September 2, 2024

MDR for TISAX compliance - How do MDR Services Work to Help You Comply?

The Trusted Information Security Assessment Exchange (TISAX) applies to automotive manufacturers and their supply chain partners that handle sensitive information. This sensitive data can include customer and vehicle data, employee data, and information about products under development and the firm's competitive position.

Like PCI DSS in the payment card industry or NIST SP 800-171 for defense contractors, TISAX is an industry-specific assessment framework, in this case for the automotive sector in Germany and the wider EU.

TISAX is not a legal requirement; a German or EU firm chooses whether to obtain a TISAX label (the formal term for the assessment result, commonly called a TISAX certification). In practice, however, automotive firms in Germany and the EU prefer to work with small-to-medium enterprises (SMEs) and other partners that have reached a defined assessment level, and many German original equipment manufacturers (OEMs) require their suppliers to hold a TISAX label before sharing sensitive information with them.

ForeNova's MDR offering is priced for the SME automotive market in Germany and the rest of the European Union. Its experience in detecting modern cyberattacks across the automotive supply chain, combined with automated incident response and reporting, helps SME organizations meet and sustain the operational security controls that TISAX assesses.

What is TISAX Compliance?

TISAX was developed by the German Association of the Automotive Industry (VDA) and is governed by the ENX Association. The assessment is based on the VDA Information Security Assessment (ISA) catalogue, which itself draws on the control objectives of ISO/IEC 27001. Organizations in scope are expected to:

  • Implement data management and infrastructure processes, including continuous vulnerability assessment, incident response, and remediation capabilities.
  • Implement and sustain a secure software development lifecycle (SSDLC) for all application development.
  • Stay aligned with cybersecurity best practices, including change control, retiring legacy security controls, and continuous monitoring of all critical infrastructure, devices, and hosts.
  • Maintain a consistent state of cybersecurity readiness.

TISAX requires organizations to complete an assessment at the level appropriate to the protection needs of the data they handle.

The assessment process breaks down into the following stages:

Registration

The firm sets up an account on the ENX portal and registers as a TISAX participant to start the assessment process.

Defining the Scope of the Assessment

Determine the assessment level the firm is targeting and which locations are in scope; TISAX assessments and labels are tied to specific sites.

Execute a Self-Assessment

The firm obtains the VDA ISA catalogue (the information security assessment questionnaire) and performs an initial self-assessment of its established processes and controls against it.

Remediation Stage

Develop and execute a remediation plan to close the gaps found during the self-assessment, before the assessment by a TISAX-accredited audit provider (required for Assessment Levels 2 and 3).

What Are the Various Assessment Levels?

TISAX defines three assessment levels based on the protection needs of the data held and processed by the supply chain partner. The higher the protection need, the higher the assessment level an automotive firm must achieve.

Assessment Level 1

Level 1 is the entry level, intended for information with normal protection needs. The organization completes only a self-assessment using the ISA questionnaire; the result is not verified by an audit provider.

Assessment Level 2

This level applies to supply chain providers handling information with high protection needs. The firm completes the ISA questionnaire and engages a TISAX-accredited audit provider, who checks the plausibility of the self-assessment and its supporting evidence, typically remotely.

Assessment Level 3

This level applies to supply chain firms handling information with very high protection needs, which calls for additional layers of protection. Level 3 adds an on-site assessment: the audit provider inspects the location and conducts in-person interviews.

Why is Compliance Critical for SMEs and Automotive Firms in Germany?

Small-to-medium enterprise (SME) automotive firms in Germany that want to become TISAX-compliant suppliers must complete the assessment process. They must also demonstrate their security controls and processes and their ability to share confidential information securely across the automotive supply chain, which makes achieving this standard critical for their business.

SMEs that invest in TISAX compliance also need to sustain it between the initial assessment and subsequent assessments by third-party audit providers; a TISAX label is valid for three years.

Automotive firms that choose not to comply with TISAX face several upstream and downstream challenges:

  • Losing access to valuable orders from larger automotive companies in Germany and the EU.
  • Protecting their own and their partners' data becomes harder without a structured control framework.

What Are the Benefits of Complying With TISAX?

  • Automotive firms that obtain a TISAX label also become more cyber-resilient by adopting several Annex A controls from the ISO 27001 framework. Investing in TISAX can also help reduce legal liability and may be reflected in cyber insurance premiums.
  • With ISO 27001 controls in place to support the TISAX label, organizations will also see fewer operational outages caused by cyberattacks.
  • A TISAX label shows the firm's commitment to data protection. A solid data protection strategy reduces the likelihood of non-compliance fines under other mandates, including GDPR.

What Are the Maturity Levels Within TISAX?

TISAX rates each control with a maturity level, using the VDA ISA maturity model. Unlike assessment levels, which are driven by the protection need of the data, maturity levels describe how well a control is implemented, documented, and measured within the organization's information security management system (ISMS). For most controls the target maturity level is 3; results below target lower the overall score.

Maturity Level 0: Incomplete

The process is not performed, or there is no evidence that it achieves its objective. No objectives or documentation exist at this level.

Maturity Level 1: Performed

The process is performed and achieves its objective, but it is not fully documented: only specific elements are written down. Documentation of the current deployment is required, but validation by a third party is not.

Maturity Level 2: Managed

The process is performed consistently, planned, and tracked, supported by proper procedures and documentation. Auditors inspect the documentation and validate that the control operates as described.

Maturity Level 3: Established

The organization follows a standard, documented process based on industry-accepted best practices, such as security architecture, zero trust, email security, network segmentation, and data encryption. This level requires proof of operation, third-party validation, and enforceable security policies.

Maturity Level 4: Predictable

The organization measures the established process with key performance indicators (KPIs) and continuous monitoring. Typical indicators are mean time to detect (MTTD) and mean time to respond (MTTR). Documentation must include continuous improvement plans, measurement of incident response effectiveness, and accurate reporting on all cybersecurity controls and processes.
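As an added illustration (not part of the original article and not ForeNova's tooling), the following Python computes the MTTD and MTTR figures a Level 4 KPI report would carry from a set of constructed incident records and checks them against target values. The field names, the three sample incidents, and the targets are assumptions. It measures MTTD from first malicious activity to detection and MTTR from detection to containment, one common convention; it also normalises timestamps to UTC, rejects inconsistent records, and excludes still-open incidents from MTTR rather than counting them as zero.

```python
"""Compute MTTD/MTTR KPIs from incident records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    occurred_at: datetime            # first malicious activity, established by forensics
    detected_at: datetime            # when the SOC/MDR raised the alert
    resolved_at: Optional[datetime]  # containment/remediation complete; None while still open

    def __post_init__(self) -> None:
        # Reject inconsistent records instead of silently producing negative durations.
        if self.detected_at < self.occurred_at:
            raise ValueError(f"{self.incident_id}: detected before it occurred")
        if self.resolved_at is not None and self.resolved_at < self.detected_at:
            raise ValueError(f"{self.incident_id}: resolved before it was detected")


def _ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC (sites may log in local time)."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


# Constructed sample incidents (hypothetical; not real ForeNova or customer data).
SAMPLE_INCIDENTS = [
    Incident("INC-001", _ts("2024-08-01T10:00:00+02:00"), _ts("2024-08-01T11:30:00+02:00"),
             _ts("2024-08-01T15:30:00+02:00")),
    Incident("INC-002", _ts("2024-08-03T22:00:00+00:00"), _ts("2024-08-04T01:00:00+00:00"),
             _ts("2024-08-04T07:00:00+00:00")),
    Incident("INC-003", _ts("2024-08-10T10:00:00+00:00"), _ts("2024-08-10T10:30:00+00:00"),
             None),
]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mttd_hours(incidents) -> float:
    """Mean time to detect: occurred_at -> detected_at, over all incidents (open ones included)."""
    return mean(_hours(i.detected_at - i.occurred_at) for i in incidents)


def mttr_hours(incidents) -> Optional[float]:
    """Mean time to respond: detected_at -> resolved_at, over closed incidents only."""
    closed = [i for i in incidents if i.resolved_at is not None]
    if not closed:
        return None  # nothing closed yet; reporting 0 here would overstate performance
    return mean(_hours(i.resolved_at - i.detected_at) for i in closed)


def kpi_report(incidents, mttd_target_h: float, mttr_target_h: float) -> dict:
    """Produce the figures a maturity-level-4 KPI report would carry, plus target checks."""
    mttd = mttd_hours(incidents)
    mttr = mttr_hours(incidents)
    return {
        "incidents": len(incidents),
        "open_incidents": sum(1 for i in incidents if i.resolved_at is None),
        "mttd_hours": round(mttd, 2),
        "mttr_hours": None if mttr is None else round(mttr, 2),
        "mttd_within_target": mttd <= mttd_target_h,
        "mttr_within_target": mttr is not None and mttr <= mttr_target_h,
    }


if __name__ == "__main__":
    # Targets are assumed values for illustration; a real report takes them from policy.
    print(kpi_report(SAMPLE_INCIDENTS, mttd_target_h=2.0, mttr_target_h=4.0))
```

For the sample data this reports an MTTD of 1.67 hours (within a 2-hour target) and an MTTR of 5 hours over the two closed incidents (outside a 4-hour target), with one incident still open; a report that counted the open incident as resolved at zero hours would have hidden the missed target.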

Maturity Level 5: Optimizing

The organization continuously improves its defensive strategy based on internal and external assessments of its security operations, the management of its security devices, and the upkeep of its documentation. It must provide accurate reporting and documentation showing its TISAX compliance and have these artifacts available for auditors at short notice.

How Can MDR Services Support SME Firms To Comply With TISAX?

SME automotive companies that want to obtain and maintain their TISAX label often struggle with the capital cost of adding the layers of security tooling implied by the ISO 27001 controls, and with staffing a full-time, 24/7 security operations team.

SME firms in Germany and the EU that want to reach higher TISAX maturity levels can leverage an MDR service such as ForeNova's.

Several TISAX maturity levels align well with an MDR offering. SMEs can leverage MDR at these levels:

  • Maturity Level 1: Managed firewalls, IDS, or identity systems.

  • Maturity Level 2: Managed incident response 24/7 or augmenting existing staff.

  • Maturity Level 3: Enabling new cybersecurity controls and providing MDR coverage.

  • Maturity Level 4: Enabling next-generation cybersecurity tools and providing 24x7 continuous monitoring, KPI reporting, incident response, and remediation services.

  • Maturity Level 5: Providing complete turnkey managed services, including detection and response, compliance reporting, and validating KPIs supporting mandates.

Why ForeNova?

SME automotive firms in Germany need access to talent and experience to help them obtain a TISAX label. By obtaining and sustaining it, these firms gain access to the larger automotive manufacturers in Germany and the EU; if they fall out of compliance, those business opportunities become harder to win.

ForeNova is an agile MDR service provider that aligns well with the SME market in Germany and the EU. Its pricing model, service delivery, and expertise are designed for this market.

Are you an automotive firm in the EU looking to comply with TISAX? Learn more about how ForeNova can help you meet the cybersecurity requirements of TISAX compliance.
