The TISAX standard – how to build credibility for a company operating in the automotive industry?

Do you run an automotive company or provide services to the automotive industry? You are no doubt still looking for ways to expand your domestic customer base, or perhaps even enter global markets. You also know that you operate in an extremely competitive sector. To attract the attention of potential business partners, it is not enough simply to offer them a high-quality product. Nowadays, a brand’s image is influenced by the quality of all the processes taking place within the company. Great importance is attached to information security – particularly crucial in the automotive industrie, where vast amounts of data are constantly exchanged, which can determine the success of vehicles brought to market.

What is the purpose of participating in the TISAX programme?

The automotive industry relies heavily on know-how, and protecting this knowledge poses a major challenge due to the extensive supply chain. Every year, leading manufacturers launch several new car models, competing to implement increasingly innovative solutions. The key to sales success lies, for example, in maintaining the confidentiality of technological processes or keeping prototype designs secret prior to the vehicle’s official launch. That is why information security has become one of the most important criteria for selecting business partners. Only those who can demonstrate that the processes within their organisation comply with the highest data protection standards are considered trustworthy.

Modern companies usually manage areas of their operations such as service quality and data confidentiality responsibly. However, for many years the automotive industry lacked a common system which, on the one hand, would allow for the harmonisation of security standards and, on the other, would spare both parties in a business relationship time-consuming and costly audits. TISAX (Trusted Information Security Assessment Exchange) is precisely such a standardised tool for assessing information security. A company that joins this programme and is granted the right to use the globally recognised TISAX mark gains the status of a trusted partner capable of meeting the expectations of current and potential customers. It’s hard to imagine better advertising for your brand!

What is TISAX and how did it come about?

TISAX is a tool for verifying the effectiveness of data protection systems in companies within the automotive industry, and at the same time an international standard for managing the security of such information. It strictly defines the processes required to maintain the desired level of confidentiality and provides guidelines for implementing them within a specific type of organisation. TISAX was developed by the VDA (German Association of the Automotive Industry), which has been addressing data security issues for many years. It brings together manufacturers of brands such as BMW, Mercedes-Benz, Audi, Opel, Ford, Volkswagen, and hundreds of other companies. In 2017, the Association published VDA ISA (Information Security Assessment) – an Information Security Assessment Standard based on ISO 27001, but extending it to include issues specific to the automotive sector. The VDA ISA checklist has become the basis for the TISAX model. The platform for information exchange between participants is the www.enx.com portal, managed by the independent association ENX (European Network Exchange), which monitors the quality of the audits carried out and their results.

Uniform information security standards, together with a platform through which the credibility of a potential partner in this area can be verified (or – for a party wishing to demonstrate its own credibility – easily proven), have significantly simplified and accelerated the procedures for assessing information security risks. Before the TISAX model was established, companies operated on the basis of their own checklists, and entering into any partnership involved a lengthy and costly audit process. For the client, this could mean, for example, a delay in deliveries. The audited entity, meanwhile, had to constantly prove its reliability in terms of data protection, often facing the need to meet the conflicting requirements of two contractors. Thanks to participation in the TISAX programme, the verification of a potential partner can be reduced to viewing their assessment on the ENX platform. TISAX members mutually recognise these assessments, and operating under a unified data protection standard eliminates the need for additional audits.

Who can benefit from participating in TISAX?

The TISAX programme was originally aimed at representatives of the automotive industry, such as:

• vehicle manufacturers,
• manufacturers of automotive components and parts,
• manufacturers of consumables,
• software developers,
• car service centres.

However, it soon became apparent that it has practical applications for all entities working with the automotive sector, in particular:

• wholesalers and retail chains,
• transport and freight forwarding companies,
• IT service providers,
• companies providing industry training,
• agencies running promotional campaigns.

TISAX is a flexible tool that offers a range of assessment criteria depending on:

• the nature and volume of information processed (small businesses do not have to meet such high requirements as those handling large volumes of confidential data),
• the organisation’s maturity in security management (regardless of their level, companies can join the programme and improve within its framework).

Therefore, any company in the automotive sector interested in developing its business can join the programme.

Participation in TISAX can be passive or active. In the first case, membership of the programme enables a company to request an assessment of another company (or access to the results of a security standards assessment that has already been carried out), thereby obtaining key information to facilitate the selection of a suitable supplier. Active participants, on the other hand, may (at the request of a potential contractor or on their own initiative) undergo an audit for VDA ISA compliance. Upon passing the audit, they gain the right to use the TISAX mark. For clients, this serves as confirmation that the company manages information security in accordance with the highest standards and that cooperation can be established without further checks.

The scope of the TISAX standard and ISO 27001

Do companies holding ISO 27001 certification need to join TISAX, given that they have already implemented an international information security management standard? Although participation in the programme is voluntary, in practice all major companies in the automotive industry expect their partners to demonstrate documented compliance with VDA ISA, which is most easily confirmed through participation in TISAX. The advantage of TISAX over ISO 27001 lies precisely in the fact that the former enables the mutual exchange of audit results. ISO 27001 certification significantly facilitates the introduction of standards compliant with VDA ISA requirements, but in itself does not guarantee that a given entity offers a sufficiently high level of data security. Nor does it ensure credibility in the eyes of all potential partners in the automotive sector.

The information security standard that forms the basis of the TISAX system aligns with ISO 27001, but extends it to cover issues of particular relevance to the automotive industry, in areas such as:

• identification and monitoring of security zones (e.g. regulations regarding visitor access),
• utility supply (electricity, telecommunications connections, etc.),
• classification of information in terms of its confidentiality,
• definition and monitoring of KPIs in information security processes,
• database encryption and the use of cloud solutions for data storage.

Considerable attention has been paid to the issue of the physical security of prototypes – a topic not covered by ISO 27001 – such as the security of the company’s premises and their surroundings. When joining TISAX, organisations must also meet additional requirements regarding the protection of personal data and dealings with third parties.

What are the benefits of implementing the TISAX standard?

As can easily be deduced from the description of the TISAX programme, by deciding to join it, your company will reap a number of significant benefits. First and foremost, it will fulfil one of the most important conditions for cooperation with automotive manufacturers, thereby gaining a competitive advantage over companies that are not authorised to use the TISAX mark. By demonstrating your organisation’s maturity in data protection, you will positively influence its market position and reputation among current and potential business partners, customers and employees. You will also meet legal requirements regarding data management, thereby gaining the trust of regulatory authorities.

Implementing the TISAX standard will have a direct impact on the quality of your company’s operations and its profitability. Having an efficient data security management system, standardised across the entire automotive industry, means:

• minimising risks in this area of operation,
• minimising the costs associated with the risks incurred,
• better communication with other entities in the supply chain,
• greater efficiency in meeting customer needs,
• the ability to establish cooperation with new contractors more quickly,
• the ability to easily assess the security of cooperation with your own suppliers.

How does the implementation of the TISAX standard work?

If your company decides to join TISAX, it will need to follow a multi-stage standardisation process.

1. Aligning the information security management system with the guidelines set out in VDA ISA, which will enable a smooth transition through the subsequent stages. At this stage, it is advisable to seek the support of an expert in TISAX implementation.
2. Registration on the ENX platform using the online form. This stage involves providing a range of information about the company.
3. Selecting an assessment objective from those listed, which serves to determine the level of requirements that the entity must meet.
4. Conducting a self-assessment (using the tools available on the TISAX platform) of the maturity of the company’s information security management system.
5. If necessary – making the necessary adjustments to the company’s information security management system.
6. An audit carried out by a TISAX-accredited body to assess the actual compliance of the information security management system with the VDA ISA.
7. If necessary – implementing corrective actions to address any non-conformities (e.g. staff training).
8. A scoring assessment, on the basis of which the company is granted the right to use the TISAX mark for 3 years (provided that none of the relevant parameters change during that time).
9. Publication of selected parts of the assessment on the ENX platform so that they are available to all TISAX participants or specific recipients.

The implementation timeframe depends on a number of factors – not only on the maturity of the information security management system, but also, for example, on the size of the company or the nature of its business. You must also take into account the potential costs associated with adapting current data security standards to TISAX requirements. However, if you are planning to expand your business, this process is essential not only for reputational reasons. It is a prerequisite for securing major clients and operating in international markets.