Today we wanted to take a moment to recognize that clarity matters, and to help you understand what a Management System really is and how it drives the purposeful management of Information Security.
In short: a Management System is simply a structured set of policies, processes, procedures, lists, resources, and defined roles – working together toward a specific goal.
That goal might be defined and coherent Quality (ISO 9001), mindful Environmental Sustainability (ISO 14001), or – what we’re talking about here in our Breech Brief Weekly newsletter – necessary Information Security (ISO 27001, TISAX®, NIST CSF, etc.).
When we talk about an Information Security Management System (ISMS), we’re not just talking about IT or some servers in the basement. It’s about the entire organization – including every department or business partner who handles information in any shape or form.
For TISAX®, that means not just automakers (OEMs) and their system and part suppliers, but also:
- Automation and capital equipment suppliers – the companies building manufacturing machinery, assembly equipment, welding robots, production lines, carrier and inspection equipment, etc.
- Service providers – design and simulation houses, virtual and physical prototyping shops, visualization studios, marketing agencies, logistics and material handling firms, legal teams, and more.
All of them handle sensitive information: design data, prototype specs, manufacturing know-how, customer contracts, supplier pricing, and more.
An ISMS makes sure that all of these areas (whether they are internal teams or external partners):
- Know exactly what information assets they have.
- Understand the risks to those assets.
- Evaluate how severe those risks are and how likely they are to materialize against the information assets.
- Decide what measures to take to reduce or manage those risks.
- Have clear plans to discover and handle incidents (so if something goes wrong, they don’t panic – they act in a planned manner).
- Monitor and report on all this to management, so leadership knows what’s really happening.
And for effectiveness and compliance, this is not a one-time exercise. Just like with any Management System, it’s a continuous improvement loop: Plan → Do → Check → Act (PDCA). You plan your controls, you implement them, you check how well they work, and you adjust.
Then you do it all again. And again. And again. Because nothing is ever perfect, and the assets, risks, and threats change along the way.
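To make the asset → risk → evaluation → treatment → check steps above concrete, here is an added illustrative risk register (not part of this newsletter or of any TISAX® or ISO 27001 material): likelihood and severity are scored 1 to 5, their product is compared against a risk appetite, and the PDCA check recomputes residual risk once controls are attached. The assets, scores, controls and the appetite value are constructed sample values drawn from the risks this post lists.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Scores run 1 (rare / negligible) to 5 (almost certain / critical); constructed scale.
RISK_APPETITE = 6  # highest score leadership accepts without further treatment
# A control removes points from likelihood and/or severity (constructed model).
Control = namedtuple("Control", "name likelihood_reduction severity_reduction", defaults=(0, 0))
@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    severity: int
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:  # Plan: score the risk before any treatment
        return self.likelihood * self.severity

    def residual_score(self) -> int:  # Check: score again with controls applied, floor of 1
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        sev = max(1, self.severity - sum(c.severity_reduction for c in self.controls))
        return lik * sev

def treatment(score: int, appetite: int = RISK_APPETITE) -> str:
    """Decide: a score within appetite is accepted, anything above needs treatment."""
    return "accept" if score <= appetite else "treat"

# Constructed sample register built from risks the post lists; scores are illustrative.
REGISTER = [
    Risk("CAD files / design data", "leak to unauthorized party", 4, 5,
         [Control("access control + DLP on design shares", likelihood_reduction=2)]),
    Risk("Robot programs / PLC code", "unauthorized change", 3, 5,
         [Control("signed releases + change approval", likelihood_reduction=2),
          Control("offline last-known-good backups", severity_reduction=2)]),
    Risk("Partner access credentials", "compromise", 4, 4),  # no control attached yet
    Risk("Field-service USB media", "lost or mishandled", 3, 3,
         [Control("encrypted removable media", severity_reduction=2)]),
]

def pdca_check(register: list, appetite: int = RISK_APPETITE) -> list:
    # Check: one row per risk, highest residual first, as input to management reporting
    rows = [{"asset": r.asset, "inherent": r.inherent_score(), "residual": r.residual_score()}
            for r in register]
    for row in rows:
        row["status"] = treatment(row["residual"], appetite)
    return sorted(rows, key=lambda row: row["residual"], reverse=True)

def still_open(report: list) -> list:
    # Act: assets whose residual risk still exceeds appetite feed the next Plan step
    return [row["asset"] for row in report if row["status"] == "treat"]
```

Running `still_open(pdca_check(REGISTER))` returns the two assets whose residual score is still above appetite (partner credentials with no control attached, and design data at 10), which is exactly the list the next Plan step has to address.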
Common risks an ISMS (like TISAX®) helps you tackle
- Leaked CAD files or design data.
- Early exposure of prototype or pre-series data before official launches.
- Unsecured demo cells or prototype areas at trade shows and customer visits.
- Ransomware attacks locking down production systems or operational processes.
- Compromised supplier or partner access credentials.
- Unauthorized changes to robot programs or PLC code, leading to defects, damages, or shutdowns.
- Lost or mishandled data during field service or maintenance (e.g., USB drives, backups).
- Social engineering attacks (someone pretending to be HR to steal personally identifiable information).
TISAX® specifically is simply a specialized flavor of ISO 27001, tailored for the highly tiered, complex supplier structure of the automotive industry. It adds requirements (“controls”) specific to the way the automotive world shares huge volumes of critical information across several layers of the supply chain. If you currently supply anything to an OEM or major supplier, from robotics cells to dashboard prototypes and facility services, chances are you’re already committed to TISAX® compliance in your contractual agreements. Your client just didn’t get around to looking at you yet! Your next bid cycle might not be so lucky…
In closing: an ISMS (and TISAX®) is your organization-wide safety net for information. It’s not just a set of documents to keep auditors happy. It’s about protecting the designs you worked so hard on, the data that keeps your operations running, the personally identifiable information of your employees, and the trust that makes your customers pick up the phone again next time.
That’s it. No capital technology investment, no complex software implementation, no lipstick on a pig – just a practical, structured way to stay secure and stay in business.
#TISAX #ISMS #InfoSec #InformationSecurity #CyberSecurity #ISO27001 #RiskManagement #Automotive #GSInfoSec #NIST #CMMC #CRA #CyberResilience