The modern automotive industry faces many new challenges. As vehicles evolve with more complex data requirements and supply chains become increasingly interconnected, major Original Equipment Manufacturers (OEMs) require certain Standards as a mark of trust from potential suppliers. Currently, this trust is codified in TISAX (Trusted Information Security Assessment Exchange). For businesses that have not previously dealt with Standards, TISAX can be seen as a daunting regulatory hurdle. However, a TISAX label is more than a compliance check: it's a recognised mark that your organisation has robust information security measures in place specific to the automotive industry, including considerations for protecting key intellectual property and prototype innovations.

In this episode, Ian Battersby is joined by Emma Coxhill, isologist at Blackmores, to explore what TISAX is, who it applies to, what it requires and how OEMs and automotive suppliers can take their first steps towards earning a TISAX label.

You'll learn
· What is TISAX?
· Who is TISAX applicable to?
· Why is TISAX important?
· What are the 3 assessment levels within TISAX?
· What are the 3 different subject areas within TISAX?
· How is TISAX implemented?
· Why does TISAX use labels instead of certificates – and how can people verify these?
· What is the ENX portal and how does this help with supplier onboarding?
· Where should companies start if they want to earn a TISAX label?

Resources
· Register for our TISAX webinar here
· ENX
· Isologyhub

In this episode, we talk about:

[02:05] Episode Summary – Emma Coxhill joins Ian to dive into the topic of TISAX, including who it's applicable to, why it's important and how businesses can make a start on earning a TISAX label.

[03:40] What is TISAX? TISAX was developed for the automotive industry by the German Association of the Automotive Industry (VDA), and it's managed by the ENX Association. It's based on the ISO 27001 Annex A controls, and was created because the automotive industry was looking to standardise the framework for assessing and sharing information security results between manufacturers and their suppliers.

[04:40] Who is TISAX applicable to? While it is aimed at the automotive industry, it encompasses quite a lot of businesses within it, because it applies to any organisation that handles sensitive data relating to vehicle development, manufacture and marketing. This can include any company providing car parts, vehicle software, cloud services, testing labs, engineering etc. Basically, any service provider to OEMs (original equipment manufacturers) will be in scope. TISAX can also apply to those dealing with automotive-related events, marketing and photography, as new models are protected IP, and related businesses will be required to prove that they have the correct security measures in place to ensure any prototypes are protected.

[06:50] Why is TISAX important? Mainly, it gives the automotive industry a trusted, standardised way to ensure information security across the entire supply chain. Without it, OEMs and suppliers can conduct their own audits, but each would be applying its own interpretation of what counts as an adequate level of security. The industry saw this as an open door to chaos, so TISAX was created to protect highly confidential automotive information and support compliance with relevant data protection laws. Now it's not so much a 'nice to have' Standard as a requirement to trade, especially within Europe. It's fast becoming a tender requirement, and many OEMs won't take a supplier past the procurement process without a valid TISAX label. The ENX portal, where labels are registered, can also help speed up the onboarding process. So, the whole TISAX system has been built for ease of access, to help manufacturers choose suppliers that prioritise information security.

[09:00] What's the consequence of not having a TISAX label? A loss of opportunities. Those within the automotive industry that don't have a valid label will be seen as a security risk, leaving them at a competitive disadvantage.

[10:30] What are the 3 levels within TISAX? Unlike ISO 27001, TISAX has levels that depend on the sensitivity of the data you're dealing with.
Level 1: Self-assessment – Considered 'normal risk', with general processing of data.
Level 2: Remote Audit – Applicable to those dealing with confidential information such as design documents or internal projects. This requires both a self-assessment and an audit.
Level 3: On-site Assessment – Highly confidential information, so this applies to those dealing with sensitive research, development information or prototype data etc. This requires a physical on-site assessment, as the qualified TISAX auditor will need to ensure that you have the appropriate physical security measures in place.
Most businesses will require level 2, but if you're looking to work with high-spec OEMs, then level 3 is more desirable.

[12:00] What are the 3 subject areas within TISAX? The 3 main areas are as follows:
Information Security: This covers general information security controls such as relevant policies, access controls, risk management, incident handling and secure operations.
Prototype Protection: This focuses on safeguarding physical and digital prototypes, design data, test vehicles and confidential development information.
Data Protection: This ensures proper handling of personal data in line with legal requirements such as GDPR.
If you're just doing a self-assessment, you can pick the areas which are most relevant to you. If you've been asked to earn a TISAX label, the requesting party will usually tell you their preferred subject areas. Many opt for information security, but data protection is also quite common. The prototype section is more specialist and not applicable to all businesses.

[14:00] How is TISAX implemented? There are a few stages to gaining a TISAX label:
Awareness – Learn the requirements for TISAX and plan for the project ahead. This may include asking your clients what they expect of you from an information security perspective and working out costs for assessments and any additional support. The ENX website has a lot of really useful info, including a handbook and a copy of the self-assessment.
Preparation – This is where you need to define your TISAX scope and register yourself on the ENX portal. Your scope needs to specify your selected level (1, 2 or 3) and the subject areas you'll be focusing on. You also need to include the locations within scope, which have to be listed one by one (not simply 'all offices in the UK', for example).
Self-Assessment – The template for this can be downloaded from the ENX website. This is essentially a gap analysis that grades your current level of compliance with the TISAX requirements. It includes a scoring mechanism, where you'll be aiming for 2.71, as that's the pass mark. This self-assessment will highlight what gaps you need to fill before going ahead with an external assessment.
Implementation – This is where you bridge the gaps highlighted in the self-assessment. This will involve creating the documentation required by TISAX and updating existing systems to align with the requirements. Before going ahead with external assessments, we highly recommend you conduct some internal audits to ensure you're ready.
External Assessment – Whether this is remote or on-site, you need an official TISAX auditor to perform the assessment. A list of approved TISAX auditors is available on the ENX portal; we recommend getting a few quotes to get the best price. We also recommend requesting a kick-off meeting so you can have a chat with your auditor about the requirements and how they'd like to review the required evidence of compliance.
The assessments are similar to those for an ISO certification, and are broken down into 2 segments. One is a document/evidence review and the other is done with both parties present to go through the findings, review further evidence and question any gaps found. Again, similar to ISO, you may receive minor non-conformities, non-conformities, opportunities for improvement or observations in the final report. If you get any non-conformities, you'll need to provide an action plan within 2 weeks of your assessment to address them. You will then be allowed a few months to implement the corrections, which will be reviewed and approved by the auditor before you receive your label. If you only received opportunities for improvement, then you'll get a label straight away.

[20:40] Why does TISAX use labels instead of certificates – and how can people verify these? Taking ISO 27001 as a comparison, that certification has a blanket framework that can apply to every business. While you can exclude small bits, the vast majority applies to everyone. TISAX is scaled according to the level of security you're dealing with: businesses can pick both different levels and different subject areas for their label. Another key difference is that labels can only be verified through the ENX portal. This is where other TISAX participants can see who has which label, including the details of level and selected subject areas. Businesses can still choose to state TISAX compliance on their website, but the details regarding the level of compliance only need to be seen by relevant individuals.

[22:05] What is the ENX portal and how does this help with supplier onboarding? The ENX portal is accessible through the ENX website. It does require a fee to make an account, but this is where everything related to TISAX is managed. This is where you wi