From 2023, the TISAX label "Handling of Information with High Protection Need" ("Info High") will be split into "Confidential" and "High Availability". Accordingly, the current "Handling of Information with Very High Protection Need" label will be split into "Strictly Confidential" and "Very High Availability".

Context

While confidentiality is an important aspect of information security, information security also covers the protection of the integrity and availability of information. In the past, TISAX was applied mostly to organizations and locations that handle confidential information.

Recently, another significant threat has gained attention due to its impact: ransomware attacks. While ransomware is also a threat to confidentiality, the loss of availability might be even worse in terms of the impact on an organization's ability to deliver products or services. For example, an outage in a key supplier's production can cause serious damage in the automotive supply chain. In many cases, TISAX is exactly what you need to address the risk.

 

Assessment Objectives and associated Additional Requirements

TISAX uses the Assessment Objectives and TISAX Labels to tailor the assessment and the assessment result to the risk profile of an organization.

Since 2022, the new VDA ISA Catalog 5.1 has applied to all new TISAX® assessments. ISA has verified that all baseline requirements ("must" and "should") are similarly valid for confidentiality, integrity, and availability. In ISA version 5.1, a combination of the letters C, I, and A appears at the end of each additional requirement, with "C" standing for Confidentiality, "I" for Integrity, and "A" for Availability.

 

Splitting the TISAX Assessment Objectives 

The current "Handling of Information with High Protection Need" ("Info High") label will be split into

  • "Confidential" and
  • "High Availability".

Accordingly, the current "Handling of information with Very High Protection Need" ("Info Very High") will be split into

  • "Strictly Confidential" and
  • "Very High Availability".

The new setup of the objectives is as follows:

  • "Confidential" covers all baseline requirements, and all additional requirements for high protection need that are marked with a C.
  • "High Availability" covers all baseline requirements, and all additional requirements for high protection need that are marked with an A.
  • "Strictly Confidential" covers all baseline requirements, and all additional requirements for high and very high protection needs that are marked with a C.
  • "Very High Availability" covers all baseline requirements, and all additional requirements for high and very high protection needs that are marked with an A.

Please note that the new TISAX Labels are a subset of the original "Info High" and "Info Very High" labels. The split does not introduce any new requirements or changes in the TISAX Assessment Level.

Since the "Confidentiality" labels are virtually identical to the old "Info" labels, ENX will keep those under their original names and complete the split in a second step. ENX will provide another update once that change is coming.

 

Transition of New TISAX Labels

  • An organization with an "Info High" label will automatically get the new "High Availability" assigned to its assessment result in the ENX Portal.
  • Expect the same to happen with the "Confidentiality" label once it becomes available.
  • As a TISAX Audit Provider, DQS is preparing to be able to offer assessments according to the new TISAX Assessment Objectives in 2023.
  • If you, as a Participant, are registering a new scope and are planning an assessment in 2023, you can already select the new objectives.
  • The new labels are ready in the ENX Portal for selection and, from the beginning of 2023, for assessment.
  • Until the transition is completed (i.e., the confidentiality labels are implemented), you can still use the "Info High" and "Info Very High" TISAX Assessment Objectives.

 

What is TISAX? 

TISAX® is the assessment procedure for the requirements of the "VDA Information Security Assessment" (VDA ISA), which suppliers or service providers in the automotive industry can use to ensure the security of information provided to them. TISAX® stands for Trusted Information Security Assessment eXchange and is used for audits of suppliers and service providers who work with sensitive information entrusted to them by their clients.

In addition to the classic Tier 1 supplier, TISAX® audits are also increasingly required from suppliers at other sub-levels, as well as from service providers in the areas of data processing or advertising.


DQS - The right partner for TISAX Audits 

DQS is a TISAX Audit Provider approved by ENX and can therefore perform TISAX® assessments worldwide. All DQS' TISAX® auditors are also approved auditors for ISO 27001.


 

Referenced source: www.enx.com.

Author
Blog Author of DQS HK

DQS HK
