As a standardized assessment and exchange mechanism for information security in the automotive industry, TISAX® forms the basis for trusting and sustainable cooperation between OEMs and suppliers and within the supplier network. With the TISAX® certification, suppliers and service providers prove to interested parties that they have a robust information security management system in place and thus meet the required level of information and cyber security. The most noticeable change in the new ISA Catalog 6.0 is the two new labels for Confidentiality and Availability, replacing the old Information Security label. We provide an overview in this blog post.
- Changed conditions - new requirements
- Why were the new TISAX® Availability and Confidentiality labels introduced?
- The new TISAX® labels at a glance
- Which TISAX® labels companies need
- Assessment objectives, labels and assessment levels - a quick explanation of the differences
- For certifications according to the old ISA catalog, a GAP analysis is required
- The new TISAX® labels - Conclusion
- DQS is your reliable partner
New ISA catalog 6.0 since 01 April, 2024
The ever-increasing digitization and networking of IT and production environments also pose new security challenges in the face of increasing cyber threats. Please read our blog post to find out what changes the ISA catalog 6.0 contains, valid since April 2024, and what companies must be prepared for in future assessments.
Why were the new TISAX® labels Availability and Confidential introduced?
Suppliers and service providers are closely involved in automotive manufacturers' development and production processes - but sometimes fulfill very different roles: Some companies are entrusted with highly sensitive information but ultimately have no further involvement in actual production. Others supply fundamentally important components for vehicle production but have no insight into the business secrets of the commissioning company.
To better reflect these different roles, the old label "information security" has been split into two new labels - "availability" and "confidential." Suppliers and service providers no longer necessarily have to meet all the requirements of ISA catalog 6.0, as each label only represents a subset. This division is intended to reduce the burden on companies and make the audit process more efficient.
However, it should be noted that the Information Security Assessment (ISA) catalog has been expanded to include several additional requirements given the changed threat landscape. In addition to protecting secrets, the ability to deliver - keyword: just-in-time production - should also be ensured, as this is increasingly at risk from ransomware attacks. The new requirements, therefore, also include more robust protective measures for OT systems.
The new TISAX® labels at a glance
For companies entrusted with sensitive information, i.e., business secrets or personal data, there are now the "Confidential" and "Strictly Confidential" labels. The "High Availability" and "Very High Availability" labels are aimed at suppliers who play an essential role in the company's ability to deliver.
The measures that must be implemented for the new TISAX® labels - in addition to the basic requirements - are clearly marked in the ISA assessment catalog 6.0: For confidential with a "C", for availability with an "A". Many requirements are marked with both letters and, therefore, apply to both new labels.
"Confidential"
The "Confidential" label focuses on protecting confidential information, the unauthorized disclosure of which can have considerable negative consequences such as loss of reputation, criminal prosecution, or financial damage.
In the controls of the ISA catalog, 28 specific requirements are defined in the column "Additional requirements for high protection needs" and marked with a "C," which must be fulfilled for this label.
The following controls deserve special attention due to their implementation effort (requirements in brackets):
- 3.1.3 (Protect and securely dispose of information on supporting devices such as printers, shredders, cameras, or paper)
- 3.1.4 (Encrypting data on mobile devices)
- 5.1.1 (Legal protection of control over own data through contracts, specifications, assurances, especially for external data processing)
- 5.1.2 (Encrypting the digital transport routes for information)
The controls mentioned here are only marked with a "C", not an "A". This means that they are only relevant for confidentiality. These requirements would, therefore, not have to be fulfilled in an audit process that only aims to label availability.
How to start your TISAX® assessment
Are you a supplier or service provider for the automotive industry? Then you need to provide proof of the availability of your services or the security of the sensitive information provided to you. Find out more about TISAX® here.
"Strictly Confidential"
The "Strictly Confidential" label focuses on protecting strictly confidential and secret information, the unauthorized disclosure of which can have catastrophic or even life-threatening consequences such as serious reputational damage, severe criminal consequences, or very high financial losses.
In the controls of the ISA questionnaire, nine specific requirements are defined in the "Additional requirements for very high protection needs" column and marked with a "C", which must be fulfilled for this label - in addition to those for the "Confidential" label.
The following controls require special attention due to their implementation effort:
- 1.6.1 (Conduct and provide evidence of regular exercises to manage information security incidents)
- 4.1.2 (Two-factor authentication - or higher - for access to information with very high protection requirements)
- 4.2.1 (Encrypting information with particularly high protection requirements; quarterly review of assigned access rights for appropriateness)
- 5.1.2 (Encrypting the content of information for digital transport)
- 5.2.4 (Logging access to information with particularly high protection requirements)
- 5.2.8 (Data backup concept with alternative locations for storage and backup storage)
- 5.3.1 (Checking the security of software developed in-house or for the customer - during implementation, in the event of changes, and at regular intervals)
It is also essential to note the clear distinction from the labels for availability: Specifically, the requirements listed here for controls 4.1.2, 4.2.1, 5.1.2, and 5.2.4 are only marked with a "C". This means they are only relevant for an audit process for the "Strictly Confidential" label.
"High Availability"
Companies require the "High Availability" label if the availability of their own products or services directly impacts the production or delivery capability of dependent companies, and failures lead to considerable damage. Common examples are just-in-time suppliers of production materials or highly specialized suppliers of services or raw materials that cannot be replaced promptly.
In the controls of the ISA catalog 6.0, 36 requirements are defined in the column "Additional requirements for high protection needs", which are marked with an "A" and must therefore be fulfilled for this label.
The following controls require particular attention in the implementation effort:
- 1.6.3 (Preparing for crisis situations: Crisis scenarios, contacts, communication strategy, regular simulation of crises)
- 5.2.8 (Measures to prevent disruptions caused by internal threats - such as the protection of backups - and external service outages, e.g., through appropriate SLAs)
- 5.2.9 (Backup and recovery concept: regular checking of backups and test recovery)
- 5.3.2 (Monitoring of network traffic, availability analyses of central services)
The requirements mentioned here are only marked with an "A", i.e., they are only relevant for availability. Therefore, they do not need to be met in an audit process that only aims to label confidentiality.
"Very High Availability"
Companies require the "Very High Availability" label if the short-term availability of their own products or services severely affects the production or delivery capability of dependent companies and failures lead to considerable damage. A typical example is just-in-time suppliers, whose failure would result in a rapid and extensive production shutdown with a very long restart time.
In the controls of the ISA catalog, 13 requirements are defined in the column "Additional requirements for very high protection needs". These requirements are marked with an "A" and must therefore be fulfilled for this label - in addition to those for the "High Availability" label.
The following controls require special attention due to their implementation effort:
- 1.6.1 (Conducting and providing evidence of regular exercises to manage information security incidents)
- 1.6.2 (Handling even rare types of information security incidents)
- 1.6.3 (Conduct and provide evidence of regular exercises to manage crisis situations)
- 5.2.6 (Regular fully automated system analysis of IT systems, taking into account OT/industrial control systems)
- 5.2.8 (Data backup concept with alternative locations for storage and backup storage; coordination of own contingency plans with the contingency plans of external service providers; backup strategies with replacement systems and replacement locations for storage and backups to maintain business processes)
- 5.2.9 (Regular testing of the data backup concept; geographically distributed backup locations; backup systems that are as isolated as possible with technically unalterable backups)
- 5.3.1 (Checking the security of software developed in-house or for the customer - during implementation, in the event of changes, and at regular intervals)
The requirements of controls 1.6.2, 1.6.3, 5.2.6, and 5.2.9 listed here are only checked during an audit process for the "Very High Availability" label and are therefore not relevant for the TISAX® labels for confidentiality.
Generally, the two labels for "Availability" increase the focus on maintaining production capabilities (OT). The company's internal knowledge of OT manufacturer recommendations, OT risks, security measures for OT networks, and OT management will receive greater attention in the audit.
Automotive Cyber Security
With digitalization, the risks of attacks have increased rapidly. Automotive manufacturers are an attractive target for cyber criminals in many respects. Read our blog post to find out which regulations provide protection.
Which TISAX® labels companies need
The question of which labels are needed in practice naturally depends first and foremost on a company's role in the supply chain. At each stage of the supply chain, companies must ask themselves which suppliers they depend upon and which suppliers are entrusted with sensitive information.
Accordingly, the supplier management required by TISAX® at each stage leads to role-specific label requirements cascading down the supply chain. The exchange mechanism, in which a supplier can refer to existing labels to prove compliance with requirements, is particularly useful here. The results of the assessments can be made available to any interested party.
Suppose a company prophylactically demands both new labels, even though there is no need for the confidentiality or availability label. In that case, it is definitely worth having another discussion about the mutual understanding of roles in view of the potentially significantly higher implementation costs.
The connection between the TISAX® label and assessment levels must also be taken into account: The "Very high availability" and "Strictly confidential" labels can only be awarded through an assessment at level 3, i.e., through an on-site assessment.
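The two preceding sections describe how the "C" and "A" markings in the ISA 6.0 columns scope an assessment: the "very high" labels build on the "high" ones, a requirement marked with both letters counts for both labels, and the two "very high" labels can only be awarded at assessment level 3. The helper below is an added example, not an ENX tool or the catalog itself; its marking table is constructed from only the controls this article names, so it is a small subset of the real 28 / 9 / 36 / 13 requirement rows, and the function and label names are the author's own.

```python
"""Scoping ISA 6.0 requirement rows by TISAX label (hypothetical helper)."""

# The two "Additional requirements ..." columns of the ISA catalog.
HIGH = "high"            # "Additional requirements for high protection needs"
VERY_HIGH = "very_high"  # "Additional requirements for very high protection needs"

# (control id, column) -> marking letters. Constructed from the controls the
# article singles out; the real catalog contains many more rows.
MARKINGS = {
    ("3.1.3", HIGH): {"C"},
    ("3.1.4", HIGH): {"C"},
    ("5.1.1", HIGH): {"C"},
    ("5.1.2", HIGH): {"C"},
    ("1.6.3", HIGH): {"A"},
    ("5.2.8", HIGH): {"A"},
    ("5.2.9", HIGH): {"A"},
    ("5.3.2", HIGH): {"A"},
    ("1.6.1", VERY_HIGH): {"A", "C"},   # listed for both "very high" labels
    ("4.1.2", VERY_HIGH): {"C"},
    ("4.2.1", VERY_HIGH): {"C"},
    ("5.1.2", VERY_HIGH): {"C"},
    ("5.2.4", VERY_HIGH): {"C"},
    ("5.2.8", VERY_HIGH): {"A", "C"},
    ("5.3.1", VERY_HIGH): {"A", "C"},
    ("1.6.2", VERY_HIGH): {"A"},
    ("1.6.3", VERY_HIGH): {"A"},
    ("5.2.6", VERY_HIGH): {"A"},
    ("5.2.9", VERY_HIGH): {"A"},
}

# label -> (marking letter, columns that apply). The "very high" labels
# include everything required for the corresponding "high" label.
LABELS = {
    "Confidential": ("C", (HIGH,)),
    "Strictly Confidential": ("C", (HIGH, VERY_HIGH)),
    "High Availability": ("A", (HIGH,)),
    "Very High Availability": ("A", (HIGH, VERY_HIGH)),
}

# Labels the article says can only be awarded through an on-site (level 3) assessment.
LEVEL3_ONLY = {"Strictly Confidential", "Very High Availability"}


def requirements_for(label):
    """Requirement rows (control id, column) that must be fulfilled for one label."""
    letter, columns = LABELS[label]
    return {
        (cid, col)
        for (cid, col), marks in MARKINGS.items()
        if col in columns and letter in marks
    }


def scope(labels):
    """Union of requirement rows for every label in an assessment objective."""
    reqs = set()
    for label in labels:
        reqs |= requirements_for(label)
    return reqs


def added_by(extra_label, existing_labels):
    """Rows that demanding one more label adds on top of labels already in scope.

    Useful when a customer asks for both label families "prophylactically":
    it shows the concrete extra implementation effort.
    """
    return requirements_for(extra_label) - scope(existing_labels)


def requires_on_site_assessment(labels):
    """True if any requested label can only be awarded at assessment level 3."""
    return bool(LEVEL3_ONLY & set(labels))


if __name__ == "__main__":
    for name in LABELS:
        print(f"{name}: {len(requirements_for(name))} rows in this subset")
    print("Extra rows if High Availability is added to Confidential:",
          sorted(added_by("High Availability", ["Confidential"])))
    print("On-site needed for Very High Availability:",
          requires_on_site_assessment(["Very High Availability"]))
```

Applied to the full catalog, the same table-driven scoping gives a supplier a checklist per assessment objective, and `added_by` makes the cost of an unnecessary second label visible before the role discussion with the customer.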
Assessment objectives, labels, and assessment levels - a quick explanation of the differences
In the previous section, we used several terms that we will briefly explain and differentiate from each other here:
- TISAX® assessment objective: based on the specifications of their manufacturing partners, suppliers use the assessment objectives to determine which requirements they must fulfill in the audit.
- TISAX® label: After passing an audit, companies receive the TISAX® label for the selected assessment objective in the TISAX® database as confirmation that they have fulfilled the requirements.
- TISAX® Level: Fulfillment of the requirements is assessed differently depending on the assessment level. Level 1 is purely a self-assessment. At Level 2, the self-assessments are checked for plausibility by an external auditor, supplemented by remote interviews. At Level 3, the auditor checks the effectiveness on site.
ISO 27001 - the classic for information security
ISO/IEC 27001 is the leading international standard for the introduction of a holistic management system for information security. The ISO standard has just been revised and republished on October 25, 2022.
For certifications according to the old ISA catalog, a GAP analysis is required
Important for companies that are still certified under the old "Info" label:
- To make the transition phase as uncomplicated as possible, companies with the "Info High" label have automatically been assigned the "Confidential" and "High Availability" labels until their expiry date.
- Similarly, the "Info Very High" label was converted into the "Strictly Confidential" and "Very High Availability" labels.
This also applies to audit processes whose offers were accepted before April 1, and subsequent scope extensions, both of which may still be carried out in accordance with the old ISA catalog 5.1.
However, it should be noted that the relevant companies must be certified in accordance with the then-valid ISA audit catalog once their TISAX® labels, which are valid for three years, have expired. The new certification must be available as soon as the old label expires. Those responsible are therefore well advised to carry out a gap analysis at an early stage in order to implement the adjustments to the information security management system (ISMS) in good time and be prepared for the next TISAX® audit.
For this gap analysis, the ENX Association has provided a dedicated catalog of requirements in which all changes between ISA 5.1 and ISA 6.0 are listed and marked in red. This allows companies to see which new requirements have been added at a glance. What needs to be taken into account: This is an auxiliary document. For the audit, companies should always download the latest version of the ISA audit catalog from the ENX website.
The following changes are particularly noticeable:
- The new Control 1.3.4 may require investment in new software, for example for license management.
- The extensively modified Controls 1.6.1 and 1.6.2 now require a coordinated and regularly tested incident response.
- Control 3.1.2 has been replaced by the new controls 1.6.3, 5.2.8 and 5.2.9, which impose a number of new requirements regarding crisis handling, business continuity management, and data backup.
The new TISAX® labels - Conclusion
The new labels for confidentiality and availability should ensure greater efficiency in TISAX® certification in the future, as the audits are now carried out on a role-specific basis. This means that suppliers and service providers no longer have to implement every requirement in the catalog. However, it is noticeable that more requirements must be met for the availability label than for confidentiality. This is due to the new focus on ensuring delivery capability and securing OT environments, which has been included in all controls of the current ISA catalog.
The revised and partially expanded catalog also contains several new requirements, some of which can only be met with some effort and the corresponding lead time. Therefore, an early gap analysis is recommended for companies with certifications according to the old catalog, as they "only" received the new labels through the automatic conversion of the old label for information security.
Particular challenges arise for customers who have received their labels in the past as part of a rotating sampling procedure (Rotating SGA). For cost reasons, these companies would like to switch to the actual sampling procedure (sample-based SGA) in the last year of label validity. Therefore, they must complete the Rotating SGA Assessment in the third year, convert their ISMS to the new ISA catalog and complete the Sample-based SGA Assessment before the label expires in order to be able to extend the label seamlessly.

DQS is your reliable partner
TISAX® - just like ENX VCS for Vehicle Cyber Security - was developed by the ENX Association. DQS is approved by ENX as an assessment service provider and can therefore carry out assessments worldwide - and is also TISAX®-certified itself. And because many of our TISAX® auditors are also accredited for the international standard for information security ISO 27001, we can assess both standards at the same time and with less additional effort. We look forward to talking to you.
Note: Access to TISAX® is via participant registration, which must be carried out online on the ENX portal. This is the prerequisite for being able to commission an approved assessment service provider such as DQS.
Holger Schmeken
Product Manager for TISAX® and VCS, Auditor for ISO/IEC 27001, Expert for Software Engineering with more than 30 years of experience, and Deputy Information Security Officer. Holger Schmeken holds a Master's in Business Informatics and has extended audit competence for Critical Infrastructures in Germany (KRITIS).
