Handelsblatt’s 7th annual conference “Cybersecurity 2017”: VDA presents TISAX – Auditing model for unified level of information security in the value and supply chain
Vehicle manufacturers do a large proportion of product development work in cooperation with their suppliers. “It is very important to protect the data that are transferred or exchanged. When protecting prototypes in particular, the players have to ensure that everyone in the supply chain applies a similar level of IT security,” stressed Dr. Joachim Damasky, Managing Director for technology and the environment at the German Association of the Automotive Industry (VDA).
The TISAX (Trusted Information Security Assessment Exchange) model has been developed under the aegis of the VDA to guarantee a unified level of data security across all the parties involved. “TISAX allows information security assessments to be recognized at all companies in the automotive industry and provides a common standard for auditing and for sharing information,” Damasky said.
At today’s seventh annual conference organized by the business newspaper Handelsblatt in Berlin, entitled “Cybersecurity 2017,” Dr. Martin Unterberger, chairman of the VDA’s “Information Security” working group and Senior IT-Auditor at Porsche, explained the model: “TISAX means that the automotive industry is the first industry worldwide to offer an assessment based on a standardized catalog of questions and to mutually recognize the audit results – over the entire value and supply chain, from the manufacturer and the supplier all the way to service providers.”
TISAX has been well received since its market launch. Well over 600 companies with 1,000 facilities in 32 countries have registered since the beginning of 2017, and more than 100 audits have already been carried out.
TISAX is operated by the ENX Association (www.enx.com/tisax), which has been commissioned by the VDA to conduct the audits as a neutral body. Several international audit providers are being accredited to perform the audits (valid for three years) for the ENX Association at service providers and suppliers. The results can then be accessed by the VDA’s members or made available to other TISAX participants, provided the audited company has agreed. The advantage of the TISAX model is that it saves VDA members and their suppliers the work, time and expense of a security check.
TISAX is based on the Information Security Assessment (ISA) developed by the VDA, a catalog of questions based on the ISO 27001 standard. Until now, the ISA catalog of questions has been used in audits at suppliers and service providers that process sensitive information from the companies. In the past these audits were frequently conducted by the companies themselves, which resulted in service providers or suppliers being audited several times at relatively short intervals.