The Trusted Information Security Assessment Exchange (TISAX®), a common assessment and exchange mechanism for the automotive industry, is considered a beacon among industry-specific information security standards. Through uniform and thus comparable assessment mechanisms, the various TISAX® labels form the basis for trusting and efficient business relationships between OEMs and their extensive supplier networks.

However, the ever-increasing digitalization and networking of IT and production environments pose new security challenges in the face of growing cyber threats. These are addressed by the updated ISA catalog 6.0, valid from April 2024. Please read the following blog post to find out what changes it contains and what companies must be prepared for in future assessments.

Increasing threats require adjustments to the ISA catalog

In view of the great importance and complexity of supply chains, end-to-end information and cyber security plays a key role in the automotive industry. After all, suppliers are closely involved in the development and production processes. This means that they often have access to highly sensitive information and must therefore have a high level of resilience. Geopolitical tensions and the growing digitalization and networking of the supply chain are leading to increasing risks for information security.

As a consequence of these dynamics, the existing VDA ISA catalog 5.1 has been updated. Version 6.0 was published in English on October 16, 2023 and made available for download.

The new ISA question catalog 6.0 marks a significant milestone for TISAX®. This leads to adjustments in the requirements for audit providers set out in the TISAX® ACAR 2.2 regulations. The switch to English as the main language of the ISA 6.0 catalog underlines the global perspective and the joint efforts to further develop the requirements catalog in global working groups.

New labels replace the familiar "information security" label

The main changes in the Information Security Assessment (ISA) catalog 6.0 concern the "Information Security" module and the associated label system from TISAX®. In future, the familiar "Information Security" label will be completely replaced by the two labels "Availability" and "Confidentiality".


"Availability" label in ISA catalog 6.0: extension to production facilities

In the new ISA catalog, the labels "Availability high" and "Availability very high" have been made more specific. As a result, OT (Operational Technology) systems will become more of a focus for future audits.

The increasing networking of production environments, i.e. Industrial Automation Control Systems (IACS) and their networks, results in a number of new challenges for information security. Production facilities span extremely extensive networks with a multitude of specialized technologies and protocols.

In many aspects, they differ fundamentally from IT systems: Production environments are generally designed to run for many years and once they are running smoothly, they are left as undisturbed as possible except for regular maintenance and repair work. This means that outdated operating systems, communication protocols or encryption algorithms, for example, are still being used on many components.

For a long time, automatic patch and update processes were undesirable or at least viewed critically. The fear was far too great that the complex production process could get out of sync and cause considerable economic losses. The large-scale, distributed systems and communication networks, to which many employees can gain access, also offer multiple physical points of attack.

The reliability and availability of automated production systems are not only extremely important from a business perspective, but also because deviations in the process can cause considerable damage and financial losses.

In order to integrate all these OT-specific aspects into the ISA catalog 6.0, ENX and VDA have aligned themselves with the internationally valid IEC 62443 series of standards and in particular with Part 2-1:

IEC 62443: IT security for industrial automation systems; Part 2-1: Requirements for an IT security program for IACS operators

"Confidentiality" label: Protection of sensitive information

If a company is entrusted with sensitive information, it must prove that it can protect this information appropriately. The "Confidentiality high" or "Confidentiality strict" labels are used to select those requirements of ISA Catalog 6.0 that contribute to this protection objective.

What does this mean for a future TISAX® audit?

The new labels allow auditing according to the possible roles that a supplier plays in the supply chain. If a supplier has been identified as particularly important for the supply chain, it can use the "Availability" label to prove its reliability. If a supplier is entrusted with particularly sensitive information, it can use the "Confidentiality" label to prove that it has taken appropriate precautions to protect this information. If a supplier assumes responsibility for both roles, it can be audited for both labels.

The same set of basic requirements must be met for both labels. In addition, there are specific requirements for high and very high protection needs for each label. This means that the audit is carried out depending on the label.

The label system in the TISAX® database will also be transitioned. In future, the label "Information security high" will be replaced by the two combined labels "Availability high" and "Confidentiality high". The same applies to the "Information security very high" label, which will be replaced by the "Availability very high" and "Confidentiality strict" labels. This will happen automatically for all participants who already hold an "Information security" label on the TISAX® platform.

The main purpose of the selective audits described above is to ensure that companies only have to meet the requirements of the ISA questionnaire 6.0 that are relevant to them. At the same time, new challenges arise for manufacturing companies, as OT systems must now be subject to management in a similar way to that already generally required for TISAX® IT systems.

Depending on the individual case, companies must therefore expect additional requirements that need to be tightened up in the information security management system (ISMS) and can lead to greater expense.

New requirements in version 6.0

  • Security and operational continuity: OT plays a crucial role in production facilities in which automated systems such as IACS are of central importance. Ensuring the availability of these systems is not just about productivity, but also about safety. Employees often work in close proximity to these automated systems, and any kind of malfunction could pose a serious safety risk. For example, incorrectly calibrated OT sensors or controls can put people and valuable equipment at risk.
  • Risk management: With the inclusion of OT in scope, companies need to consider the specific risks associated with these systems. OT systems should be regulated, classified and monitored in such a way that emerging risks can be effectively countered. Responsible persons must be appointed for these tasks.
  • Access control: The access of service providers to OT networks for maintenance purposes is a critical issue. Proper access controls and detailed protocols are essential to maintain the security and integrity of OT systems.
  • Staff competence: Staff responsible for the operation of OT systems must be adequately trained, competent and aware of the potential risks of operation. Personnel considerations, including background checks for sensitive positions, are crucial due to the criticality of these systems.
  • Lifecycle management: Effective management of OT systems throughout their lifecycle, including repair, transport and disposal, is critical to minimize the risks associated with local device data and access.
  • Security measures: OT must be protected from potential attacks by robust security solutions, such as anti-virus software, firewalls or the reduction of open interfaces and services.
  • Audits and vulnerability assessment: Regular technical system audits are required to check the hardening of OT systems in accordance with the manufacturer's specifications and to identify known vulnerabilities.
  • Network segmentation: Networks should be appropriately segmented according to purpose and risk - also to protect IT and OT environments from each other.
  • Backup and recovery: Comprehensive backup and recovery plans are essential to ensure business continuity in OT systems.
  • Service levels and monitoring: Appropriate service levels and availability definitions must be in place and continuously monitored for OT network services.
  • External providers: If external service providers use OT devices, the level of information security regarding access and other information stored on the device must be regulated for the external provider.

ISO 27001 and IEC 62443 as a solid foundation

An ISMS in accordance with ISO 27001 is already a legal requirement in some regulated industries. In many industries, it is also officially or unofficially a basic compliance requirement for concluding service or similar agreements.

As the ISA questionnaire 6.0 is also based on this standard, a certified information security management system already forms a good basis for a TISAX® audit. However, TISAX® requires a specific implementation of the ISMS with detailed "shall" and "should" requirements, plus additional requirements for a high or very high level of protection.

In addition to the ISMS, the IEC 62443 standard and the resulting new requirements in the ISA catalog provide a robust basis. Subsection 2 of the standard describes the structure of a management system for industrial cyber security. Subsection 2-1 covers, among other things, the establishment of a security program for industrial automation and control systems.

When drafting these sections, the IEC (International Electrotechnical Commission) was again guided by the ISO 27001 standard, many of whose processes and mechanisms can also be applied to control systems. This means that industrial communication networks and automation and control systems (IACS) are included in the audit.

ISA Catalog 6.0: What deadlines apply for users?

The changeover to the ISA audit catalog 6.0 will take place on April 1, 2024. Anyone who commissions a TISAX® assessment up to and including March 31, 2024 can still be audited according to the old ISA catalog 5.1. Assessments commissioned from April 1, 2024 onwards may only be carried out in accordance with the new version 6.0 of the ISA catalog.

On the one hand, this means that the assessment will be more complex from April 2024, but on the other hand, the increased security level will be worthwhile for your company. It is important that you prepare for the new requirements at an early stage and implement them conscientiously in order to benefit from the increased confidence in the new TISAX® label.

All audit activities that depend on existing assessments, such as Corrective Action Plan Assessments, Follow-Ups, Scope Extension Assessments or Simplified Group Assessments, will continue to be carried out in accordance with the ISA version according to which the original assessment was carried out.

ISA Catalog 6.0 Amendments 2024: Conclusion

The release of ISA Catalog 6.0 is a significant event in the evolving world of automotive standards and compliance. This update represents a continued commitment to excellence, precision and the increasing importance of information security in the automotive industry. With the introduction of the changed confidentiality and availability labels and a broader scope encompassing Operational Technology (OT) systems, the automotive sector continues to evolve towards higher standards of quality and security.

DQS is approved by ENX as an assessment service provider and can therefore carry out TISAX® assessments worldwide. We have TISAX® auditors who are also approved for the international standard for information security ISO 27001. This means that both standards can be assessed by DQS at the same time and with less additional effort. We look forward to talking to you.

Note: Access to TISAX® is via participant registration, which must be carried out online on the ENX portal. This is the prerequisite for being able to commission an approved assessment service provider such as DQS.


TISAX® 6.0 - background information

TISAX® is based on the VDA ISA catalog developed by the German Association of the Automotive Industry (VDA), a comprehensive questionnaire that is essentially based on the so-called "controls", the reference measures from Annex A of the information security standard ISO 27001, and is adapted to other automotive-specific requirements.

The information security standard has since been revised and published as the new ISO/IEC 27001:2022 on October 25, 2022. Annex A in particular is affected by the revision. A corresponding adaptation to the new controls has also been made with ISA version 6.0.

TISAX® is primarily aimed at companies that want or need to demonstrate a certain level of information security and availability for a collaboration with a (participating) automotive manufacturer. The ENX Association, based in Frankfurt am Main and Paris, is responsible for implementing and monitoring the procedure. ENX is an association of European automotive manufacturers, suppliers and four national automotive associations, including the German ENX founder VDA.


Author
Holger Schmeken

Product Manager for TISAX® and VCS, Auditor for ISO/IEC 27001, Expert for Software Engineering with more than 30 years of experience, and Deputy Information Security Officer. Holger Schmeken holds a Master's in Business Informatics and has extended audit competence for Critical Infrastructures in Germany (KRITIS).
