MRIS for TISAX® 2027 · ISA Module Information Security

Do your controls still work when the attacker is an AI?

MRIS assesses the 45 controls of the TISAX® ISA 2027 catalog — 324 individual requirements — against GenAI-accelerated attacks and names concrete hardening measures from the MHC catalog for every gap.

Free · CC BY 4.0 · No registration · For CISOs and ISMS leads at TISAX®-obligated organizations

Why “Mythos”?

Mythos (Anthropic) was the first frontier AI model whose capabilities in an attacker’s hands fundamentally changed the security landscape. MRIS uses it as the reference threat model: every control is measured against an attacker with Mythos-level capabilities.

What has changed

Four threat shifts as the assessment grid

Patience

Attacker patience

AI attackers work on a target indefinitely, in parallel and without fatigue.

Time

Time compression

Minutes, not days, pass between initial access and damage.

Aggregation

Aggregation resistance

Fragmented individual steps stay below every reporting and detection threshold.

Actor

Capability decoupling

Attack capability no longer depends on the actor's resources.

1
Assess45 controls (324 requirements) against the threat model
2
ClassifyFour categories, 72 findings in 8 patterns
3
Harden10 MHC plus 6 individual measures close the gaps
Risk Classification

Four categories. One clear verdict per control.

Each of the 45 controls of the ISA 2027 Information Security module is assessed against the GenAI threat landscape — at the level of the 324 individual requirements. What is assessed is the requirement wording, not any specific organization’s implementation.

45Controls total
Context: 58% of controls lose part of their protective effect — mostly because wording such as “regularly” mandates no event-driven response mechanism. Only one control (4.1.2, pure password factor) loses its core effect entirely.
Compensating Controls

Select a control — see the flanking hardening

Select one of the 31 controls with findings. MRIS shows the assigned Myth-Hardening Controls (MHC) or individual measures that close the gap.

Select a control on the left
to see the matching MHC.

Mappings per MRIS for TISAX® 2027, annex (72 findings across 31 controls).

Leverage

A few controls cover many gaps

Number of individual findings (of 72) each MHC carries. Prioritization starts with the broadest impact. MHC-16 is an original addition without a TISAX® finding.

Scope

What MRIS does — and deliberately does not

MRIS provides

  • +Effectiveness assessment of all 45 controls (324 requirements) of the ISA 2027 IS module
  • +Gap analysis against NIST CSF 2.0, C5:2026, DORA, CRA, NIS2 and ISA/IEC 62443-2-1
  • +Implementation guidance for 10 MHC with maturity paths and audit evidence
  • +Threat Priority Score and P0/P1/P2 roadmap for prioritization

MRIS deliberately does not provide

  • Not part of the official TISAX® assessment process, not authorized by ENX
  • No substitute for a TISAX® maturity assessment by an accredited audit provider
  • No assessment of any specific organization’s implementation — the wording is assessed
  • Prototype Protection and Data Protection are outside the scope of this analysis
Assessed against
TISAX® ISA 2027NIST CSF 2.0BSI C5:2026DORACRANIS2 Directive/IRISA/IEC 62443-2-1OWASP ASI
Download

Both documents. Free.

Part I · Analysis

MRIS for TISAX® 2027 – Analysis and Gap Assessment

Assessment of all 324 requirements, 8 pattern clusters, gap analysis against 6 reference frameworks.

PDF · July 2026 · CC BY 4.0 · English
Download
Part II · Implementation Guide

MRIS TISAX® 2027 Implementation Guide v1.0

Implementation guidance for the 10 MHC: maturity paths, audit evidence, Threat Priority Score and P0/P1/P2 roadmap.

PDF · July 2026 · CC BY 4.0 · English
Download
Usage note

The MRIS publications are working aids (CC BY 4.0, © 2026 Richard Peddi). TISAX® is a registered trademark of the ENX Association; the ENX Association administers TISAX® on behalf of the VDA. This analysis is an independent, privately produced work with no affiliation to the ENX Association or the VDA — neither part of the official TISAX® assessment process nor authorized by ENX, and no substitute for a maturity assessment by an accredited audit provider. No legal or certification advice; use at your own responsibility.