2023-10-17 by Immo Wehrenberg ISA6
Together with ISA version 6 becoming effective, we will also implement some changes to TISAX Assessment Objectives and the respective TISAX Labels. This affects the existing “Info High” and “Info Very High” labels as well as the prototype protection labels. The changes for the “Info” labels follow the path already laid out in New TISAX labels for availability.
At the beginning of 2023, ENX introduced new labels for availability to TISAX. This was the beginning of a split of the “Info” (“Info High” and “Info Very High”) labels. We made that split to acknowledge that the security requirement profile for providing production parts or key infrastructure for production is very different from that for handling customers’ trade secrets appropriately.
Since ISA 6 comes with additional requirements aimed at reducing availability risks, and as such targeted at those production parts and infrastructure providers, we will now conclude the split and introduce “Confidential” and “Strictly Confidential” as the logical addition to the already existing availability labels.
Before we get into the details, we will make a short digression on the transition. Since the changes are closely related to the ISA 6 release, we have also set April 1st 2024 as the effective date for the new labels. This is perfectly in line with the release of ISA version 6. The rules for the transition defined around that effective date are the same as in previous changes:
In contrast to the availability labels, which are designed for the production parts suppliers and infrastructure providers we need to keep our industry’s production running, the confidentiality labels are designed for those suppliers that handle the trade secrets that keep our industry competitive.
ISA 6 adds significant additional requirements to keep the supply chain and the necessary underlying infrastructure reliable and secure. Fulfilling some of those requirements requires significant resources. Committing those resources is appropriate if an outage would have a high impact further up the supply chain.
However, in many cases trade secrets are shared outside of an environment where such a level of availability is needed. This is why we need a differentiation between companies that are necessary to keep production running and companies that protect trade secrets. This allows us to target the requirements that keep production running at production parts suppliers, and the requirements that keep trade secrets secure at companies that handle trade secrets. Splitting the Info labels into confidentiality and availability does exactly this.
The first step of the change was already implemented at the beginning of 2023. We are now taking the second step of the split. The new confidentiality labels follow the same logic as the availability labels and cover a subset of the requirements of the old “Info” labels.
Like the “Info” and availability labels, the confidentiality labels refer to the “Information Security” tab of the ISA and include all baseline requirements (“must” and “should”). In this regard, all these labels are 100% identical: the baseline requirements are always applicable for any of the confidentiality and availability TISAX Labels.
On top of that, the confidentiality labels include all additional requirements (for high and very high protection need) that are tagged with the letter “C” for confidentiality. This is fully analogous to the availability labels, which require the letter “A” for availability.
If we take the new ISA 6 control 1.6.3 as an example, all additional requirements (high and very high) are tagged with an “A” only. Since the tag does not contain a “C”, these requirements are not applicable for confidentiality. This means that if you select only the “Confidential” TISAX Assessment Objective, the auditor will not document any non-conformities regarding those requirements.
A different example is control 4.2.1, where the requirement is tagged with “C”, “I”, and “A”. Since this tag includes a “C”, these requirements are applicable for an assessment that includes confidentiality.
We want to keep TISAX as simple as possible. Every TISAX Assessment Objective and every TISAX Label is one more thing that a participant needs to understand. This is why we try to keep the number of TISAX Labels to a minimum. With confidentiality and availability combined being identical to the Info labels, retiring the Info labels is possible without any drawbacks. Accordingly, we have decided to retire the Info TISAX Assessment Objectives.
You might have already noticed that the introduction of the new labels and the retirement of the old ones will not introduce additional assessment effort.
In fact, an assessment according to “Info Very High” would have been 100% identical to an assessment that combines both “Strictly Confidential” and “Very High Availability”.
If any confidentiality or availability label is used without its respective counterpart, the number of requirements to be assessed effectively decreases, which leads to slightly less assessment effort.