The official release of the ISA Catalog 6.0 on October 6th, 2023, marks a significant milestone in the continually evolving realm of information technology within automotive standards and regulations. This update is a crucial moment in the journey toward ensuring TISAX®️ compliance across the automotive supply chain.

In this guide, we will dive into the key changes in the final update and how they will impact your organization. We also cover what DQS has planned to address these changes and how we are adjusting our auditors’ training to continue providing valuable audits for your organization.


Key Highlights:

  • Introduction of Lead Auditor Assignments
  • Transition to English
  • Labels for Confidentiality and Availability
  • Transition Timeline


Lead Auditor Assignments

One of the biggest advancements in the new ISA Catalog is the introduction of Lead Auditor Assignments, an essential element that enhances the precision and effectiveness of audits. Under this new framework, a Lead Auditor is assigned to a specific assessment level. Consequently, ENX has officially recognized the terms ‘TISAX®️ Lead Auditor (AL2)’ and ‘TISAX®️ Lead Auditor (AL3)’, expressly denoting the auditors who possess the qualifications for specific assessment levels.


Transition To English and Global Perspective

One of the most crucial shifts in the new publication is the change to English as the primary language of ISA Catalog 6.0. Not only does this emphasize a global perspective, but it also reflects international collaboration among automotive manufacturers. With this transition, working groups for both the ISA catalog and TISAX®️ have been established in the United States, further highlighting the collective advancement of the ISA catalog worldwide.


Continuing Emphasis on Information Security & Cybersecurity

In a rapidly evolving digital world, information security and cybersecurity become increasingly crucial considerations. With the new release of TISAX®️ 6.0, the automotive industry continues to put a strong emphasis on these aspects, recognizing the growing concern of customers and stakeholders to safeguard sensitive information. The TISAX®️ assessment draws from the principles of ISO 27001, a globally recognized framework for information security management systems. By integrating the fundamentals of the ISO 27001 standard, the industry not only adapts to the digital era but also proactively addresses evolving cyber threats.


Goodbye to Label “Information Security”

The main changes concern the "Information Security" label. In the future, the label "Information security high" will be replaced by the two labels "Confidentiality high" and "Availability high". The same applies to the label "Information security very high", which will be replaced by the labels "Confidentiality strict" and "Availability very high". This happens automatically for all clients that already hold “Information Security” labels in the TISAX®️ platform.

For the “Confidentiality” and “Availability” labels, the same set of basic requirements must be met. In addition, there are specific requirements per label for high and very high protection needs. The abbreviations C, I, and A are used for Confidentiality, Integrity, and Availability. These abbreviations, alongside the supplementary requirements for high and very high protection needs, make it clear which requirements correspond to each label. This enhances audit clarity and allows precise evaluation of control measures, thereby improving the effectiveness of security and compliance assessments.


Welcome to Label “Availability”

If a company is considered important in the supply chain, it will have to fulfill the requirements for the "Availability high" or "Availability very high" labels in the future. As a result, Operational Technology (OT) systems used in manufacturing and other areas will also become an increased focus of the assessment. This is achieved through references to the IEC 62443 standard and the resulting new requirements in the ISA Catalog. As a result, industrial communication networks and industrial automation and control systems (IACS) are included in future TISAX® assessments. At the same time, companies in this category are entrusted with sensitive information related to development and production and must demonstrate that they are able to adequately protect this information. Therefore, many requirements overlap with those of the “Confidentiality high” or “Confidentiality strict” labels. Some aspects of including OT systems are:

  • Safety and Operational Continuity: Operational Technology systems play a crucial role in production facilities, where automated systems like IACS are central. Ensuring the availability of these systems is not only about productivity but also safety. Employees often work in close proximity to these automated systems, and any sort of malfunction could pose serious safety risks. For example, incorrectly calibrated OT sensors or controls can endanger individuals and valuable equipment.
  • Risk Management: With the inclusion of OT in the assessment scope, companies must consider specific risks associated with these systems. OT systems should be managed, classified, and monitored to address emerging risks effectively. Persons responsible for these tasks must be assigned.
  • Access Control: Access to OT networks by service providers for maintenance is a critical concern. Proper access controls and detailed logs are essential to maintain the security and integrity of OT systems.
  • Personnel Competence: Employees responsible for operating OT systems must be properly trained, competent, and informed about the potential risks of operation. HR considerations, including background checks for sensitive positions, become crucial due to the criticality of these systems.
  • Lifecycle Management: Effective management of OT systems throughout their lifecycle, including repair, disposal, and transportation, is crucial to mitigate the risks associated with local device data and access.
  • Security Measures: OT must be protected against potential attacks through a robust security solution, such as antivirus software, firewalls, and the reduction of exposed interfaces and services.
  • Auditing and Vulnerability Assessment: Regular internal system audits are required to check the hardening of OT systems and identify known vulnerabilities.
  • Network Segmentation: Networks should be properly segmented by purpose to safeguard IT and OT environments from each other.
  • Backup and Recovery: Comprehensive backup and recovery plans are essential to ensure operational continuity and data protection in OT systems.
  • Service Levels and Monitoring: Adequate service levels and availability definitions must be in place and continuously monitored for OT network services.
  • External Suppliers: If external service providers utilize OT devices, information security with respect to access accounts and other information stored on the device must be regulated for the external provider.


Welcome to Label “Confidentiality”

If a company is not highly relevant for the supply chain, but is entrusted with sensitive information, it must still demonstrate that it can adequately protect that information. The labels "Confidentiality high" or "Confidentiality strict" are used to select those requirements of the ISA Catalog that focus on these protection goals.

Key Benefits of New Labeling System:

  • Protection Objectives: The main purpose of the selective assessment described above is to ensure that companies need only fulfill the requirements of the ISA Catalog that are relevant to them.
  • Auditing Precision: With a clear understanding of the new classification system, auditors can more accurately assess and verify the effectiveness of controls related to each protection objective. The new labeling system removes ambiguity, making it easier to assign controls to specific objectives, contributing to more efficient and streamlined audits.
  • Client Benefits: Clients will also benefit from these new labels as they bring additional clarity and understanding of how controls align with their organization’s protection objectives.

The requirements of the new labels, while not entirely new, pose challenges for manufacturing companies, as OT systems must now be subjected to management practices similar to those generally required for IT systems in TISAX®. The vastness of production environments and the numerous access points to Operational Technology network infrastructures make it crucial to address these issues. Preparedness is key as the industry adapts to this expanded focus.


Adjustments to the DQS Audit Process

DQS is ready to support your organization with a seamless upgrade process or partner with you if you are getting audited for the first time.

As a result of these changes, we are committed to providing thorough and beneficial audits to our customers and are in the process of providing additional training to our auditors to ensure they are fully prepared to audit according to the new requirements.


Transition Timeline & Important Dates

TISAX®️ assessments under the old ISA version 5.1 will be carried out until March 31st, 2024. On or after April 1st, 2024, all TISAX®️ assessments will be conducted according to the new ISA version 6.0. Any audit activities that depend on existing audits, such as corrective action plan assessments, follow-ups, or scope extension assessments, will be conducted against the ISA version used for the original audit.


The release of the final ISA Catalog 6.0 is a significant event in the evolving world of automotive standards and compliance. This update signifies a continued commitment to excellence, precision, and the increasing importance of information security. With the introduction of Lead Auditor assignments, refined labeling for confidentiality and availability, and a broader scope encompassing Operational Technology (OT) systems, the automotive sector continues to evolve to higher standards in quality and security.

Gain Additional Insights with our TISAX® Implementation eLearning Course

As you and your organization adapt to these changes, a clear and comprehensive understanding of the updates is crucial. That is why we invite you to sign up for our new DQS Academy eLearning course to help you navigate the new landscape successfully.

Author
Brooke Baker

Brooke Baker is the Marketing Coordinator for DQS Inc. in the United States. She is a graduate of Gonzaga University with a Bachelor of Business Administration and a concentration in marketing. In her role at DQS, she focuses on SEO, social media, and competitive analysis.
