TISAX: new Catalogue ISA v6 available

This post is mainly so that I can find the details again more quickly.

Source: ISA Version 6 Now Available · ENX Portal

Here is a summary:

  • ISA 6: The latest version of the ISA catalogue, published in October 2023, with many changes and improvements that address the challenges and needs of the industry. It can be downloaded from the ENX portal linked above.
  • Key changes in ISA 6: New and revised controls to strengthen prevention, detection, response, recovery and service continuity against cyber attacks, especially ransomware; new translations and references to other standards; more guidance and examples for implementation; a completely revised data protection catalogue; removal of legacy structure and requirements.
  • Transition to ISA 6: A redline version of ISA 6 (showing the changes against ISA 5) is available for download from the ENX portal; the effective date for ISA 6 in TISAX is April 1st 2024; the transition rules are the same as for previous catalogue changes.


More details

ISA 6 comes with a large set of changes and improvements that are detailed in the ENX posting linked above. Most notably:

  1. Changes placing more focus on the IT and OT availability of production suppliers,
  2. English is now the leading language, with multiple translations planned,
  3. Addition of further implementation guidance,
  4. Completely revised data protection catalogue,
  5. New references to ISO/IEC 27001:2022 and the NIST Cybersecurity Framework Version 1.1, and
  6. Further continuous improvement and maintenance.


When does v6 start to be used?

  1. New TISAX assessment proceedings ordered up to and including March 31st, 2024, will be conducted using ISA version 5.
  2. New TISAX assessment proceedings ordered from April 1st, 2024, will be conducted using ISA version 6.
  3. Assessment activities related to an existing assessment, such as corrective action plan assessments, follow-ups or scope extensions, will be conducted using the same ISA version as the original assessment.

Resilience

The working group has ensured that all requirements of ISA/IEC 62443-2-1 are covered by the ISA and that all controls from ISA chapter 5 are applicable. As a result, all relevant control questions in the ISA are now mapped to ISA/IEC 62443-2-1, and a few minor changes to requirements have been made to align fully with that standard. Additionally, the Working Group ISA has reworked key sections of the ISA that are vital to preventing attacks. This includes a completely new control, 1.3.4, which requires the secure management of software on clients, as well as added requirements in 5.2.6 and 5.3.1.

Detection

The new control 1.6.1 is designed to ensure that it is clear what needs to be reported and that appropriate reporting mechanisms are established.

The text also notes that, since attacks cannot be prevented completely, an approach to minimising the impact of a successful attack is needed.

Response

ISA 6 introduces several new controls and requirements to minimise the impact of a successful attack and to ensure an effective and timely recovery.

  • Control 1.6.2 is designed to ensure that security incidents are handled in an orderly, timely and professional manner, and that the organization has the chance to recognise patterns of sophisticated attacks that would otherwise be treated as isolated incidents.
  • Control 5.2.8 addresses service-continuity planning, including fallback modes of operation that keep key business processes running while the relevant IT infrastructure is unavailable.
  • Control 1.6.3 is dedicated to ensuring that the organization is sufficiently prepared to deal with a crisis.


Recovery

The new control 5.2.9 is designed to prepare an organization to recover from a successful attack on IT systems and services by having a solid backup and recovery concept.

In total, six completely new control questions have been introduced, along with new requirements added to existing controls.

Two ISA 5 controls, for incident management (1.6.1) and crisis management (3.1.2), are obsolete and therefore no longer appear in ISA 6; the number 1.6.1 is reused in ISA 6 for the new reporting control described above.

Recovery is necessary to limit the impact of a successful attack, regardless of whether the attack has escalated into a crisis or has only affected isolated IT systems and business processes.


© Copyright 2023 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com to see the consulting services we offer.

Visit www.itsecuritynews.info for the latest security news in English.
Visit de.itsecuritynews.info for IT security news in German.
