TISAX Tabletop Exercises for EV Battery Suppliers: Ransomware Drill Scripts and AAR Templates with 2025 ENX Podcast Breakdown

Podcast Episode
TISAX Tabletop Exercises for EV Battery Suppliers: Ransomware Drill Scripts and AAR Templates (Plus a 2025 ENX Update Breakdown)
The plant manager’s voice is calm—too calm. “The MES screens just froze. And someone printed a ransom note on the label printer.”
In the war room, your IT lead is already arguing with engineering: shut down the line vs keep shipping. Meanwhile, procurement pings you: “The OEM wants an update in 30 minutes.”
That’s the moment TISAX stops being a catalog and becomes a capability: you either have rehearsed decisions, evidence, and escalation paths—or you improvise under pressure.
What you’ll learn
- How TISAX (Trusted Information Security Assessment Exchange) expectations translate into tabletop exercise design for EV battery suppliers
- A ransomware tabletop drill script with injects tailored to battery R&D, prototyping, and manufacturing IT/OT
- After-Action Review (AAR) templates that produce auditor-friendly corrective actions and evidence trails
- How to align exercises to TISAX assessment levels (AL2 vs AL3) and the VDA ISA structure
- A practical compliance update checklist you can use to filter industry news and webinars
- Tooling patterns (GRC + automation) that make evidence collection sustainable for the 3-year TISAX label cycle
TISAX for EV Battery Suppliers: what matters in 2025–2026 (and why ransomware tabletops help)
Answer-first: For EV battery suppliers, TISAX readiness hinges on proving that security controls are implemented, operated, and measurable—especially around incident management, availability, and protection of confidential/prototype information. Ransomware tabletop exercises are a high-leverage way to demonstrate operational maturity, not just documentation.
EV battery supply chains are uniquely “TISAX-intense” because you often have:
- High-value IP (cell chemistry, pack design, BMS firmware)
- Prototype handling (packs/modules moving between lab, test track, customer)
- Availability pressure (just-in-time production and logistics)
TISAX is governed by the ENX Association and uses the VDA Information Security Assessment (ISA) catalog as its normative requirements set. The ISA spans:
- Information security (ISO 27001-aligned controls)
- Prototype protection
- Data protection (GDPR-aligned expectations)
A tabletop exercise becomes TISAX-relevant when it produces:
- Evidence that your incident response process exists and works
- Clear role ownership, escalation, and decision logs
- Corrective actions tied back to ISA control questions and maturity levels
Evidence (approved source):
- ENX distinguishes AL2 from AL3 by how evidence is verified: AL2 is a remote plausibility check of your self-assessment (document review and interviews, typically by web conference), while AL3 adds on-site verification with inspection and interviews and often runs two to four days (or more for complex scopes).
- TISAX labels are valid for three years, and the ISA includes maturity levels 0–5 to evaluate standardization and continuous improvement.
Key Takeaway (why this section matters):
A good tabletop isn’t “extra.” It is a structured way to generate maturity evidence for incident management, continuity, and governance—domains that auditors will probe deeply at AL2/AL3.
Scope it like an assessor: EV battery data flows, sites, and objectives (AL2 vs AL3)
Answer-first: Your tabletop should be scoped to the same “protection objects” and sites you register in the ENX Portal, because TISAX labels are issued per scope/location and shared via ENX. If you practice against the wrong scope, you create impressive artifacts that don’t map cleanly to your assessment.
A recurring pattern in ENX guidance is that scoping drives cost and risk. For battery suppliers, scoping pitfalls include:
- R&D lab is “out of scope” on paper, but engineers move prototype files through shared infrastructure
- OT/MES networks are treated as “operations only,” but they handle OEM-related production data and availability objectives
- Suppliers/subcontractors (calibration labs, logistics, cloud platforms) touch protected data but aren’t governed under supplier controls
Practical scoping map (use this before your tabletop)
Create a one-page scope map that answers:
- Sites: Which plants, labs, and offices are in the TISAX scope?
- Protection objects: What types of information/assets are protected? (confidential designs, prototypes, production data, personal data)
- Assessment objectives: Which TISAX objectives apply? (e.g., Info high vs Info very high, the objectives formerly called Confidential vs Strictly confidential; prototype-related objectives; availability objectives)
- Assessment level: What level is implied? (AL2 vs AL3 depends on objective)
- Interfaces: Which third parties touch the scope?
Mini-checklist: tabletop scope alignment
- Exercise participants match scope owners (IT, OT, R&D, HR, procurement, facilities)
- Injects reference real systems and processes in-scope (MES, PLM, Git, file shares, badge access)
- Outputs are stored as evidence artifacts, tagged to ISA domains
- Follow-up actions become corrective actions with owners and dates
Evidence (approved source):
- ENX Portal is the authoritative system for registration, scope definition, and result exchange; sharing of results is controlled and explicit, and once shared/published, it cannot be revoked.
- The Participant Handbook clarifies the difference between the ISMS scope (ISO 27001) and the TISAX assessment scope (must be within, but not necessarily equal).
Pro Tip:
If you anticipate AL3 later (prototype objectives often imply AL3), design tabletops now with AL3 rigor: site-based realities, physical access decisions, and “show me” evidence expectations.
Ransomware tabletop drill script for EV battery suppliers (facilitator guide + injects)
Answer-first: A TISAX-ready ransomware tabletop for an EV battery supplier should simulate both IT compromise and business-impact decisions (availability, prototype/IP protection, supplier/customer communications). The deliverable is not “we talked about it,” but a decision log, evidence list, and a corrective-action plan mapped to ISA domains.
Below is a ready-to-run script you can adapt. Keep it to 90–120 minutes. Record decisions and artifacts in real time.
Roles (define before the session)
- Incident Commander (IC): accountable decision-maker
- IT Lead: identity, endpoints, network, backup/recovery
- OT/MES Lead: production line systems, plant safety, downtime tradeoffs
- R&D/Engineering Lead: BMS firmware, lab systems, prototype handling
- Facilities/Security: physical access, visitor control, prototype areas
- Legal/Compliance: regulatory/customer reporting posture
- Procurement/Vendor Mgmt: MSSP, cloud providers, critical suppliers
- Comms/Customer Lead: OEM status updates, internal messaging
- Scribe: captures decisions, timestamps, evidence references
Scenario setup (read aloud)
“On a Tuesday at 09:10, users report they cannot access the MES dashboard. A ransom note appears on a shared printer. Engineering also reports unusual Git activity on a BMS firmware repository. The OEM portal is used daily for CAD and test reports.”
Inject timeline (choose 6–10 injects)
Inject 1 (09:12): EDR flags mass file encryption on a Windows jump host used to access MES.
Decision prompts: isolate plant network? shut down jump host? who approves?
Inject 2 (09:18): OT lead says stopping the line mid-process may scrap WIP and trigger safety procedures.
Decision prompts: what is the safety shutdown plan? who owns it?
Inject 3 (09:25): IAM logs show a privileged account used from an unusual location.
Decision prompts: disable accounts? emergency access process? evidence capture?
Inject 4 (09:32): R&D lead reports a prototype pack test report is missing from the secure share; suspicious exfiltration is possible.
Decision prompts: treat as confidentiality breach? prototype protection escalation?
Inject 5 (09:40): Backup team finds last clean snapshot is older than expected; retention policy unclear for a critical MES database.
Decision prompts: restore point choice? downtime estimate? decision authority?
Inject 6 (09:48): A supplier emails: “We received malicious files from your SFTP.”
Decision prompts: supplier notification workflow? third-party risk actions?
Inject 7 (09:55): OEM asks for an update in 30 minutes: “Are prototypes or production impacted?”
Decision prompts: what can you say confidently? who approves outbound comms?
Inject 8 (10:05): Threat actor claims they stole design documents and will leak them.
Decision prompts: legal posture? evidence preservation? internal messaging?
Expected outputs (what you must capture)
- Incident classification and severity rationale
- Containment steps and authority chain
- Recovery strategy (including “why this restore point”)
- Customer/supplier communications draft
- Evidence list (logs, tickets, access changes, meeting notes)
- Immediate corrective actions (top 5)
Evidence (approved source):
- TISAX emphasizes incident management, monitoring, and continuity; maturity levels reward measurement and continuous improvement (ISA maturity 0–5).
- AL3 assessments include on-site verification and interviews; auditors will expect documented process and observed practice alignment.
Key Takeaway:
Your tabletop should force at least one uncomfortable tradeoff: confidentiality vs availability vs safety. That’s the difference between “a compliance meeting” and an operational exercise.
AAR templates that auditors can actually use (plus metrics tied to maturity)
Answer-first: A TISAX-grade After-Action Review (AAR) turns discussion into traceable improvements: findings → root causes → corrective actions → owners → deadlines → evidence. If you don’t produce this chain, your tabletop won’t meaningfully improve maturity scores.
A consistent pattern in evidence-heavy assessments is that traceability wins: each lesson learned should map to an ISA domain and produce a repeatable artifact.
AAR Template (copy/paste)
1) Exercise metadata
- Scope / site:
- Date/time:
- Scenario:
- Participants (roles):
- Assessment objectives impacted (e.g., confidentiality, prototype protection, availability):
- TISAX target level (AL2/AL3):
2) What happened (timeline)
- Timestamps + decisions + key facts assumed
3) What went well
- 3–5 bullets, each with: why it worked and how to repeat it
4) Gaps observed (findings table)
| Finding | Impact (C/I/A) | Root cause | Control domain (ISA) | Severity | Owner | Due date | Evidence to close |
|---|---|---|---|---|---|---|---|
5) Corrective actions (SMART)
- Action, measurable success criteria, dependencies, budget needs
6) Evidence package generated
- Links to tickets, logs, screenshots, policy references, comms drafts
7) Management summary (1 page)
- Business impact, risk posture, top decisions needed
Lightweight maturity signals (useful for “0–5” conversations)
- Repeatability: could you run the same process next month with a different IC?
- Measurement: do you have time-to-contain/time-to-communicate targets?
- Governance: were exceptions documented and approved?
- Supply chain: did you execute supplier notification and risk workflows?
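An added example, not from the page, ENX or the VDA ISA: a small Python script the scribe can run after the session. It turns the decision log into the two timing signals named above (time-to-contain, time-to-communicate, measured from first detection) and checks every AAR finding for the full chain of finding, root cause, ISA domain, owner, due date and closing evidence, so an unscorable finding is caught before the AAR is filed. The decision log, the findings, the ISA domain labels, the exercise date and the target values are all constructed for illustration.

```python
from datetime import datetime

# Assumed exercise date; ISO format so the due-date check below can compare strings.
EXERCISE_DATE = "2025-03-11"

# Constructed decision log following the inject timeline in the drill script.
# Tuple layout and event kinds ("detect", "contain", "escalate", "notify_in",
# "notify_out") are this example's own convention for the scribe.
DECISION_LOG = [
    ("09:10", "Plant", "detect", "MES dashboard unavailable; ransom note on label printer"),
    ("09:12", "IT", "detect", "EDR flags mass encryption on MES jump host"),
    ("09:16", "IC", "contain", "Approved: isolate jump host, cut plant VLAN from office network"),
    ("09:25", "IT", "contain", "Privileged account disabled; emergency access process invoked"),
    ("09:32", "R&D", "escalate", "Prototype test report missing from secure share"),
    ("09:55", "Comms", "notify_in", "OEM requests a status update within 30 minutes"),
    ("10:20", "Comms", "notify_out", "First OEM status sent; approved by IC and Legal"),
]

# Targets are assumed values for this exercise, not figures from ENX or the ISA.
TARGETS_MIN = {"time_to_contain": 15, "time_to_communicate": 60}

# Column order of the findings table in the AAR template.
REQUIRED_FIELDS = ("finding", "impact", "root_cause", "isa_domain",
                   "severity", "owner", "due_date", "evidence_to_close")

# Constructed findings; the second one is deliberately incomplete.
FINDINGS = [
    {"finding": "First OEM update took 70 min; no pre-approved holding statement",
     "impact": "A", "root_cause": "No comms template; approval chain undefined",
     "isa_domain": "Information security: incident management",  # illustrative label
     "severity": "high", "owner": "Comms/Customer Lead", "due_date": "2025-04-30",
     "evidence_to_close": "Approved holding statement and RACI attached to GRC ticket"},
    {"finding": "Last clean MES snapshot older than expected",
     "impact": "A", "root_cause": "No retention requirement defined for MES database",
     "isa_domain": "Information security: backup and recovery",
     "severity": "high", "owner": "", "due_date": "", "evidence_to_close": ""},
]


def _ts(hhmm):
    return datetime.strptime(f"{EXERCISE_DATE} {hhmm}", "%Y-%m-%d %H:%M")


def first_event(log, kind):
    """Earliest timestamp of an event kind, or None if it never happened."""
    times = [_ts(t) for t, _role, k, _text in log if k == kind]
    return min(times) if times else None


def metrics(log, targets=TARGETS_MIN):
    """Minutes from first detection to first containment and to first outbound
    communication, each with its target and whether it was met. An event that
    never occurred yields minutes=None and met=False, which is itself a finding."""
    t0 = first_event(log, "detect")
    result = {}
    for name, kind in (("time_to_contain", "contain"), ("time_to_communicate", "notify_out")):
        t = first_event(log, kind)
        minutes = None if t is None or t0 is None else int((t - t0).total_seconds() // 60)
        result[name] = {"minutes": minutes, "target": targets[name],
                        "met": minutes is not None and minutes <= targets[name]}
    return result


def traceability_gaps(findings, exercise_date=EXERCISE_DATE):
    """Findings an assessor could not score: list (index, problems) where a link in
    finding -> root cause -> ISA domain -> owner -> due date -> evidence is missing
    or the due date is not after the exercise."""
    gaps = []
    for i, f in enumerate(findings):
        problems = [k for k in REQUIRED_FIELDS if not str(f.get(k, "")).strip()]
        due = str(f.get("due_date", "")).strip()
        if due and due <= exercise_date:
            problems.append("due_date not after exercise date")
        if problems:
            gaps.append((i, problems))
    return gaps


def findings_table(findings):
    """Render the findings in the AAR template's table layout."""
    header = ("| Finding | Impact (C/I/A) | Root cause | Control domain (ISA) "
              "| Severity | Owner | Due date | Evidence to close |")
    separator = "|" + "---|" * len(REQUIRED_FIELDS)
    rows = ["| " + " | ".join(str(f.get(k, "")) for k in REQUIRED_FIELDS) + " |"
            for f in findings]
    return "\n".join([header, separator] + rows)


if __name__ == "__main__":
    for name, m in metrics(DECISION_LOG).items():
        print(f"{name}: {m['minutes']} min (target {m['target']}) met={m['met']}")
    for idx, problems in traceability_gaps(FINDINGS):
        print(f"finding {idx} cannot be closed: {', '.join(problems)}")
    print(findings_table(FINDINGS))
```

With the constructed log, containment lands at 6 minutes (inside the assumed 15-minute target) while the first OEM update lands at 70 minutes against a 60-minute target, and the second finding is reported as unclosable because it has no owner, due date or closing evidence. That missed target and that incomplete row are exactly the kind of output the AAR should carry forward as corrective actions.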
Evidence (approved source):
- ENX describes TISAX as a three-step process (registration, assessment, exchange) and expects corrective actions to be tracked and closed; labels are valid for three years, so sustainment matters.
- ENX states organizations assessed under TISAX meet relevant NIS2 requirements in areas like risk management and incident response, increasing the value of measurable, repeatable AAR outputs.
Pro Tip:
Store AARs in the same repository structure you use for ISA evidence—organized by domain and control question—so auditors don’t have to “interpret” your folder system.
Tooling architecture that supports tabletops and TISAX evidence (without spreadsheet chaos)
Answer-first: The most sustainable TISAX tooling approach is layered: ENX Portal for official scopes and label exchange, plus an internal GRC backbone for governance, and automation for continuous evidence collection. This reduces audit friction at AL2/AL3 and makes tabletop outputs reusable evidence.
ENX does not endorse software. That neutrality forces you to build your own operational system around the ISA Excel catalog and the Participant Handbook process logic.
Practical 3-layer model (quotable)
- ENX layer (official): ENX Portal for participant registration, scopes, labels, and controlled result sharing.
- GRC layer (governance): control library, risk register, policies, corrective actions, reporting.
- Automation layer (execution): integrations that continuously collect evidence (IAM, ticketing, cloud, CI/CD, monitoring).
Tool categories mentioned in the approved research
- Enterprise GRC: ServiceNow GRC, MetricStream, RSA Archer, AuditBoard
- TISAX-oriented GRC: CyberArrow GRC, VComply, Trustero AI (noting that public detail on TISAX-specific depth varies)
- Compliance automation: Sprinto, Drata, Thoropass
- Privacy/data protection tooling: OneTrust, Transcend, PrivIQ, Wired Relations, Netwrix Auditor
How tabletops fit the stack
- GRC layer: store exercise plan, attendance, decision logs, AAR, corrective actions
- Automation layer: attach objective evidence (access changes, incident tickets, backup logs) instead of screenshots
- Reporting: export an “auditor pack” aligned to ISA sections
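As an added example for the automation layer (not the page's, ENX's or any vendor's code), here is a Python evidence-pack indexer. It walks a repository laid out as domain/control-question/artifact, which is the folder convention recommended in the Pro Tip above, records a SHA-256 per artifact so a later "tidy-up" of a decision log is detectable, lists files that sit outside the convention instead of silently dropping them, and reports control questions that still have no artifact. The domain folder names, the control-question ID format and the file contents are assumptions made for the demo and are not the official ISA numbering.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Illustrative domain folders and control-question id style; not the official ISA numbering.
DOMAINS = {"info-sec", "prototype", "data-protection"}
CQ_RE = re.compile(r"^\d+\.\d+\.\d+$")


def sha256_file(path, chunk=1 << 16):
    """Stream-hash a file so large logs and exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Index every file under root. Artifacts must sit at
    <domain>/<control-question>/... ; anything else is listed as unmapped
    rather than silently dropped, so the pack reviewer sees it."""
    root = Path(root)
    artifacts, unmapped = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        parts = rel.parts
        if len(parts) >= 3 and parts[0] in DOMAINS and CQ_RE.match(parts[1]):
            artifacts.append({
                "domain": parts[0],
                "control_question": parts[1],
                "artifact": rel.as_posix(),
                "sha256": sha256_file(p),
                "bytes": p.stat().st_size,
            })
        else:
            unmapped.append(rel.as_posix())
    # Hash of the artifact list itself: record this value in the GRC ticket so the
    # pack handed to the assessor can be matched to what was indexed.
    digest = hashlib.sha256(json.dumps(artifacts, sort_keys=True).encode()).hexdigest()
    return {"artifacts": artifacts, "unmapped": unmapped, "manifest_sha256": digest}


def verify_manifest(root, manifest):
    """Re-hash every indexed artifact; return the paths that changed or vanished."""
    root = Path(root)
    drift = []
    for entry in manifest["artifacts"]:
        p = root / entry["artifact"]
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            drift.append(entry["artifact"])
    return drift


def coverage_gaps(manifest, required):
    """(domain, control-question) pairs in `required` that have no artifact yet."""
    have = {(e["domain"], e["control_question"]) for e in manifest["artifacts"]}
    return sorted(set(required) - have)


def demo():
    """Build a constructed evidence tree in a temp dir and run the three checks."""
    root = Path(tempfile.mkdtemp(prefix="tisax-evidence-"))
    files = {  # constructed artifacts; ids and contents are illustrative
        "info-sec/1.6.1/decision-log-2025-03-11.md": "09:16 IC approved isolation\n",
        "info-sec/1.6.1/aar-2025-03-11.md": "Findings: see table\n",
        "info-sec/5.2.6/backup-restore-test.log": "restore from 2025-03-09 snapshot ok\n",
        "prototype/8.1.1/visitor-log-extract.csv": "2025-03-11,badge-4471,entry\n",
        "screenshots/random.png": "dropped here by hand, not mapped to a control",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    manifest = build_manifest(root)
    # Simulate a post-hoc edit of the decision log; verification must surface it.
    (root / "info-sec/1.6.1/decision-log-2025-03-11.md").write_text("tidied up later\n")
    drift = verify_manifest(root, manifest)
    gaps = coverage_gaps(manifest, [("info-sec", "1.6.1"), ("info-sec", "5.2.6"),
                                    ("data-protection", "9.3.1")])
    return manifest, drift, gaps


if __name__ == "__main__":
    m, d, g = demo()
    print(json.dumps(m, indent=2))
    print("changed since indexing:", d)
    print("control questions with no evidence:", g)
```

Run the indexer as the last step of the AAR workflow and store the manifest hash with the corrective-action ticket; re-running verify_manifest before the assessment window then tells you whether anything in the pack was altered after the exercise, and coverage_gaps tells you which in-scope control questions the exercise still leaves without evidence.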
Evidence (approved source):
- ENX reports more than 60,000 sites have undergone TISAX assessments globally.
- Audit fees are cited as typically €5,000–€10,000 for smaller scopes, rising to €50,000–€200,000 for large/complex suppliers; implementation projects can span 3–15 months depending on maturity.
- Tools with automation can reduce manual effort enough to pay back within one to two years (as reported in the research synthesis), especially for multi-framework environments.
Key Terms (mini-glossary)
- TISAX: An ENX-governed assessment and exchange mechanism for automotive supply-chain information security.
- ENX Portal: The official platform for TISAX registration, scoping, and controlled sharing of results.
- VDA ISA catalog: The control questionnaire (Excel) used as the normative basis for TISAX assessments.
- Assessment scope: The set of locations/processes under assessment, defined in ENX Portal.
- Assessment objective: The protection target (e.g., confidentiality, prototype protection) driving required rigor.
- AL2: Remote plausibility assessment with evidence review and interviews.
- AL3: On-site assessment with physical/process verification and interviews.
- Maturity level (0–5): A scale for how standardized, measured, and optimized controls are.
- AAR: After-Action Review; the structured “lessons learned + corrective actions” output of an exercise.
- GRC platform: Software used to manage governance, risk, compliance controls, evidence, and reporting.
- Continuous control monitoring (CCM): Automated checks that validate controls over time, not just at audit time.
Key Takeaway:
If your tabletop outputs live in email threads, you’ll re-pay the “evidence tax” every audit cycle. Put exercises into your compliance system as first-class artifacts.
The Counter-Intuitive Lesson I Learned
Answer-first: The most effective ransomware tabletop is not the most technical one—it’s the one that forces cross-functional decisions you’d rather avoid, and then turns them into evidence and governance improvements.
Here’s the counter-intuitive part: teams often over-invest in “attack realism” and under-invest in decision realism. But assessors (especially at AL3) care whether your organization can:
- Decide who has authority to halt production or isolate networks
- Communicate credibly to OEMs and suppliers under uncertainty
- Prove that your incident process is repeatable and evidenced
A useful exercise design trick is to limit technical detail and increase decision pressure:
- Add “OEM update in 30 minutes”
- Add “prototype data exfil suspected”
- Add “backup restore point is older than expected”
- Add “supplier claims you infected them”
Evidence (approved source):
- AL3 includes planned/unplanned interviews and observation; “documentation aligns with observed practice” is a recurring expectation in the research synthesis.
- TISAX includes maturity measurement and continuous improvement; tabletops that produce KPIs and corrective actions directly support higher maturity.
Pro Tip (fast upgrade):
Run the same scenario twice: once as discussion, once as a timed “decision sprint” with a real comms draft and an evidence pack. The delta between the two is usually where the best corrective actions live.
FAQ
1) Do TISAX tabletop exercises need to be “required” by ENX?
No. ENX doesn’t prescribe tabletop exercises as a mandatory method, but TISAX requires incident management, monitoring, and continuity controls—and exercises are a strong way to prove operational maturity.
2) What’s the difference between AL2 and AL3 in practice for exercises?
AL2 is a remote plausibility review; AL3 is on-site verification with deeper checking. Exercises supporting AL3 should include site realities (physical access, OT constraints) and produce cleaner evidence chains.
3) How often should we run a ransomware tabletop?
The research doesn’t prescribe a cadence. A practical approach is at least annually and after major changes (new plant, new OEM program, major infrastructure change), because labels last three years but drift is real.
4) Can we reuse ISO 27001 work for TISAX exercises?
Yes. TISAX is an automotive overlay on ISO 27001 and GDPR, and sources note 20–30% savings when pursuing ISO 27001 and TISAX together by reusing controls/evidence.
5) What’s the single biggest evidence mistake during tabletops?
Not producing traceable corrective actions with owners, due dates, and closure evidence. Auditors can’t score “good discussion.”
6) How do we handle prototype protection in a ransomware scenario?
Treat it as both confidentiality and physical/process risk: access to prototype areas, restrictions on photos/recording, and secure handling of prototype data and devices. Ensure facilities/security are in the room.
7) How do we stay current with 2025 ENX updates?
Use a listening checklist when attending industry webinars: note any ENX comments on scoping, AL2/AL3 expectations, ISA updates, and evidence quality—then convert them into internal control updates.
Conclusion: closing the loop from the war room
Back in that war room, the best outcome isn’t “we paid nothing” or “we restored fast.” It’s that, weeks later, you can point to a clean chain: decision log → AAR → closed actions → evidence mapped to ISA domains—ready for AL2/AL3 scrutiny and credible to your OEM customer.
If you want a practical next step: take the ransomware drill script above, run it once within your registered scope, and produce the AAR package in your GRC system.
CTA (Gradum.io): If you’d like these scripts and templates as editable docs (facilitator guide, inject cards, AAR tables, and evidence-pack structure) and want help aligning them to your ISA-based TISAX program, follow Gradum.io for more implementation playbooks and updates.