TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.
This framework includes TISAX's information security requirements, which are mandatory for all TISAX participants. The framework can be extended with the prototype protection and data protection requirements, which are available as separate extension frameworks.
Below you'll find all of the requirements of this framework. In Cyberday, we map all requirements to global tasks, making multi-compliance management easy. Do it once, and see the progress across all frameworks!
Objective: Vulnerabilities increase the risk of IT systems being unable to meet the requirements for confidentiality, availability and integrity. Exploitation of vulnerabilities is among the possible ways for attackers to gain access to the IT system or to threaten its operating stability.
Requirements (must): Information on technical vulnerabilities of the IT systems in use is gathered (e.g. information from the manufacturer, system audits, CVE databases) and evaluated (e.g. with the Common Vulnerability Scoring System, CVSS)
+ Potentially affected IT systems and software are identified, assessed and any vulnerabilities are addressed.
Requirements (should): An adequate patch management is defined and implemented (e.g. patch testing and installation).
+ Risk minimizing measures are implemented, as necessary.
+ Successful installation of patches is verified in an appropriate manner.
















Objective: The objective of technical checks is the detection of states which can jeopardize the availability, confidentiality or integrity of IT systems and services.
Requirements (must): Requirements for auditing IT systems or services are determined.
The scope of the system audit is specified in a timely manner.
System or service audits are coordinated with the operator and users of the IT systems or services.
The results of system or service audits are stored in a traceable manner and reported to the relevant management.
Measures are derived from the results.
Requirements (should): System and service audits are planned taking into account any security risks they might cause (e.g. disturbances).
Regular system or service audits are performed
- carried out by qualified personnel
- suitable tools (e.g. vulnerability scanners) are used for system and service audits (if applicable)
- performed from the internet and the internal network
Within a reasonable period following completion of the audit, a report is prepared.








Objective: IT systems in a network are exposed to different risks or have different protection needs. In order to detect or prevent unintended data exchange or access between these IT systems, they are subdivided into suitable segments and access is controlled and monitored by means of security technologies.
Requirements (must): Requirements for the management and control of networks are determined and fulfilled.
Requirements regarding network segmentation are determined and fulfilled.
Requirements (should): Procedures for the management and control of networks are defined.
For a risk-based network segmentation, the following aspects are considered:
- Limitations for connecting IT systems to the network,
- Use of security technologies,
- Performance, trust, availability, security, and safety considerations
- Limitation of impact in case of compromised IT systems
- Detection of potential attacks and lateral movement of attackers
- Separation of networks with different operational purpose (e.g. test and development networks, office network, manufacturing networks)
- The increased risk due to network services accessible via the internet,
- Technology-specific separation options when using external IT services,
- Adequate separation between own networks and customer networks while considering customer requirements
- Detection and prevention of data loss/leakage
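A small added example of how the segmentation aspects above can be checked mechanically (editor-written code, not from the TISAX catalogue or Cyberday): a zone model with separate office, manufacturing, test/development and DMZ networks, a documented inter-zone flow matrix, and a default-deny audit of candidate firewall rules that flags anything not in the matrix, including internet-to-manufacturing and test-to-manufacturing paths that would give an attacker a lateral-movement route. The zone ranges, ports and rules are constructed for illustration.

```python
"""Added example: default-deny check of candidate firewall rules against a zone model
and a flow matrix. Zones, ports and rules are constructed sample data."""
import ipaddress

# Constructed zone model: networks with different operational purposes are separated.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "manufacturing": ipaddress.ip_network("10.20.0.0/16"),
    "test_dev": ipaddress.ip_network("10.30.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # internet-facing services
}

# Documented flow matrix: (source zone, destination zone, TCP port). Anything not
# listed is denied; that is what limits the impact of a compromised segment.
ALLOWED_FLOWS = {
    ("internet", "dmz", 443),            # public web front end
    ("office", "dmz", 443),
    ("dmz", "office", 636),              # LDAPS back to the directory (constructed)
    ("office", "manufacturing", 4840),   # OPC UA from engineering stations (constructed)
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the model is treated as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def check_rule(src: str, dst: str, port: int) -> tuple:
    """Return ('allow' | 'deny', reason) for one candidate src -> dst:port rule."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "allow", f"intra-zone traffic within {s}"
    if (s, d, port) in ALLOWED_FLOWS:
        return "allow", f"{s}->{d}:{port} is in the flow matrix"
    return "deny", f"{s}->{d}:{port} is not in the flow matrix"


def audit_ruleset(rules: list) -> list:
    """Return the rules (src, dst, port, reason) that a default-deny policy rejects."""
    rejected = []
    for src, dst, port in rules:
        verdict, reason = check_rule(src, dst, port)
        if verdict == "deny":
            rejected.append((src, dst, port, reason))
    return rejected


# Constructed candidate rules, e.g. from a change request.
CANDIDATE_RULES = [
    ("10.10.5.5", "192.0.2.10", 443),     # office -> dmz https: documented
    ("198.51.100.7", "10.20.1.1", 502),   # internet -> manufacturing Modbus: never
    ("10.30.1.1", "10.20.1.1", 22),       # test/dev -> manufacturing ssh: lateral path
    ("10.20.1.1", "10.20.1.2", 502),      # intra-zone: allowed by this check
]

if __name__ == "__main__":
    for item in audit_ruleset(CANDIDATE_RULES):
        print("REJECT", item)
```

Intra-zone traffic passes this check by design; detecting lateral movement inside a segment is a monitoring task, which is why the requirement lists detection separately from segmentation.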
















Objective: Continuity (including contingency) planning for IT services is part of an overall program for achieving continuity of operations for organizational mission and business critical functions. Actions addressed in continuity plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when a security incident occurs.
Requirements (must): Critical IT services are identified, and business impact is considered.
Requirements and responsibilities for continuity and recovery of those IT services are known to relevant stakeholders and fulfilled.
Requirements (should): Critical IT services are identified, and business impact is considered.
Requirements and responsibilities for continuity and recovery of those IT services are known to relevant stakeholders and fulfilled.
























Objective: Data and IT services can become unavailable through events such as hardware failures, software defects, operator errors or attacks. Backup and recovery enables organizations to recover from relevant situations and limit potential harm to the organization to a reasonable amount.
Requirements (must): Backup concepts exist for relevant IT systems. The following aspects are considered:
- Appropriate protective measures to ensure confidentiality, integrity, and availability for data backups.
Recovery concepts exist for relevant IT services.
Requirements (should): A backup and recovery concept exists for each relevant IT service.
- Dependencies between IT services and the sequence for recovery are considered.
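The two aspects above, integrity of backups and a recovery sequence that respects dependencies between services, as an added example (editor-written, not from the TISAX catalogue or Cyberday). The service names, dependency map and backup contents are constructed; the integrity check assumes digests were recorded at backup time and stored apart from the backup media.

```python
"""Added example: recovery order from a service dependency map (topological sort with
cycle detection) and a backup integrity check. All data is constructed."""
import hashlib
from collections import deque

# Constructed dependency map: service -> services that must be restored first.
DEPENDENCIES = {
    "directory": [],
    "database": ["directory"],
    "file_share": ["directory"],
    "erp": ["database", "directory"],
    "web_portal": ["erp"],
}


def recovery_order(deps: dict) -> list:
    """Kahn's algorithm: every service appears after all of its dependencies.
    A cycle or an undocumented dependency raises ValueError, which means the
    recovery concept itself is inconsistent and must be fixed before an incident."""
    indegree = {svc: 0 for svc in deps}
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc} depends on undocumented service {need}")
            indegree[svc] += 1
            dependents[need].append(svc)
    ready = deque(sorted(s for s, n in indegree.items() if n == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for dep in sorted(dependents[svc]):
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
    if len(order) != len(deps):
        raise ValueError("dependency cycle among: " + ", ".join(sorted(set(deps) - set(order))))
    return order


def verify_backup(blob: bytes, expected_sha256: str) -> bool:
    """Integrity check before restore: the digest recorded when the backup was taken
    (kept separately from the backup media) must match what is about to be restored."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


# Constructed backup and the digest recorded at backup time.
DATABASE_BACKUP = b"constructed database dump v1"
MANIFEST = {"database": hashlib.sha256(DATABASE_BACKUP).hexdigest()}

if __name__ == "__main__":
    print("restore in this order:", recovery_order(DEPENDENCIES))
    print("database backup intact:", verify_backup(DATABASE_BACKUP, MANIFEST["database"]))
    print("altered copy intact:", verify_backup(DATABASE_BACKUP + b" (altered)", MANIFEST["database"]))
```

Running the sort as part of the recovery concept review, rather than during an incident, is the point: a dependency cycle or a service nobody documented surfaces as an error while there is still time to resolve it.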
























Objective: Information security is an integral part of the entire lifecycle of IT systems. This particularly includes consideration of information security requirements in the development or acquisition of IT systems.
Requirements (must): The information security requirements associated with the design and development of IT systems are determined and considered.
The information security requirements associated with the acquisition or extension of IT systems and IT components are determined and considered.
Information security requirements associated with changes to developed IT systems are considered.
System approval tests are carried out under consideration of the information security requirements.
Requirements (should): Requirement specifications are prepared. The following aspects are considered:
- The information security requirements.
- Vendor recommendations and best practices for secure configuration and implementation
- Best practices and security guidelines
- Fail safe (designed to return to a safe condition in the event of a failure or malfunction)
Requirement specifications are reviewed against the information security requirements.
The IT system is reviewed for compliance with specifications prior to productive use.
The use of productive data for testing purposes is avoided as far as possible (if applicable, anonymization or pseudonymization):
- Where productive data are used for testing purposes, it shall be ensured that the test system is provided with protective measures comparable to those on the operational system,
- Requirements for the lifecycle of test data (e.g. deletion, maximum lifetime on the IT system),
- Case-related specifications for the generation of test data are defined.
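The pseudonymisation and test-data lifecycle points above, as an added example (editor-written, not from the TISAX catalogue or Cyberday). It replaces direct identifiers with keyed HMAC-SHA256 tokens, which keeps joins between tables working while being irreversible without the key, generalises a quasi-identifier, and stamps the dataset with a deletion date. The records are fictional, the field names and 30-day maximum lifetime are assumptions, and the key is a constructed placeholder that in practice would be held outside the test system.

```python
"""Added example: keyed pseudonymisation of productive records for test use, with a
deletion date derived from a maximum test-data lifetime. All data is constructed."""
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed productive records (fictional people).
PRODUCTIVE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna.example@example.com", "birth_date": "1984-03-17", "plan": "gold"},
    {"customer_id": "C-1002", "email": "ben.example@example.com", "birth_date": "1990-11-02", "plan": "silver"},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")    # replaced by a keyed token
QUASI_IDENTIFIERS = {"birth_date": "year_only"}  # generalised so it no longer singles out a person
MAX_TEST_DATA_AGE = timedelta(days=30)           # assumed lifecycle requirement


def pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 token, truncated to 64 bits for readability. Deterministic for one
    key, so references between tables survive; a plain hash would let an attacker
    recover small-domain values (customer numbers) by brute force."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(value, key)
        elif QUASI_IDENTIFIERS.get(field) == "year_only":
            out[field] = value[:4]
        else:
            out[field] = value
    return out


def build_test_dataset(records: list, key: bytes, created_iso: str) -> dict:
    """Pseudonymise all records and attach the metadata the lifecycle rule needs."""
    created = date.fromisoformat(created_iso)
    return {
        "created": created.isoformat(),
        "delete_after": (created + MAX_TEST_DATA_AGE).isoformat(),
        "records": [pseudonymise(r, key) for r in records],
    }


def is_expired(dataset: dict, today_iso: str) -> bool:
    """True once the dataset has outlived its maximum lifetime on the test system."""
    return date.fromisoformat(today_iso) > date.fromisoformat(dataset["delete_after"])


if __name__ == "__main__":
    key = b"constructed-test-key-do-not-reuse"   # placeholder; keep the real key out of the test system
    dataset = build_test_dataset(PRODUCTIVE_RECORDS, key, "2024-01-15")
    print(json.dumps(dataset, indent=2))
    print("expired on 2024-03-01:", is_expired(dataset, "2024-03-01"))
```

Note that pseudonymised data is still personal data wherever the key exists, which is why the requirement pairs it with protective measures on the test system comparable to those on the operational system.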




















Objective: Network services have different requirements for information security, quality of data transfer or management. It is important to know these criteria and the scope of use of the different network services.
Requirements (must): Requirements regarding the information security of network services are determined and fulfilled.
Requirements (should): A procedure for securing and using network services is defined and implemented.
+ The requirements are agreed in the form of SLAs.
+ Adequate redundancy solutions are implemented.




















Objective: In order to ensure control over the information assets as the information owner, it is necessary that the information assets can be safely removed or are returned, if required, when terminating the IT service.
Requirements (must): A procedure for the return and secure removal of information assets from each external IT service is defined and implemented.
Requirements (should): A description of the termination process is given, adapted to any changes, and contractually regulated.




Objective: Clear segregation between individual clients must be ensured such as to always protect own information in external IT services and to prevent it from being accessed by other organizations (clients).
Requirements (must): Effective segregation (e.g. segregation of clients) prevents access to own information by unauthorized users of other organizations.
Requirements (should): The provider’s segregation concept is documented and adapted to any changes. The following aspects are considered:
- Separation of data, functions, customer-specific software, operating system, storage system and network,
- Risk assessment for the operation of external software within the shared environment.




Objective: An appropriate level of information security is also maintained while collaborating with cooperation partners and contractors.
Requirements (must): Contractors and cooperation partners are subjected to a risk assessment with regard to information security.
An appropriate level of information security is ensured by contractual agreements with contractors and cooperation partners.
Where applicable, contractual agreements with clients are passed on to contractors and cooperation partners.
Compliance with contractual agreements is verified.
Requirements (should): Contractors and cooperation partners are contractually obliged to pass on any requirements regarding an appropriate level of information security to their subcontractors.
Service reports and documents by contractors and cooperation partners are reviewed.




















Objective: Non-disclosure agreements provide legal protection of an organization’s information particularly where information is exchanged beyond the boundaries of the organization.
Requirements (must): + The non-disclosure requirements are determined and fulfilled.
+ Requirements and procedures for applying non-disclosure agreements are known to all persons passing on information in need of protection.
+ Valid non-disclosure agreements are concluded prior to forwarding sensitive information.
+ The requirements and procedures for the use of non-disclosure agreements and the handling of information requiring protection are reviewed at regular intervals.
Requirements (should): Non-disclosure agreement templates are available and checked for legal applicability.
Non-disclosure agreements include the following information:
- the persons/organizations involved,
- the type of information covered by the agreement,
- the subject of the agreement,
- the validity period of the agreement,
- the responsibilities of the obliged party.
Non-disclosure agreements include provisions for the handling of sensitive information beyond the contractual relationship.
Options of demonstrating compliance with specifications (e.g. review by an independent third party or audit rights) are defined.
A process for monitoring the validity period of temporary non-disclosure agreements and initiating their extension in due time is defined and implemented.
















Objective: Non-compliance with legal, regulatory, or contractual provisions can create risks to the information security of customers and the own organization. Therefore, it is essential to ensure that these provisions are known and observed.
Requirements (must): Legal, regulatory, and contractual provisions of relevance to information security (see examples) are determined at regular intervals.
Policies regarding compliance with the provisions are defined, implemented, and communicated to the responsible persons.
Requirements (should): The integrity of records in accordance with the legal, regulatory, or contractual provisions and business requirements is considered.








Objective: Privacy and protection of personally identifiable data are considered in the implementation of information security as required by relevant national legislation and regulations, where applicable.
Requirements (must): Legal and contractual information security requirements regarding the procedures and processes in the processing of personally identifiable data are determined.
Regulations regarding the compliance with legal and contractual requirements for the protection of personally identifiable data are defined and known to the entrusted persons.
Processes and procedures for the protection of personally identifiable data are considered in the information security management system.
Requirements (should): -




























Objective: The organization needs at least one policy on privacy. This reflects the importance and significance of data protection and is adapted to the organization. Other policies may be appropriate depending on the size and structure of your organization.
Requirements (must): A policy is created, regularly updated, and approved by the organization's management.




Objective: Successful data protection requires clear responsibilities in the organization.
Requirements (must): A data protection officer is appointed, if required by Art. 37 GDPR.
- Determination of whether the appointment of a data protection officer is voluntary or mandatory
- otherwise determination of a data protection function or comparable
Publication of contact details (e.g. on the Internet)
Integration into the organization's structure
Exercise of the control obligations as defined in Art. 39 (1) (b) GDPR and corresponding documentation
Documentation of the data protection status and report to organization's top management
Equipped with sufficient capacities and resources
- Determination of whether the data protection function is full-time or part-time
- adequate professional qualification
- regular professional training
- access to specialist literature
- support of the data protection officer by data protection coordinators in the companies organizational units, depending on the company size (e.g. marketing, sales, personnel, logistics, development, etc.)












