In the context of the TISAX® (Trusted Information Security Assessment Exchange) procedure, which is based on the VDA ISA (German Association of the Automotive Industry Information Security Assessment), the term ‘regular’ plays a crucial role. This article is aimed at companies that are looking for a TISAX label and their consultants. It highlights the specific meaning and interpretation of the term ‘regular’ in the TISAX context and is supplemented by practical implementation tips.
Definition of ‘regular’ in the TISAX context
It was already established in 2019 that the term ‘regular’ in the TISAX procedure does not imply fixed time intervals, but rather refers to an activity that recurs. This definition enables companies to adapt the frequency of the measures in question to their specific requirements and risks, particularly given that the VDA ISA on which the assessment is based contains requirements both with and without specific timeframes. For requirements without a specific timeframe, companies can therefore define a frequency that meets their individual needs. This flexibility allows for an efficient and risk-oriented design of the control measures.
Example: Checking access rights
A specific example from the VDA ISA illustrates how to deal with specific time requirements:
“Existing access rights are regularly reviewed at shorter intervals (e.g. quarterly)”
In this context, the VDA ISA provides guidance on the frequency. Companies should adhere to it or be able to provide a coherent explanation of why they deviate from it.
Risk-oriented approach
A risk-based approach is essential when determining review intervals. Companies should consider the following aspects:
Criticality of systems and data
Frequency of changes in the organizational structure
Employee turnover
Industry compliance requirements
Results of previous reviews
Note: To meet the requirements, companies can also use modern technical solutions that enable continuous control for certain topics in the VDA ISA. The use of such technologies makes it possible to switch from rigid inspection cycles to a dynamic, risk-based approach and to reduce operational efforts.
💡 If you want to learn more about this, feel free to contact me on LinkedIn: https://www.linkedin.com/in/borgers/
Best practices for implementation
To meet the TISAX requirements, the following best practices are recommended:
Documentation: Frequency decisions should be thoroughly documented.
Adaptability: Intervals should be reviewed regularly and adjusted if necessary.
Automation: Processes for verifying access rights and accounts should be automated wherever possible.
Training: Administrators should be trained to detect anomalies.
Integration into business processes: Reviews should be integrated into existing processes.
Escalation processes: Clear escalation processes, e.g. within the incident management process, should be defined in the event of irregularities.
Challenges and solutions
Companies may face the following challenges:
Resource bottlenecks: Automation technologies and risk prioritization provide relief.
Complexity of the IT landscape: Centralized identity management systems can help.
Dynamic corporate structures: Integrating HR systems with IAM solutions enables automatic updates in the event of personnel changes.
Compliance: A comprehensive compliance strategy, especially in the area of conflicts of interest, is necessary.
The role of the auditor
The role of the auditor is also crucial when it comes to interpreting and implementing the term ‘regular’. In the TISAX process, the auditor is responsible for evaluating the frequencies and measures chosen by the company and assessing their appropriateness in the context of information security and the objective stated in the VDA ISA.
TISAX Participant Handbook: Chapter 5.2.2.6
“Important note: It is very important for you to understand that you have to interpret each requirement in the context and spirit of the objective. Even fulfilling a requirement to the letter doesn’t guarantee that the audit provider confirms that you fulfil it in the context and spirit of the objective (column J). The requirements and their wording are based on a theoretical implementation by a fictional average company of unknown size. The audit provider has to always weigh the objective against the unique implementation at your company. What is appropriate for the average company might not be sufficient in your particular situation.”
Source: https://www.enx.com/handbook/#ID8926 (link date 30.08.2024)
For requirements with specific time frames, such as the example of the quarterly review of access rights, the auditor checks whether the frequency chosen by the company meets or at least comes as close as possible to this requirement, so that information security is not compromised and the prescribed objective in column J is achieved.
In cases where no specific frequency is indicated in the VDA ISA, it is the auditor's responsibility to assess whether the frequency chosen by the company is appropriate and sufficient to fulfil the requirement and achieve the prescribed objective in column J. To do this, the auditor takes into account various factors such as the size of the company, the type of information processed, the risk environment and the technical solutions implemented. The auditor also checks whether the company has sufficiently documented and justified its decisions regarding the frequencies. A well-documented risk analysis and clear justifications for the chosen frequencies can help the auditor assess the appropriateness of the measures.
It is important to emphasise that the TISAX auditor not only checks compliance with requirements, but also always verifies the achievement of the objective stated in column J of the VDA ISA.