ISO Standards and More 24 Jul 2024

Information Security in the Automotive Industry – TISAX® Standard

The dynamic development of information and communication technologies accelerates the circulation of electronic information, which increases threats. The automotive industry, vulnerable to information loss, requires effective security standards.

The dynamic development of information and communication technologies drives the high pace at which electronic information circulates. Modern technological solutions give users worldwide numerous tools to collect, store, and process information. The same progress has created new types of threats that organizations must face. Information, the most sought-after and valuable resource, therefore requires an effective level of security throughout its lifecycle.

The automotive sector, like any other, is vulnerable to information loss, and the number of incidents and cybercrimes continues to grow. Information security has always been, and continues to be, an essential element of comprehensive company management processes. Organizations support their activities by implementing information security management systems based on global standards. These standards are deliberately generic, so they can be applied widely across many industries; however, they are not tailored to the specific needs of companies in the automotive sector.

The automotive industry's answer to this need is the TISAX® standard, together with the VDA ISA (Information Security Assessment) questionnaire as its assessment tool. To adapt existing information security management standards to the industry, the Information Security Committee of the German Association of the Automotive Industry (VDA) defined a questionnaire covering commonly accepted requirements. The document takes the form of a spreadsheet questionnaire called the VDA Information Security Assessment (VDA ISA) and serves as the assessment tool for the TISAX® standard. The questionnaire is based on the international standards ISO/IEC 27001 and ISO/IEC 27017, and its requirements also reference the Annex A controls of ISO/IEC 27001:2022 and the NIST Cybersecurity Framework version 1.1. The purpose of the VDA ISA is to support automotive market participants in demonstrating effective information security management.

The foundation of the TISAX® standard, established in early 2017, is the exchange of VDA ISA assessment results with other participants through a dedicated platform – the ENX Portal. This exchange is also reflected in the standard's name: Trusted Information Security Assessment Exchange. It should be noted that the requirements assessed under TISAX® include, in addition to the VDA ISA questionnaire requirements, the requirements of the assessed organization’s clients and its own requirements.

Mandatory requirements and their number are linked to the chosen information security assessment objectives under TISAX®. The VDA ISA questionnaire contains 11 tabs, among which three key criteria catalogs are crucial for assessment: Information Security, Prototype Protection, and Data Protection. Not all catalog requirements must be met by the organization in every assessment. The list of requirements depends on the scope, purpose, and level of the TISAX® assessment chosen by the organization.

TISAX® Standard and ISO/IEC 27001 – a common foundation with some differences

A successfully completed assessment in compliance with the TISAX® standard is valid for 3 years. Unlike ISO standards, the assessed organization does not receive a "certificate" but a label in the ENX Portal, visible to registered and authorized entities known as TISAX® participants. There are no annual surveillance audits within the three-year cycle. Additionally, under the TISAX® standard, process maturity is assessed on a 6-point quantitative scale: the higher the maturity level, the more advanced the information security management processes are. During the assessment, the organization must present appropriate objective evidence demonstrating compliance with the requirements for the given level.

Effective implementation, a successful assessment result, and the exchange of that result are only the first steps towards "effective information security." Demonstrating to business partners that effective information security is an important strategic goal for the organization creates an opportunity to build entirely new business relationships or strengthen existing ones. Enhanced credibility as a trusted business partner also helps strengthen a company's durable and positive image in the automotive market and opens the way to new markets and projects.

Work on implementing and maintaining the TISAX® standard requires investment, which will pay off for every player in the automotive industry.


Article author


Paweł Miszczuk

Business Partner, Consultant, Lead Auditor, Trainer

Norms Sphere

Paweł has 18 years of international professional experience in information technology, risk management, auditing, and training. He is the author of numerous industry articles and training programs on the international stage. He conducts research on auditing in the digitalization era. He has over 2,000 training hours with very high participant ratings and has conducted over 600 days of first, second, and third-party audits. Currently, as an independent consultant, he helps companies worldwide achieve their strategic business goals by providing a wide range of consulting, training, and advisory solutions.
