Better Understanding of how Information Security and Cybersecurity Compliance are Layered is Needed
This week I went to meet future clients at Design-2-Part, an established manufacturing show that takes place every year in various parts of the country. It is a highly recommendable event for meeting quality vendors for precision manufacturing in Automotive, Medtech, Aerospace, and all kinds of other industries. Seeing the level of precision and innovation in the sample parts these vendors showcased gave me new trust and confidence in American manufacturing!
I also went to raise awareness about TISAX®, the global Information Security standard specific to the Automotive Industry, since its implementation among American manufacturers and service providers is still trailing behind the rest of the world at an alarming rate.
Over the past years I have learned that when broaching the subject of TISAX®, it is best to open generically with Information Security, Cybersecurity, and Compliance, since few people are even aware of the term TISAX® yet.
Once I introduced TISAX® in my conversations, however, several quickly replied, “We’re already working on CMMC.”
That response makes sense on the surface – both are Cybersecurity frameworks – but it misses a critical point: they apply to different markets, cover different requirements, and often both are needed.
From Management Systems to Machine Controllers
It is absolutely critical to understand this:
International manufacturing supply chains operate under multiple overlapping and complementing layers of Cybersecurity and Information Security standards.
There is no one-size-fits-all approach. Each standard or framework serves a distinct purpose. Some focus on the organization, others on the factory floor, and others on the products themselves. In some cases, all layers need to comply, and potentially with more than one standard each.
Therefore, and without being overly dramatic: understanding which standard applies where is ultimately a business survival skill going forward.
The Governance Layer – Start Here!
Every Information and Cybersecurity journey begins with a Management System that defines the purpose, scope, ownership, activities, accountability, monitoring, and optimization while implementing and maintaining security efforts.
That is often ISO/IEC 27001, the universal foundation for an Information Security Management System (ISMS) – a structured, auditable standard to identify risks, manage them, and continually improve.
Some industries and regions, however, have chosen to deviate from ISO 27001 and developed their own standard for the governance layer of an ISMS:
- In the Automotive ecosystem, for example, the TISAX® Assessment Scheme and Label takes that role almost everywhere in the world at this point. It builds directly on ISO 27001, then adds industry-specific controls for prototype protection and physical security, and on top of that a maturity-level assessment – organizations have to show evidence that the implementation is functionally effective. TISAX® applies not only to Automotive suppliers, but also, for example, to service providers, software vendors, and logistics partners handling OEM-related data or other confidential information. Successful TISAX® assessments result in a TISAX® label, accepted across the automotive industry.
- In the U.S. as another example, the NIST Cybersecurity Framework (CSF 2.0) provides a structured governance framework but does not technically constitute an ISMS. Still, organizations often map its six functions – Govern, Identify, Protect, Detect, Respond, and Recover – to ISO/IEC 27001 management system requirements to achieve a complete governance layer.
Together, these define how security is managed through governance and risk processes, and connect that governance to defined control catalogs that specify what must be implemented.
The Control Layer – What You Actually Do
Governance alone isn’t enough. Organizations implement their ISMS using a defined set of controls: the practical safeguards. That’s where, for example, NIST SP 800-53 and the CIS Controls v8 come in. They outline detailed technical and procedural measures for access control, monitoring, incident response, and supply-chain security that map neatly onto ISO 27001 and TISAX® control expectations.
The Sector and Regulatory Layer – Who You Answer To
But wait! There’s more!
Different markets impose different Cybersecurity obligations. Here’s where the complexity – and opportunity – begins. Just because we have determined with our ISMS how an organization maintains security, that does not make the product itself secure, does it? And securing a Home Automation product such as an Internet of Things (IoT) smart ceiling fan probably doesn’t require the same level of scrutiny that the guidance system for an air-to-air missile had better have, right?
That’s why different markets have developed a number of complementing standards and frameworks that expand an organization’s security efforts onto its products and product-related processes.
How the Layers Interconnect
- ISO 27001 / TISAX® / NIST CSF form the organizational governance layer.
- NIST 800-53 / CIS Controls provide the technical control layer.
- IEC 62443 / NIST SP 800-82 / ISO/IEC 27019 protect the factory and OT (Operational Technology) layer.
- UNECE R155 / ISO 21434 / CRA secure the product and lifecycle layer.
- NIS2 and CMMC define the regulatory enforcement layer – making any of the above no longer optional but mandated by law. (Note: as of 2027, the CRA is also mandated by EU law.)
Each layer enforces the next: from policies, to production systems, to the connected devices leaving your facility.
Why Does This All Matter?
Pursuing Information and Cybersecurity for one’s own benefit, Business Continuity, and competitive edge requires a clear understanding of how the various requirements apply layer by layer, case by case, product by product, market by market, region by region.
Imagine your company makes an electronic component marketed to, for example, both Defense and Automotive customers. You may very likely face CMMC on one contract and TISAX® on another – and meeting one would not substitute for meeting the other.
And if you sell smart controllers or networked components into Europe, the Cyber Resilience Act will require lifetime vulnerability management, updates, and secure design proof.
And if your organization operates industrial control systems or critical services, NIS2 or IEC 62443 coverage may become mandatory under EU or state-level law.
None of this is duplication; rather, it is convergence. Cybersecurity has evolved from being solely IT hygiene into a multi-layered structure spanning governance, operations, and products, defined in detail for specific markets and regions.
The Takeaway
Treat ISO 27001, CSF – or TISAX® if you’re in the automotive sphere – as your management backbone. Use NIST 800-53 or CIS Controls to define your control set. Secure your production environment with IEC 62443 and NIST 800-82. Then add the sector and regional layers your markets demand – CMMC for U.S. defense, TISAX® again for automotive suppliers and service providers. Then roll out product-specific requirements like UNECE R155 / ISO 21434 for automotive vehicles, and CRA / NIS2 for the EU’s digital and operational products.
Seen comprehensively, compliance isn’t one standard. It’s a system of interlocking layers – from management systems to machine controllers, and from the factory floor to the final product. Only by dissecting which requirements apply where will organizations succeed in maintaining future-proof business continuity.
Our team at Granite State InfoSec Consulting LLC is ready and able to help navigate these standards and frameworks with your organization.
#TISAX #ISMS #InfoSec #InformationSecurity #CyberSecurity #ISO27001 #RiskManagement #Automotive #GSInfoSec #NIST #CMMC #CRA #CyberResilience