For some time now, the automotive sector has been especially impacted by digitalisation and the wide adoption of software. The days when we expected cars merely to move us from point A to point B at low maintenance cost are gone. Cars have become multimedia devices in addition to performing their basic function, driving.
Car manufacturers are rushing to deliver fancier and fancier versions of cars to outrun the competition. The entire development process of a given vehicle model involves the whole supply chain that the Original Equipment Manufacturers (OEMs) collaborate with. The complexity of the automotive supply chain may surprise you: according to publicly available data, one of the German premium car OEMs works with approximately 60,000 direct suppliers worldwide (!).
In such a vast and diverse collaboration model, OEMs must be confident that, when sharing their secrets, prototype designs, innovative solutions, etc., their suppliers can ensure the highest standards of information protection. One possible way to handle this is to audit all suppliers before entering into cooperation. As successful as this method can be, it is used only in selected cases because of the high resource and effort requirements.
This challenge opened up a need for the definition of an automotive-specific security standard that suppliers would need to comply with – TISAX.
In this article, I’ll explain what TISAX certification is and tell you how Spyrosoft is achieving it.
TISAX – the origin and mechanism
In 2017, in order to establish common requirements for information security tailored specifically to the automotive industry, the German Association of the Automotive Industry (VDA), in cooperation with OEMs such as Audi, Daimler, Mercedes and Volkswagen, established TISAX® (Trusted Information Security Assessment Exchange). This group did not try to reinvent the wheel but built on the already established information security standard – ISO/IEC 27001 – Requirements for Information Security Management System – and added this extra “automotive flavor”.
In simple terms, TISAX is an information security assessment and exchange mechanism. This means that the first step for a company that wants to be TISAX compliant is to go through a set of security requirements defined in the VDA ISA catalogue and perform an assessment (first self-assessment and then assessment by an independent third-party audit provider). Once the audit results are positive, an organisation is issued with a TISAX label and the assessment results are exchanged on the ENX platform with other TISAX participants.
What differentiates ISO-based certifications of management systems from TISAX is that in the case of ISO, you get a certificate that you can publish on a website or send to anyone. With TISAX, you do not receive a certificate; instead, your assessment result information is visible on the ENX assessment exchange portal. If you want (or are requested) to exchange the details of the assessment information with other TISAX participants (business partner, client, company), you share a copy of that assessment information generated specifically for that unique TISAX participant.
TISAX – the structure
The TISAX label, or, as it is sometimes referred to, the “TISAX certificate”, is not the same for each company but reflects the scope and target maturity of the assessment chosen by an organisation.
The TISAX requirements scope in the VDA ISA catalogue is divided into 3 modules:
- Information Security requirements – obligatory
- Prototype Protection requirements – for organisations that work on prototype parts and components
- Data Protection – for organisations that process personal data according to Article 28 (“Processor”) of the European General Data Protection Regulation (GDPR)
Each module, apart from requirements grouped into categories “must” and “should”, defines additional ones – “high protection needs” and “very high protection needs”. This means that we move from basic security protection needs (“must” and “should” requirements) to the most rigorous (“high” and “very high”).
Once we decide which TISAX module is applicable to our organisation or which is required by our business partner, we can choose the target level we want to implement (or our business partner has indicated).
The maturity levels in TISAX, also called Assessment Levels (AL), are not a new idea. They are taken from well-known industry process frameworks such as CMMI or A-SPICE. We distinguish the following ALs in TISAX:
In order to achieve AL3 – Established, an organisation must implement all requirements defined in groups “must”, “should”, “high” and “very high”.
The difficulty of implementing TISAX requirements increases with the target maturity level you want to achieve. The automotive industry standard, and the expectation of OEMs and/or Tier 1 suppliers, is AL3 – Established – which means that the organisation has taken sufficient measures to ensure protection for information assets with high and very high protection needs. Levels 4 and 5 can be utilised internally in the company as part of continual improvement initiatives. However, business partners very rarely expect them from their suppliers.
As part of the assessment types, the following rules apply:
- AL1 – for AL1 in any module, only self-assessment needs to be performed by the organisation. It is not verified by any third party.
- AL2 – for AL2, apart from the self-assessment prepared by the organisation, an independent audit provider needs to be selected (the list of accredited audit providers is published in official TISAX resources). The audit provider reviews the self-assessment results and then performs a plausibility check. Such an assessment is usually performed remotely.
- AL3 – for AL3, both a self-assessment and the selection of an independent audit provider are required. This type of assessment always takes place on-site, on the company’s premises, at each of its locations declared to be aiming at AL3.
Interestingly, if an organisation stores and works with prototype parts and components, it must meet AL3 requirements at a minimum.
Spyrosoft has been awarded the AL3 TISAX label – Information Security with Very High Protection Needs – for its Wroclaw, Krakow and Zagreb locations.
TISAX at Spyrosoft
We’ve been observing the increasing adoption of TISAX since 2020 and we have been preparing for it ever since. With time, more and more OEMs expected their suppliers to implement TISAX. Today this “expectation” has evolved into a requirement, which means that suppliers without a TISAX label are not considered in quotation requests for new projects.
We started TISAX implementation as an internal project led by the Quality Management department. We made use of the already implemented and certified ISO 27001 Information Security Management System, so in this context, I view TISAX implementation not as another new standard to follow, but as an improvement of our already established policies and procedures.
Although TISAX is associated with the automotive industry, it is not sufficient to implement it only in the Automotive Business Unit. The general idea is that the whole system (or all company departments) must be aligned so that the same level of protection is provided regardless of where a given information asset is processed.
What benefits does TISAX give?
The benefits could be divided into 2 categories:
- Improved functioning of the existing Information Security Management System (more precisely, its policies, processes and procedures)
- Increased security awareness among employees
- Noticeable increase in new project quotation requests
- Less intense security scrutiny/audits performed by the customer at the project set-up
The last point perfectly sums up the overall TISAX philosophy – “Since you are TISAX certified, I know what security measures you had to implement to achieve that, so I’m confident my data will be handled with the highest protection standards.”
Formally, TISAX certification is not granted for an unlimited period. As with any company-wide management system, it needs to be kept alive, maintained, improved and periodically checked for compliance. In three years’ time, we will undergo an external re-assessment for the renewal of our TISAX labels.
We are not slowing down the pace and have already started TISAX implementation in our office in Timisoara, Romania.