Information security is becoming increasingly vital in the digital era to preserve competitiveness. This is especially true in the automotive industry, where companies often communicate large amounts of sensitive data that must be protected from theft, loss, or manipulation.
OEMs and their suppliers form one of the world’s most complex supply chains. Because of the strict criteria customary in this business, individual manufacturers used to conduct their own independent audits of their suppliers. As a result, suppliers were obliged to submit to multiple customer audits, which cost a tremendous amount of time, effort, and money.
TISAX, or Trusted Information Security Assessment Exchange, is a German automobile industry framework for data security certification. TISAX was founded in 2017 and has since become the industry standard for ensuring that companies have adequate data security.
TISAX allows businesses to have their data security systems and processes audited by a third party and share the results with customers and partners. TISAX assessments are based on the VDA ISA (Verband der Automobilindustrie Information Security Assessment) regulations, which are based on ISO 27001 standards. TISAX evaluations involve high-level corporate governance and risk management, as well as technical issues including data classification, encryption, and reporting. Companies that are unable to demonstrate compliance will find competing in the German vehicle market difficult or impossible.
The requirements are provided in the form of a catalogue of questions based on the primary components of ISO 27001 (VDA ISA version 5.0). The ISA now has three criteria catalogues:
• Data security
• Prototype protection
• Information security
Each implemented and applied measure is assessed for compliance and effectiveness on a 6-point maturity scale. The higher the maturity level of an information security management system, the more advanced it is:
• 0 – unfinished
• 1 – completed
• 2 – managed
• 3 – established
• 4 – predictable
• 5 – optimizing
TISAX also covers aspects of prototype protection that the ISO standards do not address. These include:
• vehicle, component, and part handling: transportation, parking, and storage;
• test vehicle requirements: camouflage, trial and test areas, public road trials;
TISAX participants can be any automobile company that wants to demonstrate that the data they utilize is secure. The participants are divided into two groups:
• Active participants: companies that undergo a TISAX assessment (for example, suppliers) and share the assessment results, either on their own initiative or at the request of another organization (for example, a manufacturer);
• Passive participants: organizations (e.g. manufacturers) that want to see the results of another organization’s (e.g. a supplier’s) TISAX assessment; they request that the other organization undergo the assessment and share the results on the TISAX platform.
This common standard has created a uniform level of information security in the automobile sector. One of the primary benefits of implementing TISAX is a transparent assessment of suppliers and service providers. This allows for the development of long-term, mutually beneficial relationships with suppliers, as well as improved communication across the supply chain. The ENX platform also enables the formation of completely new business relationships.
The VDA ISA catalogue defines three protection levels for enterprises based on the potential damage.
• Normal: the risk of damage is low, short-term, and limited to a single company.
• High: the potential for damage is significant, medium-term, or not restricted to a single event.
• Very high: the risk of damage threatens the company’s existence, is long-term, or is not limited to a single company.
TISAX enables mutual acceptance of information security assessments and offers a method for sharing and exchanging the results. The assessed company retains complete control over its assessment results. All TISAX assessments draw their questions from the ISA criteria catalogue; which questions apply is determined by the participant’s assessment objectives.
TISAX assessments were created for automotive suppliers and service providers that handle sensitive data. TISAX labels are recognized by all VDA members, and in some cases a TISAX assessment is already mandatory for suppliers.
The assessment procedures used are determined by the assessment level. TISAX distinguishes three levels:
• Assessment level 1 – The auditor only verifies that the self-assessment is complete. The contents of the self-assessment are not examined, and no evidence is gathered. This level is mostly used for internal purposes, as a genuine self-evaluation. Because the results have a low degree of confidence, they are not used within TISAX.
• Assessment level 2 – The auditor checks the plausibility of the self-assessment (for all sites included in the assessment scope) by evaluating evidence and conducting interviews (generally via audio conference). There are no on-site inspections (except where prototypes are the assessment target). A level 2 assessment is required for information with high protection needs.
• Assessment level 3 – The auditor performs all of the checks required for a level 2 assessment, but all inspections are more comprehensive: the self-assessment results are verified through an in-depth on-site inspection and face-to-face interviews. Assessment level 3 is required for prototypes and for data protection involving certain kinds of personal data.
Each organization can assess its information security management system (ISMS) before commencing the registration process. A self-assessment based on the ISA can be used to determine whether the company’s ISMS meets the required maturity level. The ISA document is available as an Excel file on the VDA website. The following are the types of information security control questions it contains:
It also includes new prototype protection criteria and additional data protection questions that assess a service provider’s fundamental capacity to act as a processor under Article 28 of the EU General Data Protection Regulation. The requirements are arranged in four columns: must requirements, should requirements, further requirements for high protection needs, and further requirements for very high protection needs. After completing the form, the resulting score indicates whether the company is ready for a TISAX assessment and can expect to obtain TISAX labels.
Evidence is critical for a business to achieve and maintain compliance, so a list of the documents to be presented to the auditor should be prepared in advance.
Such a document list will almost certainly improve your chances of completing the audit. With these documents as evidence, the auditor can conduct the audit more efficiently and gains a deeper understanding of your business processes, systems, and infrastructure.
Before the audit begins, the organization must provide the auditor with a management description. This document contains a comprehensive overview of the organization’s system, including procedures, operations, infrastructure, and controls. These are the system controls that let the company provide services to clients while also ensuring the security, availability, processing integrity, confidentiality, and privacy of business data. Note that if a process changes during the engagement, the management description submitted to the auditor must be revised accordingly.
A physical inventory of all network devices, equipment maintenance records, and documentation of security strategies and measures must be in place. This includes, among others, system settings, data retention and destruction policies, policies for outsourced application development, access and acceptable use policies, encryption policies, implementation requirements, and password requirements.
Access logs, system backup logs, system update logs, patch records, and the key security measures protecting client data must all be included in the documentation, as must any data and documentation relevant to the deployment and management of infrastructure security controls.
Organizations must also have operational documents in place, such as system control documents, data flow diagrams, details of risk management programs and plans, compliance programs, and privacy documents such as privacy practices, data use agreements, unsubscribe and opt-out policies, and confidentiality agreements.
Human resources documents include an organizational chart; a list of every employee’s roles and responsibilities related to compliance positions; an employee handbook; employee access levels; security awareness training logs; policies, procedures, and processes for hiring and onboarding new employees and for evaluating employee performance; a formal process for terminating employees; evidence that physical and system access of terminated employees has been removed; and more. Policies, standard operating procedures, and an information security policy, as well as a code of conduct,
Many people still regard information security as an unprofitable added cost. Fortunately, an increasing number of companies recognize the importance of implementing information security standards. The VDA TISAX concept promotes data security audit standards, quality assurance, and mutual recognition. Importantly, it allows enterprises to reduce costs while satisfying business goals, since the frequency of audits decreases. The automobile industry’s information security concerns are addressed with a set of questions based on the ISO 27001 standard. Companies that adopt the standard can show their contractors that their level of information security is appropriate or meets the expectations of a contractor interested in working with them.