TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.
This framework includes TISAX's information security requirements, which are mandatory for all TISAX participants. Framework can be further expanded with prototype protection and data protection requirements found as extension frameworks.
Below you'll find all of the requirements of this framework. In Cyberday, we map all requirements to global tasks, making multi-compliance management easy. Do it once, and see the progress across all frameworks!
Objective: The organization needs at least one information security policy. This reflects the importance and significance of information security and is adapted to the organization. Additional policies may be appropriate depending on the size and structure of the organization.
Requirements (must): The requirements for information security have been determined and documented:
- The requirements are adapted to the organization’s goals,
- A policy is prepared and is released by the organization.
The policy includes objectives and the significance of information security within the organization.
Requirements (should): The information security requirements based on the strategy of the organization, legislation and contracts are considered in the policy.
The policy indicates consequences in case of non-conformance.
Other relevant security policies are established.
Periodic review and, if required, revision of the policies are established.
The policies are made available to employees in a suitable form (e.g. intranet).
Employees and external business partners are informed of any changes relevant to them.
Objective: Information security can only be implemented in an organization in a sustainable manner if it is part of the organization's strategic goals. The information security management system (ISMS) is a control mechanism used by the organization's management to ensure that information security is the result of sustainable management rather than of mere coincidence and individual effort.
Requirements (must): The scope of the ISMS (the organization managed by the ISMS) is defined.
The organization's requirements for the ISMS are determined.
The organizational management has commissioned and approved the ISMS.
The ISMS provides the organizational management with suitable monitoring and control means (e.g. management review).
Applicable controls have been determined (e.g. ISO 27001 Statement of Applicability, completed ISA catalogue).
The effectiveness of the ISMS is regularly reviewed by the management.
Requirements (should): -
Objective: A successful ISMS requires clear responsibilities within the organization.
Requirements (must): Responsibilities for information security within the organization are defined, documented, and assigned.
The responsible employees are defined and qualified for their task.
The required resources are available.
The contact persons are known within the organization and to relevant business partners.
Requirements (should): There is a definition and documentation of an adequate information security structure within the organization. Other relevant security roles are considered.
Objective: For project implementation, it is important to consider the information security requirements. This applies to projects within the organization regardless of their type. By appropriately establishing the information security process in the project management procedures of the organization, any overlooking of requirements is prevented.
Requirements (must): Projects are classified while taking into account the information security requirements.
Requirements (should): The procedure and criteria for the classification of projects are documented.
During an early stage of the project, risk assessment is conducted based on the defined procedure and repeated in case of changes to the project.
For identified information security risks, measures are derived and considered in the project.
Objective: It is important that a common understanding of the division of responsibilities exists and that the implementation of all security requirements is ensured. Therefore, when using external IT service providers and IT services, the responsibilities regarding the implementation of information security measures are to be defined and verifiably documented.
Requirements (must): The concerned services and IT services used are identified.
The security requirements relevant to the IT service are determined:
- The organization responsible for implementing the requirement is defined and aware of its responsibility,
- Mechanisms for shared responsibilities are specified and implemented,
- The responsible organization fulfils its respective responsibilities.
Requirements (should): In case of IT services, the configuration has been conceived, implemented, and documented based on the necessary security requirements.
The responsible staff is adequately trained.
Objective: It is important for each organization to know the information constituting its essential assets (e.g. business secrets, critical business processes, know-how, patents). They are referred to as information assets. An inventory ensures that the organization obtains an overview of its information assets. Moreover, it is important to know the supporting assets (e.g. IT systems, services/IT services, employees) processing these information assets.
Requirements (must): Information assets and other assets where security is relevant to the organization are identified and recorded.
- A person responsible for these information assets is assigned.
The supporting assets processing the information assets are identified and recorded:
- A person responsible for these supporting assets is assigned.
Requirements (should): A catalogue of the relevant information assets exists:
- The corresponding supporting assets are assigned to each relevant information asset,
- The catalogue is subject to regular review.
Objective: The objective of classifying information assets is the consistent determination of their protection needs. For this purpose, the value the information has for the organization is determined based on the protection goals of information security (confidentiality, integrity, and availability) and classified according to a classification scheme. This enables the organization to implement adequate protective measures.
Requirements (must): A consistent scheme for the classification of information assets regarding the protection goal of confidentiality is available.
Evaluation of the identified information assets is carried out according to the defined criteria and assigned to the existing classification scheme.
Specifications for the handling of supporting assets (e.g. identification, correct handling, transport, storage, return, deletion/disposal) depending on the classification of information assets are in place and implemented.
Requirements (should): The protection goals of integrity and availability are taken into consideration.
Objective: Particularly in the case of external IT services that can be used at relatively low cost or free of charge, there is an increased risk that procurement and commissioning will be carried out without appropriate consideration of the information security requirements and that security therefore is not ensured.
Requirements (must): External IT services are not used without explicit assessment and implementation of the information security requirements:
- A risk assessment of the external IT services is available,
- Legal, regulatory, and contractual requirements are considered.
The external IT services have been harmonized with the protection need of the processed information assets.
Requirements (should): Requirements regarding the procurement, commissioning and release associated with the use of external IT services are determined and fulfilled.
A procedure for release in consideration of the protection need is established.
External IT services and their approval are documented.
It is verified at regular intervals that only approved external IT services are used.
Objective: Information processing is mostly done using specific software. Security issues in software easily become a risk for the information processed. Accordingly, software must be appropriately managed.
Requirements (must): Software is approved before installation or use. The following aspects are considered:
- Limited approval for specific use-cases or roles
- Conformance to the information security requirements
- Software use rights and licensing
- Source / reputation of the software
Software approval also applies to special purpose software such as maintenance tools.
Requirements (should): The types of software such as firmware, operating systems, applications, libraries, device drivers to be managed are determined.
Repositories of managed software exist.
The software repositories are protected against unauthorized manipulation.
Approval of software is regularly reviewed.
Software versions and patch levels are known.
Objective: Information security risk management aims at the timely detection, assessment and addressing of risks in order to achieve the protection goals of information security. It thus enables the organization to establish adequate measures for protecting its information assets under consideration of the associated prospects and risks. It is recommended to keep the information security risk management of an organization as simple as possible such as to enable its effective and efficient operation.
Requirements (must): Risk assessments are carried out both at regular intervals and in response to events.
Information security risks are appropriately assessed (e.g. for probability of occurrence and potential damage).
Information security risks are documented.
A responsible person (risk owner) is assigned to each information security risk. This person is responsible for the assessment and handling of the information security risks.
Requirements (should): A procedure is in place defining how to identify, assess and address security risks within the organization.
Criteria for the assessment and handling of security risks exist.
Measures for handling security risks and the persons responsible for these are specified and documented:
- A plan of measures or an overview of their state of implementation is followed.
In case of changes to the environment (e.g. organizational structure, location, changes to regulations), reassessment is carried out in a timely manner.
Objective: It is not sufficient to define information security requirements and to prepare and publish policies. It is important to regularly review their effectiveness.
Requirements (must): Observation of policies is verified throughout the organization.
Information security policies and procedures are reviewed at regular intervals.
Measures for correcting potential non-conformities (deviations) are initiated and pursued.
Compliance with information security requirements (e.g. technical specifications) is verified at regular intervals.
The results of the conducted reviews are recorded and retained.
Requirements (should): A plan for content and framework conditions (time schedule, scope, controls) of the reviews to be conducted is provided.
Objective: As an essential control mechanism, assessing the effectiveness of the ISMS from merely an internal point of view is insufficient. Additionally, an independent and therefore objective assessment shall be obtained at regular intervals and in case of fundamental changes.
Requirements (must): Information security reviews are carried out by an independent and competent body at regular intervals and in case of fundamental changes.
Measures for correcting potential deviations are initiated and pursued.
Requirements (should): The results of conducted reviews are documented and reported to the management of the organization.
Objective: Potential security events or observations may be detected by anyone. It is vital that anyone can report, and knows when and how to report, anything they have observed that has potential security implications (observations) or events, so that the experts can decide if and how it needs to be handled.
Requirements (must): A definition for a reportable security event or observation exists and is known by employees and relevant stakeholders. The following aspects are considered:
- Events and observations related to personnel (e.g., misconduct / misbehaviour)
- Events and observations related to physical security (e.g., intrusion, theft, unauthorized access to security zones, vulnerabilities in the security zones)
- Events and observations related to IT and cyber security (e.g., vulnerable IT-systems, detected successful or unsuccessful attacks)
- Events and observations related to suppliers and other business partners (e.g., any incidents that can have negative effect on the security of own organization)
Adequate mechanisms based on perceived risks to report security events are defined, implemented, and known to all relevant potential reporters.
Adequate channels for communication with event reporters exist.
Requirements (should): A common point of contact for event reporting exists.
Different reporting channels according to perceived severity are available (i.e., real-time communication for significant events / emergencies in addition to asynchronous mechanisms such as tickets or email).
Employees are obliged and trained to report relevant events.
Security event reports from external parties are considered:
- An externally accessible way to report security events exists and is communicated,
- Reactions to security event reports from external parties are defined.
The mechanism for reporting incidents, and information on how to report them, is accessible to all relevant reporters.
A feedback procedure to reporters is established.
Objective: Once security events are reported, it is vital that the handling of the events is managed. This means ensuring that the type and criticality of the reported event, as well as the persons responsible, are quickly identified so that time-critical aspects can be handled in time. Once identification is done, it is necessary to ensure that the responsible persons become aware of the event and deal with it within a reasonable time frame. Furthermore, if the event affects multiple different persons or management, coordinating communication is an important part of event management. Finally, if there are external (contractual or regulatory) reporting requirements, it is important to ensure that these are also fulfilled in a professional way.
Requirements (must): Reported events are processed without undue delay.
An adequate reaction to reported security events is ensured.
Lessons learned are incorporated into continuous improvement.
Requirements (should): During processing, reported events are categorized (e.g. by responsibility into personnel, physical and cyber), qualified (e.g. not security relevant, observation, suggested security improvement, security vulnerability, security incident) and prioritized (e.g. low, moderate, severe, critical).
Responsibilities for handling of events based on their category are defined and assigned. The following aspects are considered:
- Coordination of incidents and vulnerabilities across multiple categories
- Qualification and resources
- Contact mechanisms based on type and priority (e.g., non-time-critical communication, time-critical communication, emergency communication)
- Absence-management
A strategy for filing official reports and seeking prosecution of potentially criminally relevant aspects of security incidents exists. (C, I, A)
Objective: A crisis situation occurs if exceptional situations (e.g. natural disasters, physical attacks, pandemics, exceptional social situations, cyber-attacks causing major infrastructure failures) severely disrupt key business operations. In such cases, the main priority of the organization is to handle the situation as gracefully as possible and recover as quickly as possible. Since time is of the essence, the usual approach is to switch to a crisis management mode that executes pre-planned procedures with a specific distribution of responsibilities and structures, enabling the organization to deal with such a situation.
Requirements (must): An appropriate planning to react to and recover from crisis situations exists.
- The required resources are available.
Responsibilities and authority for crisis management within the organization are defined, documented, and assigned.
The responsible employees are defined and qualified for their task.
Requirements (should): Methods to detect crisis situations are established.
- General indications for the existence or imminence of a crisis situation and specific predictable crises are identified.
A procedure to invoke and/or escalate crisis management is in place.
Strategic goals and their priority in crisis situations are defined and known to relevant personnel. The following aspects are considered:
- Ethical priorities (e.g., protection of life and health)
- Core business processes (e.g., processes that ensure the survival of the organization)
- Appropriate information security
A crisis management team is defined and approved. The following aspects are considered:
- Management commitment
- Composition (e.g., participation of all major functions of the organization including organization leadership (management board), business operations (production), HR, information security, corporate security, corporate emergency services, IT/cyber security, communication, finance)
- Structure and roles
- Competences of members
- Expectation and authority
- Decision making procedures
Crisis policies and procedures are defined and approved. The following aspects are considered:
- Exceptional authorities and decision-making processes beyond the crisis management team
- Primary and backup means of communication
- Emergency operating procedures
- Exceptional organizational structures (e.g., reporting, information gathering, decision making)
- Exceptional functions, responsibilities, and authority (including reporting)
- Exceptional tools
Crisis planning is reviewed and updated regularly.
Objective: Competent, reliable and trustworthy employees are key to information security within the organization. Therefore, it is important to check the qualifications of potential employees (e.g. applicants) to an appropriate extent.
Requirements (must): Sensitive work fields and jobs are determined.
The requirements for employees with respect to their job profiles are determined and fulfilled.
The identity of potential employees is verified (e.g. checking identity documents).
Requirements (should): The personal suitability of potential employees is verified by means of simple methods (e.g. job interview).
An extended suitability verification depending on the respective work field and job is conducted (e.g. assessment centre, psychological analysis, checking of references, certificates and diplomas, checking of certificates of conduct, checking of professional and private background).