
Making the Automotive Supply Industry Safer with TISAX Audit Standards

11/24

About seven years ago, vehicle manufacturers agreed on the audit standard Trusted Information Security Assessment Exchange, or TISAX. Similar to GxP in the pharmaceutical sector and BaFin in the financial industry, TISAX sets the rules for how suppliers in the automotive industry should handle information and data. The system forms the foundation for the automotive market, enabling the development of secure, innovative applications for connected and autonomous driving. Today, TISAX certification has become a requirement for suppliers to collaborate with OEMs.

Less than two years ago, it was revealed that specifications from major OEMs had been found on the darknet. The reason: hackers had been inside the systems of a Tier 1 supplier for around a year and had extracted information. According to Handelsblatt, 50 million US dollars were demanded for the return of the stolen data. While cyberattacks can never be fully prevented, when one occurs the gap that enabled it should be identified and closed. To mitigate such risks, Capgemini implements information security management systems.

Basis: risk analysis for all processes

The TISAX audit standard provides the basis for this approach. It defines the rules according to which information is exchanged within the company, whether verbal, digital or printed. From the CEO to the gatekeeper, from purchasing and production to sales and suppliers: all processes and assets are subjected to a risk analysis and documented in an audit-proof manner. Where are the guidelines or specifications written down, how were they implemented, where is the evidence, who is responsible? These are the questions that come into play when, for example, a company laptop is used. If this isn’t properly documented, security gaps can arise: the device may not be encrypted, may lack virus protection, or may have no privacy filter. To address this professionally, the procedure is described in “policies” before implementation. If there is no Identity and Access Management (IAM) or Privileged Access Management (PAM) and the company stores information in the cloud, a security issue can quickly spread across the entire organization. TISAX was created in collaboration with OEMs, the German Association of the Automotive Industry (VDA) and suppliers to the automotive industry, who founded the ENX Association. Their goal: a secure and trustworthy exchange of information in the automotive industry’s value chains.

OEMs usually require TISAX Assessment Level 2 or 3 from suppliers

At its core, TISAX ensures the adherence to overarching protection goals such as “confidentiality,” “availability,” and “integrity.”

The VDA’s Information Security Audit Catalogue (VDA ISA, version 6.x) provides three assessment levels. Levels 2 and 3 are relevant for participation in the automotive market. For Assessment Level 1 (AL 1), the company conducts an internal audit that isn’t independently verified. At Assessment Level 2 (AL 2), the company provides necessary documentation and evidence, which is spot-checked by independent auditors for plausibility. At Assessment Level 3 (AL 3), a detailed on-site audit of the entire VDA ISA is performed.

Capgemini supports companies with TISAX certification

Capgemini helps clients evaluate their information security posture and close potential security gaps based on current best practices. We offer “audit readiness” according to TISAX’s information management system for the desired Level 2 or Level 3 labels.

To do this, we implement and audit the Information Security Management System (ISMS), assess processes, and generate all required documentation according to VDA ISA. One of the advantages is that Capgemini has in-house certified auditors who conduct detailed pre-audits after the system is implemented, ensuring that companies are audit-ready. Capgemini provides not only the attestation service but also supports clients with the operational implementation and foundation of all cyber-security requirements (e.g., from Incident Management to Penetration Testing). If needed, Capgemini can even assign an Information Security Officer (CISO) to prepare for and conduct the audit. A full ISMS-TISAX implementation typically takes four to six months, depending on the size of the company and the number of locations.

Checklist-based approach: Immediate delivery required

Unlike the process-oriented ISO certifications, TISAX labeling is based on a checklist approach. This means that during the certification audit, the auditor cannot randomly decide to revisit a process during a follow-up audit. For TISAX, everything must be delivered immediately, meaning during the assessment. If there are any deficiencies, the auditor can issue a major or minor deviation based on the risk to the ISMS. The company must then resolve these deviations within a set time frame to obtain the label. If only minor deviations are found, the company can receive a temporary label, which also includes an action plan that must be completed within a defined period. Once the action plan is implemented, a successful follow-up assessment can be conducted.

Good to know:

  • Those who obtain a label must conduct an internal audit annually. Every three years, an external audit is required.
  • TISAX ISMS implementations can also incorporate other standards, such as data protection, ISO 27001, IEC 62443, a traditional cloud certification like ISO 27017, or the EU Network and Information Security Directive (NIS2).
  • NIS2 is mandatory for all relevant companies in the “manufacturing sector” under the Vehicle Manufacturing Act.

Expert exchange:

Do you also want to tackle this topic or have you already gained experience?

Get in touch with us! We look forward to exchanging ideas with you.

Our experts

Markus Jans

Senior Manager Attestation & Senior Cyber Security Auditor | Capgemini
Markus Jans, Senior Manager Attestation & Senior Cyber Security Auditor at Capgemini, is a graduate telecommunications engineer and state-certified electrical technician. He began his career as a hardware/software development engineer (BOSCH). Further positions followed, among others at TEVA Pharmaceutical AG and DEKRA Certification. For seven years he has been, among other things, a third-party Lead Auditor (ISO 27001, TISAX, ISO 9001), and since 2023 he has been the Lead responsible for the Attestation topic at Capgemini. In this role he manages cyber security implementation projects in the automotive and life science industries through to certification in accordance with regulatory requirements. Markus Jans is, among other things, a founding member of the BSI working group AK ACSMS and supports various committees on cyber security questions.

Eike Daumer

Regional Head Cybersecurity, Attestation Service
Eike has many years of experience in cybersecurity and IT compliance. His expertise covers the development, implementation and auditing of cybersecurity management systems across various industries. With a clear focus on GRC, SOX, KRITIS and ISO/IEC 2700x, Eike successfully supports his clients in meeting compliance requirements and obtaining certifications. As a recognized Lead Auditor for ISO 27001 and KRITIS, he guides companies with a strategic and practice-oriented approach.

Anke Rieche

Global Automotive Program Lead
Anke is a business development expert with 20 years of experience in software, infrastructure and consulting. As a highly motivated team player with a strong customer focus, she has made a name for herself in developing and executing go-to-market concepts, particularly around the SAP platforms S/4 HANA and Intelligent Enterprise, above all in the automotive market. Anke is convinced that automotive suppliers and OEMs can reach new dimensions of agility and speed by using SAP’s Automotive Cloud solutions, including the joint developments of SAP and Capgemini and co-innovation with pilot customers.