All you need to know about TISAX
The background to the creation of TISAX
The way businesses operate has been radically transformed in recent decades, with a huge increase in their dependence on IT. It is now unimaginable that a company would not use IT systems in almost every aspect of its operations. Supporting this requires ever-increasing IT capacity, an ever-stronger IT infrastructure and the right specialist skills to operate it. For a number of reasons, it is good practice for companies to outsource a large part of these tasks (the operation of the IT infrastructure, and even the infrastructure itself together with the applications running on it) to specialist external companies and then to consume them as cloud services.
Alongside the rise of cloud services, internet-connected IoT devices and Industry 4.0 are also on the rise. While this trend has many benefits, it also brings many new risks and dangers. Business operations have become highly dependent on the IT that supports them, and therefore on the companies that provide it. If the IT service supporting a process is unavailable, fails or is interrupted, the process it supports cannot function either. This can easily happen, whether due to a software failure, an operational problem or a cyber attack (e.g. ransomware), all of which can cause significant damage. Confidentiality is also at stake: the data in the systems that support the company's operations is confidential business information, and unauthorised access to it could result in unforeseeable business damage, loss or even legal consequences.
This makes it increasingly important for companies to ensure that not only their own information security systems, but also those of their suppliers, operate securely. The automotive industry, with its specific requirements and high quality and security standards, makes this particularly important. To ensure this, the German automotive industry's trade association (VDA - Verband der Automobilindustrie / German Association of the Automotive Industry) established an automotive information security requirements and auditing system called TISAX (Trusted Information Security Assessment Exchange) in 2017. Although these requirements had already been partially reflected in various automotive quality management standards, TISAX brought them together in a unified form, standardising the cybersecurity expectations for automotive stakeholders. The TISAX standard has two major advantages: on the one hand, it defines a uniformly high level of security to be achieved, and on the other hand it creates a common denominator. For a large automotive supplier working with several manufacturers, it would be a challenge to achieve and harmonise compliance with different and stringent requirements from one manufacturer to another, not to mention providing assurance, such as conducting separate audits per manufacturer. The TISAX requirements framework summarises the information security expectations for automotive suppliers in a uniform format, so that all automotive manufacturers and customers interpret, audit and accept it in the same way; it is therefore usually set as a starting point for becoming an automotive supplier.
Risks in the automotive industry posed by the third parties
In Gartner's 2019 survey, compliance leaders, regardless of industry, identified third-party risk as the biggest threat, and it has remained dominant since. No organisation operates completely autonomously: all have outsourced operations and suppliers that must be provided with sensitive data or access rights in order to perform their roles in the supply and value chains. A common attacker approach is to attack suppliers with weaker security measures, which is easier to execute, rather than the well-protected organisation that is the primary target. This also allows attackers to obtain the sensitive data or access privileges they are after, which can then be used for further attacks.
This is also true for the automotive industry, which is highly competitive and fast-growing, and Hungary has a large stake in it because of the factories and the many suppliers operating in our country. The competitive advantage provided by new developments and innovations is key, which is why the TISAX standard and the ISA assessment on which it is based focus on the requirements for the security and confidentiality of developments. One of the most striking aspects is that prototypes are still mainly protected from spy photographers by camouflage, yet there have also been numerous reports of industrial espionage aimed at obtaining sensitive data on industrial developments, which, in line with current trends, also takes place in cyberspace.
TISAX was created because car manufacturers needed to manage the risks posed by suppliers with inadequate levels of information security. TISAX covers the information security requirements that VDA members (e.g. well-known car, bus and truck manufacturers and component manufacturers) expect from their suppliers, based on the controls of the widely known ISO 27001 standard, but it also includes a number of specific elements.
The structure of TISAX
The TISAX standard is based on two important documents: the Participant Handbook, which contains the rules for obtaining certification, and the VDA Information Security Assessment (ISA) table, which contains the information security requirements.
To understand the logic behind the information security requirements set by TISAX, it is also necessary to review the assessment objectives detailed in the ENX TISAX Participant Handbook (current edition: v2.5.1). The assessment objectives depend on the data that automotive manufacturers and other partners provide to the supplier, and they also determine the security measures to be applied.
The supplier must select the activities it carries out and apply the corresponding security measures. If these are met, the supplier is awarded TISAX certification. The assessment objectives can be grouped into three categories:
- General information security (transferred information to be protected)
- Prototype protection (transferred prototype parts and vehicles to be protected)
- Data protection (personal data transferred, processed)
Information security requirements
Assessment against the general information security catalogue is mandatory for all assessments. Within the information security criteria, the controls to be applied depend on the identified protection need. Fulfilment of the other two criteria is optional and depends on the assessment objectives selected by the supplier. Prototype protection covers the handling and presentation of developed prototypes and individual components at photo shoots and other events, as well as their general physical protection, while the assessment of data protection requirements covers GDPR-relevant issues.
The TISAX requirements for information security are based on the controls of ISO 27001, which are clearly mapped to each other in the ISA table. However, the ISA requirements are much more detailed and specific, whereas the controls in ISO 27001 are generic and need to be developed by the organisation.
All requirements applicable to the identified protection need must be met to at least TISAX maturity level 3 (Established); failure to meet even one requirement means failing the standard.
TISAX is based on ISO 27001 only for the content of the requirements, while the compliance rules, processes and records are set out separately and overseen by the ENX Association, which brings together automotive industry stakeholders. The three steps to achieving TISAX compliance are described below.
The compliance process starts with registration, which is described in detail in the Participant Handbook. This is an administrative procedure to be carried out at the ENX Portal.
During registration, an important decision has to be made: the scope of the assessment, which should cover all elements of the supplier's organisation involved in handling the data provided to the supplier by the car manufacturers and other partners. Such elements may include physical sites, IT systems and hardware, cloud services used and other outsourced activities. The standard scope includes all processes and resources involved at the specified sites that are subject to security requirements.
Before the audit, the organisation must achieve the level of information security expected by the TISAX standard and the selected assessment objective(s). At the outset, suppliers are advised to perform a gap assessment, i.e. to determine which requirements of the TISAX standard are met and which are not. Following the assessment, one or more internal projects should be initiated, possibly with external assistance, to address the identified gaps. Once everything has been remedied, this can be verified by a self-assessment, as required by the TISAX standard, which is also a prerequisite for a live assessment.
As with other information security standards, TISAX compliance can only be certified by authorised auditors listed on the ENX website, who are identified in the standard as audit providers.
Conducting an information security assessment
The TISAX standard uses several information security assessment approaches, of which Assessment Level 2 (AL2) and Assessment Level 3 (AL3) are relevant. An AL2 audit is only possible for some assessment objectives: the auditors check the existence of the self-assessment and the validity of the evidence, interviews are conducted via video conferencing, and on-site visits to the supplier's premises are optional. The majority of assessment objectives require an AL3 audit, with on-site visits and a more rigorous examination in which the evidence and the self-assessment are verified.
Once the audit has been successfully completed, the auditor uploads the audit report to the ENX Portal, where it can be shared at several levels, depending on the information needs of the car manufacturers and other partners: from the label alone up to the summary, details and maturity levels of the report.
Complying with ISA requirements and achieving TISAX certification can be challenging, but the energy invested will always deliver the expected results.
Among the difficulties to be expected is that developing, implementing and meeting the information security requirements at a minimum maturity level of 3 will require a significant amount of work if the supplier has not already implemented them, due to their comprehensive nature and number.
This means intensive documentation as a first step, followed by its ongoing maintenance, which requires the involvement of significant and skilled resources. Closely related to this is the fact that preparing the documentation is not the end but the means: in practice it requires real risk management, which is in the organisation's own interest, as it is the only way to create added value.
As well as the difficulties to overcome, it is also worth bearing in mind the benefits of certification. TISAX has been designed to create common ground between suppliers, with a common set of expectations across the framework. It is also beneficial for the organisation, as it contributes effectively to protecting its reputation, know-how and, indirectly, its operations and financial stability (e.g. a ransomware attack suffered by a supplier could disrupt the supply chain and prevent just-in-time orders from being fulfilled, or a supplier could face significant penalties if a cyber attack steals highly confidential CAD drawings of a prototype part).
It is therefore worth thinking of the process of preparing for and obtaining TISAX certification as an opportunity, rather than as an expected, mandatory task.
How SOCWISE can help
We can support our customers at several points on the path to TISAX certification:
- We offer a free initial consultation. This includes an assessment of your organisation's current situation, so that we can provide you with the best offer to prepare for the TISAX audit and to continue managing your information security effectively.
- We provide support to help you prepare, which may include setting up a regulatory framework, carrying out a risk analysis or developing a personal data management policy.
- We will carry out a preliminary test audit to assess your company's compliance, so that any gaps can be identified before a real audit.
If your company needs SOCWISE's consultancy services to prepare for TISAX certification, please feel free to contact us!