Netwrix software for TISAX compliance

Reliably comply with TISAX regulations using solutions from Netwrix

The EU-wide audit and exchange mechanism TISAX is based on a catalog of requirements for information security in the automotive industry, which includes important audit criteria such as data protection and the integration of third parties. The industry-specific framework for the verification of information security of suppliers, automobile manufacturers, original equipment manufacturers, and partners was developed by the German Association of the Automotive Industry (VDA) on behalf of the ENX Association:

1. General Aspects

  • 1.2 To what extent is a process for the identification, assessment, and treatment of information security risks defined, documented, and implemented?
  • 1.3 To what extent is the effectiveness of the ISMS ensured?

6. Organization of Information Security

  • 6.3 To what extent is there a policy for the use of mobile devices and their remote access to the organization's data?

8. Management of organization-owned assets

  • 8.2 To what extent is information classified according to its need for protection, and are there rules for labeling, handling, transportation, storage, retention, deletion, and disposal?

9. Access Control

  • 9.1 To what extent are there regulations and procedures regarding user access to network services, IT systems, and IT applications?
  • 9.2 To what extent are procedures for registering, modifying, and deleting users implemented, and in particular, is login information handled confidentially?
  • 9.3 To what extent is the assignment and use of privileged user and technical accounts regulated and reviewed?
  • 9.4 To what extent are there mandatory rules for the user regarding the creation and handling of confidential login credentials?
  • 9.5 To what extent is access to information and applications restricted to authorized individuals?

12. Operational Security

  • 12.1 To what extent are changes to the organization, business processes, information processing facilities, and systems controlled and implemented with regard to their relevance to security?
  • 12.5 To what extent are event logs, which may include user activities, exceptions, errors, and security events, generated, retained, reviewed, and protected against changes?
  • 12.6 To what extent are the activities of system administrators and operators logged, the storage of the logs secured against changes, and regularly reviewed?
  • 12.7 To what extent is information about technical vulnerabilities of IT systems obtained promptly and assessed, and are appropriate measures taken (e.g., Patch Management)?
  • 12.8 To what extent are audit requirements and activities planned and coordinated to review IT systems, and are the IT systems subsequently technically inspected (system audit)?

13. Communication Security

  • 13.1 To what extent are networks managed and controlled to protect information in IT systems and applications?
  • 13.4 To what extent is information protected during exchange or transmission?

14. Acquisition, development, and maintenance of systems

  • 14.2 To what extent are security-relevant aspects considered in the software development process (including Change Management)?
  • 14.3 To what extent is it ensured that test data are carefully created, protected, and used in a controlled manner?

16. Information Security Incident Management

  • 16.1 To what extent are responsibilities, procedures, reporting channels, and criticality levels defined for dealing with information security events or vulnerabilities?
  • 16.2 To what extent are information security events processed?

18. Compliance

  • 18.1 To what extent is compliance with legal (country-specific) and contractual provisions ensured (e.g., protection of intellectual property, use of encryption techniques, and protection of records)?

Depending on the configuration of your IT systems, your internal procedures, the nature of your business activities, and other factors, Netwrix Auditor may also be able to support compliance with TISAX requirements not listed above.
