Richard Regalado
Trusted Information Resource
To help secure the ever-increasing connectivity in the automotive industry, the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) developed a catalogue of criteria for assessing information security. The VDA Information Security Assessment is based on the fundamentals of the international ISO/IEC 27001 and 27002 standards adapted to the automotive industry. In 2017, it was updated to cover controls for the use of cloud services.
VDA member companies used this instrument both for internal security assessments and for assessments of suppliers, service providers, and other partners that process sensitive information on their behalf. However, because these evaluations were handled individually by each company, it created a burden on partners and duplicated effort on the part of VDA members.
To help streamline evaluations, the VDA set up a common assessment and exchange mechanism, the Trusted Information Security Assessment Exchange (TISAX). The catalogue of underlying TISAX requirements, Questionnaire for Checking Information Security Assessment and Information Security Management, Vers. 4, provides common standards for IT security measures, and enables companies registered in TISAX to share assessment results. The VDA entrusted a neutral third party, the ENX Association, with TISAX implementation. In that capacity, it accredits audit providers (auditors), maintains the accreditation criteria and assessment requirements, and monitors the quality of implementation and assessment results.
This link contains information from the VDA site including the VDA ISA assessment tool.
(broken link removed)