TISAX® Information Security Controls Explained: What Auditors Actually Expect

A structured breakdown of the TISAX® Information Security control groups, how they align with ISO/IEC 27001:2022, and what auditors evaluate in real assessments.

Daniel McLain

4/22/2026
3 min read


The Core of TISAX®: Information Security Control Groups

After understanding the structure of the ISA catalogue and how maturity levels work, the next step is where most of the real work begins: the Information Security control groups.

This is the largest and most detailed part of the ISA catalogue. It defines the expectations auditors will evaluate when assessing your organization.

This Is Your Actual ISMS Under TISAX®

The Information Security section is not theoretical. It represents the operational core of your information security management system. If you are familiar with ISO/IEC 27001:2022 or ISO/IEC 27002, much of this will look familiar.

But there is a difference.

TISAX® takes those concepts and applies them in a way that reflects:

  • Automotive supply chain requirements

  • Real-world collaboration between OEMs and suppliers

  • Higher expectations around consistency and evidence

How the Control Groups Are Structured

The ISA catalogue organizes Information Security into control groups. Each group focuses on a specific domain and contains controls that are evaluated based on maturity. These groups are not independent; they form a connected system that auditors will evaluate as a whole.

Key Control Groups You Need to Understand

Security Policies and Governance

Defines how information security is managed at a strategic level.

This includes:

  • Policies

  • Objectives

  • Management involvement

This is where the direction is set.

Organizational Security

Focuses on structure and accountability.

Auditors will look for:

  • Clearly defined roles

  • Assigned responsibilities

  • Ownership of security processes

If ownership is unclear, implementation will be inconsistent.

Human Resources Security

Covers the lifecycle of employees and contractors.

This includes:

  • Onboarding

  • Security awareness and training

  • Offboarding processes

This is often underestimated but frequently audited.

Asset Management

Ensures that:

  • Information

  • Systems

  • Devices

are identified, classified, and protected.

If you don’t know what you have, you cannot protect it.

Access Control

Focuses on restricting access to:

  • Systems

  • Data

  • Physical areas

Auditors will not only look at design, but also:

  • Access reviews

  • Role definitions

  • Actual user permissions

Technical and Operational Security

This includes multiple areas such as:

  • Cryptography

  • Secure operations

  • Communications security

This is where technical controls meet operational reality.

System Development and Acquisition

Ensures security is considered when:

  • Systems are developed

  • Software is implemented

  • External solutions are introduced

Security cannot be added later; it must be built in.

Supplier Relationships

Recognizes that your security depends on others.

This includes:

  • Supplier selection

  • Contractual requirements

  • Monitoring of third parties

This is increasingly critical in automotive environments.

Incident Management and Business Continuity

Focuses on resilience.

Auditors will expect:

  • Defined incident response processes

  • Ability to detect and respond

  • Business continuity planning

This is where your organization proves it can handle disruption.

Compliance

Ensures alignment with:

  • Legal requirements

  • Contractual obligations

  • Internal policies

This ties everything together.

What Auditors Actually Evaluate

Auditors are not reviewing these control groups in isolation.

They are looking for:

  • Consistency across all areas

  • Alignment between policy and practice

  • Evidence that controls are working

This is where maturity levels come back into play.

You are not being evaluated on whether these controls exist; you are being evaluated on whether they work reliably.

Where Most Organizations Struggle

The struggle is not in understanding the topics, but in execution.

Typical issues include:

  • Controls defined but not applied

  • Inconsistent implementation across locations

  • Lack of evidence

  • Gaps between documentation and reality

This is where findings come from.

How This Fits Into the Bigger Picture

The Information Security control groups are:

  • The foundation of your TISAX® assessment

  • The largest portion of your effort

  • The main driver of audit results

And they are always evaluated in the context of:

  • Selected objectives

  • Required maturity levels

What Comes Next

Understanding the structure is one step.

The real value comes from translating these control groups into:

  • Practical implementation

  • Clear responsibilities

  • Audit-ready evidence

That is where most organizations need to shift their focus.

Final Thought

TISAX® Information Security controls are not new concepts, but the expectation is different. It is not enough to define them.

You need to:

  • Implement them

  • Apply them consistently

  • Demonstrate them under audit conditions

That is where the difference is made.

Continue the Work

If you are currently working through the ISA control groups, you are already in the execution phase of TISAX®.

At that point, one of the biggest challenges is not understanding the controls, but aligning scope, effort, and expectations internally, especially when it comes to leadership and budget decisions.

For teams that are still building that internal alignment, there is a structured TISAX® Starter Kit available. It is designed to help translate requirements into an executive-level discussion, including budget planning and readiness evaluation.

More details here:
https://payhip.com/b/CQSlY

If you are already in that phase, feel free to reach out directly.