ISO 27001 + TISAX – key areas & implications for IT projects

How to ease the cooperation and secure software development in the automotive industry
Krzysztof Pieczyński
Head of Business Development
October 11

Efforts to secure the most important information do not bypass the automotive industry. The specific nature of the automotive sector determines the need to take care of the security of information entrusted to partner companies. According to ISO 27001, securing information within an organization is not enough. Protecting it when transferring it outside the company premises is also necessary.

Certification in the automotive industry, why is it necessary?

Companies like VW, Fiat, Toyota or BMW, as well as the VDA (the German Association of the Automotive Industry), understand data protection very well. Hence, for years they have been making every effort to ensure that certification enables safe cooperation between partners.

Let’s picture a situation in which, at a production plant manufacturing components for several car manufacturers, the engineering data for specific components is not properly secured and becomes available to competitors. Or consider the case in which, upon entering the production hall, we come across information about who purchases the components involved. From the point of view of the competitors, this would be quite a treat.

When looking for an edge in a global, competitive automotive market, automotive corporations hold long-standing strategic plans for developing and releasing new vehicles and solutions. Although such information is typically tagged confidential, companies must share it with suppliers and other stakeholders outside the organization. In that case, they must ensure that the information remains appropriately secured.

This applies to the manufacturing of physical components and the development of IT services that support broad automotive efforts, e.g.: sales or post-sales services.

How do you check your automotive partner’s compliance?

The easiest way is to ask for an ISO 27001-compliant information security certificate. If your contractor does not have one, you might try to check the level of security on your own. However, this is potentially resource-consuming, might affect the project timeline, and requires basic knowledge of ISO 27001.

In the absence of an ISO 27001 certification, the automotive company sends its partners a form to complete: an Information Security Assessment. It includes questions about the security measures in place. Such a form is usually based on ISO 27002 (which is a substantive and descriptive development of ISO/IEC 27001) and contains 51 security features.

For each security feature, one assigns a value between 1 and 5, depending on the degree to which that feature is implemented. The clarification questions included in the form are helpful in this regard. Out of all the questions, the 10 most important are selected, and these must be met at least at level 3.

As proof of how important it is for automotive companies to secure the transferred data, consider that the score received in the assessment determines whether further cooperation is possible.

Information security & cyber security is the future of remote collaboration

Information security in the automotive industry is not just for the benefit of car corporations. In every organization, there is information (know-how, contracts, plans, projects, personal data) that absolutely must be protected. Companies that expect their suppliers to keep information safe impose a certain standard that brings tangible benefits to all.

From ISO 27001 to TISAX – a road to automotive partnership

The origins of TISAX are linked to the ISO/IEC 27001 standard’s universal, process-based approach to information protection. The VDA (Verband der Automobilindustrie, the German Association of the Automotive Industry) expanded its scope to include issues specific to the automotive industry. Within a decade of the VDA launching its first information security working group, VDA ISA (Information Security Assessment) had become a new tool for assessing the maturity level of information security management systems (ISMS).

In May 2016, the Trusted Information Security Assessment Exchange (TISAX) was established, and it has been experiencing significant growth in membership, particularly among German companies. Membership in TISAX is aimed at automakers, suppliers of automotive components and raw materials, other entities in the supply chain, and service providers, especially IT.

The benefits of having TISAX have also been noticed by other customer service providers, including large chains of sales, leasing, warranty and post-warranty service.

TISAX has also become an essential certification for research institutes and various other entities related to the automotive industry. Advantages of being TISAX certified include an overall increase in the level of trust and security of cooperation, as well as:

  • the ability to prove to a business partner a certain level of information security in accordance with VDA ISA requirements;
  • a faster launch of cooperation;
  • the ability to verify a contractor’s assessment of its level of security;
  • the credibility and objectivity of the standard.

ISO 27001 or TISAX, which matters most to the automotive industry?

TL;DR – Both.

Prior to proceeding with TISAX, each organization must implement its ISMS (Information Security Management System), or adapt an existing one, for example by extending an implemented ISO/IEC 27001 system, using the documentation published by the VDA.

Unified and consistent requirements ensure that the system functions and improves across all entities that choose to implement it.

Even once the implementation is complete, as part of continuous improvement it is necessary to monitor how the system functions through periodic audits, IT security verification, penetration and social engineering tests, password management, and other measures that minimize the risk of an incident.

The information security management system, once implemented and entrenched in the organization, is then subject to an accredited external audit. After completing the process, the company is allowed to present its achievement to its business partners.


The benefits of being TISAX compliant

Although the process for becoming a TISAX-compliant company as outlined may seem complicated, there are numerous benefits, both on the road to compliance and after receiving certification.

Aligning a company with the standard set by VDA ISA (and ISO/IEC 27001) results in proactive risk management within the organization and reduces the potential for losses.

TISAX members honor each other’s assessments and operate under a standard that establishes an equal level of data protection, removing the need to audit each other.

When a counterparty requests that a supplier submit its assessment, prior membership in TISAX accelerates the establishment of cooperation.

Participation in TISAX provides an indisputable advantage over non-certified competitors. In part, it confirms the effectiveness of the steps taken earlier on the path of data protection. TISAX crowns the entire organization’s efforts on the road to proving itself a trustworthy IT partner for the automotive industry. The TISAX assessment demonstrates the maturity of the organization and the effectiveness of the implemented ISMS.

ISO 27001 & TISAX – what are the differences?

TISAX is the industry standard for assessing information security in the automotive industry. Unlike ISO 27001, TISAX is in some cases much more detailed in its requirements and considers industry-specific aspects such as prototype protection.


ISO 27001 & TISAX certified IT partner – Hicron Software House

Information security management, as well as information security certification, is extremely important. In a world of digitized services and constant competition, an automotive IT partner that maintains security standards at the highest level is a significant contributor to the business.


How do we know this? We have been partnering in the automotive business for more than 16 years. We support automotive companies in 27 countries. We come from SAP and are aware of the business processes as well as the requirements of the automotive industry. We have implemented ISO 27001 and TISAX to ensure the highest safety standards of cooperation. Our custom solutions for automotive have already improved the workflow across several automotive divisions.
