Step on It: What to Know About TISAX Compliance in the Automotive Market
The automotive industry is one of the largest in the world, with sales estimated at $2.95 trillion for 2022. It’s also an industry undergoing profound change thanks to global supply chains and digital transformation — which means that the security and compliance demands for the auto industry are undergoing profound change, too.
Let’s start with the technology changes alone. Those changes are being driven (no pun intended) by the rise of autonomous driving, in-vehicle connectivity, and electric vehicles. They are fundamental shifts in how cars work, with far more of a vehicle’s operations depending on data, software, and technology.
Then there’s the rise of the global supply chain. Large auto manufacturers now routinely have thousands of suppliers and assembly plants scattered around the world; that exposes the manufacturer to even more compliance risks, because you need to assess the security of all those suppliers feeding into the world’s next-generation vehicles while sharing an enormous amount of data with them.
The auto industry knows all this, and knows it needs a robust solution that can serve the whole industry. So let’s talk about what that solution looks like: TISAX, the Trusted Information Security Assessment Exchange.
Defining the TISAX Framework
Broadly speaking, TISAX is an information security framework tailored for the automotive industry. It allows participants in the auto sector to achieve a recognized standard of information security, so that they can be trusted members of the global auto supply chain. TISAX also allows companies to assess the security of others in the supply chain, before exchanging confidential information with those parties.
In that sense, TISAX is an industry-specific compliance framework like many others: PCI DSS for retailers exchanging credit card data; HIPAA spelling out privacy standards for healthcare companies; or the NIST 800-171 standard for defense contractors. TISAX does the same for the auto industry.
TISAX was pioneered by the German Association of the Auto Industry, known as the VDA for its abbreviation in German. The VDA developed an information security assessment (the VDA ISA) in the 2010s that suppliers for the auto industry could use to demonstrate their security posture. That assessment evolved into the TISAX framework, and TISAX certification now serves as a seal of approval for any supplier in the auto industry.
The framework itself descends from the ISO 27001 standard for information security, although TISAX and ISO 27001 differ in several notable ways. For example, ISO 27001 is a standard for the whole world; this means that updates to it are slow-going, as every stakeholder is consulted. TISAX is managed by a private, much smaller governing body, so its requirements are reviewed (and updated as necessary) every year. Both frameworks require audits, but TISAX gives companies more freedom to choose the type of audit and the level of compliance they want to achieve. ISO 27001 only allows for on-site audits, against one level of compliance.
TISAX also exists specifically to create a safe, secure means of information exchange in the automotive supply chain. Once a supplier is certified as TISAX-compliant, it can then function more efficiently within that supply chain, passing around sensitive data such as design prototypes, component specifications, crash test results, software algorithms, personal data, and more.
The business imperative for TISAX certification is compelling. It can open new doors for manufacturers and service providers that want to enter the lucrative automotive sector — especially since you probably already have the fundamentals for TISAX compliance in place anyway, because it derives from ISO 27001 and other common security standards.
All that said, achieving TISAX certification still requires planning and attention to detail.
The Elements of TISAX Compliance
A company’s TISAX compliance journey unfolds roughly like other compliance journeys you might undertake:
- Begin by deciding what level of compliance you want
- Understand which parts of your operations are in scope
- Perform a self-assessment
- Undergo a formal independent audit
- Remediate any weaknesses found
- Document that all weaknesses have been addressed
TISAX compliance does, however, have some unique considerations. For example, TISAX is governed by the ENX Association, a trade association of European automotive businesses — and ENX defines the scope of TISAX audits, rather than you. So, a company seeking certification for TISAX compliance must first register with ENX, and submit an information security self-assessment based on a questionnaire developed by the VDA.
At this beginning step a company must also decide what level of TISAX compliance it wants to achieve. There are six levels, from 0 to 5; but certification only starts at level 3 or higher. The level you choose dictates the number of controls you’ll need to implement, test, and document.
TISAX compliance also requires an independent audit from an approved TISAX auditor. The ENX Association maintains a list of approved auditors, and you can choose one based on your geographic region and other needs.
After that, the compliance process should start to feel familiar. Most companies will first want to perform an internal audit, so they can identify and correct any weaknesses before the independent audit. The independent audit might uncover more weaknesses, which you will need to correct.
The independent auditor also submits its findings to ENX. If you have minor issues, you might get a temporary certification, valid only for a limited time while you fix those outstanding issues. If you have material weaknesses, ENX won’t issue any certification at all until those weaknesses are fixed. Once you do have final certification, however, your company can publish the results to the TISAX Exchange for other businesses in the automotive sector to see.
Getting Started with TISAX
The good news is that many of the controls included in TISAX are the same ones found in Annex A of the ISO 27001 standard, or are basic good practice for cybersecurity programs generally. If you want to pursue TISAX certification, one important first step would be to map your existing security controls to TISAX (and perhaps ISO 27001 or other frameworks that may be on your compliance agenda).
Then come the standard next steps of implementing policies, procedures, and controls as necessary to close any gaps you find, and documenting your work along the way.
The more practical question for CISOs is whether they have the right tools and processes in place to manage TISAX compliance — since it most likely will be the latest in a long line of security frameworks your business is trying to follow. We explored the wisdom of using audit management software in a previous post on this blog; all that wisdom still applies here, too. Efficiency of collaboration, storage of evidence, task assignment and alerting: the more you can automate them, the better your compliance journey will be.
That’s true in the auto industry or any other.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named a ‘Rising Star of Corporate Governance’ by the Millstein Center for Corporate Governance in its inaugural class of 2008, and was named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.