“TISAX, or Trusted Information Security Assessment Exchange, is a security certification process all German automotive companies and suppliers strive to achieve. The German Association of the Automotive Industry (VDA) developed the certification.”
German suppliers wanting to sustain their TISAX certification need to monitor all their critical systems for cyberattacks. Suppliers continue to pursue managed detection and response (MDR) solutions from providers like Forenova to help meet ongoing TISAX operational requirements and improve their security posture.
TISAX is a comprehensive information technology (IT) and cybersecurity certification built around many industry-specific security requirements, including ongoing monitoring of all critical systems and of applications that access sensitive automotive design and manufacturing processes. To achieve TISAX compliance, automotive suppliers must complete several steps to ensure their various systems remain protected, their security operations capabilities are functioning, and their ongoing monitoring and reporting remain active and accurate.
The first step in achieving TISAX is for the automotive supplier or manufacturer to understand why it is investing in this certification and at what level. Using the VDA assessment documentation, organizations need to decide which level of assessment they are aiming to achieve. This decision needs to align with the business objectives and long-term goals. If the supplier's goal is to become a tier-1 provider to BMW or other industry leaders, it will need to achieve the highest level. If the provider's business goal is instead a basic level of engagement within an automotive supply chain, it may focus its initial efforts on the lowest level of assessment.
The VDA documentation breaks down TISAX assessments into three levels.
Level 1 assessment for TISAX requires automotive firms to execute a self-assessment defined by the VDA ISA 6.0. Completing the self-assessment helps the organization understand its current cybersecurity protection capabilities, which policies it currently has in place, and which monitoring and response functions it is using.
Level 2 assessment also requires automotive firms to complete a self-assessment, and additionally to engage an external auditor to validate their findings. Completing a level 2 assessment extends the firm's ability to access a greater amount of sensitive data within the supply chain or directly from industry leaders.
Level 3 assessment requires extensive self-assessment, third-party penetration testing, vulnerability assessments, external third-party validation, and site visits with in-person interviews. Achieving level 3 assessment extends the supplier's ability to access the highest level of sensitive information within the supply chain or direct information from industry leaders. Firms seeking level 3 TISAX certification can expect the process to take up to three years.
After the firm has completed the assessment appropriate to its target level, the next critical step is a gap analysis based on the VDA documentation. Results from the self-assessment or third-party validation give the firm the crucial issues it must remediate.
Based on the assessment results, the VDA offers an example of a gap analysis for firms to determine what problems need to be addressed to meet the various levels. The gap analysis helps establish an order of priority regarding which issues need to be remediated first, based on the assessment level the firm is seeking.
Self-assessment or third-party validation might raise issues the firm will not need to address. If the firm is only seeking level 1, it may consider putting off such remediation. Firms seeking level 2 or 3 may consider resolving all relevant issues. The gap analysis establishes alignment and priority based on the VDA document. Organizations must remedy, in order of priority, any matters required to reach the target assessment maturity level.
Here are some common steps organizations should follow within their implementation plan:
Following the organization's current change control process, all changes to production systems need to be completed within the approved outage window.
Once the firm has completed the remediation plan based on the gap analysis, the next critical step is implementing or updating its existing Information Security Management System (ISMS) to reflect the remediation and additional security controls installed because of the gap analysis and remediation plan. Automotive firms looking to further their cybersecurity protection strategy continue to adopt the ISO 27001 framework.
Automotive firms must ensure they have successfully deployed several adaptive security control layers to meet the TISAX compliance assessment levels. These layers include:
To achieve level 2 and level 3 assessment certifications, automotive firms must ensure they have implemented and validated their various physical and environmental systems, which internal and external assessment teams have tested. These systems include biometric systems for physical access, secured doors, data center badge readers, and remote access locks in various factory locations.
Along with meeting TISAX compliance standards, German automotive firms must comply with the General Data Protection Regulation (GDPR) for data privacy. Any information, including personally identifiable information (PII), needs to be protected. Automotive firms, especially those that collect customer information, must protect this information under GDPR.
Automotive firms investing in security awareness training as a cybersecurity defensive strategy will see a reduction in successful cyberattacks against their digital assets.
As automotive suppliers become TISAX certified, the need to protect their digital assets becomes even more significant. TISAX is critical for the automotive supplier to increase revenues and ecosystem alliances for future growth. Successful cyberattacks will impede its ability to remain an active partner within the German automotive supply chain.
Security awareness training is critical to reducing risk across the firm's various attack surfaces.
Automotive firms seeking a TISAX-certified assessment auditor should consult the ENX website for a list of AFNOR-certified auditing firms. Here is a short list of a few European Union (EU)-based auditing firms certified to complete TISAX assessment certification.
TISAX certification costs encompass the auditor's fees, control implementation expenses, and consultant fees.
Sustaining a secure enterprise network is a significant part of the initial TISAX certification audit and of recertification. Automotive firms want to reduce the risk of attack against their most critical digital assets, so they invest in a partnership with an MDR company like Forenova to help protect the automotive industry supply chain.