
Continuous self-assessment

Whether your ISMS remains compliant has to be checked by means of controls. These checks also serve to identify possible improvements to your processes and to record possible optimizations that advance the ISMS. The document template Management Review can help here, for example: it is used to agree the suitability and effectiveness of the ISMS with company management. The Information Security Officer (ISO/ISB) provides, or is responsible for providing, all the necessary information. The management review should take place at least once a year and, most importantly, before the TISAX assessment, since that is where evidence of the management review has to be presented.

Furthermore, the VDA ISA catalogue can also help you keep control of the ISMS: use it as a checklist and go through it to see whether there are any points where changes have been made or are planned.

Use the control mechanisms mentioned above and continually try to optimize your procedures, your processes and the ISMS itself, so that the ISMS stays up to date.

TISAX Self-Assessment

As described above, TISAX is designed as a self-assessment, which is then reviewed by an audit provider. Depending on the assessment level of your assessment, this review is either based on random samples or a thorough, checklist-style examination of all controls.

Note: TISAX assessments are generally very intensive and thorough. In an assessment at assessment level 3 in particular, every control is discussed in depth.

In the VDA ISA catalogue you evaluate the controls that apply to you and thus the maturity level of your ISMS. Do this to the best of your knowledge and belief. The following six evaluation options are available:

  • Maturity level 0 – Incomplete: There is no process, or the process is incomplete.
  • Maturity level 1 – Performed: The results show that the process works, but it is not documented and there is no understanding of why it works.
  • Maturity level 2 – Controlled: The processes are documented and work, but several different processes exist for the same goal.
  • Maturity level 3 – Established: The process works and there is up-to-date, maintained documentation. (This is generally the target maturity level.)
  • Maturity level 4 – Predictable: The process works and is measured; up-to-date, maintained documentation exists for it.
  • Maturity level 5 – Optimizing: The process works and is measured, and up-to-date, maintained documentation exists for it. In addition, dedicated employees are responsible for its continuous improvement.

Note: The VDA ISA catalogue has a tab called “Maturity level” which describes in more detail what is meant by each maturity level.

You enter the maturity level directly against each control (requirement or measure), i.e. under Information Security and, where applicable, Prototype Protection and Data Protection. The catalogue then calculates an overall maturity level for you and draws a network (radar) diagram, where you can see at a glance where you have and have not met the requirements.

VDA ISA Catalogue 5.0 – Shipping in the automotive industry

If you have rated a control above the target maturity level (i.e. at 4 or 5), it is cut back to maturity level 3 for the result, since you need maturity level 3 in every applicable control and a shortfall in one control cannot be compensated by a higher maturity level in another.

Example: Suppose you have maturity level 5 in the control “To what extent are guidelines for information security in place?” and only maturity level 1 in the control “To what extent is information security managed in the organization?”. The result is not an overall level of 3: the first control is cut back to 3 and the second stays at 1, so the target maturity level is not reached. In short, you can have maturity level 5 in every other control, but as long as a single control is at maturity level 0, 1 or 2, you will not reach the overall target maturity level of 3.

Below the network diagram you will find a list of all controls with their target maturity levels (usually target maturity level 3) and their self-assessed maturity levels.

VDA ISA Catalogue 5.0 – Shipping in the automotive industry

If your evaluation result falls 10% below the maximum achievable result, the overall assessment result is rated as a minor deviation.
If your evaluation result falls 30% below the maximum achievable result, the overall assessment result is rated as a major deviation.
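The cut-back rule and the deviation thresholds above are easiest to see with numbers. The following is an added example written for this page; it is not part of the lesson and not VDA/ENX tooling. It assumes two things the page does not spell out: that the overall result is the mean of the cut-back maturity levels across the applicable controls and the maximum achievable result is the mean of their targets, and that "10% below" and "30% below" mean "at least 10% / 30% below". The control names, the `Control` class and the function names are illustrative choices.

```python
# Added example (not from the lesson, not VDA/ENX tooling): a small scorer that
# applies the cut-back rule to a VDA ISA style self-assessment.
# Assumptions (also stated in the lead-in):
#   * result = mean of cut-back levels, maximum = mean of target levels;
#   * "10% / 30% below" is read as "at least 10% / 30% below the maximum".
from __future__ import annotations

from dataclasses import dataclass

TARGET_MATURITY_LEVEL = 3      # the usual target per control
MINOR_DEVIATION_GAP = 0.10     # share of the maximum achievable result
MAJOR_DEVIATION_GAP = 0.30


@dataclass(frozen=True)
class Control:
    name: str                  # control question, e.g. "1.2.1 ..."
    self_assessed: int         # maturity level 0..5 from the self-assessment
    target: int = TARGET_MATURITY_LEVEL


def cut_back(control: Control) -> int:
    """Maturity above the target does not count: cap the level at the target."""
    if not 0 <= control.self_assessed <= 5:
        raise ValueError(f"{control.name}: maturity level must be 0..5")
    return min(control.self_assessed, control.target)


def shortfalls(controls: list[Control]) -> list[str]:
    """Controls whose cut-back level is still below their target.

    A single entry here means the target maturity level is not reached,
    however well the remaining controls are rated (no compensation)."""
    return [c.name for c in controls if cut_back(c) < c.target]


def target_reached(controls: list[Control]) -> bool:
    return not shortfalls(controls)


def overall_result(controls: list[Control]) -> tuple[float, float]:
    """(result, maximum achievable result) under the mean-of-levels assumption."""
    if not controls:
        raise ValueError("no applicable controls")
    result = sum(cut_back(c) for c in controls) / len(controls)
    maximum = sum(c.target for c in controls) / len(controls)
    return result, maximum


def classify(controls: list[Control]) -> str:
    """Map the gap to the maximum achievable result onto the lesson's categories."""
    result, maximum = overall_result(controls)
    gap = (maximum - result) / maximum
    if gap >= MAJOR_DEVIATION_GAP:
        return "major deviation"
    if gap >= MINOR_DEVIATION_GAP:
        return "minor deviation"
    # A small gap can still hide a control below target, so report that too.
    return "target reached" if target_reached(controls) else "below target (gap under 10%)"


if __name__ == "__main__":
    # Constructed sample: the two controls from the lesson's example.
    sample = [
        Control("Guidelines for information security in place", 5),
        Control("Information security managed in the organization", 1),
    ]
    print([cut_back(c) for c in sample])   # 5 is cut back to 3, 1 stays 1
    print(shortfalls(sample))
    print(overall_result(sample))
    print(classify(sample))
```

Running the sample shows the point of the cut-back: the level 5 counts as 3, the result is 2.0 against a maximum of 3.0, and the shortfall list names the one control that keeps the target from being reached.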

You should take deviations seriously and work to close them. Once you have reached the target maturity level in your self-assessment and feel that you are in a good position, you should have the assessment carried out.