TISAX®: New year, new label(s)?

Why is the VDA-ISA standard being revised?

According to the ENX working group responsible for VDA-ISA, changes in the threat landscape called for a standard revision. Up to now, the standard has focused mainly on industry espionage regarding information and cyber security. To prevent this kind of malicious action, the aspect of confidentiality has been defined as a dedicated assessment objective. Recently, however, with the massive rise in ransomware attacks, a new focus on availability has been added.

The reason: If, for example, an extortion Trojan were to shut down the business operations of a supplier, certain parts would quickly become unavailable. This, in turn, would have serious consequences for manufacturers' production capabilities.

Which new labels are planned for TISAX^®?

The changes concern assessment objectives and labels for the “Information Security” criteria catalogue. At the moment, TISAX® distinguishes between two assessment levels (protection requirements): handling information with a “high” and a “very high” need for protection.

The two labels from current version 5 will soon become four labels in version 6 (see figure below), which has already been officially announced. The distinction between “high” and “very high” will remain. However, both levels will be available both for the aspect of “confidentiality” and for the aspect of “availability”.

In the end, there will be four new labels:

• Confidential
• High Availability
• Strictly confidential
• Very high availability

Which requirements need to be met for the new labels for a certification on TISAX^®?

The exact requirements and the questions with which they will be integrated into the VDA-ISA questionnaire have not been made public yet.

The ENX working group responsible for the updates is expected to present their proposals before the end of Q1 2023. These proposals will likely be reviewed during the summer and be adopted in Q3 2023 at the earliest or in Q1 2024. We thus do not expect the new version 6 of the ISA questionnaire to come into force before the end of 2023, beginning of 2024.

How and when will the new labels be available to organisations?

If the schedule given above is met, the new labels for a certification on TISAX^® will not be issued until the end of 2023 or the beginning of 2024 at the earliest.

Good to know, however: Companies that are due for an audit for an assessment on TISAX^® in 2024 may already register for the new assessment objectives in the ENX portal and thus prepare their organisation for the assessment.

Regarding the “How”, everything stays the same: organisations choose their assessment scope according to the requirements given by their customers from the automotive industry. The audit providers carry out the assessment just as before, the first step being the self-assessment according to the ISA questionnaire. Depending on the assessment level, answers are verified by the audit providers either remotely with plausibility checks or in person during on-site audits.

Do all organisations need to re-certify because of the new labels?

No, all certifications on TISAX^® remain valid for three years regardless of the revisions made. Thus, there will be a transition period. As the ENX association has announced, labels that have already been issued will be automatically upgraded during this period.

In other words: if you meet the criteria for “High information security” and your label is still valid for a longer period, the ENX portal will list you with both labels - i.e. with “High information security” and “High availability” – starting at the time the VDA-ISA 6 comes into force. The same applies to the label with the former protection level “Information security very high”. All those who have it will – for the time being – automatically be given the new label.

How can DataGuard support us with the new requirements for the assessment on TISAX^®?

Our experts on the certification on TISAX^® monitor the developments closely and are always up to date. As soon as any new information is made public, we will help you prepare for the basics of the assessments with the new questionnaire. Of course, we also support you when selecting your assessment scopes for 2024, with your registration with the ENX portal and meeting implementation deadlines issued by your customers.

Get in touch with our experts to find out more. We are happy to help.

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.