TISAX Compliance
Company Updates

/

August 11, 2023

/

#

Min Read

TISAX Compliance

This is an external post, click the button below to view.
View Post

Ensuring information security is a crucial component of any connected vehicle software solution. That’s why assessment and compliance with industry standards such as those outlined by TISAX are crucial to long-term success. 

What is TISAX?

Trusted Information Security Assessment Exchange (TISAX) is a European automotive industry standard that is globally recognized and adopted. It was developed by the German Association of the Automotive Industry (VDA) alongside the European Network Exchange (ENX), an association of European automakers. 

Undergoing the TISAX auditing and certification process allows companies to assess the information security of their suppliers based on their awarded “Information Security Assessment” (ISA) level. In other words, it simplifies a company’s individual efforts by providing a mechanism for the assessment of information security systems and the sharing of assessment results with pertinent parties. 

The Auditing Process

The auditing process usually begins when an automaker requests a potential partner or supplier to prove that their company’s information security management system (ISMS) meets a defined ISA level. However, it can also be initiated independently by a supplier, which is how Sibros proceeded with certification. The entire TISAX process involves three steps, some of which have several sub-steps. 

Step 1: Registration

The registration phase is where the company prepares for the audit and registers its intent to undergo assessment. It begins with compiling information to determine the scope of the assessment, as well as to define the assessment objectives. Before entering the online portal and submitting registration, a legal agreement with ENX must be signed. This includes but is not limited to a nondisclosure agreement (NDA) and contractual terms and conditions. Once all the paperwork and preparations are in order, the company must register online via the ENX portal. 

Step 2: Assessment

During this stage, a TISAX auditor conducts a thorough assessment of the company, after which they award an ISA level. 

First, the company must undergo an ISA self-assessment to determine whether or not they are prepared for a third-party assessment. The amount of preparation required varies depending on the information security management system’s maturity level. If any gaps or deficiencies are found in the self-assessment the company must then address these prior to moving forward with TISAX certification. 

Next, is the selection of a certified TISAX auditor or audit provider. This provider will conduct their own information security assessment, the scope of which is based on pre-specified requirements (i.e. certain certification levels do not require the assessor to be on-site). Similar to the self-assessment, if any areas do not meet expected standards the company may develop and implement a corrective action plan prior to a follow-up assessment. 

Once the assessment is complete the company is awarded with its results via the ENX portal. These are valid for three years and include an official TISAX audit report

Step 3: Exchange

During the final stage of the assessment, the audited company can share its results with customers and potential partners. This is all accomplished through the ENX portal and results are only shared with parties that have been authorized by the certified company.  

The Importance of TISAX & Sibros’ Compliance

To achieve an Assessment Level 3 certification, the highest level available in the automotive industry, all assessment checkpoints must be verified on-site and by a third-party assessment body.

Sibros selected TÜV Nord as its audit provider and received the following results: 

  • High Availability
  • Very High Availability
  • Information with High Protection Needs
  • Information with Very High Protection Needs
  • Data Protection according to EU-GDPR Art. 28 ("Processor")
  • Data Protection according to EU-GDPR Art. 28 of special personal data
Reproduction of Sibros' ISA 4 Results (for original report please contact us)

In summary, Sibros’ ISMS meets the TISAX framework requirements and was awarded Assessment Level 3 for all assessed categories, along with a protection level of "Very High", and an overall maturity level of 3.0. These labels are valid until 2026. The successful completion of this TISAX audit demonstrates Sibros’ strong commitment to information security and its ability to meet the standards required by its customers and partners. To learn more about Sibros’ safe and secure connected vehicle platform talk to us today. 

Mahesh Venugopala
Mahesh Venugopala
Mahesh Venugopala serves as Senior Director of Security at Sibros where he is repsonsible for stewarding cybersecurity practices, methods and frameworks across the company's suite of cloud-based and embedded software products. Prior to joining Sibros, Mahesh was responsible for security at Autonomic (a subsidiary of Ford), a SaaS data platform managing billions of connected vehicle signals and events per day. Mahesh has over 20 years of experirence across roles in product security, security architecture, cryptography, key management, encryption in transit and rest, cloud security, secure software development life cycle (SDLC), and secure DevOps.