Article written by our partner consultant Eric Gendron

The TISAX® (Trusted Information Security Assessment Exchange) standard has become essential for companies in the automotive industry. Based on the VDA ISA (Information Security Assessment) catalogue, TISAX® provides a robust framework for implementing an information security management system (ISMS) and allows companies to obtain TISAX® labels, the shared assessment result that the industry commonly refers to as TISAX® certification.

At the end of a process lasting between six months and a year, from the initial gap analysis to the implementation of an action plan, an assessment is carried out by an auditor from an ENX-accredited TISAX® audit provider, either remotely (assessment level AL2) or on site (AL3).

In my capacity as an auditor, I have observed a number of recurring issues during the assessments I have conducted. This article presents the top 10 difficulties encountered by companies applying for TISAX® certification.

TOP 1: Taking information security into account at the project and change level

Companies often limit this to IT projects, whereas the new ISA version 6 (ISA.6) broadens the scope to OT (Operational Technology). Product and process projects or changes are therefore in scope, as is the deployment of the standard's requirements to the systems integrated with production resources (machines, controllers and the like). A change on a production line that connects new equipment to the network is a change the ISMS must review, not only a matter for the IT department.

TOP 2: Identification of information assets

Companies often have an inventory of IT assets (PCs, mobile devices, printers), but do not systematically inventory the information and data that are important to their activities and processes. The hardware is only the carrier: it is the information it holds that must be identified, classified and protected.

TOP 3: Management of physical security incidents

The standard also requires a reporting channel for physical security incidents, not only for IT incidents: theft, intrusion, unaccompanied visitors on the premises, doors left open in areas where confidential information is stored. Staff must know that these events are to be reported, and they must be handled and recorded like any other security incident.

TOP 4: Physical access and identity management

Typical findings are the lack of centralized management of access rights to secure areas (badges and keys issued locally, with no single owner of the access list) and the lack of periodic reviews confirming that each person who still holds access still needs it.

TOP 5: Lack of structured risk assessment

Risk analysis must go beyond the contingency (emergency) plan already required by IATF 16949: it must identify all digital and physical vulnerabilities within the company, evaluate the resulting risks, and address each one with a treatment appropriate to that risk.

TOP 6: Requirements related to prototypes

The additional TISAX® modules, such as prototype protection, are often misunderstood or treated superficially: companies do not take into account the specific requirements covering the protection of prototypes, including their transport and handling.

TOP 7: Documentation and ISMS: often too much “paperwork,” not enough “real-world experience”

Companies present well-written documents that nobody applies, because they were taken from “ready-made” document kits provided by service providers and never integrated into the management systems already in place within the company. The auditor looks for evidence that the documented process is actually run, not merely that the document exists.

TOP 8: Deployment of company requirements to suppliers and service providers

As it already does for quality and the environment, the company must communicate its information security requirements to its suppliers and external service providers, and verify that they are actually taken into account.

TOP 9: Validation of IT service providers and purchased software

In the same way that a supplier qualification and product validation process (PPAP, Production Part Approval Process) is in place for parts, a similar approach is expected for external IT service providers and purchased software: qualify the provider before relying on it, and validate what is delivered.

TOP 10: Taking into account regulatory requirements relating to information security

In the same way that regulatory monitoring is carried out for health and safety and environmental matters, a similar approach is expected for the laws and regulations relating to information security: identify the applicable texts, track their changes, and check the company's compliance with them.

In conclusion, there are many pitfalls, and the TISAX® requirements are very specific, going beyond what ISO 27001 in particular requires.

Our EURO-SYMBIOSE consultants, who are TISAX®-approved auditors for audit providers (certification bodies) and IATF auditors, will assist you in obtaining the TISAX® label, with training in partnership with VDA QMC (TISAX® Training: Assessing Yourself with VDA ISA), as well as internal assessments and consulting services for your teams.

📞 Any questions? Our teams are here to listen and assist you with your needs:

France: +33 (0)2 51 13 13 00 – service.clients@euro-symbiose.fr
Morocco/Tunisia: +212 (0)6 91 00 06 46 – service.clients@euro-symbiose.ma

Author: EURO-SYMBIOSE
