control questions and requirements mean in practice.
At the same time, every organization is different, and every organization needs to find a solution that works well for itself. Writing more concrete requirements is therefore no viable solution. To still give more guidance, ISA 5 already started to provide non-binding additional information and implementation examples for some of the controls. These texts are designed to help organizations in finding good and appropriate solutions for themselves. ISA 6 has built on the foundation laid down by ISA 5 and added such guidance for many more controls. This guidance was written by the most experienced TISAX auditors and reflects knowledge obtained from hundreds of TISAX Assessments.
At the same time, ISA is not the only source of good implementation guidance. A lot of publications that help organizations to improve their security posture exist. Two notable examples are the German BSI IT Grundschutz and the US NIST SP 800-52. We have added references to both standards in a new column “Reference to Implementation Guidance”. By following the references, organizations can find detailed implementation requirements that – if implemented correctly – should significantly contribute to becoming more secure and ISA compliant.
For ISA 6, the German Federal Office for Information Security (BSI) has provided a mapping from the ISA standard to their much more specific BSI Grundschutz Standard and Compendium.
For NIST SP 800-52, the same work has been done by north American experts within the ISA Working Group.
Every company that has a seat in the European Union must comply with the European General Data Protection Regulation (GDPR). This includes a requirement to ensure that every organization that processes personal data on behalf of itself (a “Processor”) also complies with key requirements from the GDPR.
ISA and TISAX are not designed to directly enforce compliance to laws or regulations. However, it is designed to help organizations to fulfil their regulatory requirements while reducing overhead. Accordingly, the data protection catalogue objective should help organizations to ensure that their processors fulfil the necessary requirements.
For that purpose, the data protection catalogue supplements the existing information security catalogue with requirements for processors. ISA Version 6 contains a completely rewritten data protection catalogue that should better support organizations to ensure GDPR compliance of their processors.
Not only the ISA is subject to a continuous improvement process, but other standards are also constantly being further developed. It is therefore important to keep an eye on these as well. Since the ISA is a control catalogue for an ISMS implementation, the working group is always closely observing the international standard on how to implement an information security management system for an organization, the ISO/IEC 27001. A new revision of ISO/IEC 27001 was published in 2022 and accordingly ISA 6 now contains references to the 2022-revision of ISO/IEC 27001.
Additionally, the internationalization of the working group has shifted the NIST Cyber Security Framework (CSF) into our view. We have learned that the NIST CSF aligns closely with ISA. ISA 6 now also comes with a new mapping to NIST CSF version 1.1.
Every ISA release comes with a lot of continuous improvement and maintenance. When we re-organized the ISA with version 5, we decided to allow optionally to use the old structure to simplify the transition. With Version 5 now more than a full 3-year validity cycle through and even ISO 27001 having moved on to a new structure, version 6 removes this legacy.
Also, our group continuously improves the clarity and precision of requirements. These are mostly small changes that should not create significant changes but make the catalogue more clear and easier to understand. Most notably, these changes can be seen in the definition and glossary tab where new words have been defined that are also used consistently throughout the catalogue.
Another point of improvement addresses the Simplified Group Assessment. To be applicable for an assessment according to the Simplified Group Assessment mechanism, the organization needs to proof that their information security management system is sufficiently centralized. To verify the needed centralization, auditors check a list of additional requirements for some of the ISA control questions. These additional requirements were previously separated from the ISA and could be found in the TISAX Specification of Assessments and the ENX SGA Handbook only. With ISA 6, these additional requirements are now directly integrated into the catalogue as a separate column, making it much more accessible to both auditors and auditees.
We will provide deep dives for relevant aspects in the following weeks, stay tuned for new info. If you have questions on the ISA release, please reach out to us at firstname.lastname@example.org. In case you have feedback to ISA 6, found mistakes or errors in the document or have suggestions for future ISA releases, please contact the working group under email@example.com.