Jul 02, 2021

Main Challenges of Compliance with TISAX®

The industry-wide enforcement of the TISAX® VDA Information Security Assessment (VDA ISA) applies to all companies of the German automotive supply chain: auto manufacturers and OEMs, partners and suppliers.

The automotive cybersecurity market is estimated to grow by $1.92 bn during 2021-2025, at a CAGR of 17%. As the demand for security rises, so do the legal requirements that automotive regulations impose on car manufacturers all over the world.

Companies in the automotive sector require a reliable and working framework for the identification of information security risks, regular updates of risk assessments, and response to digital challenges, along with implementing other required processes.

What is TISAX®

Since 2017, TISAX® as one of the most used standards in the automotive sector has acted as an assessment and exchange mechanism through which organizations can conduct audits and assure compliance with the information security requirements catalog developed by the German automotive group Verband Deutscher Automobilindustrie (VDA).

Even if companies aren’t based in Germany and produce only a single component that will ultimately end up in a German vehicle, their network still falls under the purview of those requirements, so they need to use TISAX® to complete an information security assessment.

Challenges on the way to TISAX® Certification

Since TISAX® is only a few years old, many companies are still looking for the right approach to its successful implementation and an effective way to deal with the arising challenges.

The cumbersome process of ISMS creation and documentation compatible with VDA ISA / TISAX®

When preparing for TISAX® certification, you will have to get ready for an ISMS implementation from scratch or rework your existing ISMS based on ISO 27001 considering TISAX® requirements.

If you need to go through the entire process of ISMS establishment, the SCM solution combines security compliance assessment, risk management, performance control, and monitoring as well as a single communication channel, all in one solution, based on the PDCA cycle.

TISAX® vs ISO 27001: How to transform an ISO/IEC 27001 ISMS to TISAX®?

Compliance with ISO 27001 and the Trusted Information Security Assessment Exchange (ENX TISAX®) go hand in hand. Since ENX TISAX® is ISO 27001-based, certain requirements and controls may coincide. Running TISAX® on the basis of your existing information security management system without tooling, however, tends to end in overwhelming manual work: because some requirements of TISAX® and ISO 27001 overlap, maintaining them separately leads to duplicated effort, human errors, and poor time management.

When building TISAX® compliance on the basis of an existing ISMS, it may take your compliance team some time and effort to review those 52 controls for ISMS establishment. A compliance management solution is able to speed up this process by substantially reducing the amount of work. The controls from ISO 27001 that are already implemented in the organization can be reused for TISAX®. What is more, our system allows you to manage your contribution to both standards.

Meeting multiple data security requirements of TISAX®

Data security regulations like TISAX® are multifaceted, requiring the coordination of efforts of multiple departments within an organization, along with multiple vendors, partners, and advisors. Even requirements for a single section of the guidelines can involve coordination between groups of stakeholders and solutions from several different vendors. Tracking all the TISAX®-related activities is often confusing and time-consuming, and here’s where a GRC solution can help to keep track of all your activities.
In order to streamline the TISAX® certification process, automotive organizations use solutions that address multiple standards and involve automation. That reduces workloads on company resources and reduces the number of solutions (and the number of investments) a company needs to meet its obligations.

Compliance Aspekte enables easy coordination and optimization of the diversity and complexity of assets in line with business objectives and priorities. It allows you to view your compliance program holistically without missing anything important.
SCM is designed to help you establish effective ISMS process management and assure the required levels of information security protection.

Protection of sensitive data

The protection of personally identifiable information (PII) is also required by TISAX®. You must define the sensitivity of files containing PII, and classify and protect them (section 18.2). SCM provides you with additional requirements for an ISMS to manage the PII processing. You can also use frameworks for PII Controllers and PII Processors to cover data privacy.

Strict access control

Section 9 of the VDA ISA security assessment defines the requirements for access control: standards for policies and procedures related to user registration, permission management, sensitive data access, and other aspects of access management.
A standardized tool-driven approach allows you to save time and effort on repetitive work, as these requirements can be imported from existing ISMS.

Establishing prototype protection

TISAX® particularly focuses on proper prototype protection. If the supplier works with prototypes, the related sensitive information must be secured against leakage and breaches. TISAX® has 22 additional controls for such companies to adhere to.

Compliance Aspekte provides all the controls for prototype protection, well structured and organized in the system.

Running third-party assessments

If the supplier is connected to an IT network or similar exchange that involves sharing of sensitive data, TISAX® requires third-party evaluations to be carried out and documented.
With SCM, you will have controls for the evaluation of other parties involved right in the system.

Audit preparation

Getting ready for a TISAX® audit for the first time can be quite cumbersome. Which maturity level to choose? What is the proper answer to a control question? What is the status of all your requirements? Who is responsible for fulfilling this task? Dealing with all these aspects at once without a dedicated tool is daunting.
The ENX TISAX® audit reporting process requires automation using modern GRC (Governance, Risk management, and Compliance) systems.

A tool-driven approach for TISAX® certification

Compliance Aspekte is a solution that fully supports the new VDA ISA catalogue version 5.0. It contains the requirements for "Information security", "Data protection" and "Prototype protection", grouped into corresponding modules.

In the system, you can assess each requirement/control question by assigning levels of maturity. SCM greatly simplifies the assessment and decision-making processes due to the granular display and the possibility to conduct separate assessments. You can also view the criticality (must, should, high) and details of each requirement (related documents, responsible person, tasks assigned, other information), and its implementation status. In SCM, you can also create tasks or add individual controls. The results of self-assessments are displayed on a dashboard, so you always know where you are at.

TISAX® is a registered trademark of the ENX Association. Infopulse GmbH has no business relationship with ENX. Mentioning the TISAX® brand does not imply any statement by the brand owner on the suitability of the services advertised here.
