Information security as Competitivity Factor
In the era of digitisation, information security increasingly represents a decisive factor in remaining competitive. This applies in particular to the automotive industry – here companies exchange huge amounts of sensitive data on a daily basis, data that needs to be protected against theft, loss or manipulation. Information security used to be considered as being the individual concern of each particular company, but this should change in future through the common assessment and exchange mechanism TISAX ‘(Trusted Information Security Assessment Exchange).
TISAX – what does this mean?
Companies in the automotive industry have to demonstrate at regular three-year intervals that they fulfil the required security criteria of their sector. The basis for this proof is the VDA-ISA catalogue of requirements issued by the Association of the Automotive Industry (Verband der Automobilindustrie, VDA). The VDA-ISA catalogue comprises the key aspects and criteria of the internationally recognised standard ISO 27001 and additional lists of criteria, which specifically apply to the automotive sector, such as the involvement of third parties and the protection of prototypes.
Furthermore, there is a fully developed and comprehensive audit and exchange mechanism. The audit and reporting processes ensure a high degree of comparability and transparency and thus strengthen the feeling of confidence of the respective customers who are therefore demanding to an increasing extend the attainment of the relevant TISAX labels to be a binding requirement. The TISAX online platform makes it possible for participants to exchange assessment data and at the same time makes it easier for participants and audit providers to get in touch with one another.
The body responsible for TISAX is the VDA and the ENX Association monitors the quality of the execution and of the assessment results. You can find the associated TISAX handbook here.
Two possible roles in terms of participation
There are two roles within the exchange model, which each participating company can assume, according to its needs:
- Passive participant (e.g. OEAM, automotive manufacturer): calls for another company (e.g. a supplier) to undergo an assessment and requests access to the to the assessment results.
- Active participant (e.g. supplier): a company is either called by another company (e.g. OEM of customer) to undergo an assessment, or undertakes to have an assessment done on their own initiative. After completion, the active participant makes it possible for selected companies (e.g. OEMs) to gain access to the TISAX portal by registering as a participant.
This is a prerequisite for entrusting an accredited audit provider with the task of carrying out an assessment.
Various different protective classes and assessment levels
The ENX Association, as the operator of the TISAX programme, has clearly defined level and scope of an assessment, TISAX differentiates between three different “protection levels” (normal, high, and very high), defining the needed level of protection of the information in question. Furthermore, TISAX differentiates three “assessment levels” defining the depth of assessment and the assessment method:
- Information with normal protection level: Assessment level 1 in the form of self-assessment. Results of assessments with assessment level 1 are normally not used in the TISAY but may be requested outside the scheme.
- Information with high protection level: Assessment level 2 through an audit organisation, using the self-assessment as a basis, as well as various documents and a telephone interview (if required, onsite inspection).
- Information with very high protection level: Assessment level 3 carried out by an independent audit provider based on documentation and an on-site audit.
The scope and the duration of the TISAX assessment are in each case essentially determined according to the list of criteria, which are to be dealt with, the objectives of the protection, the complexity of the ISMS and the number of sites involved.
Who is authorised to carry out audits in accordance with TISAX?
Only audit providers accredited according to TISAX are permitted to carry out the assessments. TÜV NORD CERT is in the process of gaining accreditation.
The four stages in gaining TISAX certification
- Online registration on the TISAX platform
- Selection and appointment of an accredited audit provider, e.g. TÜV NORD CERT
- Performance of the assessment, using documentation or on-site audits
- Exchange of information on the results of the audit with other selected TISAX participants, based on explicit authorization by the audited company.
Who recognises TISAX?
A TISAX certification is required and recognised by all VDA members and OEMs such as Audi, Volkswagen, and BMW.
The advantages of the TISAX procedure are as follows:
- Relevant assessment criteria
- Homogeneous assessment quality and a high level of transparency standardised and stringent testing and reporting procedures complete control of the assessment results avoidance of double and multiple assessments broad acceptance in the automotive sector
- Consolidation of existing and promotion of new business relations consequent orientation to customer needs reduction of risks and establishment of a risk management.
Are you interested in gaining TISAX certification? Feel free to get in touch with us!