2021-06-01 by Immo Wehrenberg TISAX
In order to prevent the spread of the coronavirus pandemic, companies in many places are once again required to carry out only absolutely essential work from their business premises and to allow all other employees to work from home.
This is also a legitimate approach from an information security perspective. Relocating the work to the home environment of your employees with adequate consideration of information security is possible in accordance with the TISAX requirements and in this case does not compromise your TISAX labels. For more information please refer to the document mentioned above (“Your ISMS and the Coronavirus”).
For more information please refer to Your ISMS and the Coronavirus
Naturally, the safety of the staff and the management of the situation should also be the top priority in the preparation of the assessment. As far as the situation allows, we recommend that the preparation for a TISAX assessment should continue to take place as planned.
Assessments in assessment level 2 can still take place without restrictions from TISAX‘ point of view. If an assessment has to be postponed due to limited availability of necessary persons for preparation and execution (e.g. due to work in crisis teams, crisis management or due to illness), the normal procedure for postponements applies.
There are no special regulations on the part of TISAX. ENX Association does not specify when a company is subject to which assessment. If business partners require a TISAX assessment as a prerequisite for information security clearances, the business partner decides how to deal with postponements (e.g. whether an exceptional clearance can be created).
Assessments in assessment level 3 can also continue to take place in principle. However, for various reasons it is often not possible to conduct them at present:
In this case we refer to 2.4 Pandemic workaround: “Assessment Level 2.5” as a possible alternative.
You have the option of conducting the assessment provisionally in assessment level 2 and extending it later to the actually planned assessment level 3. This means that in this specific case an assessment with very high protection need (label: "Info Very High") is carried out remotely as far as possible (assessment of all ISA Control requirements without consideration of the physical aspects in a so-called AL 2.5) and the physical security requirements will be checked in a later shortened on-site assessment.
In this case you will receive the Info High label in advance after successful completion of the remote assessment and the Info Very High label after the successful on-site assessment.
Please discuss this workaround with your interested or demanding business partners and inform that:
If you are in an assessment in assessment level 3 with several locations, we recommend that you split the locations that have not yet been assessed into a scope and then only conduct an assessment in assessment level 2 at these locations.
This will not result in any additional costs for registration. We will waive any additional scope registration fees that may arise for such temporarily registered scopes and their locations until the 31st of March 2021. Please inform us at the time of registration via firstname.lastname@example.org to avoid automated invoicing.
Should your already ordered assessment be postponed beyond the validity period of the existing assessment result due to the pandemic, please inform your audit provider in a timely manner with the request to extend the existing label. He will than contact us and we will evaluate to what extent the validity of the existing result can be extended in appropriate steps.
Please note that an extension of existing labels is only possible if the following conditions are met:
Since follow-up assessments do not usually require the personal presence of the auditor, assessments can still be conducted.
If the pandemic causes delays in the implementation of corrective actions, you should inform the audit provider of this in the form of an updated corrective action plan.
If the delay is judged by the auditor to be appropriate in light of the current situation, the auditor will report a new corrective action plan assessment with an updated “Latest corrective action due date” to us. This extends the validity of temporary labels accordingly.
Should the pandemic cause a postponement beyond the maximum period of nine months, please discuss this with your audit provider at an early stage. He will evaluate this accordingly and apply for an exemption to conduct a follow-up audit beyond the nine months.
In this situation, we will decide on a case-by-case basis to what extent an assessment can exceptionally be permitted after the nine-month period.
If you use TISAX as a tool to assess, evaluate and/or improve the information security of your supply chain, you will have to deal with the fact that the assessments, especially in assessment level 3, will have to be postponed for many of your suppliers and cooperation partners due to the current situation.
In the current situation, an assessment thats was not conducted does not allow for general conclusions to be drawn about poor preparation or implementation or a lack of will on the part of the business partner.
We recommend taking this into account in the risk assessment and checking, with an open mind, whether an assessment in assessment level 2 can be provisionally accepted (e.g. for six or twelve months).