VDA ISA IMPLEMENTATION FOR AUTOMATIVE

The VDA ISA stan­dard for infor­ma­ti­on secu­ri­ty in the auto­mo­ti­ve indus­try pro­vi­des audi­ta­ble and uni­form spe­ci­fi­ca­ti­ons for mar­ket par­ti­ci­pan­ts. Fol­lo­wing the intro­duc­tion of an ISMS based on VDA ISA, a TISAX® audit or cer­ti­fi­ca­ti­on is per­for­med by an ENX-accre­di­ted test­ing ser­vice provider.

Note: TISAX® is a regis­tered trade­mark of the ENX Asso­cia­ti­on. SEC4YOU has no busi­ness rela­ti­onship with the ENX Association.

The advan­ta­ges of VDA ISA and TISAX®

TISAX® is com­pa­ra­ble to ISO 27001

The VDA ISA cata­log is based on sel­ec­ted con­trols of ISO/IEC 27001, but spe­ci­fies the requi­red imple­men­ta­ti­on in gre­at detail in many mea­su­res. As a result, a TISAX® cer­ti­fi­ca­te can replace an ISO 27001 certification.

Uni­form safe­ty level in the auto­mo­ti­ve industry

Despi­te a lar­ge num­ber of Euro­pean test­ing ser­vice pro­vi­ders, the TISAX® label is award­ed strict­ly accor­ding to uni­form spe­ci­fi­ca­ti­ons. Mar­ket par­ti­ci­pan­ts the­r­e­fo­re rely on the uni­form safe­ty level of TISAX® cer­ti­fied companies.

TISAX® cer­ti­fi­ca­ti­on is requi­red for new sup­p­ly con­tracts with OEMsSchweinwerfer

If infor­ma­ti­on is exch­an­ged with OEMs and pro­ces­sed for them, the­se cli­ents requi­re a TISAX® label “Infor­ma­ti­on Secu­ri­ty High” or “Infor­ma­ti­on Secu­ri­ty Very High” from the auto­mo­ti­ve sup­pli­ers as a mini­mum. When hand­ling pro­to­ty­pes, addi­tio­nal­ly “Pro­tec­tion of pro­to­ty­pes”. The purcha­sing depart­ments of the lar­ge OEMs such as BMW, Audi, Volks­wa­gen and others now also demand TISAX® from small companies.

Reduc­tion of effort for audits by OEMs

The num­ber of indi­vi­du­al audits and sup­pli­er sur­veys is signi­fi­cant­ly and sus­tain­ab­ly redu­ced by TISAX® cer­ti­fi­ca­ti­on. Cer­ti­fied sup­pli­ers are reli­e­ved by the eli­mi­na­ti­on of the­se time-con­sum­ing indi­vi­du­al audits. Once TISAX® labels have been issued, no fur­ther audits are requi­red for a peri­od of 3 years.

Reco­gni­ti­on out­side the auto­mo­ti­ve industry

A TISAX® cer­ti­fi­ca­ti­on accor­ding to Pro­tec­tion Level “Infor­ma­ti­on Secu­ri­ty High” or “Infor­ma­ti­on Secu­ri­ty Very High” is con­side­red by experts to be of hig­her qua­li­ty com­pared to ISO 27001 cer­ti­fi­ca­ti­on. The­r­e­fo­re, the TISAX® label speaks for the qua­li­ty of a company’s infor­ma­ti­on security.

Ques­ti­ons? Free ans­wers here!

The imple­men­ta­ti­on of VDA ISA until the suc­cessful com­ple­ti­on of the TISAX® assessment

We recom­mend car­ry­ing out the imple­men­ta­ti­on in the fol­lo­wing steps and pro­vi­de sup­port in all pha­ses with con­sul­ting and pro­ject management:

Defi­ni­ti­on of the Pro­tec­tion Level

The requi­re­ment as to which pro­tec­tion level (high or very high) is neces­sa­ry is usual­ly the respon­si­bi­li­ty of your cus­to­mer (OEM). It is important to cle­ar­ly com­mu­ni­ca­te which TISAX® label(s) is/are requi­red and by what date.

GAP ana­ly­sis

In an initi­al GAP ana­ly­sis, an audi­tor or con­sul­tant com­pa­res the matu­ri­ty level of infor­ma­ti­on secu­ri­ty against the requi­re­ments of the VDA ISA cata­log. Befo­re imple­men­ta­ti­on, the tar­get matu­ri­ty level of 3.00 is usual­ly not achieved.

Imple­men­ta­ti­on VDA ISA and ISMS

The VDA ISA cata­log is divi­ded into the sec­tions Info­Sec Gui­de­lines and Orga­niza­ti­on, Human Resour­ces, Phy­si­cal Secu­ri­ty and Busi­ness Con­ti­nui­ty, Iden­ti­ty and Access Manage­ment, IT Secu­ri­ty and Cyber­se­cu­ri­ty, Sup­pli­er Secu­ri­ty, and Com­pli­ance. A matu­ri­ty level of 3 “Estab­lished” must be achie­ved in all sec­tions. SEC4YOU can bring pro­ven TISAX® com­pli­ant ISMS tem­pla­tes (inclu­ding poli­ci­es, ISMS manu­al, risk manage­ment, pro­cess descrip­ti­ons, con­tin­gen­cy plans) to this stage.

Pre-audit

In the cour­se of a pre-audit, a TISAX® expert per­forms a GAP ana­ly­sis and docu­ments devia­ti­ons from the tar­get matu­ri­ty level. The­se can be eli­mi­na­ted in this pha­se until the TISAX® audit.

TISAX® audit by the sel­ec­ted test­ing ser­vice provider

The audit by the test­ing ser­vice pro­vi­der is car­ri­ed out with the invol­vement of the spe­cia­list depart­ments and detail­ed exami­na­ti­on of evi­dence. In the first pha­se of the audit, the com­pa­ny must car­ry out a self-assess­ment and, if pos­si­ble, pro­vi­de docu­men­ted evi­dence for the indi­vi­du­al controls.

If the audit is suc­cessful­ly com­ple­ted, the TISAX® label(s) is/are valid for 3 years.

VDA ISA Reifegrad 0-1VDA ISA Reifegrad 3

Nice to know

  • What is the con­nec­tion bet­ween VDA ISA and TISAX®?

    The free­ly available VDA ISA cata­log is available in the cur­rent ver­si­on 5 both via the VDA web­site www.vda.de and via the TISAX® por­tal www.tisax.net and forms the basis for the TISAX® assess­ment. An appoin­ted TISAX® audi­tor asses­ses the infor­ma­ti­on secu­ri­ty of a com­pa­ny in the cour­se of an audit on the basis of the VDA ISA cata­log and appli­es to ENX for the TISAX® label(s).

    How much effort does a TISAX® cer­ti­fi­ca­ti­on require?

    Depen­ding on the matu­ri­ty of the exis­ting infor­ma­ti­on secu­ri­ty poli­ci­es and pro­ces­ses and the size of the com­pa­ny, even small com­pa­nies need at least 20 per­son-days to imple­ment the IDA-ISA requi­re­ments. It is man­da­to­ry for the com­pa­ny to have an infor­ma­ti­on secu­ri­ty offi­cer or CISO for day-to-day ope­ra­ti­ons, but this role does not have to be a full-time position.

  • Which TISAX® labels are there?

    The­re are eight dif­fe­rent TISAX® labels that can be requi­red of a partner:

    • Infor­ma­ti­on secu­ri­ty with pro­tec­tion requi­re­ment “high”
    • Infor­ma­ti­on secu­ri­ty with pro­tec­tion requi­re­ment “very high”
    • Pro­to­ty­pe pro­tec­tion ( 4 different)
    • Data pro­tec­tion ( 2 labels, “Data” and “Spe­cial data”)

    Infor­ma­ti­on secu­ri­ty cer­ti­fi­ca­ti­on includes 43 con­trol objec­ti­ves, with a high num­ber of must and should requi­re­ments. The cer­ti­fi­ca­ti­on of the addi­tio­nal cata­logs Pro­to­ty­pe Pro­tec­tion and Data Pro­tec­tion requi­res man­da­to­ry basic audi­ting accor­ding to infor­ma­ti­on secu­ri­ty “high” or “very high”. The pro­to­ty­pe pro­tec­tion cata­log com­pri­ses 22 con­trol objec­ti­ves. The data pro­tec­tion cata­log has 4 con­trol objectives.

  • How is the matu­ri­ty level of infor­ma­ti­on secu­ri­ty determined?

    The VDA ISA cata­log defi­nes the matu­ri­ty levels from matu­ri­ty level 0 “Incom­ple­te”, through 1 “Per­for­med” and 2 “Con­trol­led” to the tar­get matu­ri­ty level 3 “Estab­lished”. The matu­ri­ty level “Estab­lished” is defi­ned in the IDA ISA cata­log as follows:

    A stan­dard pro­cess is fol­lo­wed that is inte­gra­ted into the over­all sys­tem. Depen­den­ci­es on other pro­ces­ses are docu­men­ted and sui­ta­ble inter­faces have been crea­ted. Evi­dence exists that the pro­cess has been used sus­tain­ab­ly and actively over an exten­ded peri­od of time.”

  • How long does a TISAX® audit take?

    The pre­pa­ra­ti­ons for a TISAX® cer­ti­fi­ca­ti­on take 6–12 months on avera­ge, whe­re­as the exe­cu­ti­on of the audit by the audit ser­vice pro­vi­der usual­ly takes only 1–3 days. In the case of “very high” pro­tec­tion requi­re­ments and pro­to­ty­pe pro­tec­tion, it is man­da­to­ry to con­duct an on-site audit; in the case of “high” pro­tec­tion requi­re­ments, the audit can also be con­duc­ted remotely.

  • Are the­re pri­ce dif­fe­ren­ces or com­pe­ti­ti­on among test­ing ser­vice providers?

    At the start of the year 2022, the ENX Asso­cia­ti­on alre­a­dy lists 13 inspec­tion ser­vice pro­vi­ders, 5 of them in Aus­tria, which are in free com­pe­ti­ti­on. It makes sen­se to compa­re the com­mer­cial offers and avai­la­bi­li­ty of the inspec­tion ser­vice pro­vi­ders and, if neces­sa­ry, to have a first non-bin­ding dis­cus­sion with the auditor.

  • Do I recei­ve a TISAX® cer­ti­fi­ca­te with which I can advertise?

    Unfort­u­na­te­ly no, the con­fir­ma­ti­on of the TISAX® label(s) (often also cal­led “cer­ti­fi­ca­te”) takes place exclu­si­ve­ly in the ENX por­tal. In this por­tal, com­pa­nies can publish their TISAX® labels for all or sel­ec­ted busi­ness part­ners and con­trol the rea­ding rights indi­vi­du­al­ly on a gra­nu­lar basis.

YOUR ADVANTAGES

  • Cer­ti­fied sta­te-of-the-art infor­ma­ti­on security

 

  • Uni­form secu­ri­ty level in the auto­mo­ti­ve industry

 

  • Redu­ced effort due to eli­mi­na­ti­on of indi­vi­du­al audits and sup­pli­er surveys

 

  • TISAX® cer­ti­fi­ca­ti­on requi­red for new sup­p­ly contracts

QUICK LINKS

Ques­ti­ons about Secu­ri­ty Awa­re­ness? Would you like to talk to an expert?