Published: 12 Oct 2020
Raymond Mooney, PCQI, Business Development Manager at TÜV Nord, UK, outlines the requirements and advantages of the TISAX Standard for automotive businesses.
The automotive industry is a place where a significant amount of confidential information and data exists. For instance, a car manufacturer may share sensitive information with a supplier about a new model. This could relate to a marketing event such as a photoshoot or the development of a prototype vehicle that hasn’t been presented to the public yet.
Car manufacturers attach great value to protecting their information against theft or loss and to minimising reputational risk. To establish a common approach to information security across the supply chain, the Verband der Automobilindustrie (VDA), an organisation with more than 600 members including BMW, the Volkswagen Group and Daimler, developed the VDA Information Security Assessment (ISA) catalogue on which the Trusted Information Security Assessment Exchange (TISAX) label is based. The TISAX label is recommended by the VDA, and it is mandatory for doing business with certain VDA members.
The difference between TISAX and ISO 27001
Many organisations equate information security assessment with ISO 27001 certification. This is understandable, since it is a globally recognised standard. TISAX takes ISO 27001 as its foundation and adjusts it to make it automotive specific. Both approaches supply independent evidence that information is handled safely and securely. An organisation is assessed against a catalogue of criteria at the assessment level appropriate to its protection needs, and achieving the TISAX label through a rigorous assessment of the organisation's information security policies and processes demonstrates that it is a reliable partner in the automotive supply chain.
TISAX is based on ISO 27001 and follows its main principles, but there are also differences. The most important is that TISAX defines specifically what 'secure' means for information in the automotive industry, whereas ISO 27001 leaves room for interpretation. The TISAX catalogue contains specific sections on prototype vehicles, parts and components, the handling of test vehicles, and the protection of information during events, films and photoshoots.
Another difference is the assessment cycle. An ISO 27001 certificate requires annual surveillance audits, whereas a TISAX assessment is performed once and its result is valid for three years. ISO 27001 conformance is confirmed by a certificate, while TISAX conformance is confirmed by a label. Certification to ISO 27001 is achieved by meeting the requirements of the standard, while a TISAX label is awarded for meeting the requirements of the assessment objectives chosen at registration, assessed against the VDA ISA catalogue.
The current TISAX assessment objectives are:
- Information with high protection needs.
- Information with very high protection needs.
- Data protection, in line with Article 28 (Processor) of the European General Data Protection Regulation (GDPR).
- Data protection with special categories of personal data, in line with Article 28 (Processor) of the GDPR for the special categories of personal data specified in Article 9.
- Protection of prototype parts and components.
- Protection of prototype vehicles.
- Handling of test vehicles.
- Protection of prototypes during events and film or photo shootings.
Achieving the TISAX label
To achieve the TISAX label, a number of steps are required. The first is to register with ENX, the association that administers and manages the TISAX programme. As part of registration you define an assessment scope (which sites and processes are covered) and select assessment objectives based on the information you handle, the data protection required, the protection of prototype parts, components and vehicles, and the handling of test vehicles.
After registration you receive a 'scope excerpt'. The assessment objectives listed above are selected according to your company's scope and the required protection level (high or very high). Often, your customer will specify which assessment objectives you must meet.
An ENX-approved assessment provider, such as TÜV UK, performs the assessment against the chosen objectives. The assessment is carried out at assessment level two (for high protection needs, a plausibility check of your self-assessment with interviews) or assessment level three (for very high protection needs, verified on site). Before that, you must complete a self-assessment against the VDA ISA catalogue (assessment level one). If no nonconformances remain open, the assessment provider uploads the assessment report to the ENX portal and your TISAX label is published on the ENX platform, where you, as an active participant, control who may see the result.
Achieving the appropriate TISAX label is mandatory for doing business with a number of VDA vehicle manufacturer members. Apart from maintaining those business relationships, there are other benefits. Assessments by any TISAX assessment provider are mutually recognised, giving standardised results that are accepted throughout the automotive industry, so one assessment can serve several customers. After obtaining the label you decide how accessible your assessment results are to others: results are visible only to registered participants and are shared only with your explicit consent.
The TISAX process is also efficient in time and resources: an assessment is required every three years, compared to annual surveillance audits under ISO 27001. To conclude, TISAX demonstrates to stakeholders that your sensitive data is managed systematically and professionally in accordance with a relevant and comprehensive catalogue of information security controls.
Further details on the TISAX label can be found on TÜV Nord's website.