August 11, 2023
Ensuring information security is a crucial component of any connected vehicle software solution. That’s why assessment against, and compliance with, industry standards such as those outlined by TISAX are essential to long-term success.
Trusted Information Security Assessment Exchange (TISAX) is a European automotive industry standard that is globally recognized and adopted. It was developed by the German Association of the Automotive Industry (VDA) alongside the European Network Exchange (ENX), an association of European automakers.
Undergoing the TISAX auditing and certification process allows companies to assess the information security of their suppliers based on their awarded “Information Security Assessment” (ISA) level. In other words, it simplifies a company’s individual efforts by providing a mechanism for the assessment of information security systems and the sharing of assessment results with pertinent parties.
The auditing process usually begins when an automaker requests a potential partner or supplier to prove that their company’s information security management system (ISMS) meets a defined ISA level. However, it can also be initiated independently by a supplier, which is how Sibros proceeded with certification. The entire TISAX process involves three steps, some of which have several sub-steps.
The registration phase is where the company prepares for the audit and registers its intent to undergo assessment. It begins with compiling information to determine the scope of the assessment, as well as to define the assessment objectives. Before entering the online portal and submitting registration, a legal agreement with ENX must be signed. This includes but is not limited to a nondisclosure agreement (NDA) and contractual terms and conditions. Once all the paperwork and preparations are in order, the company must register online via the ENX portal.
During the assessment stage, a TISAX auditor conducts a thorough assessment of the company, after which they award an ISA level.
First, the company must undergo an ISA self-assessment to determine whether or not it is prepared for a third-party assessment. The amount of preparation required varies depending on the maturity level of the information security management system. If any gaps or deficiencies are found in the self-assessment, the company must address them before moving forward with TISAX certification.
Next is the selection of a certified TISAX auditor or audit provider. This provider will conduct their own information security assessment, the scope of which is based on pre-specified requirements (i.e., certain certification levels do not require the assessor to be on-site). Similar to the self-assessment, if any areas do not meet expected standards, the company may develop and implement a corrective action plan prior to a follow-up assessment.
Once the assessment is complete, the company is awarded its results via the ENX portal. These are valid for three years and include an official TISAX audit report.
During the final stage of the assessment, the audited company can share its results with customers and potential partners. This is all accomplished through the ENX portal, and results are shared only with parties that have been authorized by the certified company.
To achieve an Assessment Level 3 certification, the highest level available in the automotive industry, all assessment checkpoints must be verified on-site and by a third-party assessment body.
Sibros selected TÜV Nord as its audit provider and received the following results:
In summary, Sibros’ ISMS meets the TISAX framework requirements and was awarded Assessment Level 3 for all assessed categories, along with a protection level of "Very High" and an overall maturity level of 3.0. These labels are valid until 2026. The successful completion of this TISAX audit demonstrates Sibros’ strong commitment to information security and its ability to meet the standards required by its customers and partners. To learn more about Sibros’ safe and secure connected vehicle platform, talk to us today.