TISAX® Demystified – Episode 1

TISAX® Demystified Blog Ep. 1: Leadership, Scope, Ownership, Resources, Policy, Monitoring, Continuous Improvement ensure a functional Information Security Management System.


It All Starts at the Top: Why You Need a Security Gameplan

TISAX® doesn’t start with firewalls, backups, or fancy tech.
It starts with structure, ownership, and leadership – exactly what Chapter 1 of the VDA ISA catalog is about.

If your organization can’t answer who is in charge of information security, what the rules are, and how the system is monitored, you’re already off course.

What This Chapter Covers

VDA ISA Chapter 1 focuses on the organizational backbone of your Information Security Management System (ISMS).

Here’s what it demands – in plain English:
• Policy: You need a documented security policy. Not just something copied from the internet – a real one, aligned with your risks and business model.
• Roles & Responsibilities: Someone – not everyone – must be clearly responsible. Typically, that means appointing an Information Security Officer (ISO).
• Resources: The ISO needs time, budget, and authority. No part-time token role.
• Escalation Paths: When something goes wrong, who gets the call? And what’s the process?
• Leadership Review: Top management must regularly review the ISMS. Not once every three years.
• Continuous Improvement: You’re expected to evaluate, adapt, and improve. Yes, that means documentation.

Real-World Red Flags We See
• “Our IT manager is also our security officer, backup admin, and janitor.”
• “We have a policy… somewhere.”
• No evidence that leadership has ever looked at security metrics.
• Security tasks are split across departments with no coordination or accountability.

What TISAX® Wants to See
• A signed, risk-based security policy, reviewed annually at minimum
• A named, resourced Information Security Officer, with a defined role
• Documented escalation procedures and reporting paths
• Formal ISMS management review by top leadership – with meeting minutes
• Evidence of continuous improvement (review cycles, updates, corrective actions)

If You Only Do One Thing

Put someone in charge. Document it.
Give them the responsibility and the resources to build an actual system.
Then make sure top management doesn’t just delegate it and disappear – they need to stay engaged.

Next up:
Episode 2 – “Who’s Driving the Security Bus?”
We’ll break down how to assign roles without turning security into everyone’s problem (and no one’s job).