Business relationships at the corporate level involve the delivery of services and/or products, as well as the exchange of a significant amount of information, which is considered the most valuable element for an organization.
Today, globalization of relationships and networked work has brought significant benefits to companies, such as access to international markets, reduced production costs, increased competitiveness, and service quality. However, this also comes with previously unknown risks due to various technological processes that enable it.
As a result, organizations must control the risks they are exposed to by establishing standardized information security measures for all involved parties, ensuring protection throughout the value chain.
In this regard, the German Association of the Automotive Industry (VDA) has developed a methodology for evaluating information security uniformly across the automotive industry, called TISAX (Trusted Information Security Assessment Exchange).
What is TISAX?
It is a security standard aimed at guaranteeing and accrediting applied information security, among other aspects, for suppliers related to major German automotive manufacturers.
It is based on a maturity-oriented security approach aimed at establishing standardized levels of information security in the industry, saving costs and efforts for manufacturers and suppliers, and enabling common recognition of efforts made to protect information.
Requirements for TISAX Compliance
The requirements for compliance with the TISAX standard are outlined in the current version 5.1 of the “Information Security” module of VDA, which contains all the necessary security controls applicable to companies and collaborators in the automotive industry.
VDA requirements are divided into three blocks of controls:
- Information Security: 41 security questions distributed across the following blocks:
  - Information Security Policies
  - Information Security Organization
  - Asset Management
  - Risk Management
  - Assessments
  - Incident Management
  - Human Resources
  - Physical Security and Business Continuity
  - Identity Management
  - Access Management
  - Cryptography
  - Operations Security
  - Acquisition, Requirement Management, and System Development
  - Supplier Relationships
  - Compliance
- Protection of Prototypes: 22 questions distributed across the following blocks:
  - Physical and Environmental Security
  - Organizational Requirements
  - Handling of Vehicles, Components, and Parts
  - Requirements for Test Vehicles
  - Requirements for Events and Shootings
- Data Protection: a single block with 4 questions about personal data protection.
For each control question, organizations must define the objectives to be achieved, specifying mandatory (“must”) objectives, recommended (“should”) objectives, as well as requirements for high and very high protection needs.
The following table summarizes the security objectives to be met by organizations:
| Evaluation objective | Applicable requirements |
|---|---|
| High protection information | All requirements of the "Information Security" criteria catalog ("Requirements (must)" and "Requirements (should)"); additionally "Requirements for high protection needs" (if applicable) |
| Very high protection information | All requirements of the "Information Security" criteria catalog ("Requirements (must)" and "Requirements (should)"); additionally "Requirements for high protection needs" and "Requirements for very high protection needs" (if applicable) |
| Protection of parts and components | All requirements applicable to "High protection information" plus the requirements of the "Protection of Prototypes" chapter: • Physical and environmental security • Organizational requirements • Handling of vehicles, components and parts |
| Protection of prototype vehicles | All requirements applicable to "High protection information" plus the requirements of the "Protection of Prototypes" chapter: • Physical and environmental security • Organizational requirements • Handling of vehicles, components and parts |
| Handling of test vehicles | All requirements applicable to "High protection information" plus the requirements of the "Protection of Prototypes" chapter: • Organizational requirements • Handling of vehicles, components and parts • Requirements for test vehicles |
| Protection at events and filming | All requirements applicable to "High protection information" plus the requirements of the "Protection of Prototypes" chapter: • Organizational requirements • Handling of vehicles, components and parts • Requirements for events and filming |
| Data protection | All requirements applicable to "High protection information" plus the requirements of the "Data Protection" chapter |
| Protection of special data categories | All requirements applicable to "Very high protection information" plus the requirements of the "Data Protection" chapter |
The form defining TISAX requirements must be completed according to the criteria in the table above, indicating the maturity level for each defined question. It is essential to achieve a rating of 3 or higher, based on the 6 established maturity levels:
- Level 0: Incomplete
- Level 1: Performed
- Level 2: Managed
- Level 3: Established
- Level 4: Predictable
- Level 5: Optimized
How to Get TISAX Certified?
The first step is online registration with ENX (European Network Exchange), providing essential information about the organization, including:
- Participant’s Name.
- Primary Contact.
- Participant’s Address.
- Scope of Evaluation.
- Scope Locations.
The second step is the assessment against the standard, which is differentiated into 3 levels:
- Level 1: Designed for suppliers who only need to complete the VDA questionnaire and publish the self-assessment.
- Level 2: Established for more complex suppliers, requiring completion of the VDA self-assessment and random verification by an audit provider via video conference or phone call.
- Level 3: Designed for suppliers handling highly sensitive external data, requiring an on-site audit by an accredited audit provider.
Finally, after the audit is completed, a report with the organization’s results is issued. If the results are satisfactory, a certification is provided. TISAX certification is valid for 3 years, and there are no annual follow-up audits to verify compliance with the standard.
How Can We Assist You with TISAX Compliance?
TISAX implementation is essential for suppliers related to the automotive industry that need to protect the information managed within their organization. In this regard, GlobalSuite Solutions provides essential support for TISAX implementation, helping organizations manage security controls more efficiently.
Contact us to discover how we can help your organization meet established controls, protect your information, and improve your company’s information security!