March 13, 2024

In this episode, John Verry talks with Alex Häusler, Global Product Performance Manager at TÜV SÜD, about the updates to the TISAX (Trusted Information Security Assessment Exchange) standard from version 5.1 to 6. Alex highlights key changes, including:

  • Increased emphasis on availability and confidentiality.
  • TISAX’s role in securing internal operations and the automotive supply chain.
  • Differences in assessment levels and the flexibility of the new simplified group assessment.


Alex (01:47.769)
Hi John, it’s Häusler, but it’s a terrible name for English speaking people.

John Verry (01:54.328)
But is it a good name for German speaking people?

Alex (01:57.305)
Yeah, it’s also somewhat complicated, especially if you have to spell it. So there are a lot of chances to make mistakes with it.

John Verry (02:05.502)
Yeah, I do have to admit I misspelled it the first time that I was, when I went to generate the podcast template, I had it misspelled. So for anyone who is watching this, if you’re seeing just a static picture of me, that’s because the team decided that my face looked too beat up to actually show. If you actually see me, I apologize. I’m getting some treatment for some skin damage that’s making me look pretty ugly right now.

So I don’t know if you’re seeing me or not, but if you are, I apologize. So Alex, I always like to start simple. Tell us a little bit about who you are and what is it that you do every day.

Alex (02:44.441)
Okay, so I’m Alexander Häusler, working for TÜV SÜD Management Service GmbH for more than 10 years now, and I’m the so-called global product performance manager for IT certification and related assessments. So everything that’s around ISO 27K, 20K, TISAX, all those nice standards that you can name, this is something that I’m taking care of on a daily basis, and I try to…

align our global business on what we’re doing and what we’re not doing. Maybe this is what I’m doing on a day-to-day basis. And maybe for this podcast on TISAX, it might be interesting that I have almost 15 years of automotive experience as well.

John Verry (03:29.359)
That is highly relevant to our conversation today. Before we get down to business, we always ask, what’s your drink of choice?

Alex (03:36.373)
It depends on the day or time of the day. So in the morning I usually have coffee and not only one, but maybe three or four. Depends on the amount of meetings and when it gets a little bit more comfortable, Lynchburg lemonade sounds like a good drink of choice.

John Verry (03:55.23)
And they don’t want to throw you out of Germany for not answering beer. I mean, seriously, I get on the phone with a German and he tells me Lynchburg Lemonade, which is with Jack Daniels, right? So that wasn’t the answer I expected, an Oktoberfest or if you’re going to go Orion Wine, but going with it, you got to be careful, they might kick you out of Germany for that one.

Alex (04:19.321)
I can still cope with it, so beer is not really mine, so I don’t know, never got really used to it.

Alex (04:28.758)
Whiskey is better!

John Verry (04:30.428)
All right. Listen, I’m an equal opportunity offender. I love good beer. I love good whiskey. I drink a lot of whiskey. I drink a lot of bourbon, so I’m right there with you. So today’s conversation is in regards to an information security standard in which we see a tremendous amount of momentum. We’re talking to clients all the time about it. And that’s called TISAX. T-I-S.

We did a podcast, for anyone that’s listening, we did a podcast on this a year ago, episode 110. We’re revisiting the topic because recently TISAX was updated from 5.1 to 6. What I wanted to do was drill in on the most significant changes, what it means for those who are already certified or those that are looking to get certified. So setting a baseline for the conversation, what is TISAX?

Alex (05:21.813)
To me, TISAX is different things. So first of all, it’s something that was done by the automotive industry for the automotive industry. So it’s really coming from that industry. So on one hand, it’s a set of requirements. You have certain things that you need to do and those are all listed down in something that’s called VDA ISA, Information Security Assessment or Self-Assessment. So this is one part of TISAX.

On the other hand, TISAX is also something that you can use to secure your own company regarding information security, but you can also use it downstream in your supply chain to make your supply chain more secure or more reliable. And also talking about security or about the different things a little bit later on, I’m sure we will dive into the different audit objectives and labels that are associated with the possibility along the supply chain.

And TISAX is also the rules and guidelines on how to do the assessments according to this requirement or these requirements. And last but not least, it’s the TISAX portal itself, where you can share your information on the assessments you’ve taken. So this is the point where every information regarding TISAX can be seen by any participant that has been granted access to this information. So if you are a supplier and you want to do business with a new OEM,

you simply say, I already did my TISAX assessment. Here is the authorization to view my results. And that’s it. So it’s not a simple thing to, TISAX is more like a concept, I would say.

John Verry (07:05.75)
So in terms of what you mentioned, automobiles and you mentioned OEMs, obviously this was pioneered, TISAX was pioneered by the German automotive industry, VW, Porsche, Audi, Mercedes, BMW. Are there other participants now? I had heard rumors that some of the other car OEMs were going to get involved with it.

Alex (07:29.746)
You’re right. So at least some French manufacturers are participating as well. And also the US automotive manufacturers are in close cooperation, I would say. There are some that have their own standard, but they are accepting TISAX assessments as equivalent for their standard as well. So it’s getting international.

John Verry (07:55.65)
Yeah, and I think that’s why, like you said, TISAX is a little hard to explain. Much like ISO 27001, which it’s based on, it is both a selection of good practices and an attestation framework all rolled into one.

Alex (08:09.977)
Correct, with all the regulations and everything that you need.

John Verry (08:16.562)
So the most significant change, at least from my perspective to the standard as we moved to V6, is the changes that they made to the assessment objectives. You know, we went from 8 to 12. Can we drill in on what changed and why you think it changed?

Alex (08:31.317)
Yeah, sure. So let’s go to the why first. So I think it’s an adaption of TISAX to what we have in reality. So looking at, or in the past, we had the pandemic, we had the Ever Given blocking the Suez Canal, we have the war in the Ukraine, and all those things that happened during the last few years.

And all of this was impacting somehow the automotive industry in a way that they didn’t imagine before. And that’s where they started thinking, hey, information security might not only be regarding confidentiality, but maybe availability is also something that we should be more interested in. And exactly this is why we now have or we will soon have those 12 audit objectives or labels.

two of them for confidentiality, two for availability, and then the other eight that we already had.

John Verry (09:36.514)
Yeah, so the availability, obviously, like you said, makes complete sense. You know, especially as most automotive manufacturers have some variation of just-in-time manufacturing, right? They don’t want to maintain large stocks of components. The availability makes complete sense to me. Probably was overdue. Great idea to expand there. Question for you. Why do you think that they added the two confidentiality tags when info high and info very high, right, the previous assessment objectives,

effectively addressed confidentiality to a reasonable level. Why do you think they differentiated that?

Alex (10:13.197)
I think it’s because the availability labels were already introduced. And so, information high and information very high were not really suitable anymore because these availability aspects had already gone into something different. And now it’s just consequently moving along or moving forward saying, okay, we don’t talk about information security as a whole, we talk about confidentiality. We talk about availability. We talk about

prototypes, we talk about data protection. So I think it’s just the consequent way forward saying, okay, we want to be more precise or offer the OEMs or in general, the customers to be more detailed in what they want from their supply chain. So if you only have information security, the other party must do everything, confidentiality, integrity, availability. There is no…

differences really possible. And now with those differential labels, you can say, okay, this is someone he’s delivering parts for my production. So I want him to be on the high availability ranking. Oh, this other one, he’s supplying me with the development thing. So I want him to be on the strictly confidential part. So he might be off for two weeks, no problem. So no need for high availability. So it’s really…

John Verry (11:38.062)
Gotcha.

Alex (11:40.781)
trying to make it more fit to the needs of the supply chain, I guess.

John Verry (11:46.462)
Right. So for example, a bolt manufacturer availability is important. Confidentiality is not where someone who’s doing engineering on an advanced braking system. Availability is not very important, but confidentiality obviously would be.

Alex (12:04.761)
Correct. That’s what I would assume. That’s why they moved or moved to those additional or changed labels.

John Verry (12:05.846)
Okay.

John Verry (12:13.078)
That makes a lot of sense. So I’m glad you used, and you went right into my next question, because we started by talking about assessment objectives, and then you started blending objectives and labels, which confuses the heck out of me. There was talk in the, what’s new in V6 or something like that. They had something on the TISAX website

that they were going to get rid of objectives. However, if you go to the participant handbook, they’re still labeled assessment objectives. Is there a difference between assessment objectives and labels, and if so, what they are? And if there’s not, why are we using two terms?

Alex (12:56.109)
Yeah, a really good and tricky question. I’m falling into this trap again and again and again. So from my point of view, it’s just two sides of a coin. So if we’re looking at an audit, and TISAX assessments are nothing else than an audit, you usually have audit objectives. This is what you are looking for. This is a set of requirements you want to check. So this is audit objectives. And then…

John Verry (13:00.958)
I’m sorry.

Alex (13:25.429)
as a result of a normal audit, you would have certificates. And with TISAX, the end or the result of an assessment is no certificate, but it’s labels. So from my point of view, or I would explain it so: you start with audit objectives, you do the assessment and you achieve your labels. And as you might not achieve all the objectives or fulfill all the audit objectives, you could have different labels than the audit objectives you were starting with.

But at the end, you might be happy with those labels you achieved. So therefore I would say it’s okay to talk about audit objectives and labels. So one is the starting point and the other is just the result.

John Verry (14:09.504)
That’s the best explanation I’ve heard, thank you. That makes sense, that at least makes sense to me.

John Verry (14:19.374)
So you mentioned the audit, but you don’t necessarily have to undergo an audit to participate in TISAX. So let’s talk about that. There are different assessment levels in V6. I didn’t see anything change, but maybe you did. So at the same time as we talk about whether there were changes or not, can you briefly touch on the difference between the different assessment levels?

Alex (14:43.673)
Sure. Generally speaking, we have three assessment levels defined in TISAX. Two of them are more important. One, maybe not so important, but we will, or I will explain it. So they are numbered from one to three. So AL1 is the basic level. So you just do your self-evaluation, answering the questions within the VDA ISA, giving your idea of how you implemented it. And that’s it. There is nobody checking it,

verifying that you entered correct things, it’s just a pure self-assessment. So basically this is what you do when you start with TISAX or do it along the way when you want to check, hey, where am I in my process. But on the other hand, this is also the starting point for AL2 and AL3 assessments as well. And for the so-called simplified group assessment, it could also be interesting to have a closer look at an AL1 assessment.

Then after the pure self-assessment, the AL1, we have AL2, which is primarily a plausibility check, so the customer or auditee, he fills in the VDA ISA, but not only with his explanation, but also he has to provide the documentation of his information security management system. He has to provide documents, records, evidences that what he

said he would be doing, he’s doing. Then he’s compiling a good package for the auditor for review. And then the auditor will just take this package and review it for plausibility. So is what is written plausible? Is it somehow in line with the evidences that the customer provided? And is the self-evaluation or the evaluation of the process maturity level also in line with all those things? And this is what

the auditor is doing, he’s not talking and examining all the things by himself. He’s relying on what the auditee provides as evidences and information. The only thing that will happen is there will be some kind of a short interview with the responsible for information security to clarify open questions that the auditor might have, but there will be no interview. So it’s really not so easy to compile everything so that an auditor can

Alex (17:10.605)
go through it all alone and find all the things that he needs. And then we have the AL3 assessment, which is then, I would say, a normal audit like we know it from ISO 27K or any other. So the auditor goes on site, talks to the people, makes his notes, selects evidences, samples, and then he’s doing everything on site. So that’s what he’s doing. He’s interviewing the people, he’s looking for evidences.

That’s maybe the easiest part of the assessment then, or the easiest assessment level, because the auditor will ask you for what he’s looking for. And maybe something, I’m not sure if it’s really a new thing, but there is also the AL 2.5 in the participant handbook. And AL 2.5 might be a good option for companies that are not so experienced

in assessments, because what is done with an AL 2.5, you don’t have to compile everything and send it to the auditor, but the auditor will do online sessions with the customer asking him the questions like he would do on site, but only on a remote basis. So the amount of time you invest in the audit itself, it might be a little bit longer, but you don’t need that much time for preparation. So.

If you don’t know how to prepare a good set of documents and evidences, AL 2.5 might be something interesting to look at as a customer.

John Verry (18:44.878)
Yep. Yeah. And 2.5 was in 5.1 as well. It was one of those ones that always confused me a little bit until you kind of dug into it a little bit. It actually makes, I think, I think you’re right. It makes a lot of sense for a lot of organizations that are a little uncomfortable knowing exactly, you know, what does this mean and what should I provide? Because when you’re having that conversation with the assessor, you have that ability to have a bit of give and take to get that clarification.

One quick question for you. In terms of ISO 27001, we have a registrar. What is the appropriate name for the assessor in TISAX?

Alex (19:28.012)
You mean the organization?

John Verry (19:30.238)
No, TÜV SÜD. When TÜV SÜD is doing it, are you a registrar? We use different terms in different attestations. We have 3PAOs, we have C3PAOs, we have registrars, we got CPA firms. What does TISAX call the auditors? What’s the official name?

Alex (19:32.121)
person.

Alex (19:47.437)
So the auditors, I think, are called auditors and the company itself is called the TISAX audit service provider.

John Verry (19:50.91)
I’m going to go to bed.

John Verry (19:56.862)
Okay, good.

Alex (19:59.496)
XAP is the abbreviation used sometimes.

John Verry (20:02.898)
Okay, and then just for anyone listening, TÜV SÜD is one of the, I would say, one of the premier providers of TISAX services. We have a number of clients that actually use TÜV SÜD. So just so you know that. So you touched on something which we’ve had a number of conversations on with clients recently that is a little bit confusing, getting the clarification that you need. That’s the concept of a simplified group assessment.

Where this comes into play is for an organization that doesn’t have one or two locations, but we’re working with clients now that have 15 or 20 manufacturing plants across the US. Traditionally, the TISAX assessment is done on a per-facility basis. So tell me about simplified group assessments. When can and should a company use it, and when can’t and shouldn’t they use it?

Alex (20:57.049)
Tricky question. So there is no simple answer to it. So first of all, what is a simplified group assessment? A simplified group assessment means you’re not checking all the locations with the same intensity, but you have a little bit of, yeah, let’s say you have an intensive so-called precondition check where the auditor checks, okay, is this company already…

equipped with a good information security management system. Are there the information security processes, policies, tools and things in place? If this precondition check comes to the conclusion, yes, it seems like this company has everything that’s needed to have a centrally administered information security management system. And when we don’t need to check all the locations because they are having a good internal audit program, for example, then…

the auditor will build up some kind of picture in his mind, given all the answers that he received for the VDA ISA. And then he will go to a certain number of sample locations and verify if the picture in his mind that he has from the precondition check matches with the location he’s actually auditing. If this is good, everything’s fine. And he will then go on. And then there are some remaining locations where the assessment will only

be a really light check, maybe even only requiring AL1 assessments being done by the company itself. So significantly less effort. So the more locations you have, the more attractive a simplified group assessment might be, because first you have to invest a little bit more in this precondition check, but then you will have less effort in the remaining locations. But as I said,

John Verry (22:49.026)
So in order.

Alex (22:54.19)
the prerequisite is the organization needs to already have information security procedures, policies, processes in place. Otherwise, a simplified group assessment is likely to end up in a nonconformity because not everything is matching the picture that was drawn in the main location.

John Verry (23:18.978)
So let me see if I understand that. So let’s take a client that already has a robust implementation of ISO 27001, and they’re already undergoing an ISO 27001 assessment across all of these locations, right? That would be evidence of a robust information security program, with processes intended to validate the operation of said controls and the effectiveness of said controls over the broad cross section of the organization. That might be a precondition that you would look at, and say, okay, these guys are likely to

qualify for a simplified group assessment.

Alex (23:53.405)
So it’s a good indicator that they are capable of doing something like a centralized information security management system. But it’s not mandatory to have a 27K certification. So you could also prove it by having a long record of internal audits and things like this. It’s the complete picture, and the precondition check will then show: is this client really suitable for the SGA or is it better to go for a normal?

John Verry (24:23.81)
So under ISO 27001, with multiple locations, a registrar has an obligation to go to each of those locations if they’re listed on the certificate, specifically if they’re listed on the certificate, at least once during the three-year certification cycle. Does the same hold true for the audit firm in TISAX?

Alex (24:48.757)
It’s a little bit different, I would say. So as we don’t have those surveillance audits in TISAX, it’s a little bit hard to really go by every location, but there will be for sure those sample locations. And then a short check of the remaining locations. And this is why ENX is so, or is emphasizing this precondition check and the sample locations to say, okay, you really have to be

thorough or intensely auditing those things in order to make a good validation of what the other locations might do. And this is really then the difference, I would say. So you don’t have to be on site. You don’t have to have every single thing audited in every location, but you have to have a good picture and a good, let’s say not feeling, but a good sense for the information security management system.

done by the customer, by the auditee.

John Verry (25:50.722)
Okay, so let’s touch on that concept of a TISAX label. How long does that TISAX label actually last for then? You said that we don’t have the annual reassessments.

Alex (26:04.301)
Correct. So TISAX labels are generally valid for 36 months. And they start with the last day of the audit. And this is a hard deadline. So really, 36 months after, the label will disappear from the database. There are certain things. So something that’s called temporary labels. So if you have any minor nonconformities detected,

temporary labels, they are valid for a certain period, depending on the severity or the time you need for the corrective action. So generally speaking, you should finish your corrective actions within three months. There might be an extension to six months with good reasons. And if you want to go over six months and up to nine months, you really need really, really good…

Yeah, reasons why you would need so long for getting rid of the non-conformity. So maximum label validity of the temporary labels is nine months and overall validity is 36 months.

John Verry (27:17.422)
Does the organization that has the TISAX labels have any obligation between, for those 36 months, to provide any other additional information to validate that the information security program is still operating effectively?

Alex (27:33.337)
The obligation is to inform the audit provider if there are, it’s called significant changes. And as you can imagine, this is not a defined term. So it’s always a little bit tricky to really say, okay, what needs to be addressed to the audit service provider? But to be honest, better ask than be sorry. So if you’re changing some major things in your information security management system,

talk to your auditor or your TISAX audit service provider, informing them, and then you are out. So you said, I’ve changed something. What do I need to, or do you need to do anything, or are my labels still valid? So talking to your audit service provider is always a good idea in these cases, I guess.

John Verry (28:24.446)
Outside of significant changes, there’s no obligation to provide any evidence for those 36 months. In practice

Alex (28:32.085)
Only if you would like to, say, change your location, then you would have to do something, but no obligations to send in anything. But after the three years, somebody will come again and check what did you do during those three years? So didn’t you do anything like internal audits or independent reviews? If you haven’t done anything like this over those three years, then the next set of labels will be

unlikely to be achieved.

John Verry (29:03.051)
Right, so.

In practice, the vendor risk management practices of most major organizations require some form of yearly validation of cybersecurity posture. So the audit organization, as an example, has no obligation. Do you see in practice that, let’s say, Porsche Audi VW is going to, on an annual basis, through their regular vendor due diligence, make any requests?

to these companies with regards to their security posture.

Alex (29:38.029)
we haven’t heard anything like this. So they are, at least from what we hear, they believe in the labels. And I think that’s maybe also something that they, or as the industry wanted it to be that way, they accepted for this specific thing.

John Verry (29:55.886)
Right, okay. So on the SGA, right, I would think that the audit objectives, the assessment objectives or the labels, whichever way we want to look at it, would have an impact on that. So as an example, information high, information very high, even confidentiality, we find that those practices are generally governed

by a security program that’s global in nature. However, when we get down into, let’s say, prototypes, maybe this, and that’s a lot more reliant on physical security, and physical security is often unique per location. So do the assessment objectives influence that concept of SGAs? Because I would assume that we’ve got to do due diligence, especially for prototype vehicles.

I would assume that we have to do due diligence of probably each location, independent of whether we use an SGA.

Alex (31:00.777)
That’s correct. So first of all, all the locations that are within the scope of an SGA need to have the same objectives. So there can’t be different sets of objectives for different locations. So it has to be the same objectives, but this is true for every scope. You can only register a scope with one set of objectives, and this applies then to all the locations. And as you rightly said, for prototypes, you will have to have an on-site visit.

John Verry (31:31.134)
Okay. And actually, that gets into it like a real weird, like you could, you’d want to, you know, if you were 50 or 100 plants, you’d want to go single group if you could, simplified group, which would mean you’d want the same audit objectives. But if this facility over here never processes that, let’s say, doesn’t do prototypes, you’d almost be better off bringing prototype into play there and then asserting that it’s not relevant. But now I’m getting into like

the interesting nature, like if we could prove that no prototype, that we had the process in place at this facility, that if a prototype vehicle came, we would follow it, but prototypes never go to that plant, would you still have to go there as an auditor?

Alex (32:17.933)
I would try to solve it a little bit differently because with the new VDA ISA 6 coming into play, or at least at the moment already, you could do prototypes without any other objectives being necessary. So you could have your whole group assessed according to, for example, strictly confidential.

And this would be your SGA. And then you would have two or three locations that additionally have, or you would have two or three additional scopes saying, hey, I need prototype protection or test vehicles in this location and that location. So you would have some kind of, yeah, the best of both worlds.

John Verry (32:53.639)
Oh cool.

John Verry (33:08.574)
So you would do a simplified group assessment for all the commonality, and then you would do individual for where there were deltas. Very cool, I didn’t know you could do that.

Alex (33:19.357)
It depends on the concrete circumstances, but this is something you should really talk with your audit service provider about. So there are certain things that you can discuss, and for sure there are certain solutions to it, but it really depends on the actual customer, his setup and things like this, what is the best way forward. So talking to the…

audit service provider when you think about an SGA is one of the best pieces of advice you can give.

John Verry (33:52.726)
Yeah, well listen, that holds true. People have a tendency not to talk to their audit service provider across all of the frameworks. Whenever you’re making a major decision with regards to your cybersecurity program, consulting with the, and people think, oh, I’m not allowed to talk to them, they’re not allowed to give you consultative guidance, but they can provide clarification. So we always recommend to our clients that they have a good, strong relationship with their ISO 27001 registrar,

or the CPA firm conducting their SOC 2, or the 3PAO, or C3PAO, whoever it might be. And we often will engage them as their consultant working on behalf of them, helping them build out a program. And they’ll be like, wait a second, you’re allowed to talk to them? We’re like, of course we can. They just are not allowed to provide consultative guidance. They can’t tell you how to do something, but they can give you clarification on what you need to do. So I think your advice is fantastic. And if we were working with a client and we were talking about SGA,

I would recommend, hey, have you already selected your audit service provider? Let’s engage them in this conversation because at the end of the day, we might have an idea how to do it, but you might not agree with it as the audit service provider. Or you might look at it and say, hey, you could have done it. I would accept it this way and you could have saved us time and money.

Alex (35:05.165)
This is exactly the case. Talking to your TISAX audit service provider, or whoever is doing any assessment for you, on the how is so important. So they cannot, as you said, they cannot tell you how to do certain things, but on the general processes, they can really give you good guidance on how to structure something and what is feasible and what is not feasible.

So like scoping in 27K, better you talk beforehand rather than during stage one and then saying, oh, five people is not possible out of 6,000. We have to go back to the drawing board and give you a new quotation. Sorry for that.

John Verry (35:51.002)
Or even worse, you’ve built a cybersecurity program based around a scope that’s not certifiable. But you always tell people, like, let’s get the ladder against the right wall before we climb it. Right? You don’t want to get to the top of the ladder and find out you’re against the wrong wall. So when does the formal transition to v6 happen?

Alex (36:08.333)
So the official date is April 1st or March 31st, depending on how you want to read it. So this is when VDA ISA 6 is becoming effective. So this is then the date where every, or the decisive date. So, and if you’re looking at the customer, so if you’ve ordered your assessment before that date, you can still do VDA ISA 5.0 or 5.1,

the old version. But if you’re accepting the order after the 31st of March, then you have to go for version 6. So this is the decisive date. And if you want to go for v6 before the 1st of April, you can place your order according to v6. But the assessment provider is not able to do an assessment because the

John Verry (36:49.102)
So, gotcha.

Alex (37:07.586)
The ISA is not yet available, so you could place your order, but the audit must start after the 1st of April.

John Verry (37:16.118)
Gotcha. Just out of curiosity, is there any formal guidance on if I order a version 5 on March 31st, do I have to conduct that audit before a certain date?

John Verry (37:33.806)
Probably, but you don’t know.

Alex (37:33.976)
I think there is…

I think there is no official given final date, but I assume that other audit service providers will have some kind of internal deadline as well saying, okay, I want to have those assessments finished by somewhere in 2024, because it doesn’t make any sense to have V5 audits being done in 2025 or even late 2024. So I think most of the audit service providers will say there is an internal deadline, and there must be good reasons for not going for the new version after a certain point in time.

John Verry (38:18.454)
Right, further I would assume that the OEM might have a concern as well. And at the end of the day, if you’re TISAX labeled but the entity you want to do business with isn’t happy with the label because it’s old, that’s probably going to get you in trouble.

Alex (38:36.358)
You won’t have any labels until the assessment is done. So if you, so.

John Verry (38:40.874)
Right. No, I just meant that if you tried to push the envelope and got a TISAX 5 in early 2025, if someone would do it, you go to Audi with that and they go, nope, we’re not taking it. We want six. You’re a year past, almost a year past the deadline. What happens if you’re already TISAX certified and your audit is coming up, where are the lines there? Are they the same?

Alex (39:07.727)
So you mean if you already have your labels?

John Verry (39:13.294)
So I’m up for recertification. And let’s say my recertification date is April 15th. So I should recertify. So anyone that is certified that’s got a certification date coming up anytime in the next couple of years should begin their transition to TISAX 6, that means, correct?

Alex (39:20.917)
The same rules apply.

Alex (39:31.833)
Correct. Yep. The only difference or the only thing is assessments that have already been started and have not finished because the follow-up is missing or something like this, you are still able to finish the assessment with the old version even beyond April 1st. So that’s possible. And you can also do scope extensions based on the version of the ISA that was in place at the time when your initial assessment took place.

John Verry (40:04.41)
We beat this up pretty good. Is there anything we missed from your perspective?

Alex (40:10.353)
I think we touched most of the points, maybe just two little things to add here. One thing is, I think the new VDA ISA was designed with the mindset of giving guidance to the users, because now we find those standards and also references to guidance standards. So this is one thing that I wanted to add:

the ISA 6 is now really packed with references to other standards where you can see how to implement it. And maybe something that is not a big deal at the end of the day, but it’s giving a good signal at least: VDA ISA 6 is the first ISA version that was developed and published in English as the main language. So

Alex (41:10.578)
a clear indicator for TISAX getting international. So really it’s now English as the main language and the other languages are then translated from this English version, and not like in the past, German as the leading language. No, now it’s really English as the leading language.

John Verry (41:29.654)
Yeah, and for anyone who doesn’t know what the VDA ISA is, that is an Excel workbook. That is the set of controls that are specified, you know, broken down into an information security section, a prototype section, and the privacy section. We never touched on privacy in this conversation, but those are the three areas that get covered. And then real quick, we might as well just briefly touch on privacy. Generally speaking, we don’t see too much about privacy except for people doing more like marketing and things of that nature

that are providing services that would logically have personal information. And usually that would be with regards to, let’s say, a customer of the OEMs. Although we do have one customer right now, and I’m not quite sure why, that is being asked for privacy despite the fact that they only handle parts.

Alex (42:22.301)
It’s exactly one of the problems that the suppliers are struggling with, and we as audit service providers are struggling as well. Sometimes the OEMs or people upstream in your supply chain don’t know exactly what they want. So there is some kind of regulation saying, we need those TISAX labels from our suppliers, and then every supplier is asked for these labels,

never or not taking into account if this makes sense or not. So I try to have this conversation in the earlier days and saying, okay, hey, you’re just welding something or are you just working on the chassis? So what kind of personal information do you get from the OEM? We don’t know, but the OEM asked us to go for the privacy label. So, and now it’s the common practice to say, okay,

then we will go for the labels for privacy as well and ask the questions that are in there.

John Verry (43:28.578)
So as an auditor though. Right, but here’s a question for you. So as an auditor, what private information are you looking to see they have controls over? If they’re not getting any from, you know, any of the customers, then the only thing they would be getting is like the email addresses and contact information of the people they’re interfacing with. So I guess we could look at that. Or is there an expectation that you’re looking at the personal information relating to the people who work for the organization? Like how do you scope that? Like from an auditor’s perspective,

What are you validating? Which personal information?

Alex (44:03.225)
We are looking at what is there and then trying to say, okay, is this company handling private or personally identifiable information in a correct way? So nevertheless, if it’s coming from the OEM, as you said, the email address, or the own employees’ data. So generally speaking, it should be somehow interlinked, and I assume that a company would not use totally different sets of rules for

personal data coming from one source or personal information coming from another source. So we would look for how does this company generally work with personal information.

John Verry (44:44.318)
You know, there’s an interesting, perhaps, the OEMs are a little smarter than we are. And perhaps they’re looking at the existence of a privacy program as having value from an availability perspective, because an organization that has a privacy program is less likely to have a GDPR judgment or a California Consumer Privacy Act by the attorney general of the state.

So it’s less likely they’re gonna have a problem that would disrupt their ability to service them. The other thing which I can think of as well is that if the OEM, excuse me, if the entity has facilities as an example in California, they have an increased obligation under that to protect the employees data. And then I would assume the same holds true, of course, in each of the individual EU member states. Right, so if you have a facility

France that’s producing a component. Yes, you’re not sharing private information with the OEM. However, you have an obligation under GDPR to protect the data of your employees. So maybe that’s the thought process. I never thought of that.

Alex (45:57.369)
Maybe or it’s just the, yeah.

procurement departments not really realizing the differences between the different objectives and what they really need. So I hope the split of the information handling labels into availability and confidentiality doesn’t cause those kinds of problems. So we are not seeing a multiplying of the problem of not being able to distinguish which labels to go for.

John Verry (46:28.066)
Yeah, and then one of our consultants who’s very knowledgeable on TISAX, has been through all the training and stuff, he shared a document with me. It’s a copy of the VDA ISA 6 and it’s all redlined as to what’s the difference between five and six. I don’t know if that’s something that was specifically produced by TISAX themselves or if we produced it or if you got it from some other source, but if you’re moving from 5.1 to 6…

If you can find a copy of that document or you want to reach out to us, it’s really, really good because you can see, all right, what do I need to update to be able to get my six attestation?

Alex (47:10.581)
If you have something like this available, this is really a helpful tool, that’s for sure. Yeah.

John Verry (47:27.385)
Yeah, yeah,

John Verry (47:44.758)
I didn’t look at it yet. I mean, I scanned it, but I didn’t have a chance to dig into it.

Alex (47:44.95)
Okay. Okay, there.

That’s a good excuse because I just wanted to ask what did you do on Saturday and Sunday? You would still have two days to look into it. Just kidding.

John Verry (47:57.192)
Yeah, I knew you were going there. I knew you were going there and I got ahead of you. You see that?

Alex (48:02.958)
It’s always good to be ahead of your TISAX audit service provider. It helps you.

John Verry (48:05.246)
Yeah, I can tap dance with the best of them, Alex. I’ve gotten myself in and out of a lot of trouble over my career. So, and you just saw me tap dance. We didn’t migrate. I lied completely about that. All right, so I’ll ask you one last question. You know, and if you’re not prepared for it, we’ll get rid of it. What fictional character or real-world person you think would make an amazing or horrible CISO and why?

Alex (48:29.169)
If you ask me for the amazing CISO, I think Mr. Spock might be a good candidate for it. So logical thinking and tracking risks to actions sounds like something a good CISO should have. And on the other hand, if you want the horrible CISO: Garfield. Pizza is not the solution to every security problem.

John Verry (48:54.99)
And so now you’re talking about, so first off, Spock, and he could also do the Vulcan mind meld with the CXO organization and know exactly what he needed to do from an information security perspective. Garfield, listen, now you stepped on something you shouldn’t have stepped on. You shouldn’t have gone Garfield. Garfield was lasagna more than pizza, just so you know. When I was, I’ll tell you a funny story. So I used to love the comic strip Garfield when I was in high school and going into college. So what happened was is I…

Alex (49:14.573)
You’re right. It was the sun, yeah.

John Verry (49:24.738)
I was going to college and my going away party and my grandmother bought me a Garfield Comforter. So here I am, young buck, heading off to college and everyone in the room gasped like, oh my God, like, hope he doesn’t. And I was like, this is awesome. And I took it to college. And then what started to happen is, you know, like, it became a thing. So anyway, I was a huge Garfield fan. I felt compelled to.

defend Garfield and point out that lasagna was what he was really into.

Alex (49:58.217)
You’re right, I was not paying too much attention. So, I’m sorry for this mistake. And Mr. Spock, but just adding to Mr. Spock, maybe, yeah, but being logical is only one part of a good CSO. So sometimes you don’t have all the information that you need to come to the best decisions. And then you need trust in your people and your organization. So maybe this is something Mr. Spock might be lacking. So…

John Verry (50:03.877)
I’m going to go to bed.

Alex (50:26.361)
Trust in people and processes in the organization is also something very helpful as a CSO.

John Verry (50:33.31)
Amen. Thank you, sir. Oh, wait, I forgot to ask: if somebody wants to get in touch with you, or wants to get in touch with TÜV SÜD to take advantage of your ISO 27001 services or your TISAX services, how would they go about doing that?

Alex (50:49.561)
So the easiest way is to go on our website and use the contact us forms that are available all over the place, or you can write me on LinkedIn. So that’s also possible.

John Verry (51:00.734)
Awesome. Thank you, sir. It’s been fun. Appreciate it.

Alex (51:05.017)
Thanks for inviting me to this nice podcast and it was fun indeed.

John Verry (51:11.269)
Then we hit the mark.