About seven years ago, vehicle manufacturers agreed on the audit standard Trusted Information Security Assessment Exchange, or TISAX. Similar to GxP in the pharmaceutical sector and BaFin in the financial industry, TISAX sets the rules for how suppliers in the automotive industry should handle information and data. The system forms the foundation for the automotive market, enabling the development of secure, innovative applications for connected and autonomous driving. Today, TISAX certification has become a requirement for suppliers to collaborate with OEMs.

Less than two years ago, it was revealed that specifications from major OEMs were found on the darknet. The reason: hackers had been in the systems of a Tier 1 supplier for around a year and had extracted information. According to Handelsblatt, 50 million US dollars were demanded for the return of the stolen data. While cyberattacks can never be fully prevented, when they occur, the gap should be identified and closed. To mitigate such risks, Capgemini implements information security management systems.

Basis: risk analysis for all processes

The TISAX audit standard provides the basis for this approach. It defines the rules according to which information is exchanged within the company, whether verbally, digitally or in print. From the CEO to the gatekeeper, from purchasing and production to sales and suppliers: all processes and assets are subjected to a risk analysis and documented in an audit-proof manner. Where are the guidelines or specifications written down, how were they implemented, where is the evidence, and who is responsible? These questions come into play, for example, when a company laptop is used. If this isn’t properly documented, security gaps can arise: the device may not be encrypted, may lack virus protection, or may have no privacy filter. To address this professionally, the procedure is described in “policies” before it is implemented. If there is no Identity and Access Management (IAM) or Privileged Access Management (PAM) and the company stores information in the cloud, a security issue can quickly spread across the entire organization.

TISAX was created in collaboration with OEMs, the German Association of the Automotive Industry (VDA) and suppliers to the automotive industry, who founded the ENX Association. Their goal: a secure and trustworthy exchange of information in the automotive industry’s value chains.

OEMs usually require TISAX Assessment Level 2 or 3 from suppliers

At its core, TISAX ensures adherence to the overarching protection goals of “confidentiality,” “availability,” and “integrity.”

The VDA’s Information Security Audit Catalogue (VDA ISA, version 6.x) provides three assessment levels. Levels 2 and 3 are relevant for participation in the automotive market. For Assessment Level 1 (AL 1), the company conducts an internal audit that isn’t independently verified. At Assessment Level 2 (AL 2), the company provides necessary documentation and evidence, which is spot-checked by independent auditors for plausibility. At Assessment Level 3 (AL 3), a detailed on-site audit of the entire VDA ISA is performed.

Capgemini supports companies with TISAX certification

Capgemini helps clients evaluate their information security posture and close potential security gaps based on current best practices. We offer “audit readiness” for the desired TISAX Level 2 or Level 3 labels, based on the requirements TISAX places on the information security management system.

To do this, we implement and audit the Information Security Management System (ISMS), assess processes, and generate all required documentation according to VDA ISA. One of the advantages is that Capgemini has in-house certified auditors who conduct detailed pre-audits once the system is implemented, ensuring that companies are audit-ready. Capgemini provides not only the attestation service but also supports clients with the operational implementation and groundwork of all cyber-security requirements (e.g., from Incident Management to Penetration Testing). If needed, Capgemini can even assign an Information Security Officer (CISO) to prepare for and conduct the audit. A full ISMS-TISAX implementation typically takes four to six months, depending on the size of the company and the number of locations.

Checklist-based approach: Immediate delivery required

Unlike the process-oriented ISO certifications, TISAX labeling is based on a checklist approach. This means that during the certification audit, the auditor cannot simply decide to revisit a process in a later follow-up audit. For TISAX, everything must be delivered immediately, meaning during the assessment. If there are any deficiencies, the auditor can issue a major or minor deviation based on the risk to the ISMS. The company must then resolve these deviations within a set time frame to obtain the label. If only minor deviations are found, the company can receive a temporary label, which also includes an action plan that must be completed within a defined period. Once the action plan is implemented, a successful follow-up assessment can be conducted.

Good to know:

  • Those who obtain a label must conduct an internal audit annually. Every three years, an external audit is required.
  • TISAX ISMS implementations can also incorporate other standards, such as data protection, ISO 27001, IEC 62443, a traditional cloud certification like ISO 27017, or the EU Network and Information Security Directive (NIS2).
  • NIS2 is mandatory for all relevant companies in the “manufacturing sector” under the Vehicle Manufacturing Act.

Expert exchange:

Do you also want to tackle this topic or have you already gained experience?

Get in touch with us! We look forward to exchanging ideas with you.