TISAX

I want to tell you that in my youth I was an accountant, many years ago, I would say in another life; however, this other career helped me enormously to understand the administrative, accounting and tax side of companies. I am honest with you, I talk very little about this. However, I would like to comment that in my work career I was in the automotive and metalworking industry in Mexico. Without a doubt this economic sector has developed a lot lately, and I consider that it is the result of a series of events and transformations that include, on the one hand, the evolution towards globalization of the sector at the international level, as well as the alignment with industrial policy at the national level; aspects that have allowed it to maintain a process of constant evolution.

A little context: currently the automotive market in Mexico and other manufacturing nations represents a very important strategic economic pillar. A few years ago I worked for Gestamp México, in the IT area of course. Even when we were immersed in ISO certifications, at that time the exchange of information between companies was very complicated; there were no uniform rules and there was a lot of bias towards large companies.

In this way I would like to tell you that I would have liked the framework for the TISAX® certification and the ENX Association to be there then. Now, as the years have passed and as it has evolved, I understand that it has become a control requirement for companies in the German automotive industry. Even though a few years have passed, I consider that the contribution of this standard would, at the time, have boosted the growth of the company even more.

“Information security used to be considered an individual concern for each individual company”

Well, what is TISAX? First, its origin: it was created by the VDA (the German automobile industry association) and is managed by the ENX Association, which evaluates and confirms the status of audit providers approved by TISAX®. Going deeper, TISAX is an automotive industry standard built on a catalogue, the Information Security Standard (ISA), that covers key aspects of information security such as data protection and connection to third parties:

TISAX (Trusted Information Security Assessment Exchange)

Companies in the automotive industry have to demonstrate at regular intervals of three years that they meet the security criteria required for their sector. The basis for this test is the catalogue of VDA-ISA requirements issued by the Automotive Industry Association (Verband der Automobilindustrie, VDA). The VDA-ISA catalogue includes the key aspects and criteria of the ISO 27001 standard, and this is where it relates a little more to my IT profile. At present it is internationally recognized and provides additional criteria and controls that apply specifically to the automotive sector, such as third-party involvement and protection of prototypes, which is very important. In addition, there is a fully developed and complete audit and exchange mechanism.

“The current version of the ISA standard was issued in 2020”

Let us remember this: with the need to keep information more secure, the large German automotive manufacturers have expanded their consideration and have begun to request that their suppliers implement stricter, mandatory security controls for the exchange of information in any of their operations.

ENX COMMUNICATION NETWORK

ENX® is a joint development of the European automotive industry for the secure exchange of critical development, purchasing and production control data.

I have found in practice that ENX security service management provides a high level of security across the enterprise, and its high levels of underlying network service allow ENX to be as open and flexible as the public Internet.

Protect the reputation of the brand and build customer loyalty.

We know that in our digital era, information security needs extend from automotive suppliers to marketing companies and other involved parties. It is a fact for everyone that the main need is to protect, as much as possible, projects or design information, prototypes or secret investment plans, large ingestion of data and process information linked to new digitalization concepts, the development of autonomous cars, interconnections within the supply chain network, and customers' personal data, among others.

There are two roles within the exchange model, which each participating company can assume, according to its needs:

A passive participant, say an OEM (automobile manufacturer), requests that another company, for example a supplier, undergo an assessment and requests access to the results of the assessment.

An active participant, for example a supplier, is called upon by another company, say an OEM or customer, to undergo an assessment, or agrees to conduct an assessment on its own initiative. Once it is completed, the active participant makes it possible for selected companies (e.g. OEMs) to gain access to the evaluation results.

The requirements of the TISAX certificate protect both computer systems and any other information that has value for the organization, whether it is facilities, security controls, files, or connections to third parties.

The VDA requirements contemplate compliance with four blocks of controls:

  • 64 controls for information security.
  • 4 controls on the relationship with third parties.
  • 22 controls for the protection of prototypes.
  • 4 controls on GDPR protection of personal data.

I have found that original equipment manufacturers (OEMs) increasingly recognize, and in some cases require, that the TISAX® trust seal be obtained; they know that it is a demonstration of compliance with information security requirements by an organization.

How it helps us:

  • We can immediately realize that it prevents duplication of evaluations and allows for common recognition of evaluation results.
  • Facilitates the renewal of existing supplier contracts.
  • Provides business development opportunities thanks to recognition from the entire sector.
  • It addresses the specific requirements of the automotive sector and establishes a common level of information security in the sector.
  • It is very solid because it inspires confidence throughout the entire automotive supply chain.
  • Drives efficiency for both manufacturers and suppliers.
  • ISO/IEC 27001 clauses are referenced throughout the ISA so that companies can easily align supply chain security management with any ISO/IEC 27001 information security management system used in their organization.

I tell you that there are 3 levels of TISAX® evaluation. We must select the appropriate level in the registration phase, so we must rely on a certifying entity.

  • AL 1: Auditee self-assessment, assessment of the auditee's existing self-declaration.
  • AL 2: Checking the plausibility of the self-assessment limited to the evaluation of the evidence and an interview with an expert.
  • AL 3: Complete evaluation that includes evaluation of evidence, on-site inspection and interviews with experts.

This is a type of certification that is being required more frequently in entities that are part of the supply or manufacturing of components for clients in the automotive sector, such as machining, stamping, or metalworking, and that require a “reliable exchange of information security assessment.”

I am sure that service providers in the automotive industry have an area of opportunity; this is provided by the mechanisms to transmit and demonstrate to our clients that we can comply with information security standards and controls.

In this way, I invite you to provide me with your comments, which undoubtedly provide knowledge to those who are starting out in this part of the business and which can make us more competitive and stronger in the global market.

If you made it this far, I thank you for taking the time to read this. Greetings from Mexico.

Your friend,

Rubén Bernardo Guzmán Mercado
