The automotive industry is in the middle of a massive shift. Because of this, a standard approach to Information Security is required to meet the ever-expanding changes of securing vast networks of international suppliers while safeguarding large, extensive data streams. Given these challenges, the industry has reviewed and has widely accepted the Trusted Information Security Assessment Exchange (TISAX) to meet these expanding security challenges head-on and at the source.
TISAX serves as an IT security assessment and certification program for organizations operating within the automotive industry. It was created by the European automotive businesses and introduced by the Verband der Automobilindustrie (VDA) – German association of the automotive industry.
The primary focus of TISAX is to ensure the secure handling of business partners’ information, safeguarding of prototypes, and adherence to data protection standards as outlined by the General Data Protection Regulation (GDPR) for engagements between car manufacturers and their service providers or manufacturers. TISAX was developed with ISO 207001 standards as its foundation in terms of Information Security specifications. The two are identical.
So, who should be TISAX compliant? Any company that intends to conduct business with European, specifically German, industries should ensure TISAX accreditation. This would also require all automotive companies and service providers to manage the confidentiality of the data. This confidential data includes any data that could lead to the identification of people or vehicles such as customer data, employee data, and technical details.
Currently, TISAX certification is not legally required. However, it is highly recommended and, in some cases, required by the manufacturer to enter into a business dealing with most German manufacturers to demonstrate that the organization keeping the significance of securing the data is a priority.
Some of the compliance requirements:
Ensuring that a robust information management system is established while conducting effective risk assessment and mitigation.
Being able to describe the secure practices in all phases of software development.
Ensuring a secure IT infrastructure is in place, endpoints of the firewall are adequately tracked for various breaches and compromises.
Reviewing and ensuring that incidence response and disaster recovery is a high priority that has been thoroughly tested.
Institute 27001 security measures and controls
Conducting periodic security assessments and monitoring the results from the findings for remediation purposes
Abiding by all legal and regulatory mandates
TISAX is broken down into three assessment levels based on the sensitivity of the data processed by the supplier. The levels:
Suppliers who manage data considered low to moderate sensitivity levels. At this stage, organizations should be conducting a self-assessment by means of a questionnaire called the Information Security Assessment (ISA)
Suppliers dealing with highly sensitive information. Although level 2 utilizes the ISA questionnaire for self-assessment, like level 1, level 2 takes it a step further and mandates the validation of the self-assessment by an independent external auditor.
Designed to handle extremely sensitive data. As a result, the TISAX criteria become much more comprehensive by means of incorporating extra security measures tailored to protect data management. The main difference is that level 3 also demands on-site physical checks and balances, and requires face-to-face interviews conducted by the independent auditor.
How does your organization get TISAX certified?
There are several different procedural steps within this assessment. However, the best means to obtain an in-depth, clear understanding is to download and consult the TISAX participant handbook. This can be obtained through www.enx.com or engage Needling Worldwide to assist in the process.
As far as TISAX certification costs, this can vary greatly depending on the size of the company, the extent of the security posture, and what their ultimate goal is in relation to the importance of the data they’re responsible for securing and maintaining.
Comments