Hanout Seminar TISAX 25 APR 2023


Knowledge Solutions

Information Security in the Automotive Industry and the TISAX® Standard

Seminar | 25 April 2023

Agenda
• Introduction
• Impact on the automotive industry
• Assessment levels
• Sample controls
• Related ISO standard

TISAX® Overview – What is TISAX®?
Trusted Information Security Assessment Exchange (TISAX®)
SGS is a TISAX® Audit Provider

TISAX® is an assessment and exchange mechanism for the information security of enterprises and
allows recognition of assessment results among the participants.

If you want to process sensitive information from your customers or evaluate the information security of
your own suppliers, TISAX® supports you in reducing efforts.

TISAX® is based on the Information Security Assessment (ISA) – a catalog of requirements concerning
ISO/IEC 27001 – developed by the German Association of the Automotive Industry (VDA).

TISAX® Overview – What is TISAX®?

Trusted Information Security Assessment Exchange (TISAX®)

The ENX Association acts as the governance organization within TISAX® and is responsible for the
further development of TISAX®, the monitoring of TISAX® audit providers and assessment execution, as
well as quality assurance.

The TISAX® assessment scheme ensures a uniform level of information security among car
manufacturers, service providers and suppliers.

It helps to protect data by ensuring integrity and availability in the manufacturing process. A dedicated
online platform allows the exchange of information security assessment results within the automotive
sector.

TISAX® – Impact on the automotive industry
Not only IATF-certified customers – much more!

Generally, all companies that work with information and/or have an IT connection with an automotive supplier or customer are potential customers for TISAX® assessments.

Some examples from different business sectors:

• A potential customer could be a caterer that operates a canteen
• A potential customer could be a disposal / recycling company
• A potential customer could be an IT service provider
• A potential customer could be a temporary employment company
• A potential customer could be a company in the marketing sector
• A potential customer could be a call centre that does acquisition for another company (e.g. an automotive company)

Many more different services executed by suppliers for automotive companies lead to more potential TISAX® clients.

Major Components of TISAX®

Trusted Information Security Assessment Exchange (TISAX®)

Information Security
- All basic controls based on the standard ISO/IEC 27001

Prototype Protection
- Includes prototypes of classified vehicles, components and parts
- Applied for protection classes High and Very High according to VDA ISA

Data Protection
- Compliance with Art. 28 of the EU General Data Protection Regulation
TISAX® Assessment Level
TISAX uses Assessment Levels (ALs) to differentiate between various intensities and methodologies
according to different needs of the auditee. In general, a higher AL increases the accuracy of the
assessment as well as the efforts needed to complete the assessment.

The ALs are designed to provide sufficient accuracy depending on the requirements. There are three
possible assessment levels:
AL 1: Assessment of the existence of a self-declaration (self-assessment) of the auditee
AL 2: Plausibility check of the auditee’s self-assessment conducted by an audit provider (i.e., evaluation of evidence and an expert interview)
AL 3: Detailed evaluation of evidence on the basis of the auditee’s self-assessment in the form of an on-site inspection and expert interviews

An assessment performed with a higher AL always fulfills the requirement of an assessment with
lower AL (i.e., an assessment performed in AL 2 is always sufficient if the requirement is AL 1,
and an assessment performed in AL 3 is always sufficient if the requirement is AL 1 or AL 2).

Assessment Objective Guidance

TISAX® Assessment Level
AL 1: self-assessment.

The auditor checks for the existence of a completed self-assessment.

low trust level and are thus not used in TISAX®. But it is of course possible that your partner may request such a self-assessment outside of TISAX®.

AL 1 assessments are used within Simplified Group Assessments where the trustworthiness of the self-assessment has been established through the precondition and sample checks. The auditor must verify that the auditee has conducted a self-assessment of the relevant site. Further checks, such as the plausibility of maturity levels or implementation descriptions, or detailed checks of provided evidence, are not required.

TISAX® Assessment Level
AL 2:
AL 2 is a plausibility check of a self-assessment provided by the auditee. The plausibility check is based on the self-declaration of the auditee and verification of the provided documentation and evidence, and is generally concluded with an expert interview with representatives of the auditee.

Interviews are generally conducted via audio conference. If requested, the auditor can conduct the interviews in person.

Assessments in assessment level 2 generally do not include an on-site inspection. However, assessments always include an on-site inspection if you have selected one of the “prototype” assessment objectives.

If you have evidence you don’t want to send to the audit provider, you can request an on-site inspection. In this way, the audit provider can still check your “for your eyes only” evidence.
TISAX® Assessment Level
AL 3:

AL 3 is a full assessment conducted on-site. It is based on examination and evaluation of documents of evidence and an on-site inspection that includes visual inspections, observations as well as interviews with personnel on site.

Each control must be verified on site. All checks will be more comprehensive, and the assessment will thoroughly verify the self-assessment result in an in-depth on-site inspection and face-to-face interviews.

TISAX® process

TISAX® assessment objectives and TISAX® labels

TISAX® Sample controls – Information Security

1.5 Assessments

Question: 1.5.2 To what extent is the ISMS reviewed by an independent authority?

Objective: As an essential control mechanism, assessing the effectiveness of the ISMS from merely an internal point of view is insufficient. Additionally, an independent and therefore objective assessment shall be obtained at regular intervals and in case of significant changes.

Requirement (must):
+ Information security reviews are carried out by an independent and competent body at regular intervals and in case of significant changes.
+ Measures for correcting potential deviations are initiated and pursued.

Reference: ISO 27001: A.18.2.1

Based on VDA ISA 5.1 as of 27/04/2022; intentionally highlights only the “must” requirements.
TISAX® Sample controls – Information Security
1.6 Incident Management

Question: 1.6.1 To what extent are information security events processed?

Objective: Organized processing of information security events aims at limiting potential damage and preventing recurrence.

Requirement (must):
+ A definition of information security events/vulnerabilities exists.
+ A procedure for reporting and recording information security events/vulnerabilities is defined and implemented.
+ The following aspects are considered:
- Reaction to information security events/vulnerabilities
- Report form and channel
- Processing body
- Feedback procedure
- Indications regarding technical and organizational measures (e.g. disciplinary action).
+ Procedures for ensuring traceability in case of information security events/vulnerabilities are established and documented.
+ Information security events/vulnerabilities are assessed and documented in order to ensure traceability.
+ An adequate reaction to information security events/vulnerabilities is given.
+ A strategy for an adequate reaction to events of information security violations exists:
- This includes escalation procedures, remedial actions and communication to relevant internal and external bodies, as well as a procedure for deciding whether a cybercriminal attack will be prosecuted.

Reference: ISO 27001: A.16.1.1, A.16.1.2

TISAX® Sample controls – Information Security

4.1 Identity Management

Question: 4.1.1 To what extent is the use of identification means managed?

Objective: To check the authorization for both physical access and electronic access, means of identification such as keys, visual IDs or cryptographic tokens are often used. The security features are only reliable if the use of such identification means is handled adequately.

Requirement (must):
+ The requirements for the handling of identification means over the entire lifecycle are determined and fulfilled. The following aspects are considered:
- Creation, handover, return and destruction,
- Validity periods,
- Traceability,
- Handling of loss.

Reference: ISO 27001: A.9.2.6
TISAX® Sample controls – Prototype Protection
8.1 Physical and Environmental Security

Question: 8.1.7 To what extent is a documented visitor management in place?

Objective: Protection against unauthorized access to security areas where vehicles, components or parts
classified as requiring protection are manufactured, processed or stored, including traceable documentation.

Requirement (must):
+ Registration obligation for all visitors.
+ Documented non-disclosure obligation prior to access.
+ Publication of security and visitor regulations.
+ Country-specific legal provisions regarding data protection are to be observed.


TISAX® Sample controls – Prototype Protection

8.2 Organizational Requirements

Question: 8.2.5 To what extent is a process defined for granting access to security areas?

Objective: A process is defined for the protection against unauthorized access to security areas where
vehicles, components or parts classified as requiring protection are manufactured, processed or stored.

Requirement (must):
+ Responsibilities for access authorization are clearly specified and documented.
+ A process for new assignments, changes and revocations of access rights is in place.
+ Code of conduct in case of the loss/theft of access control means.

TISAX® Sample controls – Data Protection
9 Data Protection

Question: 9.1 To what extent is the implementation of data protection organized?

Objective: A process is defined for the protection against unauthorized access to security areas where
vehicles, components or parts classified as requiring protection are manufactured, processed or stored.

Requirement (must):
+ Appointment of a data protection officer where legally required, otherwise appointment of a person responsible for data protection
+ Organizational implementation of data protection
- Integration of the data protection officer into the corporate structure
- Voluntary or obligatory appointment of a data protection officer
- Full-time or part-time data protection officer
- Internal or external data protection officer
- Support of the data protection officer by directly assigned employees (department “Data Protection”) depending on the company size
- Support of the data protection officer by data protection coordinators in the company departments depending on the size of the company (e.g. Marketing, Sales, Human Resources, Logistics, Development, etc.)


Related ISO Standard

ISO/SAE 21434:2021 – Road Vehicles – Cybersecurity Engineering

An automotive industry standard developed by the International Organization for Standardization (ISO) alongside the Society of Automotive Engineers (SAE).

ISO 21434 provides a guideline for ensuring the cybersecurity process of road vehicle electronic systems that organizations need in order to:
• Define cybersecurity policies and processes
• Analyze, identify, and manage cybersecurity risks
• Champion a “security by design” or cybersecurity culture within the organization

ISO 21434 applies to all the software included in vehicles as well as electronic systems and components, and last but not least, the hardware as well.
ISO/SAE 21434 Cybersecurity Process Structure

Source: ISO/SAE 21434:2021(en) Road vehicles — Cybersecurity engineering
https://www.iso.org/obp/ui/#iso:std:iso-sae:21434:ed-1:v1:en

Thank you!
Do you have any questions?
cbe.thailand@sgs.com
(02) 678 1813 ext. 6
LINE: @sgsthailand
Facebook: SGS
www.sgs.co.th
