Jul 02, 2021

Resolving Main Challenges of TISAX Implementation

The industry-wide enforcement of the TISAX VDA Information Security Assessment (VDA ISA) applies to all companies of the German automotive supply chain: auto manufacturers and OEMs, partners and suppliers.

The automotive cybersecurity market is estimated to grow by $1.92 bn during 2021-2025, with the CAGR increasing by 17%. The higher the demand for security, the stricter the legal requirements imposed on car manufacturers all over the world.

Companies in the automotive sector require a reliable and working framework for the identification of information security risks, regular updates of risk assessments, and response to digital challenges, along with implementing other required processes.

What is TISAX

Since 2017, TISAX, as one of the most used standards in the automotive sector, has acted as an assessment and exchange mechanism through which organizations can conduct audits and assure compliance with the information security requirements catalogue developed by the German automotive group Verband Deutscher Automobilindustrie (VDA).

Even if companies aren’t based in Germany and produce only a single component that will ultimately end up in a German vehicle, their network still falls under the purview of those requirements, so they need to use TISAX to complete an information security assessment.

Challenges of TISAX Certification

Since TISAX is only a few years old, many companies are still looking for the right approach to its successful implementation and an effective way to deal with the arising challenges.

Cumbersome process of ISMS creation and documentation compatible with VDA® ISA / TISAX

When preparing for TISAX certification, you will have to get ready for an ISMS implementation from scratch or rework your existing ISMS based on ISO 27001 considering TISAX requirements. 

If you need to go through the entire process of ISMS establishment, the SCM solution combines security compliance assessment, risk management, performance control, monitoring, and a single communication channel in one solution based on the PDCA cycle.

TISAX vs ISO 27001: How to transform an ISO/IEC 27001 ISMS to TISAX?

Compliance with ISO 27001 and the Trusted Information Security Assessment Exchange (ENX TISAX®) go hand in hand. Since ENX TISAX is based on ISO 27001, certain requirements and controls may coincide. Running TISAX on the basis of your existing information security management system can end up in overwhelming manual work: some requirements of TISAX and ISO 27001 overlap, and their maintenance may lead to human errors and insufficient time management.

When building TISAX compliance on the basis of an existing ISMS, it may take your compliance team some time and effort to review those 52 controls for ISMS establishment. A compliance management solution can speed up this process, considerably reducing the amount of work. The controls from ISO 27001 that are already implemented in the organization can be reused for TISAX. What is more, SCM allows managing your contribution to both standards.

Meeting multiple data security requirements of TISAX

Data security regulations like TISAX are multifaceted, requiring the coordination of efforts of multiple departments within an organization, along with multiple vendors, partners, and advisors. Even requirements for a single section of the guidelines can involve coordination between groups of stakeholders and solutions from several different vendors. Tracking all the TISAX-related activities is often confusing and time-consuming, and this is where a GRC solution can help you keep track of all your activities.
In order to streamline the TISAX certification process, automotive organizations use solutions that address multiple standards and involve automation. That reduces the workload on company resources and reduces the number of solutions (and the amount of investment) a company needs to meet its obligations.

Infopulse Standard Compliance Manager enables easy coordination and optimization of the diversity and complexity of assets in line with business objectives and priorities. It allows you to view your compliance program holistically without missing anything important.
SCM is designed to help you establish effective ISMS process management and assure required levels of information security protection.

Protection of sensitive data  

The protection of personally identifiable information (PII) is also required by TISAX. You must define the sensitivity of files containing PII, classify and protect them (section 18.2). SCM provides you with additional requirements for an ISMS to manage the PII processing. You can also use frameworks for PII Controllers and PII Processors to cover data privacy.

Strict access control

Section 9 of the VDA ISA security assessment defines the requirements for access control: standards for policies and procedures related to user registration, permission management, sensitive data access, and other aspects of access management.
A standardized tool-driven approach allows you to save time and effort on repetitive work, as these requirements can be imported from existing ISMS.

Establishing prototype protection

TISAX particularly focuses on proper prototype protection. If the supplier works with prototypes, the related sensitive information must be secured against leaks and breaches. TISAX has 22 additional controls for companies to adhere to.
Infopulse SCM provides all the controls for prototype protection, well structured and organized in the system.

Running third-party assessments

If the supplier is connected to an IT network or similar exchange that involves sharing of sensitive data, TISAX requires third-party evaluations to be carried out and documented.
With SCM, you will have controls for the evaluation of other parties involved right in the system.

Audit preparation

Getting ready for a TISAX audit for the first time can be quite cumbersome. Which maturity level to choose? What is the proper answer to a control question? What is the status of all your requirements? Who is responsible for fulfilling this task? Dealing with all these aspects at once without a specific tool is daunting.
The ENX TISAX® audit reporting process requires automation using modern GRC (Governance, Risk management, and Compliance) systems.

A tool-driven approach for TISAX certification

Infopulse SCM is a solution that fully supports the new VDA ISA catalogue version 5.0. It contains the requirements for “Information security”, “Data protection” and “Prototype protection” that are grouped in corresponding modules.

In the system, you can assess each requirement/control question by assigning levels of maturity. SCM greatly simplifies the assessment and decision-making processes due to the granular display and the possibility to conduct separate assessments. You can also view the criticality (must, should, high) and details of each requirement (related documents, responsible person, tasks assigned, other information), and its implementation status. In SCM, you can also create tasks or add individual controls. The results of self-assessments are displayed on a dashboard, so you always know where you are at.

Request a trial


Benefit from free usage of the Infopulse SCM for 3 months to find out how the solution can optimize and streamline your compliance management. Please fill out this form and choose the standards and features you are most interested in. Our consultants will be glad to deliver a personalized webinar for you, explaining step by step all the benefits of SCM adoption.