TISAX is a European information and cyber-security assessment standard developed to protect data within the automotive industry. It is used to assess organizations across the automotive supply chain and allows the results to be shared with business partners on a designated, non-public platform.

What is TISAX? 

The single-industry security framework is governed by the ENX Association on behalf of the German Automobile Industry Association (the VDA). TISAX stands for Trusted Information Security Assessment Exchange.

TISAX is based on the set of security requirements set out in the VDA Information Security Assessment (ISA), a questionnaire maintained by the VDA that draws on many of the controls of ISO 27001 and adds requirements for prototype protection and data protection.

Depending on the protection needs of the data an organization has access to, it is assessed at one of three assessment levels (read more about the levels below).

TISAX certification confirms that an organization's information security management system meets the requirements TISAX sets for the chosen assessment level. Strictly speaking, ENX does not issue certificates but TISAX labels that document the assessment result; the term "certification" is used on this page in its everyday sense.

Once certification is obtained, results are stored and accessed on a platform overseen by the ENX Association.

What is the purpose of TISAX? 

The automobile supply chain is a long one – OEMs (original equipment manufacturers) work with a network of many suppliers and partners that contribute to getting new cars from the drawing board to the road. Sensitive information is shared among them in order to get the job done, and insufficient data protection anywhere along the chain can lead to data loss or theft.

To protect trade secrets, prototype information, customer information and other confidential data within the automotive industry, a TISAX certification is required by most major German OEMs from their partners in the automobile production and distribution chain.

The aim is that data stays secure during the design, manufacturing and distribution phases of automobile production.

Not only that, but an organization that can prove its TISAX compliance has a competitive edge over others who do not, making it trustworthy in the eyes of potential customers.

What is the scope of TISAX? 

Most major players in the German automotive industry require a TISAX certification from the organizations they do business with. Although it originated in Germany, TISAX is recognized internationally.

All automotive suppliers and service providers who process sensitive information should obtain their TISAX certification. If it isn't required by your current customers, it may be in the future, and in the meantime you will demonstrate to customers that data security is a serious consideration for you.

TISAX Assessment Levels 

There are three levels of assessment in TISAX, because cooperation between OEMs and their suppliers comes in different scales and degrees of complexity. The audit method required to obtain a TISAX certification is specific to each level.

In theory, each organization can decide for itself which level of assessment it wants to comply with. In practice, the OEMs specify the assessment level they require from organizations they do business with.

  • Level 1: A "normal" protection level. The organization is only required to complete a self-assessment questionnaire. This level is rarely accepted by business partners and is mostly used internally.
  • Level 2: A "high" protection level. An approved audit provider follows up on the self-assessment with a plausibility check done remotely (by phone or web conference). This means a document-based interview and a review of the evidence provided.
  • Level 3: A "very high" protection level. An on-site inspection, interviews and an ISMS (information security management system) assessment are carried out by an approved audit provider, who physically visits the organization. If the organization has more than one location in scope, each of them may be visited by the auditor.

How to implement TISAX

In order to get a TISAX certification, an organization needs to follow these steps in the assessment:


1st step: Preparation

Anyone interested in TISAX certification needs to register as a TISAX participant on the TISAX portal. This is the only way that an organization can get assessed and have access to the TISAX platform to share and receive TISAX results.

This is also the time to study the VDA ISA requirements and to define which locations and processes the assessment will cover.


2nd step: Self-assessment

No matter which assessment level an organization chooses to comply with, the self-assessment questionnaire (the VDA ISA) is mandatory; it is the basis for everything that follows.


3rd step: Audit

For levels 2 and 3, the organization needs an approved auditor to conduct a remote plausibility check or on-site assessment visit.


4th step: Optimization

After the audit, the auditor will draw attention to any findings that need to be addressed, and the organization will need to put together an action plan. After further action by the organization and follow-up checks by the auditor, the assessment is completed.


5th step: Results

The auditor will upload the organization's TISAX report to the designated platform. The organization then decides which participants may access the results and to what extent. Results are never publicly available.

Warning: A TISAX certification is valid for 3 years, after which the whole process must be repeated. There are no interim checks during this period, so the organization itself is responsible for keeping its controls effective in between.

How Safetica helps you comply with TISAX

As mentioned above, TISAX requires that data stays secure during the design, manufacturing and distribution phases of automobile production. The Safetica solution is a tool for processing that data electronically in a controlled way.

With Safetica, it is easier to meet the TISAX requirements that relate to data protection. You'll have a better overview of how automotive production-related data are handled, see how employees treat such sensitive data, and minimize the risk of sensitive and personal data being misused. When there's a security threat, you'll be notified in real time.

1. Company Security Policy Compliance

Safetica makes it possible to monitor user operations across an entire organization. It can recognize sensitive information and generate reports on how data is processed.

Based on its data classification, Safetica can apply DLP (data loss prevention) policies that enforce the selected security policies and the desired user behavior whenever users interact with personal or sensitive information. This helps employees follow best practices and prevents unsecured or prohibited ways of storing and working with sensitive data.

2. Sensitive Data Visibility

Knowing where your sensitive data is stored and how your employees process it is essential: you need to be sure that data processing is secured and to reduce the risk of data leakage.

Safetica's detailed file and user operation monitoring and audit provide an overview of information flows and of where critical sensitive data is stored, together with detailed information about:

  • which external parties and storage locations have been contacted, and
  • which of these received the organization's sensitive data.

3. Data Leakage Notification

If you experience a security event related to sensitive data leakage, you need to be informed of the incident immediately so you can react and minimize its impact, or, better yet, prevent the information from leaking at all.

If an actual or attempted data security incident occurs, Safetica's real-time email alert system notifies the appropriate personnel. It promptly reports the incident with enough detail for management to assess the impact and take follow-up action.

Safetica also keeps extensive audit records of operations performed on sensitive data. This helps to establish the depth of a breach, the sensitive documents concerned, and the individuals affected.

Using API integration, all records can be sent to a SIEM or to data analytics tools, e.g., Power BI or Tableau.
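As an added illustration (this is not Safetica's code; the page does not describe Safetica's actual classifiers, policy model or export format), the Python block below sketches the mechanics behind the three points above: classify file content, evaluate a file operation against a destination policy, collect the resulting alerts, and emit the records as JSON lines for a SIEM. The rule names, the policy table, the record fields and the sample operations are all constructed for this example.

```python
"""Constructed DLP audit triage example: classify -> apply policy -> alert -> export.

Hypothetical throughout: not Safetica code, and every rule, field and
sample record below was made up for the illustration.
"""
import json
import re
from dataclasses import dataclass, asdict

# Hypothetical classification rules: label -> regex that marks content as sensitive.
CLASSIFIERS = {
    "prototype": re.compile(r"\bproto(type)?[-_ ]?[A-Z]\d{3}\b", re.IGNORECASE),
    "personal": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),   # e-mail address as a PII proxy
    "vin": re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"),              # vehicle identification number
}

# Hypothetical policy: destinations each label may flow to, and what to do otherwise.
# "block" outranks "alert" when several labels apply to the same operation.
POLICY = {
    "prototype": {"allowed": {"internal_share"}, "action": "block"},
    "vin": {"allowed": {"internal_share", "oem_portal"}, "action": "block"},
    "personal": {"allowed": {"internal_share", "oem_portal"}, "action": "alert"},
}


@dataclass
class FileOperation:
    """One audit record as an endpoint agent might log it (constructed shape)."""
    user: str
    path: str
    destination: str      # e.g. internal_share, oem_portal, usb, webmail, personal_email
    content_sample: str   # text extracted from the file


@dataclass
class Verdict:
    user: str
    path: str
    destination: str
    labels: list
    action: str           # allow | alert | block


def classify(text):
    """Return the sorted list of classification labels whose pattern matches."""
    return sorted(label for label, rx in CLASSIFIERS.items() if rx.search(text))


def evaluate(op):
    """Apply the policy to one operation; the most severe applicable action wins."""
    labels = classify(op.content_sample)
    action = "allow"
    for label in labels:
        rule = POLICY[label]
        if op.destination in rule["allowed"]:
            continue
        if rule["action"] == "block":
            action = "block"
        elif action == "allow":
            action = "alert"
    return Verdict(op.user, op.path, op.destination, labels, action)


def triage(ops):
    return [evaluate(op) for op in ops]


def alerts(verdicts):
    """Records that should trigger the real-time notification path."""
    return [v for v in verdicts if v.action != "allow"]


def to_siem(verdicts):
    """One JSON object per line, the shape most SIEM collectors ingest."""
    return "\n".join(json.dumps(asdict(v), sort_keys=True) for v in verdicts)


# Constructed sample audit records: two copies of a prototype CAD file going to
# different destinations, a driver list leaving via webmail, and a harmless file.
SAMPLE_OPS = [
    FileOperation("a.mueller", "/cad/proto-B204_chassis.step", "internal_share",
                  "Prototype B204 chassis revision 7"),
    FileOperation("a.mueller", "/cad/proto-B204_chassis.step", "usb",
                  "Prototype B204 chassis revision 7"),
    FileOperation("j.novak", "/hr/test-drivers.csv", "webmail",
                  "jan.novak@example.com, WVWZZZ1JZXW000001"),
    FileOperation("j.novak", "/docs/canteen-menu.pdf", "webmail",
                  "Monday: soup"),
]

if __name__ == "__main__":
    verdicts = triage(SAMPLE_OPS)
    for v in alerts(verdicts):
        print(f"{v.action.upper():5} {v.user} {v.path} -> {v.destination} {v.labels}")
    print(to_siem(verdicts))
```

Running the block flags the USB copy of the prototype file and the webmail transfer of the driver list, and leaves the internal share copy and the menu alone. In a real deployment the classifiers would be far richer (fingerprints, OCR, document properties) and the policy would come from a central console, but the decision flow and the audit record a SIEM receives look like this.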



Author
Kristýna Svobodová
Content Strategist @Safetica
