TISAX, Ensuring Information Security in the European Automotive Industry

The automotive industry has never been more challenging or competitive. Amid changes in global economies, regulations and market dynamics, automakers are now having to prioritise technological development to ensure their vehicles are not lagging behind the level of innovation that the market currently demands.

Manufacturing for automotive is becoming increasingly digital, driven by the technologies that are creating new user experiences. In Europe, the auto industry is by far the biggest spender on R&D, investing an impressive €60.9 billion this year alone. However, whilst these changes bring positive improvements to the industry, they also introduce increased risks.

IT security plays a critical role in the automotive sector. Focused on innovation, automakers and suppliers greatly fear industrial espionage and digital theft, so they expend considerable energy to ensure their systems remain functional and their trade secrets remain protected.

Manufacturers, suppliers and others operating in the automotive industry demand a certain level of security from their business partners. This is why companies in the automotive sector have performed information security assessments, not only in their own systems and processes, but also in their providers’ systems. But the problem is that without a common standard, each assessment may be performed according to different criteria.

Getting to grips with the TISAX assessment process

In order to secure the constantly increasing connectivity, the VDA (German Association of the Automotive Industry) and the ENX Association (an association of European vehicle manufacturers, suppliers and organisations) developed TISAX – a standard that evaluates IT security measures as relevant to the automotive sector. TISAX was derived from ISO 27001 and adapted to the specifics of the industry. With results published online by ENX, OEMs are able to verify for themselves whether a service provider or supplier meets the assessment standard.

The idea is to create added value to data exchanges between manufacturers and suppliers in order to reduce costs and save time. For instance, to what extent can a manufacturer “trust” a supplier or another partner? And how will the confidential information be properly handled and protected?

If you’re an automotive supplier or service provider, TISAX compliance has become a prerequisite for doing business with any major German automobile company including the likes of Volkswagen, BMW, Audi, Porsche, Mercedes and Daimler. However, like many other data security mandates, TISAX is only a few years old, and many organisations are still searching for the right approach to it.

Ensuring Process Adherence

Externally audited TISAX assessment results are now a key requirement in European supplier selection processes, so self-assessment and the capability to continuously improve are critical to remaining competitive. To achieve certification, organisations need to show that they can follow these, and other, rules. They also need to document their processes so that they can continuously prove compliance during recertifications.

These businesses need to ensure standards are maintained and rely heavily on internal audits and the services of independent consultants, as the cost of not meeting TISAX requirements both for current and new contracts can have a significant impact on supplier revenue. However, when there is a failure to meet the specifications of the audit, there is no connected and managed process to investigate and carry out corrective actions.

Ease Inc. has taken the model of the Excel sheet distributed to help companies perform internal audits and overlaid it onto their layered process auditing platform. This allows TISAX self-assessments to be scheduled and tracked, performed on a mobile device regardless of internet connection, provide the output report and most importantly identify, assign and manage failures and mitigations which occur during the self-assessment process. This allows automotive supply chains to be fully aware at all times of the TISAX assessment levels in all of its plants, with results accessible through one single dashboard.

It can be assumed that TISAX assessments will become more and more important. As maturity requirements increase, then so does audit frequency and burden, especially for higher risk services such as prototyping and innovation. This is where quality becomes a key competitive differentiator, where global operations and cost pressures have pushed automakers and their suppliers towards large, extended sourcing and supply chain operations. At the same time, however, compliance and regulations have been increasing, and the industry has moved into the digital world. All these factors result in an increasing demand for flexible, upgraded management systems that can automate field-level quality management tasks and provide real-time monitoring and transparency.