TISAX and Cybersecurity Supply Chain Risk Management

TISAX (Trusted Information Security Assessment Exchange) is an information security standard developed by the German Association of the Automotive Industry (VDA) and managed by the ENX Association. Since its 2017 introduction, automotive manufacturers, parts manufacturers, and suppliers across Europe—and increasingly globally—have widely adopted TISAX to ensure a uniform level of information security within the industry.

Because TISAX requires a comprehensive examination of information security controls, automotive manufacturers and parts suppliers should develop a risk assessment and ongoing monitoring strategy that aligns with its requirements to enable greater cyber resilience in global automotive supply chains.

This post examines information security challenges in the automotive industry, TISAX information security controls and compliance requirements, and best practices to simplify TISAX compliance.

Automotive Industry Information Security Challenges

TISAX was developed to address specific information security challenges and needs in the automotive industry.

Varied Security Requirements

Typically, each automotive manufacturer develops its information security standards, applying these requirements to their suppliers. This approach required suppliers to comply with multiple, sometimes conflicting, security criteria.

Audit Fatigue

Without a common standard, suppliers were subjected to multiple audits by different manufacturers, each assessing information security based on their unique criteria. This was not only repetitive but also resource-intensive for suppliers.

Global Supply Chains

The automotive industry features complex, global supply chains involving numerous partners and suppliers across different regions. Managing information security uniformly across such a vast network without a common standard was increasingly difficult and risky.

Increasing Cyber Threats

As the industry adopted more digital technologies and connected systems, the risk of cyber threats increased. There was a clear need for a standardized approach to protect systems, sensitive information, and intellectual property effectively. Recently, automotive manufacturers such as Toyota have been impacted by significant cyber-attacks against suppliers.

Regulatory Compliance

With regulations like the EU General Data Protection Regulation (GDPR), there was a growing need for standardized practices that help companies comply with legal requirements concerning data protection and privacy.

TISAX aims to harmonize information security assessments, reduce the audit burden on suppliers, and ensure all participants in the automotive supply chain adhere to a high level of security.

TISAX Information Security Controls and Reporting

Currently on version 6.0.2, the TISAX Information Security Assessment (ISA) evaluates nearly 80 information security, prototype protection, and data protection controls across the following nine (9) control families:

• Infosec Policies & Organization
• Identity & Access Management
• Compliance
• Human Resources
• IT Security/Cybersecurity
• Prototype Protection
• Physical Security
• Supplier Relationships
• Data Protection

A completed ISA presents assessment results in a spider diagram, scoring each control sub-family's maturity level from 0 (low) to 5 (high). Each control is also mapped to equivalent controls in industry standards such as ISO 27001, NIST 800-53, BSI, and others.

TISAX Compliance Requirements

Since it is voluntary, TISAX itself does not impose penalties for non-compliance in the traditional sense of regulatory fines. However, not being TISAX compliant can have several significant repercussions for businesses within the automotive industry, particularly regarding their business relationships and reputation.

For many in the automotive industry, TISAX compliance is equated with the bottom line. Companies achieving TISAX compliance demonstrate their commitment to protecting sensitive information, thereby enhancing trust among business partners, mitigating risks associated with cyber threats and non-compliance with regulations, and enhancing revenue, new client acquisition, and existing client retention. The automotive industry strongly incentivizes TISAX, making it nearly essential for companies that want to stay competitive and secure in the sector.

To become TISAX compliant, organizations in the automotive industry must meet several requirements, which are based on the VDA ISA (Information Security Assessment) catalog. This catalog adapts the ISO/IEC 27001 standard to the specific needs of the automotive industry.

Key requirements and steps involved in achieving TISAX compliance include the following.

• Define the scope of the assessment, identifying which parts of the organization and which processes need to be evaluated based on TISAX standards.
• Perform a self-assessment using the VDA ISA questionnaire. This step involves evaluating current practices and policies against TISAX standards to identify gaps.
• Implement necessary controls to address gaps and meet the required standards. This may include enhancing IT security measures, updating policies, and ensuring proper data handling practices.
• Engage an ENX-accredited auditor to perform the official audit and an onsite visit to verify that all TISAX requirements are being met. This includes reviewing documentation, interviewing staff, and inspecting physical and IT security measures.
• Conduct remediation if the audit identifies any areas of non-compliance. After remediation, a follow-up audit might be required to confirm compliance.
• Receive a TISAX label upon a successful assessment. The label is valid for three years and is registered in the ENX TISAX portal and can be shared with clients and partners to prove compliance.
• Regularly review and update security practices and undergo re-assessment every three years or sooner if significant changes occur in their business or IT environment.

These steps ensure that a company meets TISAX standards during the audit and continuously commits to maintaining these standards.

Five Best Practices to Simplify TISAX Compliance

It can be a complex and time-consuming process to identify compliance requirements, collect and analyze the required data, and act on it to avoid a negative compliance finding. Follow these five best practices to simplify the process.

1. Define organizational risk management processes

Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program in line with your broader information security and governance, enterprise risk management, and compliance programs. Seek out experts who can collaborate with your organization on:

• Defining TPRM and C-SCRM processes and solutions
• Selecting risk assessment questionnaires and frameworks to benchmark results against (e.g., a TISAX-specific assessment or a more general ISO 27001 assessment)
• Optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding – according to your organization’s risk appetite
• Establishing clear roles and responsibilities (e.g., RACI) across the organization
• Implementing risk scoring and thresholds based on your organization’s risk tolerance

2. Profile and tier all suppliers

Build a centralized supplier inventory by importing suppliers via a spreadsheet template or through an API connection to an existing procurement or supply chain solution. Teams throughout the enterprise should be able to populate key supplier details with a centralized intake form and associated workflow tasks. This should be available to everyone via email invitation, without requiring any training or solution expertise.

As all suppliers are reviewed, teams should create comprehensive supplier profiles that contain all documentary evidence related to the TISAX assessment, plus insights into a supplier’s demographics, ESG scores, recent business and reputational insights, data breach history, and recent financial performance. This will add needed context for audit processes.

Part of the profiling process is identifying fourth-party and Nth-party suppliers in your supplier ecosystem as critical dependencies can impact tiering decisions. Conduct a questionnaire-based assessment of your suppliers or passively scan the supplier’s public-facing infrastructure. The resulting relationship map should depict extended dependencies that could expose your organization to risk.

Finally, quantify inherent risks for all suppliers to effectively tier suppliers, set appropriate levels of further diligence, and determine the scope of ongoing assessments. Criteria used to calculate inherent risk for supplier tiering can include:

• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations (e.g., GDPR)
• Interaction with protected data

3. Evaluate suppliers against TISAX requirements

Leverage a supplier’s TISAX risk assessment, ISO 27001, NIST 800-53, or other industry standard assessment that can be easily mapped to TISAX requirements. Incorporate the assessment into a central supplier risk management platform, and use workflow automations, task management, and automated evidence review capabilities to evaluate supplier maturity scores. As well, assessment results should be presented in a central risk register that enables you to quickly visualize, sort, and pinpoint the most important risks.

4. Remediate findings

Importantly, suggest remediations for low maturity supplier controls that exceed the risk appetite for the organization. TPRM solutions should include built-in remediation recommendations based on risk assessment results to ensure that your suppliers address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

5. Continuously monitor suppliers for threats

Continuously track and analyze external threats to suppliers. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources typically include:

• Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
• Databases containing several years of data breach history for thousands of companies around the world

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each supplier, streamlining risk review, reporting, remediation, and response initiatives.

Once all assessment and monitoring data is correlated into a central risk register, apply risk scoring and prioritization according to a likelihood and impact model. This model should frame risks into a matrix, so you can easily see the highest impact risks and can prioritize remediation efforts on those. Assign owners and track risks and remediations to a level acceptable to the business.

Next Steps for TISAX Compliance

The Prevalent Third-Party Risk Management Platform offers a central, automated solution for scaling third-party risk management and cybersecurity supply chain risk management in concert with your broader cybersecurity and enterprise risk management program. With Prevalent, your team can:

• Build a centralized supplier inventory with comprehensive risk profiles that can be accessed by multiple teams throughout the enterprise
• Gauge inherent risk to inform supplier profiling, tiering, and categorization – and determine the appropriate scope and frequency of ongoing due diligence activities
• Automate risk assessments and remediation across every stage of the third-party lifecycle
• Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities

Contact Prevalent today for a free maturity assessment to determine how your TPRM policies stack up to TISAX requirements in advance of a supplier pre-assessment, or schedule a demo.