Five recommendations for a successful audit
Why TISAX?
TISAX stands for “Trusted Information Security Assessment Exchange”. The so-called “TISAX Label” was introduced in 2017 by the ENX Association, a European association of automotive manufacturers, suppliers and industry associations.
- The label serves as proof to the automotive industry that a supplier has a certain level of security.
- It must be renewed every three years.
- It is required by automotive manufacturers (OEMs) on a contractual basis from their suppliers.
- The TISAX label is based on a common, standardized assessment process implemented through accredited auditors.
In new service tenders, for example, suppliers are required to submit certificates in accordance with certain standards if they are awarded a contract. Often, suppliers then have a “grace period” of twelve months. If a supplier then fails to provide the required evidence, the OEM has the right to discontinue the contracts. Some OEMs also require further information security certifications, for example based on ISO 27001, the global standard for information security management.
ISO/SAE 21434 “Road vehicles – Cybersecurity engineering” is a new standard on the horizon that may become relevant for suppliers in the future.
The auditing
To obtain the TISAX label, the company must submit a self-disclosure in the form of a comprehensive questionnaire to a recognized auditing service provider. This self-disclosure is then reviewed by the auditors. For the highest level of the label, auditors will conduct interviews and on-site visits. The underlying VDA-ISA requirements catalog is based on the ISO 27001 and ISO 27002 security standards, but is more detailed in individual requirement specifications.
Five recommendations for a successful audit
1. Use the TISAX audit to implement an information security management system (ISMS).
Although a TISAX audit can be set up as a project, it must result in an ongoing security process. The company must constantly improve this and respond dynamically to changes in the environment. This includes, for example, new technologies, threats, vulnerabilities, or changes in the organization's activities such as new business areas. Companies that rest on their laurels after a successful initial certification will struggle to renew the TISAX label after three years. Companies with an existing ISMS, possibly even with ISO 27001 certification, can obtain and renew the TISAX label with manageable additional effort.
2. Secure support at all levels of management.
Significant personnel resources may be required for audit preparation and implementation. In addition, various specialist areas, central departments and managers must be involved in the auditing process. It is important that those responsible for information security secure the support of top management in advance and obtain the necessary resources.
3. Define the planned scope with care.
The TISAX label always applies to a specific company site. It is usually more efficient to audit several sites at once. Therefore, the current and potential auditing requirements for all sites must be carefully analyzed in advance. But a word of caution: an overall label covering several sites can be jeopardized by the failure of a single site!
4. Avoid “mothware”.
Some people think that it is sufficient to fill in a large number of templates for security policies and concepts for an audit. This is by no means the case. Auditors attach great importance to verifying that information security is lived as a process. This evidence can be supported, for example, by meaningful KPIs and by fully maintained lists of risks, measures and security incidents.
5. Prepare the audit carefully.
This process starts with the detailed completion of the ISA questionnaire. It has proven useful to summarize the implementation description and document references briefly and precisely under each control question, especially for each individual MUST or SHOULD requirement. In the audit itself, the participants must have this information at hand and be able to present it without a long search. The external audit must be preceded by an internal audit to identify potential “open flanks”. Information security officers should conduct appropriate briefings in advance for all colleagues involved in the audit.
msg supports companies in achieving certification readiness for TISAX as well as for other common information security management standards and, at the same time, is itself audited according to TISAX in individual business units or locations as a supplier to the automotive industry.
Author and contact
Wolfram Funk
Principal IT Consultant
wolfram.funk@msg.group