Instructions
This gap analysis document provides a simple framework for evaluating the current status of a TISAX VCSA.
The Status column is marked with one of the following identifiers:
- P : Pass; no major non-conformities and no minor non-conformities for any applicable control question under the selected audit objectives.
- CP : Conditional Pass; one or more minor non-conformities, but no major non-conformities.
- F : Fail; one or more major non-conformities.
Evidence shall be provided by the auditee (the assessed organization); an optional comment may be added by the auditee or the assessor.
Reference: The full TISAX VCSA assessment catalogue is available for download from the ENX website.
Part 1: Requirements
1. Organizational Cybersecurity
Requirement | Status (P, CP, F) | Evidence | Comments |
1.1 Are cybersecurity policies managed? | | | |
1.2 Are vehicle-related cybersecurity processes managed within the organization? | | | |
1.3 Are processes established to organize cybersecurity responsibilities? | | | |
1.4 Are processes established to manage project-dependent cybersecurity? | | | |
1.5 Assessments | | | |
1.6 Incident and Crisis Management | | | |
2. Human Resources - Cybersecurity Culture
Requirement | Status (P, CP, F) | Evidence | Comments |
2.1 Are cybersecurity culture and cybersecurity awareness established, implemented, and maintained? | | | |
3. Risk Management
Requirement | Status (P, CP, F) | Evidence | Comments |
3.1 Are processes and methods established to perform threat analysis and risk assessment (TARA) to determine cybersecurity risks for an item or component across the vehicle lifecycle? | | | |
3.2 Are processes established to treat cybersecurity risks for an item across the vehicle lifecycle? | | | |
3.3 Are processes established to transparently communicate cybersecurity risks? | | | |
4. Internal Assessments
Requirement | Status (P, CP, F) | Evidence | Comments |
4.1 Are processes established to review the effectiveness of the CSMS within the organization? | | | |
5. Concept and Product Development Phase
Requirement | Status (P, CP, F) | Evidence | Comments |
5.1 Are processes established to define the item and specify cybersecurity requirements? | | | |
5.2 Are processes established to verify the fulfilment of cybersecurity requirements on components during the development phase? | | | |
5.3 Are processes established to validate cybersecurity goals and claims at item level during the development phase? | | | |
6. Post-Development Phase (excluding operations and maintenance)
Requirement | Status (P, CP, F) | Evidence | Comments |
6.1 Are processes established for the release of an item or component for post-development phases? | | | |
6.2 Are processes established to apply cybersecurity requirements during the production phase? | | | |
7. Operations Security
Requirement | Status (P, CP, F) | Evidence | Comments |
7.1 Are processes established to monitor cybersecurity information and to identify cybersecurity events from the monitored information? | | | |
7.2 Are processes established to evaluate cybersecurity events? | | | |
7.3 Are processes established to identify and analyse vulnerabilities? | | | |
7.4 Are processes established to manage identified vulnerabilities? | | | |
7.5 Are processes established for updates to items or components? | | | |
7.6 Are processes established for communicating the end of cybersecurity support for an item or component to customers? | | | |
7.7 Are processes established to make cybersecurity requirements for decommissioning available? | | | |
8. Incident Management
Requirement | Status (P, CP, F) | Evidence | Comments |
8.1 Is a process established to respond to cybersecurity incidents? | | | |
8.2 Is a process established to validate the effectiveness and adequacy of the response to a cybersecurity incident? | | | |
9. Supply Chain Relationships
Requirement | Status (P, CP, F) | Evidence | Comments |
9.1 Are processes established to manage dependencies between the auditee organization and its VCS-relevant suppliers? | | | |