TISAX certification: Secure Together!
Data is the most valuable asset of the 21st century. Some business models are built solely to trade in data. "Knowledge is the solution!" as we like to say at MS POS. Data is therefore not only a valuable commodity, but also a desirable one. As an IT manager in a company, you are faced with a major challenge: how can you ensure that data is protected and handled properly? Even if you are well positioned in terms of cyber security, there is still the matter of the customers and suppliers with whom you share data as a company. Let's take a look at the automotive industry, whose association agreed on a uniform standard in 2017, the so-called Trusted Information Security Assessment Exchange, or TISAX for short.
What is TISAX?
Data and information security are the central concern of every IT administrator. Unfortunately, you can only manage and control what happens within your own walls. As soon as data is transferred to third parties and is not protected there just as well, you lose control. That's why the VDA (German Association of the Automotive Industry) has developed a standard called TISAX. TISAX is a standard derived from the ISO 2700x family. Every company can undergo an audit according to VDA ISA (ISA = Information Security Assessment) and receive TISAX certification upon meeting the criteria. This certification can then be shown to a business partner to demonstrate that all data is appropriately protected. The certificate is stored in the online portal of the ENX Association and can be viewed there. The ENX portal does not differentiate between suppliers and customers: everyone is considered a TISAX participant, and each participant decides individually to what extent and with whom to share audit results.
The audit objectives
The most important step in defining the scope is selecting the audit objectives. Audit objectives determine the requirements your information security management system (ISMS) must meet and are based on the type of data being processed.
The current audit objectives are:
- information with high protection requirements
- information with very high protection requirements
- protection of prototype parts and components
- protection of prototype vehicles
- handling of test drives
- protection of prototypes during events, film and photo shoots
- data protection
- data protection for special categories of personal data
Audit objectives are interdependent. For example, "information with very high protection requirements" cannot be audited without also auditing "information with high protection requirements".
Assessment level
It often happens that a partner requires a certain assessment level (AL) for certification. The audit objectives are therefore each assigned to a so-called assessment level; there are levels 1 to 3.
Level 3 is the highest, and therefore the most secure, level, and it is the one we at MS POS GmbH are striving for. For AL 3, the interviews always take place in person, followed by an on-site inspection.
The audit
Following registration and before the audit, two important points have to be settled: the choice of audit service provider and the self-assessment.
The effort involved in the audit itself depends on the scope, the number of sites, the targeted AL and, of course, the thoroughness of the preparation. For a site with 5-25 employees, one working day should be sufficient. If deficiencies are found, they must be corrected and a follow-up audit will take place. The entire audit process must not exceed a duration of 9 months.
After a successful audit, a TISAX label is issued. This label is valid for three years and can be shared with other TISAX participants via the ENX platform.
At the moment, we are dealing intensively with the topic of TISAX ourselves.
For more information about TISAX certification, have a look at the ENX Association manual, which describes the entire process.