
What Is This TISAX® Thing Everyone Is Talking About?

Updated: Oct 4, 2022

ENCONA hosted a free webinar on 21 September 2022, moderated by our Marketing Manager, TARRYN JORDAAN, who was joined by Armin Obstbaum, Brandon Roux and Stefan Lindhuber.


Established in early 2017, the TISAX® testing and exchange mechanism was founded on the German Association of the Automotive Industry (VDA) catalog of ISA (Information Security Assessment) requirements, which is largely based on the international ISO/IEC 27001 standard. The platform provides members throughout the value chain with a standardized assessment of their information security status that can be shared with partners working throughout the automotive industry. Standardized TISAX® assessment eliminates unnecessary and duplicate audits, saving you both time and money. We introduce the TISAX® assessment process to you in this webinar.


The recording is available for you to watch, or you can find it on our podcast. Feel free to share it. The slides used are available for download below:

ENCONA _ WEBINAR _ What Is This TISAX Thing Everyone Is Talking About_.pdf (PDF, 572KB)


Our network of global, qualified, and expert consultants in the TISAX® arena is available to help guide you through this project in your organization and prepare you for assessment. In addition, we offer Introduction to TISAX training (2 half days online or 1 full day in-person) aimed at managers or team members involved in the labeling process or kicking it off, or the more detailed VDA TISAX with ISA training (2 half days online or 1 full day in-person), which includes the self-assessment questionnaire.



Last but not least, in response to the question posed by Jacob: "According to VDA ISA 5, it is stated in clause 8.3.1 that it is possible to exempt the transport of vehicles, components or parts classified as requiring protection arranged are a measure in accordance with customer requirements. What evidence can I show with the TISAX (or format) to comply with point 8.1.2 of IATF 16949, and do I consider the TISAX as an integrated software or a tool? And, if a company is still implementing a TISAX program, how long is the recommended time to bring all requirements to fruition? Considering projects that are 4 years old."

According to VDA ISA 8.3.1, a process for obtaining client-specific requirements for the transport of vehicles, components, and parts classified as requiring protection must be described and implemented. These security specifications defined by the client must be made known and complied with. In case of security-relevant incidents, the necessary communication to the client must be defined and actually practiced in this way.

In this respect, the VDA ISA catalog does not deviate in essence from the confidentiality requirements of IATF 16949:2016 and ISO 9001. As proof, the requirements documented in writing will be necessary and, in the case of incidents, the documented information about the prescribed communication with the client.

If someone wants to carry out both certifications, quality management and information security management must be intertwined in such a way that the corresponding process fulfills the requirements of both regulations in any case. The two systems must become one integrated system so that no process regulations exist more than once - or even worse - in a deviating manner. This must be avoided at all costs.

TISAX itself is neither software nor a tool. The label describes the fulfillment of the requirements contained in the VDA ISA catalog, just as a certification reflects conformity to the corresponding standard.


If someone follows the security requirements specified by the customer, it is not relevant whether the project is already 4 years old, but whether the specified confidentiality is still required; contractual specifications often remain in force longer. It depends on the current requirements of the customer.

However, for a successful TISAX assessment, all audited processes must be compliant and without any deviation. The recommended time is "asap", as the action plan must be submitted to and confirmed by the auditor performing the assessment, and the included actions must be implemented strictly within the agreed timeframe. And time is always running out. In our experience, no auditor will make an exception for non-compliant actions, and you can't relativize these requirements in risk management because they are "must" requirements.

We hope that we have been able to answer the question to your satisfaction!
