- September 08
Cybersecurity standards become especially strict for IT partners working with the automotive industry. OEMs consistently demand proof of compliance with stringent information security requirements from their partners and contributors.
TISAX certification was created to facilitate the procedural aspects and build standard obligations in the highly competitive automotive industry. You can learn from this article about the essence of the certification and its implications for business cooperation.
Table of contents:
What is TISAX?
What does being TISAX compliant give organizations?
TISAX – Mutually respected standard for information security audits in the automotive industry
What are the benefits of implementing TISAX?
TISAX reassures compliance, security and seamless cooperation
What do TISAX certification standards include?
What does the process of becoming TISAX compliant look like from the formal side?
How long is the TISAX certificate valid?
What’s at stake when your automotive IT vendor is not compliant with TISAX?
TISAX (Trusted Information Security Assessment Exchange) is an international standard used in the automotive industry, defining the conditions for maintaining the required degree of confidentiality when exchanging information with business partners.
Origins of TISAX certification
The standard for TISAX was developed by the German automotive industry association VDA (Verband der Automobilindustrie) and covers a catalog of issues (VDA ISA, Information Security Assessment) concerning information security. The foundation of the VDA ISA is the global standards ISO/IEC 27001 and ISO/IEC 27002, which define the framework for an Information Security Management System.
TISAX compliance is a confirmation of adherence to standards and fair cooperation between partners engaged in the automotive industry.
An organization that has implemented the requirements described in the VDA ISA and performs an audit – by making the results of the audit available to its partners – confirms its credibility and, in most cases, avoids additional audits before and during the partnership. TISAX compliance is required by major automotive companies.
The automotive industry is marked by specific requirements. The frequency of information and data exchange throughout the operating area is enormous. A key issue in the external exchange of information is the protection of prototypes and ensuring the security of communications with subcontractors and suppliers.
In order to ensure proper protection of the data and information being processed, the VDA (German Automotive Industry Association) established the first IT security law and published it in 2015. A catalog of information security questions (VDA ISA) was developed and successively refined. It is based on the main requirements and guidelines of the international standards ISO/IEC 27001 and ISO/IEC 27002 for an Information Security Management System.
VDA ISA – Information Security Assessment
VDA ISA has become a foundation for information security in the automotive industry. It consists of a main, core component plus supplementary modules for prototype protection, third-party connections (e.g., design offices) and data protection (BDSG – Federal Data Protection Act), which can be used during an audit. Other modules are being developed and added to the catalog depending on needs and requirements.
VDA regulators have introduced substantive and formal pre-conditions for the establishment of a common audit and information exchange mechanism (TISAX) in the automotive industry for information security assessment (ISA). It guarantees a unified level of information exchange security. The TISAX model is designed to be as universal as possible, so it can also be applied to other sectors.
The VDA ISA is used by partner companies for their internal purposes and to audit third-party suppliers and service providers that handle a company’s confidential information. In the past, each company audited its third-party suppliers itself, so a single supplier was subjected to rather frequent audits. This wasted time and money on both sides.
The main advantages of implementing TISAX certification include:
- creation of transparent supplier and service provider evaluation,
- establishing a common level of information security in the automotive industry,
- improving communication in the supply chain,
- establishing lasting and positive relationships with suppliers,
- the chance to gain brand new business contacts.
However, the benefits are much greater. For companies that are thinking seriously about working with the automotive industry, including IT service providers, TISAX certification means:
- Growth, by strengthening existing and developing new business relationships.
- Time and money savings, by being able to avoid multiple information security audits from customers.
- Security, through a management system capable of preventing information security breaches and cyber-attacks.
- Strengthened confidence, by taking a comprehensive approach to data protection.
- Identifying and mitigating risks, by establishing risk management procedures.
- Distinction, based on an evaluation by one of the leading automotive industry certification bodies.
As of 2017 TISAX has established a common mechanism for evaluating and exchanging information security audits following VDA ISA, which more than 1,000 companies already use in more than 40 countries. Every company that works for customers in the German automotive industry needs a TISAX certificate as of 2018. At the same time, VDA has created the ENX (European Network Exchange) information exchange platform to handle the services provided, including TISAX.
Participants in TISAX can be all companies in the automotive industry (e.g.: automakers, component suppliers, raw material suppliers, service providers to the automotive industry as well as its customers, research institutes, contractors and automotive collaborators) that want to either commission an audit or share audit results via TISAX.
Participants have two options to choose from:
- accessing information (requesting the audit result),
- providing information (providing the audit result).
A TISAX participating company may be audited at the request of another participant or make its own evaluation arrangements. Once the accredited entity conducts the audit, the results are available to the requesting party. In addition, the audited company can share its results with other TISAX participants at different levels of detail, thus avoiding extra audits for other stakeholders, while maintaining the same security compliance requirements.
In a nutshell, the scope of the TISAX standard covers:
- two-factor authentication in the processing of sensitive data,
- monitoring of KPIs (Key Performance Indicators) in specific information transfer security processes,
- database encryption,
- restrictions on the use of cloud solutions to store entrusted data (e.g.: technical documentation),
- processes for the physical protection of prototypes (e.g.: masking).
The process consists of 3 fundamental stages: Registration, Assessment, Exchange. The process cannot take longer than 9 months.
Registration
This fee-based stage is done completely online, via a web form. The purpose of registration is:
• acceptance of the general terms and conditions of participation in TISAX (non-negotiable),
• providing personal data of the Information Protection and Security Officer (the person responsible for cooperation and contact with TISAX),
• gathering information about the company’s activities and defining the scope of the assessment,
• selecting the purpose of the evaluation.
Assessment
The next step of TISAX accession is based on the VDA ISA survey and consists of the following activities:
• conducting a self-assessment based on the VDA ISA and its interpretation,
• implementing possible corrective actions,
• assigning a TISAX-accredited auditor,
• audit for compliance with TISAX requirements,
• receiving the TISAX report with the final evaluation result.
Exchange
The essence of the final stage is the exchange of information regarding the evaluation. Within 5 – 10 days, the auditor publishes the result of the assessment on the exchange platform (ENX), which offers the user a number of options:
• sharing the result with a business partner who has previously made such a request,
• making the result available to all/selected TISAX users,
• sharing the result in individually defined scopes.
TISAX labels (i.e., assessment results) expire after 3 years. This period may be shortened as a result of significant changes in the scope of the assessment (e.g.: change of location, company profile). Renewing the label requires undergoing the entire evaluation process once again.
Information security and the requirements of the automotive industry
Information nowadays is of enormous value. We are producing more and more of it, so it is becoming more difficult and more important to secure it properly.
Concern for information security indicates a high level of awareness in organizations, and that is gradually becoming a standard. Large companies are responsible for this state of affairs. They are beginning to require their suppliers to adequately secure the information they transmit.
Non-compliance with TISAX in an era of increased information security risks virtually wipes out opportunities for cooperation. Standardization aims to streamline and systematize processes. At least 30,000 websites are hacked worldwide every day. A serious focus on protecting patents and intellectual property is fully justified.