FAQs

Self-learning webinar

Whether self-study via webinar is better or worse than classroom training can probably never be answered beyond doubt. Each person's personality is crucial here. And as we all know, our preferences are all too different.

Nevertheless, self-study offers some specific advantages over classroom training. Here are some of them:

1.   Repetition opportunities: Self-study allows learners to review learning material as needed. They can return to previously covered topics to deepen their understanding or reinforce specific concepts. This is especially useful when learning material is not immediately understood or to fill in gaps in knowledge or prepare for exams or certifications. A good example here is "Fundamentals of Statistical Process Control." The subject matter is difficult to understand, often the topic cannot be understood right away. Through the webinar, you can learn the content piece by piece.

What is the structure of ISO/IEC 27001?

ISO/IEC 27001 is a standard that defines the requirements for an information security management system (ISMS). It consists of various sections that cover the following:

1.   Scope: Describes the scope of the standard and defines its application to all types of organizations and information.

2.   Normative references: Contains a list of other relevant standards and documents referenced.

3.   Terms and Definitions: Defines the key terms and definitions used in the standard to ensure consistency of understanding.

4.   Context of the organization: Describes the requirements for the organization to define the context and framework for the ISMS. This includes internal and external influences, interested parties, and compliance obligations.

5.   Leadership: Emphasizes the importance of top management commitment to the ISMS and establishes requirements for leadership, policies, roles, and responsibilities.

6.     Planning: includes requirements for assessing risk, addressing risks and opportunities, setting objectives, and selecting appropriate controls.

7.   Support: Describes the requirements for resources, competence, awareness, communication, documentation, and control of documents.

8.   Operations: Establishes requirements for implementing risk treatment and conducting operations such as change management, security incident handling, and business continuity planning.

9.   Performance evaluation: Contains requirements for monitoring, measuring, analyzing, and evaluating the performance of the ISMS, including internal audits and management reviews.

10.  Improvement: Establishes requirements for continuous improvement of the ISMS based on the results of performance assessment, internal audits, and nonconformance handling.

The ISO/IEC 27001 standard provides a systematic method for establishing and maintaining an effective ISMS to ensure information security in organizations. It enables companies to identify risks, implement appropriate controls, and continuously improve information security.

What are the changes of the new ISO/IEC 27001:2022 volume?

In October 2022, the widely recognized international standard for information security, ISO 27001:2013, underwent an update and the new version, ISO/IEC 27001:2022, was published.

Over the past nine years, ISO 27001 has gained significant acceptance in various industries. Although the latest revision introduces only a few changes, it is crucial to closely examine and understand these modifications. In this discussion, we will explore all the changes in ISO 27001:2022 and compare them to the previous 2013 version.

Summary of Changes in ISO 27001:2022:

1.     No major changes to ISO 27001:2013 Mandatory Clauses 4 to 10: The essential requirements outlined in the mandatory clauses of ISO 27001:2013 remain largely unchanged in the 2022 version.

2.     Controls now grouped into 4 main domains: In ISO 27002:2022, which provides guidance on implementing the controls of ISO 27001, the controls have been restructured. Instead of the previous 14 categories, the controls are now grouped into 4 main domains: Organizational, People, Physical, and Technological.

3.     Hashtags for easier reference and navigation: To enhance usability and ease of reference, ISO 27002:2022 introduces the use of hashtags. These hashtags can aid in navigating and locating specific controls within the document.

4.     Decrease in the number of controls: The number of security controls in Annex A has been reduced from 114 in the 2013 version to 93 in the 2022 edition. This decrease is a result of merging certain controls while no controls were completely eliminated.

5.     Introduction of new Organizational and Physical controls: ISO 27002:2022 includes new controls in the domains of Organizational and Physical security. These additions aim to address emerging security challenges and align with the evolving landscape of information security.

Overall, the changes in ISO/IEC 27001:2022 primarily focus on the restructuring and consolidation of controls, making the standard more concise and user-friendly while adapting to the changing security landscape.

What do companies need to consider with TISAX?

Companies which deal or want to deal with the automotive industry should make a point of implementing an ISMS that is specifically tailored to the automotive industry, which is based on ISO 27001:2022 and meets additional data protection requirements and the protection of prototypes.

There are three basic assessment levels or requirement types within TISAX®. The level is based on the necessary protection requirements of the information that is exchanged between the individual companies. Depending on whether the need for protection of the information is classified as normal (level 1), high (level 2) or very high (level 3), different methods and efforts are important for the audit. The scope of the audit and the effort required increase with each level:

Level 1: Basic test: self-assessment. 

Level 2: A test provider accredited by the ENX Association joins the test; the test provider examines the self-assessment, performs a plausibility check and asks questions.

Level 3: The test provider checks the self-assessments and the management system on site. 

What does TISAX® stand for?

TISAX® (Trusted Information Security Assessment Exchange) is a framework developed specifically for the automotive industry to ensure that information security standards and data protection requirements are met in the supply chain. TISAX® includes a set of elements and requirements to ensure information security and data protection in the automotive industry. The main components of TISAX® include:

1. the requirements of information security of TISAX® are based on ISO/IEC 27001:2022 and extends these standards to include specific requirements for the automotive industry.

This includes the known control target of the ISO 27001:2022 confidentiality, integrity and availability of information as well as protection measures for personal data from the EU General Data Protection Regulation GDPR  and customer-specific requirements such as prototype protection.

Where are the differences between 27001:2022 and TISAX®?

1. requirements catalog

The basis of TISAX® is the VDA-ISA requirements catalog. This requirements catalog is based on the controls of ISO and adapts them to the suppliers of the automotive industry.

Added to this are...

• special requirements for processing personal data
• non-disclosure agreements
• Prototype protection

..., which are not included in ISO 27001:2022.

The Controls of VDA-ISA catalogue require specific evidence of implementation, while the measures in ISO 27001:2022 are more generic.

In the TISAX® requirements catalog, there is a difference between "must" and "should" as well as the requirements for "high protection needs" and "very high protection needs".

2. testing process

The ISO 27001:2022 certification requires an audit to demonstrate that compliance with the measures, requirements and requirement objectives have been effectively implemented.

TISAX® is focuses on the audit target objectives. 

There are 8 of them and at least one audit objective must be defined, but several can be attracted.

Depending on the audit objective, different ISMS processes and measures must be implemented.

Each audit objective is found in the VDA-ISA requirements catalog and is the benchmark for the ISMS.

In TISAX® certification, there are three different audit levels, the so-called assessment levels, with correspondingly different requirements for each level

Level 1 means self-assessment and is very rarely accepted.

Level 2 includes a document review with a remote audit

Level 3 also has document review, but is associated with an on-site audit.

In contrast to ISO 27001:2022, the TISAX® requirements catalog has a defined maturity level concept in 6 levels (from 0 to 5).

Each required measure must be completed with at least target maturity level 3.

APQP and Control Plan have evolved in response to industry changes — particularly in relation to technological advancements and vehicle complexity — with updates addressing increasing demands imposed by higher automation, autonomous driving, electrification, and the expanding definition of mobility.

Decoupling the two documents also emphasizes the importance of control plans in product development and will facilitate more timely updates as systems evolve.

Focusing on the "why" behind the "what" and "when," the APQP 3rd edition manual addresses how to improve successful new product launches, with updates to reflect agile product management, and new sections on sourcing, change management, APQP program metrics, risk assessment mitigation plans, and gated management.

Along with the removal of Control Plan content - now a standalone document - further revisions include new information on "part traceability," various checklists, and examples of several common analytical techniques used during the APQP process to help enhance your understanding.