How to Execute GAP-Analysis: VDA ISA Catalogue

GAP Analysis for TISAX

You might be hearing the term GAP-Analysis and wondering which role it plays for TISAX®. Alternatively, you know very well what a GAP-Analysis is but are not sure how you can use it for your TISAX® project. In both cases, you are more than welcome to read our new blog post about GAP-Analysis: VDA ISA Catalogue.

What is a GAP-Analysis: TISAX® Fragenkatalog*? – Why is it important?

Great questions. Let’s start with the definition of a GAP-Analysis. It is a frequently used methodology, mostly by consultants. The goal of the GAP-Analysis is to find the gap between the target state (how things should be) and the as-is state (how things currently are). Only then can the project plan be outlined and the necessary corrective actions be planned.

*Fragenkatalog is the German word for questionnaire. I wanted to use the German word in this blog post, as it’s commonly used in the industry.

If you don’t know where you are, it will be difficult to define the actions and measures that you need to take to reach your goals. The same applies to reaching your TISAX® Label. In the VDA ISA Catalogue, the controls are divided into the following sections: Information Security Policies and Organization, Human Resources, Physical Security and Business Continuity, Identity and Access Management, IT Security/Cyber Security, Supplier Relationships, and Compliance.

Each of those controls should be graded with its respective maturity level. Maturity levels for TISAX® range from 0 to 5. Maturity level 0 is “Incomplete”, whereas maturity level 5 is “Optimizing”. Needless to say, incomplete is where almost no measures are taken. On the other hand, optimizing is where the processes are described, executed and documented accordingly, and on top of that are measured and continuously improved. If you want to learn more about the maturity levels of TISAX®, you can read our blog post here.

Once you have defined the maturity level for each of the TISAX® controls, you can define the corrective actions and measures. This gives you a clear understanding of how many resources must be put into the project.

What are the benefits of GAP-Analysis?

A thoroughly executed GAP-Analysis provides you with a clear understanding of where your TISAX® project stands, which keeps you from estimating the resources for your TISAX® project arbitrarily. On the other hand, it helps you to reflect on your company’s strengths and weaknesses across the different TISAX® sections (mentioned above). For instance, your physical security measures may be well implemented, and your HR processes may be in place and running seamlessly. A GAP-Analysis, however, may reveal that your IT security processes are not mature enough, so that is where you should consider improving.

In order to get your TISAX® Label, as a rule of thumb, you need to reach at least maturity level 3 for each control. Having said that, there are exceptions to this rule. Nevertheless, the maturity level is a good indicator of the effort remaining for your company until the audit.

Thinking about the benefits mentioned above: even if you decide not to proceed further with your TISAX® project, you will have a good understanding of your organization’s information and physical security status, and you can always improve your processes accordingly.

What does the outcome of the GAP-Analysis: VDA ISA Catalogue look like?

To start the GAP-Analysis, you need to go through each control listed in the VDA ISA catalogue. Please keep in mind that there are “must” and “should” requirements, as well as additional requirements for high and very high protection needs (“Info High” and “Info Very High”). Therefore, the prerequisite for starting your GAP-Analysis is to be sure about the following:

  • Your scope and locations
  • Your TISAX® Assessment Level (AL2 or AL3)
  • Does your client require Info High or Info Very High?
  • Are any extra modules such as Data Protection or Prototype Protection needed?

It is wise to agree with your client beforehand on what is expected from you. Only then can you get solid GAP-Analysis results. If you don’t know the client’s requirements, you can still do the self-assessment to get a rough idea. More about the TISAX® Self-Assessment is in this blog post.

Once you have gone through the controls and filled in the respective maturity levels, you are ready to receive the first results. In the huge Excel file – the VDA ISA Catalogue – you can also see a graphical representation of the analysis.

[Figure: graphical result of the GAP-Analysis in the VDA ISA Catalogue. Source: VDA ISA Fragenkatalog]

What should I do with the outcome? – Interpreting results

Before we dive into interpreting the results, I want to emphasize that there are no good or bad results. The results are there to show you and your organization where you currently stand. What is very important, however, is looking at the results objectively. As you want to reach your goal, the TISAX® Label, now is the time to plan.

Let’s assume that your company doesn’t have a change process and its documentation in place. Thus, you have graded yourself with a maturity level of 1. As we know from the TISAX® guidelines, we need to aim for at least maturity level 3. Therefore, let’s have a look at maturity level 3: Established

A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used sustainably and actively over an extended period.

Source: ENX TISAX® Participant Handbook

So, what do you need to do now? Easy. First, you need to make sure that you have defined a change process and integrated it into your systems. Secondly, make sure that not only the process itself but also the process instances are documented. Last but not least, you need to have proof that you have applied the change process and executed it with proper documentation. For instance, you can raise a change request, let’s say for a new software rollout, review the software, add it to your software list (IT assets), and release the approved software. All documented. Voilà!

How is the VDA ISA Catalogue used to determine the maturity level?

As mentioned above, 6 different maturity levels are defined in the TISAX® Participant Handbook. While performing the GAP-Analysis, you need to evaluate your company’s processes, policies, and documentation, and decide your maturity level accordingly. If you are not sure, grading one level lower will always give you a safety margin. It is wise not to estimate higher maturity levels, as that can keep you from taking necessary measures.

At the end of the day, the auditor will assess the controls objectively. If a control is not fully implemented, or any critical prerequisites are missing, this will result in a low maturity level. In fact, a maturity level of 0 or 1 is not acceptable for TISAX®. Thus, you have to make sure not only that you reach maturity level 3 on average, but also that you avoid maturity levels 0 and 1 on any single control.
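To make the two rules from the last paragraph concrete (average against the target of 3, and no control left at 0 or 1), here is a small gap-analysis calculator. It is an added example written for this post and is not the ENX/VDA spreadsheet logic; the scoring is deliberately simplified (every control in scope has target 3, grades above 3 are capped so they earn no extra credit, and controls only relevant for high or very high protection needs are dropped when the client requires only normal protection). The control identifiers, sections and gradings are constructed for illustration and are not real VDA ISA control numbers.

```python
"""Simplified TISAX gap-analysis calculator (added example, not the official VDA ISA scoring)."""
from dataclasses import dataclass
from statistics import mean

TARGET_LEVEL = 3     # assumption: uniform target maturity of 3 for every control in scope
BLOCKING_BELOW = 2   # assumption: levels 0 and 1 are treated as blocking, as the post states

# Maturity level names as used by the VDA ISA catalogue (0..5).
MATURITY_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed",
                  3: "Established", 4: "Predictable", 5: "Optimizing"}

# Rank of protection needs; a control applies if the client's need is at least its minimum.
NEED_RANK = {"normal": 0, "high": 1, "very_high": 2}


@dataclass(frozen=True)
class Control:
    ident: str            # hypothetical identifier, not a real VDA ISA control number
    section: str          # ISA section the control belongs to
    actual: int           # self-assessed maturity level, 0..5
    min_need: str = "normal"  # lowest protection need at which the control is in scope


# Constructed sample assessment; every value here is invented for illustration.
SAMPLE = [
    Control("ORG-1", "Policies and Organization", 3),
    Control("HR-1", "Human Resources", 4),
    Control("PHY-1", "Physical Security", 3),
    Control("IAM-1", "Identity and Access Management", 2),
    Control("IT-1", "IT Security", 1),               # change process exists but is undocumented
    Control("IT-2", "IT Security", 2, "high"),        # only in scope for high protection needs
    Control("SUP-1", "Supplier Relationships", 0),    # nothing in place
    Control("COMP-1", "Compliance", 3),
]


def in_scope(control: Control, need: str) -> bool:
    """Return True if the control applies for the client's protection need; reject bad grades."""
    if control.actual not in MATURITY_NAMES:
        raise ValueError(f"{control.ident}: maturity {control.actual} is outside 0..5")
    return NEED_RANK[control.min_need] <= NEED_RANK[need]


def gap_report(controls, need: str = "normal") -> dict:
    """Score a self-assessment: capped average, blocking controls and a prioritised action list."""
    scoped = [c for c in controls if in_scope(c, need)]
    capped = [min(c.actual, TARGET_LEVEL) for c in scoped]   # no credit above the target
    blocking = sorted((c for c in scoped if c.actual < BLOCKING_BELOW), key=lambda c: c.actual)
    # Lowest grades first: those are the controls the auditor will not accept at all.
    actions = sorted((c for c in scoped if c.actual < TARGET_LEVEL), key=lambda c: (c.actual, c.ident))
    by_section: dict[str, list[int]] = {}
    for c, level in zip(scoped, capped):
        by_section.setdefault(c.section, []).append(level)
    return {
        "controls_in_scope": len(scoped),
        "average_capped": round(mean(capped), 2),
        "target_met": mean(capped) >= TARGET_LEVEL and not blocking,
        "blocking": [c.ident for c in blocking],
        # (identifier, current level, levels still to gain)
        "actions": [(c.ident, c.actual, TARGET_LEVEL - c.actual) for c in actions],
        "section_average": {s: round(mean(v), 2) for s, v in by_section.items()},
    }


if __name__ == "__main__":
    for need in ("normal", "high"):
        report = gap_report(SAMPLE, need)
        print(f"protection need: {need}")
        for key, value in report.items():
            print(f"  {key}: {value}")
```

Run it and the "normal" report shows an average of 2.14 against the target of 3, two blocking controls (SUP-1 at 0 and IT-1 at 1) and an action list that puts them ahead of IAM-1, which only needs one more level. Switching to "high" pulls IT-2 into scope and adds a fourth action. Changing the grades in SAMPLE to your own self-assessment is the whole point; the official result in the ISA spreadsheet is computed by ENX's own rules, so treat this as a planning aid, not as the label decision.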

How can external help accelerate my success with VDA ISA Catalogue?

There are several ways in which external (professional) help can accelerate your success with the GAP-Analysis: VDA ISA Catalogue. First, the results and the precision of the average maturity level will be more reliable. Secondly, an external consultant brings an objective perspective to the analysis. In return, you avoid overestimating your maturity level, which would increase your chances of failing the audit, as well as underestimating it, which would assign too many resources to the project.

In both cases, having a professional on board while executing your GAP-Analysis helps significantly. In addition, your outcome will be better when you define the measures to be taken, so your resource allocation will be correspondingly precise rather than arbitrary.

How costly is the GAP-Analysis?

The cost of a GAP-Analysis depends on your company size and your team. If you want to run the GAP-Analysis on your own, you need to account for the time spent understanding the VDA ISA Catalogue. On top of that, you need to make sure that you also understand the controls and their implications. As a rough estimate, plan for 2 to 4 days with 2 employees executing the analysis.

Book a Workshop with us and Save Time&Money

Not to brag, but we run a TISAX® Workshop, where we help you with your GAP-Analysis. At the end of the workshop, you will not only receive the results but also your Roadmap for TISAX®, a comprehensive project plan, customized for your company. Here you can find the details of our Workshop for TISAX®.

External help will also reduce the time spent on the GAP-Analysis. A one-day workshop, including preparation and a final report, can be estimated at 3,000 € and up.

Wrapping-up

Whether you want to execute the GAP-Analysis yourself or bring external help on board, the benefits of the GAP-Analysis: VDA ISA Catalogue are enormous. At the same time, it is crucial for the success of your TISAX® project!

TISAX® is a registered trademark of the ENX Association. 360 Digitale Transformation has no business relationship with ENX. Mentioning the TISAX® trademark implies no statement by the trademark owner about the suitability of the services advertised here. TISAX® assessments for obtaining labels are carried out only by the audit providers listed on the ENX homepage.

About the Author


Can Adiguzel is the founder of 360 Digital Transformation. He is a TISAX consultant and ISO 27001 Lead Auditor. He has been working in IT project management for more than 11 years. His passion is information security for SMEs and he helps SMEs overcome their information security challenges with a hands-on consulting approach.