Introducing new TISAX Labels for confidentiality and availability

2022-10-28 by Immo Wehrenberg TISAX

Changes in the threat landscape

For a long time, the information and cyber security requirements of the automotive industry were driven by the need to protect investments in research and development from industrial espionage and leaks. This was true when the initial versions of the Information Security Assessment (ISA) were released by VDA, and it was still true when TISAX officially started in 2017 and when ENX's Working Group (WG) ISA developed version 5.

While confidentiality is undoubtedly a big part of information security, information security also aims to protect the integrity and availability of information. The baseline requirements and most of the so-called "additional requirements" included in ISA and TISAX target all three objectives, but there have always been some additional requirements aimed solely at confidentiality. Accordingly, TISAX was applied mostly to organizations and locations that handle confidential information.

Recently, another significant threat has gained attention because of the impact it has on every industry: ransomware attacks. Ransomware is also a threat to confidentiality, but the damage caused by lost availability, i.e., by a limited or lost ability to deliver, can be even worse.

This impact is most relevant for production. Direct suppliers are at the heart of the production processes, and outages in production cause the most damage further along the supply chain. In simple words: if required parts are missing due to an outage at the supplier, the customer cannot produce cars.

This puts a magnifying glass on this part of the industry's compliance with information security requirements. If you are a production parts supplier, it is now likely that customers will ask you to prove your information and cyber security. In many cases, TISAX is exactly what you need to answer this demand.

Splitting the TISAX Labels “Info High” and “Info Very High”

TISAX Assessment Objectives

TISAX uses the TISAX Assessment Objectives and TISAX Labels to tailor the assessment and the assessment result to the risk profile of an organization.

More specifically, the TISAX Assessment Objectives define how the assessment is conducted (the TISAX Assessment Level as well as the requirements in scope of the assessment). With the new class of suppliers now coming into focus, TISAX also has to cover a different risk profile with its own specific set of requirements. This makes it necessary to change how the current TISAX Assessment Objectives are organized.

Classifying additional requirements

Our Working Group ISA has verified that all baseline requirements ("must" and "should") are equally valid for confidentiality, integrity, and availability. The existing additional requirements for high and very high protection needs have been reviewed for their relevance to each of the three protection objectives and marked accordingly. You might have noticed the combination of the letters C, I, and A that appears at the end of each additional requirement in ISA version 5.1; with "C" standing for Confidentiality, "I" for Integrity, and "A" for Availability, this marking is the result of that work.

Splitting the TISAX Assessment Objectives "Handling of Information with High Protection Needs" ("Info High") and "Handling of Information with Very High Protection Needs" ("Info Very High")

With all these building blocks in place, we have everything we need to introduce the new TISAX Labels. The availability labels can already be selected in the ENX Portal and can be used for assessments from the beginning of 2023.

As shown in the image, the current "Handling of Information with High Protection Needs" ("Info High") label will be split into "Confidential" and "High Availability". Accordingly, the current "Handling of Information with Very High Protection Needs" ("Info Very High") label will be split into "Strictly Confidential" and "Very High Availability".

The new setup of the objectives is as follows:

  • "Confidential" covers all baseline requirements, and all additional requirements for high protection need that are marked with a C.
  • "High Availability" covers all baseline requirements, and all additional requirements for high protection need that are marked with an A.
  • "Strictly Confidential" covers all baseline requirements, and all additional requirements for high and very high protection needs that are marked with a C.
  • "Very High Availability" covers all baseline requirements, and all additional requirements for high and very high protection needs that are marked with an A.

Please note that each of the new TISAX Labels is a subset of the original "Info High" or "Info Very High" label. The split does not introduce any new requirements or any change to the TISAX Assessment Level.

Since the "Confidentiality" labels are virtually identical to the old "Info" labels, we will keep those under their original names for now and complete the split in a second step. We will provide another update once that change is coming.

Transition into the new TISAX Labels

Accordingly, if you already have an "Info High" label, the new "High Availability" label will be assigned to your assessment result in the ENX Portal. This will happen automatically; there is no need for action on your side. Expect the same to happen with the "Confidentiality" labels once they become available.

The TISAX Audit Providers are now making all the preparations needed to offer assessments according to the new TISAX Assessment Objectives. If you are registering a new scope and are planning to do the assessment next year, you can already select the new objectives. However, until the transition is completed (i.e., until the confidentiality labels are implemented), you can still use the "Info High" and "Info Very High" TISAX Assessment Objectives.