In the modern age, cars aren't just cars anymore - they're also sophisticated computers, entertainment units, and sometimes more.
Auto manufacturers are increasingly handling sensitive and confidential data (not just personal information, but R&D, prototype data, and so on), and that means so are their various software vendors. That's why some of these manufacturers got together to create a framework and certification to help ensure the industry here in Europe met or exceeded minimum security standards.
That framework is TISAX, and if you're reading this article then you might need it. So, what is TISAX, and how do you get certified? Let's take a look.
Trusted Information Security Assessment Exchange.
TISAX is a security standard devised by the German Association of the Automotive Industry (VDA) in 2017 to ensure a base level of information and cyber security in the European auto industry. It is administered by the ENX Association, and while it isn't officially recognised as an international standard, many foreign software partners do choose to get TISAX certified as well.
TISAX was originally based on ISO/IEC 27001, which presents a framework for protecting information through the use of an information security management system (ISMS). However, TISAX goes beyond this standard by adding guidance for data and prototype protection, among other areas. The scope, assessment and recommended measures are also different.
You'll see a number of assessment criteria within TISAX that have been pulled from ISO 27002 and 27017, too.
TISAX starts with a self-assessment, which is usually followed up by an outside auditor either online or in person, depending on your individual scope. To be successful in qualifying for TISAX certification, your business will need to show that it possesses the required information security maturity across a variety of factors related to your business and the data it will handle on behalf of your auto partner.
Or, in short, you're going to be given a checklist and it will help you identify your maturity score in key areas. Then someone will check that score.
But not all TISAX assessments are alike
This is because each registrant chooses which assessment objectives are most relevant to their business, based on the types of data they will be handling and specific requirements from the auto company. You will then be asked a series of questions related to those objectives. In this way, you won't have to answer all of the questions as some of them may fall outside of your scope (more on scope below).
So what are the objectives? Well, there are eight of them all totalled and they each map to one of three categories, called 'criteria catalogs'. Those are:
And the objectives are:
You'll also need to determine your assessment level, which will be low, high or very high (aka AL 1, 2 or 3). Your assessment level helps determine whether you can get away with just a self-assessment, or if you'll need an auditor to check your evidence, interview your people, or even complete an on-site assessment.
TISAX is not a legal requirement. But, whether you consider it 'mandatory' or not is up to your definition of the word.
OK, so it's not law, but it's increasingly considered best practice in the European and global auto industries. As such, it's getting more and more unlikely that you will be able to work with car manufacturers on any project that requires the handling of their data if you don't have TISAX certification. If they say they want it, you'll need to get it.
Generally, companies will be asked to get their TISAX certification by a partner company. Typically this will be the car manufacturer itself, but TISAX isn't just for partners of auto manufacturers.
You may need your own partners to get certified, too. If someone handles your data, and you're handling a marque's data, you will probably need to ask your own vendors to seek out TISAX certification to ensure they have the ISMS required to keep all of that information safe.
Of course, if you know you're going to be approaching the auto industry in future you could look to get certified in advance. You don't actually 'need' a trigger. Plus, even if no one asks you, it's still a great process to go through to ensure your company is achieving industry best practice when it comes to cyber security.
The TISAX assessment process generally follows these steps:
For a much more detailed explanation of these steps, read through the TISAX Participant Handbook.
Duration: As mentioned just before, no more than nine months can pass between the initial audit (coming after your self-assessment) and the final audit result. All optimizations and corrections must be made within this timeframe.
Validity: TISAX certifications are valid for three years under the same scope. If your scope changes (e.g. you weren't handling prototype data but now you are), you will need to go through the TISAX process again. This is one reason that it often pays to get a higher level of certification than required, so that you 'future-proof' your business.
Cost: The cost of TISAX depends fully on your scope. You can expect to pay a fee to register, and to pay an additional fee to the independent auditing company (or multiple fees, if multiple audits are to take place). Your budget will also need to leave room for optimizations and improvements, and any third-party vendors who will help you make those changes.
Not every company will need a thorough, level-three assessment, although you may be requested to get one regardless (or choose to get one yourself for future-proofing).
It's very common for companies to get their scope wrong. This could lead to the business failing because it was not audited at a high enough level for the type of data in question. Or, it could lead to the opposite - being over-audited, where you fail over things that just weren't relevant to your partnership (and could have been skipped as a result).
Some companies find that their data protection requirements are so light that they are asked to conduct only the self-assessment, with no audit required. This helps them better secure their business, but it doesn't count as a TISAX certification.
Got multiple locations? You'll need to take that into account
If your organization has multiple business locations, you have to define whether they will all be included in your audit, or just some of them. Who will be handling the data?
If you include all locations but one fails, the entire business will fail. So this isn't a decision to take lightly. You'll be making a choice between using a single scope that includes all locations at once (for cost efficiency), or adopting a single scope per location (more costly, but less risk of failing across the entire business).
Want to learn more? Go to the handbook and find the "Scoping" section.
If you're looking at all of this and thinking it's a whole lot, you're worried your business won't pass the certification, or perhaps you've failed in the past - we can help.
At dig8ital, we know TISAX inside and out and can assist you in a number of different ways. First, we can walk you through preparing for TISAX, understanding your objectives and assessment level, auditing your system, and working out the gap between where you are now and where you need to be in order to pass.
From there, we'll work with you to fully optimize your system in line with your business goals. Our experts can embed themselves in your company, get to know your teams, and figure out what areas we can improve, what steps we need to take to get to where we're going, and how we develop those new services in a cost-effective manner.
To learn more about how we can help your unique business, contact us now for a FREE maturity consultation.