Antonio Jose Segovia
March 11, 2019
Update 2022-08-11.
You probably know what ISO 27001 is, because it is an international standard, very popular in the information security sector, that helps organizations of all sectors to protect their information. But, did you know that the automotive industry is also interested in information security, and that they even have their own information security standards? In the following article, you’ll learn all the key aspects of the relationship between ISO 27001 and TISAX (Trusted Information Security Assessment Exchange), the information security standard for the automotive industry.
TISAX (Trusted Information Security Assessment Exchange) is a standard developed by the European vehicle manufacturers, suppliers, and organizations, as an assessment and exchange mechanism for information security in the automotive industry. It brings standardization, assurance, and mutual recognition of information security audits compliant with ISO 27001 standards.
Twenty years ago, my mother had a small car, a Renault Twingo, and I was very impressed with it, because it was the first car that I had ever seen with an integrated digital control panel. In that time, this technology was a revolution, because most cars had an analog control panel. At the same time, that was my first experience with any digital technology in a car.
Today, cars are very different, and I don’t know of a current car without some kind of digital technology. Information technology is probably one of their most important parts, because most of our cars are managed by software, and this is very useful, because most actions related to our cars are now automated: tire pressure, speed limit, parking, etc.
If you have a car with Wi-Fi/Bluetooth connection, applications, cameras, etc., then basically, you can say that you have a computer with wheels. And, of course, if your car is like a computer, then threats related to information security also apply to it.
This is why companies in the automotive sector have performed information security assessments, not only of their own systems and processes, but also of their providers’ systems. The problem is that, without a common standard, each assessment may be performed according to different criteria, and the results may also differ.
To establish the assessment and exchange mechanism for information security in the automotive industry, as well as criteria for assessment results exchange, in 2016, the ENX association (an association of European vehicle manufacturers, suppliers, and organizations) developed a standard called “TISAX.”
In 2017, TISAX became aligned with requirements from VDA ISA (VDA is the German Association of the Automotive Industry, and ISA is an abbreviation for “Information Security Assessment”), so this standard is also known as VDA TISAX.
It enables your company to meet industry requirements and demonstrate to your end-users that you take data protection seriously. Besides standardization, TISAX brings assurance and mutual recognition of information security audits in accordance with ISO 27001 standards. In the automotive industry, there is a big demand for TISAX-compliant suppliers, as a guarantee that sensitive data will be adequately protected. This is why becoming TISAX certified gives your company a competitive advantage. Curiously, this standard is very similar to ISO 27001 and the security controls of its Annex A.
The results of the information security assessment can be shared with other members of TISAX; so, for example, if your company is developing a system, software, or any other product for an automotive company (BMW, Mercedes, Renault, or any other), you can share the results of your assessment with them, giving them confidence that you are aligned with the TISAX requirements.
As a standard recognized by the main players in the automotive industry, TISAX ensures a common ground for manufacturers to assess information security risks in their products and implement proper controls to treat them.
Additionally, it also allows assessment information from different manufacturers to be exchanged in a secure manner, as well as to be compared, increasing the understanding of risks and the maturity of the security approach in the industry as a whole. Also, TISAX helps avoid redundant audits.
As mentioned, an important component of TISAX is the VDA ISA requirements (which are really security controls). These are very similar to the information security controls of ISO 27001 Annex A, but add specific security controls for connections with third parties, prototype protection, and data protection.
Essentially, the VDA ISA requirements can be put into four groups: information security, connections to third parties, data protection, and prototype protection.
To learn more about Annex A, read this article: Overview of ISO 27001:2013 Annex A.
For each requirement, TISAX uses maturity levels to indicate its effectiveness, and furthermore, TISAX defines a target maturity for each requirement. So, basically, if you want to implement the VDA ISA requirements and be compliant with TISAX, you need to implement all the requirements at a minimum maturity level.
In ISO 27001, the concept of maturity levels does not exist: you implement only the security controls needed to treat the risks identified during the risk assessment, and you don’t need to define maturity levels for them. But, from my experience, this concept is very useful, because it can help you to improve the ISMS each year.
The maturity levels defined in TISAX are the following:
Table: Maturity levels in TISAX
For example, if this year your security controls are at the maturity level of “2 – Managed,” then clearly you can improve your ISMS next year if these security controls reach the level of “3 – Established.”
For more information about maturity models, this article might be interesting for you: Achieving continual improvement through the use of maturity models.
TISAX is a certifiable standard, which means that once an organization can show compliance with its requirements, it can be audited by ENX-recognized audit providers. If the company successfully passes the audit, it can receive TISAX certification, which is valid for a three-year period, with annual surveillance audits.
Requirements consist of four modules: (1) Information security, (2) Connections to third parties, (3) Data protection, and (4) Prototype protection, with three possible target levels for certification: low, high, and very high.
In TISAX, the PDCA cycle is not mandatory as it is in ISO 27001. You only need to focus on the VDA ISA requirements, although, from my point of view, by clearly defining a PDCA cycle you can improve compliance with these requirements, because you can define a formal Information Security Management System for continual improvement.
And, although I have referred to “controls” in the table of maturity levels, you can also apply the maturity levels to processes, which means that you can use them to improve the risk management process, the internal audit process, the management review process, etc.
As you can see in this article, TISAX and ISO 27001 are very similar, and one of the most important concepts of TISAX, the maturity levels, is compatible with ISO 27001 and can help you to improve your ISMS. And, of course, if you are on the TISAX side, the PDCA cycle of ISO 27001 can also help you to improve your organization.
So, basically, both standards are compatible, and they can work together to help your organization to improve both your processes and your security controls!
To learn how to implement ISO 27001 in your company through a step-by-step wizard, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.