March 9, 2022


Digital transformation and information security have become key elements in all industries, especially in the Automotive Industry.

Information is a very important asset, a source of competitive advantage, which is why it requires special protection. The protection of Confidentiality, Integrity, Availability of information has become a challenge, combined with operational efficiency and business continuity.

The increase in cybercrime has been the order of the day, especially during the pandemic, now talking about different Cybercrime Cartels.

The German Association of the Automotive Industry (VDA for its acronym in German), seeking to generate confidence in the automotive sector, launches the catalog of controls necessary for information security (Information Security Assessment-ISA-) which gives rise to the VDA- ISA and thus gives rise to TISAX, Trusted Information Security Assessment eXchange).

A peculiarity of TISAX is that it contains information security controls as well as controls for the protection of vehicle prototypes and parts that have not been presented to the public. To better understand what is stated in this document, I suggest familiarizing yourself with the concepts of TISAX. There are several sources of information about its origin, requirements, controls, certification process, among others, it is suggested to visit the official TISAX portal.

Long before the existence of TISAX, I have had the pleasure of doing many third-party audits for international certification bodies, in different standards, including ISO/IEC 27001, 27017, 27018, 22301 in different sectors, including the Automotive sector in countries such as USA, Mexico, Peru, Uruguay. Migrating to TISAX having the necessary experience in ISO/IEC 27001 was part of the evolution.

In this article I seek to share with you some typical findings that I have found in the last TISAX certification audits that I have had the pleasure of carrying out in different plants of the Automotive Sector, in some cases they have represented Non-Conformities, as well as to clarify some false beliefs about TISAX. I'm sure you'll find the tips very helpful as part of your implementation.

Does TISAX apply only to the IT area? = false belief

Let's not forget that the information can be represented in different media, one of them is the electronic media, the information can be in written media, it can be in corporate videos within the intranet, on paper, in the minds of the collaborators. The Automotive Sector is one of the most automated global manufacturing industries, this implies equipment and machinery connected to the network. Therefore, only thinking about the IT area becomes very limited when thinking about a TISAX implementation, since the information flows through the organization's processes.

Common Finding 1: Information Asset Inventory

Requirement of TIXAX – VDA ISA 5.0.4

This control tends to be confused with the Asset Inventory that is normally kept in an IT area, where the organization's computer equipment, servers, monitors, UPS, etc., are normally found, all with their serial number, state of the guarantee, among other important columns that are typically carried.

Although the column of non-negotiable requirements (Requirements must) is clear on several occasions I have been presented with the classic IT asset inventory.

The Information Security Risk asset inventory is a valuable element prior to Information Security Risk Management, it must work with a different approach to the classic IT Inventory, in this inventory the digital information is a line, installed applications is another line, hardware is another line, operating system is another line, collaborators are another line, as well as physical information.

As a reference, I suggest consulting the ISO/IEC 27005:2018 Information Security Risk Management standard, Annex B.

Common Finding 2: Relationships with Suppliers

Requirement of TIXAX – VDA ISA 5.0.4

The automotive industry is mature in the implementation and management of international regulations and standards such as IATF, ISO 9001, 14001, among others, so I have found that supplier management in general is carried out correctly.

When auditing TISAX, I have normally been presented with the inventory of suppliers that apply to IT, sometimes with some classification as critical and their respective signed confidentiality agreements.

Bearing in mind that today there is industrial equipment connected to the Internet with remote support agreements by the manufacturer, auditing some technical support connections to industrial equipment, it has been interesting to see that the connection has been made by a collaborator who no longer works at the provider.

The lesson learned at this point and based on the information security approach and the suggestion to the supply areas in conjunction with the IT area is that it is not enough just to have the supplier classified as critical and to have a signed confidentiality agreement. .

It is necessary to go deeper, to understand if the provider's personnel will be connected to any asset of the organization, it can imply in demanding some more things at the contractual level from the provider, such as compliance with a user and access management policy, guaranteeing that if an employee of the provider is terminated.

Your user by trade will be deleted, especially the one you use to connect to plant assets. It has been common to find that this control is not carried out thoroughly, but it is also understandable that for this reason it is one of the TISAX controls.

Elder A. Guerra V.

CEO ES Consulting

INLAC Registered Expert ISO/IEC JTC 1/SC27/WG1 Information security,cybersecurity and privacy protection

For more information on this and other topics
you can send us a message

contact us