The rise of smart and connected cars in the last decade has led to a sharp increase in cyberattacks involving automobiles. According to Upstream Security’s 2020 Automotive Cybersecurity Report, the number of annual automotive cybersecurity incidents has increased by a staggering 605% since 2016. More than half of these were carried out by cybercriminals acting remotely to disrupt businesses, steal property, and demand ransom. Popular attack vectors included keyless entry systems, backend servers, and mobile apps.
It is, therefore, no surprise that the automotive industry is taking steps to protect both its cars and its confidential information from such incidents. In Germany, the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) set up the Trusted Information Security Assessment Exchange (TISAX) in 2017 as an assessment and exchange mechanism through which organizations can undergo audits against VDA's Information Security Assessment (ISA). VDA ISA is largely based on the existing international standards ISO/IEC 27001 and 27002.
TISAX is governed by the ENX Association, an organization consisting of automobile manufacturers, suppliers, and four national automotive associations, and is meant to ensure a unified level of information security and bring standardization, quality assurance, and mutual recognition of audits to VDA ISA compliance.
Who does TISAX apply to?
Any company that is part of the German automotive supply chain can be asked to prove defined levels of information security management according to the requirements set out in VDA ISA. Applied across the industry, TISAX covers original equipment manufacturers (OEMs) as well as their partners and suppliers, whether they are based in Germany or not.
A three-step process
The need for a TISAX assessment report is triggered by a request from a partner to prove VDA ISA compliance. To receive an assessment, companies will have to go through three steps:
- Registration: subject to a fee, this initial step allows ENX to gather information about the company and establishes what needs to be part of the assessment.
- Assessment: the company undergoes an assessment through one of ENX’s authorized TISAX audit providers. The audit is based on an assessment scope that matches the requirements of the partner that requested the company to prove VDA ISA compliance. Should a company fail to pass the assessment, the TISAX process may require additional steps.
- Exchange: finally, the company can share the result of the assessment with the partner that requested proof of VDA ISA compliance.
Scope of TISAX assessments
There are two types of scopes for TISAX assessments: standard and custom. The custom scope allows companies to choose a narrower or expanded scope of assessment. However, many companies that require VDA ISA compliance will only accept information security assessment results based on the standard scope. This is why ENX encourages all TISAX participants to opt for the standard scope.
The standard scope comprises all processes and resources at company sites that are subject to security requirements from partners in the automotive industry. Processes include the collection, storage, and processing of information. Depending on the size of the company, sites can be office spaces, development and production sites, and data centers. Resources include work equipment, employees, contractors, and IT infrastructure.
TISAX assessment objectives
There are currently eight TISAX assessment objectives:
- Information with high protection needs
- Information with very high protection needs
- Protection of prototype parts and components
- Protection of prototype vehicles
- Handling of test vehicles
- Protection of prototypes during events, filming, or photoshoots
- Data protection, in accordance with Article 28 of the EU’s General Data Protection Regulation (GDPR) referring to data processors
- Data protection with special categories of personal data, in accordance with Article 28 of GDPR referring to data processors and Article 9 that governs special categories of personal data
Companies need to select at least one assessment objective; the chosen objective serves as the benchmark against which the organization's information security management system is assessed. TISAX audit providers base their assessment strategy primarily on the assessment objective, and each objective maps to a criteria catalog of the VDA ISA.
Some objectives also imply a second objective that must be met at the same time. For example, the "Protection of prototype parts and components" objective requires organizations to also achieve the "Information with high protection needs" objective.
Each assessment objective corresponds to a TISAX label that a partner may require a company to obtain. Organizations must choose the objective corresponding to the desired label and, once they pass the TISAX assessment successfully, they will receive the label for it.
Self-assessment based on VDA ISA
Before embarking on a TISAX assessment, ENX recommends companies conduct a VDA ISA self-assessment of their information security management system to ensure that it matches the expected maturity level required for TISAX.
VDA ISA rates each control on six levels of implementation maturity, numbered 0 to 5: Incomplete (0), Performed (1), Managed (2), Established (3), Predictable (4) and Optimizing (5). The target maturity level for all control questions is Level 3 (Established), so the self-assessment should show where controls currently fall below that level.
VDA ISA has three criteria catalogs: information security, prototype protection, and data protection, each comprising a set of control questions. For each question, the objective is stated along with the requirements needed to achieve it, split into those that must be met and those that are optional.
The information security catalog comprises 41 questions covering the protection of information in the general sense (as distinct from the GDPR-focused data protection catalog), including the protection of confidential information from leaks, theft, and human error.
The prototype protection catalog, with 22 questions, covers the physical and environmental security of prototypes, their transport, and the requirements for filming and photoshoots. The data protection catalog contains only 4 questions, which specifically address GDPR compliance, the protection of personally identifiable information (PII), and the special categories of personal data defined under the GDPR.