Together with ISA version 6 becoming effective, we are also going to implement some changes to TISAX Assessment Objectives and the respective TISAX Labels. This affects the existing “Info High” and “Info Very High” labels. The changes for these “Info” labels follow the path already laid out in the article New TISAX labels for availability.
At the beginning of the year, ENX introduced new labels for availability to TISAX. This was the beginning of a split of the “Info” (“Info High” and “Info Very High”) labels. With the release of ISA 6 we will now conclude the split and introduce “Confidential” and “Strictly Confidential” as the logical addition to the already existing “availability” labels.
These new Labels will become mandatory for all new TISAX Assessments that are ordered after April 1st 2024. Assessments that have been started according to the...
Today, a new Version 6 of ISA has been published and is now available for download. ISA 6 is the newest major revision of the ISA Catalogue that defines the baseline and best practices for information and cyber security of organizations in the automotive industry.
ISA 6 significantly improves requirements on incident and crisis management, adds new controls and requirements to further strengthen resilience to ransomware and APT, and reconfirms its applicability to shopfloor IT and OT by mapping and referencing the ISA/IEC 62443-2 standard.
ISA 6 will become mandatory for all new TISAX Assessments that are ordered after April 1st 2024. Audits that have been started according to the old ISA 5.1 standard (including corrective-action-plan assessments, follow-ups, and scope-extension-assessments) can still be completed using the old standard.
TRUSTED INFORMATION SECURITY ASSESSMENT EXCHANGE
TISAX is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.
If you want to process sensitive information from your customers or evaluate the information security of your own suppliers, TISAX supports you in reducing efforts.
Registration of a TISAX Participant and at least one TISAX Assessment Scope.
After a successful registration you can choose a TISAX audit provider for your TISAX assessment.
Undergoing a TISAX assessment.
Exchange of the TISAX assessment results with existing and potential partners within TISAX.
TISAX participants can embody two roles: providing and/or accessing assessment information. Active participants are assessed and provide the respective assessment result to other participants via TISAX Exchange. Passive participants can request assessment results of other participants through TISAX Exchange and access those results via the ENX Portal when the request has been confirmed. Every participant can assume both roles at the same time as required. TISAX does not differentiate between these roles.
TISAX MAIN FEATURES
Utilization at eye level:
Each participant decides for itself to whom results will be revealed and to what degree of detail. At the same time, the participating company can also use its own results for its own risk management.
Recognition of TISAX assessments and their regular three-year validity help to avoid effort as well as duplicate assessments.
Standardized exchange mechanism:
Central exchange processes provide uniform proof of information security.
Free choice of audit provider:
TISAX creates competition among audit providers and allows a joint recognition of assessment results between TISAX participants.
TISAX AUDIT PROVIDER
TISAX enables audit providers to offer, in competition with one another, mutually accepted assessments based on the VDA ISA catalogue. This means that every participant can select an audit provider and expect standardized assessment results which are accepted by other participants throughout the industry.
EXCHANGING ASSESSMENT RESULTS
The exchange of assessment results within TISAX is restricted exclusively to registered participants and only takes place after the assessed company has explicitly released the results to an inquiring company, in the form of standardized summaries (TISAX Report).
Information Security Assessment
The Information Security Assessment (ISA) is an information security requirements catalogue based on key aspects of the international standard ISO/IEC 27001. It is used by companies both for internal purposes and for assessments by suppliers and service providers who process sensitive information from their respective companies.
GOVERNANCE BY ENX
ENX maintains the audit provider criteria and assessment requirements (TISAX ACAR). It approves audit providers and monitors the quality of implementation as well as the assessment results. ENX is supported by the TISAX Committee, consisting of representatives of manufacturers, suppliers and associations. Legally, the control function is protected by a contract structure in which ENX holds contracts with all stakeholders, including the audit providers and the participants. This ensures that the results correspond to the desired objectivity and quality. The rights and duties of all participants – small or large – are respected...