TISAX (Trusted Information Security Assessment Exchange) is an information security standard developed by the German Association of the Automotive Industry (VDA) and managed by the ENX Association. Since its 2017 introduction, automotive manufacturers, parts manufacturers, and suppliers across Europe—and increasingly globally—have widely adopted TISAX to ensure a uniform level of information security within the industry.
Because TISAX requires a comprehensive examination of information security controls, automotive manufacturers and parts suppliers should develop a risk assessment and ongoing monitoring strategy that aligns with its requirements to enable greater cyber resilience in global automotive supply chains.
This post examines information security challenges in the automotive industry, TISAX information security controls and compliance requirements, and best practices to simplify TISAX compliance.
TISAX was developed to address specific information security challenges and needs in the automotive industry.
Historically, each automotive manufacturer developed its own information security standards and applied those requirements to its suppliers. This approach required suppliers to comply with multiple, sometimes conflicting, security criteria.
Without a common standard, suppliers were subjected to multiple audits by different manufacturers, each assessing information security based on their unique criteria. This was not only repetitive but also resource-intensive for suppliers.
The automotive industry features complex, global supply chains involving numerous partners and suppliers across different regions. Managing information security uniformly across such a vast network without a common standard was increasingly difficult and risky.
As the industry adopted more digital technologies and connected systems, the risk of cyber threats increased. There was a clear need for a standardized approach to protect systems, sensitive information, and intellectual property effectively. Recently, automotive manufacturers such as Toyota have been impacted by significant cyber-attacks against suppliers.
With regulations like the EU General Data Protection Regulation (GDPR), there was a growing need for standardized practices that help companies comply with legal requirements concerning data protection and privacy.
TISAX aims to harmonize information security assessments, reduce the audit burden on suppliers, and ensure all participants in the automotive supply chain adhere to a high level of security.
Currently on version 6.0.2, the TISAX Information Security Assessment (ISA) evaluates nearly 80 information security, prototype protection, and data protection controls across the following nine (9) control families:
A completed ISA presents assessment results in a spider diagram, scoring each control sub-family's maturity level from 0 (low) to 5 (high). Each control is also mapped to equivalent controls in industry standards such as ISO 27001, NIST 800-53, BSI, and others.
Since it is voluntary, TISAX itself does not impose penalties for non-compliance in the traditional sense of regulatory fines. However, not being TISAX compliant can have several significant repercussions for businesses within the automotive industry, particularly regarding their business relationships and reputation.
For many in the automotive industry, TISAX compliance directly affects the bottom line. Companies achieving TISAX compliance demonstrate their commitment to protecting sensitive information, thereby enhancing trust among business partners, mitigating risks associated with cyber threats and regulatory non-compliance, and supporting revenue, new client acquisition, and existing client retention. The automotive industry strongly incentivizes TISAX, making it nearly essential for companies that want to stay competitive and secure in the sector.
To become TISAX compliant, organizations in the automotive industry must meet several requirements, which are based on the VDA ISA (Information Security Assessment) catalog. This catalog adapts the ISO/IEC 27001 standard to the specific needs of the automotive industry.
Key requirements and steps involved in achieving TISAX compliance include the following.
These steps ensure that a company meets TISAX standards during the audit and continuously commits to maintaining these standards.
It can be a complex and time-consuming process to identify compliance requirements, collect and analyze the required data, and act on it to avoid a negative compliance finding. Follow these five best practices to simplify the process.
Build a comprehensive third-party risk management (TPRM) or cybersecurity supply chain risk management (C-SCRM) program in line with your broader information security and governance, enterprise risk management, and compliance programs. Seek out experts who can collaborate with your organization on:
Build a centralized supplier inventory by importing suppliers via a spreadsheet template or through an API connection to an existing procurement or supply chain solution. Teams throughout the enterprise should be able to populate key supplier details with a centralized intake form and associated workflow tasks. This should be available to everyone via email invitation, without requiring any training or solution expertise.
As suppliers are reviewed, teams should create comprehensive supplier profiles that contain all documentary evidence related to the TISAX assessment, plus insights into a supplier's demographics, ESG scores, recent business and reputational insights, data breach history, and recent financial performance. This adds needed context for audit processes.
Part of the profiling process is identifying fourth-party and Nth-party suppliers in your supplier ecosystem, as critical dependencies can affect tiering decisions. Conduct a questionnaire-based assessment of your suppliers or passively scan each supplier's public-facing infrastructure. The resulting relationship map should depict extended dependencies that could expose your organization to risk.
Finally, quantify inherent risks for all suppliers to effectively tier suppliers, set appropriate levels of further diligence, and determine the scope of ongoing assessments. Criteria used to calculate inherent risk for supplier tiering can include:
Leverage a supplier's TISAX risk assessment, ISO 27001, NIST 800-53, or other industry standard assessment that can be easily mapped to TISAX requirements. Incorporate the assessment into a central supplier risk management platform, and use workflow automations, task management, and automated evidence review capabilities to evaluate supplier maturity scores. Assessment results should also be presented in a central risk register that enables you to quickly visualize, sort, and pinpoint the most important risks.
Importantly, suggest remediations for low-maturity supplier controls that exceed the organization's risk appetite. TPRM solutions should include built-in remediation recommendations based on risk assessment results to ensure that your suppliers address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.
Continuously track and analyze external threats to suppliers. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources typically include:
All monitoring data should be correlated with assessment results and centralized in a unified risk register for each supplier, streamlining risk review, reporting, remediation, and response initiatives.
Once all assessment and monitoring data is correlated into a central risk register, apply risk scoring and prioritization according to a likelihood and impact model. This model should frame risks into a matrix, so you can easily see the highest impact risks and can prioritize remediation efforts on those. Assign owners and track risks and remediations to a level acceptable to the business.
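As an added illustration of the likelihood-and-impact prioritization described above (example code written for this post, not from the original article or from Prevalent's platform), the following scores constructed ISA-style maturity results per control family against an assumed target maturity of 3, takes impact from an assumed supplier tier mapping, flags gaps above an assumed risk appetite, and places each finding in a 5x5 matrix cell.

```python
# Added example (not from the original post or Prevalent's product): score TISAX ISA
# maturity results per control family, derive likelihood from the gap to a target
# maturity, take impact from the supplier's tier, and place each gap on a 5x5 matrix.
from typing import Dict, List, Tuple

TARGET_MATURITY = 3   # assumed target; ISA scores each control family 0 (low) to 5 (high)
RISK_APPETITE = 8     # assumed threshold: likelihood * impact above this needs remediation
IMPACT_BY_TIER = {1: 5, 2: 3, 3: 1}          # assumed: tier 1 = most critical supplier
LIKELIHOOD_BY_GAP = {0: 1, 1: 3, 2: 4, 3: 5}  # assumed: maturity shortfall -> likelihood

# Constructed sample results (family names abbreviated; not real supplier data).
SAMPLE_RESULTS = {
    "supplier-a": {"tier": 1, "scores": {"IS Policies": 4, "Asset Mgmt": 2, "Access Mgmt": 1}},
    "supplier-b": {"tier": 3, "scores": {"IS Policies": 3, "Asset Mgmt": 1, "Access Mgmt": 3}},
}

Finding = Dict[str, object]

def likelihood(score: int) -> int:
    """Controls at or above the target get the floor; larger shortfalls score higher."""
    gap = max(TARGET_MATURITY - score, 0)
    return LIKELIHOOD_BY_GAP[min(gap, max(LIKELIHOOD_BY_GAP))]

def assess(results: Dict[str, dict]) -> List[Finding]:
    """Return one finding per supplier/control family, highest risk first."""
    findings: List[Finding] = []
    for supplier, data in results.items():
        impact = IMPACT_BY_TIER[data["tier"]]
        for family, score in data["scores"].items():
            lik = likelihood(score)
            risk = lik * impact
            findings.append({
                "supplier": supplier, "family": family, "score": score,
                "likelihood": lik, "impact": impact, "risk": risk,
                "exceeds_appetite": risk > RISK_APPETITE,
            })
    return sorted(findings, key=lambda f: f["risk"], reverse=True)

def build_matrix(findings: List[Finding]) -> Dict[Tuple[int, int], List[str]]:
    """Group findings into (likelihood, impact) cells of a 5x5 risk matrix."""
    matrix: Dict[Tuple[int, int], List[str]] = {}
    for f in findings:
        cell = (f["likelihood"], f["impact"])
        matrix.setdefault(cell, []).append(f"{f['supplier']}/{f['family']}")
    return matrix

if __name__ == "__main__":
    for f in assess(SAMPLE_RESULTS):
        flag = "REMEDIATE" if f["exceeds_appetite"] else "accept"
        print(f"{f['risk']:>3} L{f['likelihood']}xI{f['impact']} {f['supplier']}/{f['family']} {flag}")
```

The sorted output is the remediation queue: the two tier-1 findings above the appetite come first, and the matrix cells are what a register would render as the heat map.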
The Prevalent Third-Party Risk Management Platform offers a central, automated solution for scaling third-party risk management and cybersecurity supply chain risk management in concert with your broader cybersecurity and enterprise risk management program. With Prevalent, your team can:
Contact Prevalent today for a free maturity assessment to determine how your TPRM policies stack up to TISAX requirements in advance of a supplier pre-assessment, or schedule a demo.