Automotive News TISAX - VDA ISA (information security assessment)

Richard Regalado

Trusted Information Resource
To help secure the ever-increasing connectivity in the automotive industry, the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) developed a catalogue of criteria for assessing information security. The VDA Information Security Assessment is based on the fundamentals of the international ISO/IEC 27001 and 27002 standards adapted to the automotive industry. In 2017, it was updated to cover controls for the use of cloud services.

VDA member companies used this instrument both for internal security assessments and for assessments of suppliers, service providers, and other partners that process sensitive information on their behalf. However, because these evaluations were handled individually by each company, it created a burden on partners and duplicated effort on the part of VDA members.

To help streamline evaluations, the VDA set up a common assessment and exchange mechanism, the Trusted Information Security Assessment Exchange (TISAX). The catalogue of underlying TISAX requirements, Questionnaire for Checking Information Security Assessment and Information Security Management, Vers. 4, provides common standards for IT security measures, and enables companies registered in TISAX to share assessment results. The VDA entrusted a neutral third party, the ENX Association, with TISAX implementation. In that capacity, it accredits audit providers (auditors), maintains the accreditation criteria and assessment requirements, and monitors the quality of implementation and assessment results.

This link contains information from the VDA site including the VDA ISA assessment tool.
 

Richard Regalado

Trusted Information Resource
Is Tisax assessment conducted by certified auditors similar to ISO/IEC 27001 audit?

There is a TISAX checklist that is used and a maturity level is used instead of the usual binary - conformity or nonconformity for ISO/IEC 27001 audits. Auditors also need to show competency in IATF 16949.
 

Akinom

Registered
Thank you for your support.
Could you provide me with information on how to build a good list of assets? Should every piece of information (documents), software and hardware be included in the list? I'm struggling with a very big amount of data.
 

Richard Regalado

Trusted Information Resource
Thank you for your support.
Could you provide me with information on how to build a good list of assets? Should every piece of information (documents), software and hardware be included in the list? I'm struggling with a very big amount of data.

Sorry for the late reply Akinom.

Before I answer, may I know why you are building a list of assets?
It's not a requirement of ISMS.

Richard
 

Akinom

Registered
Sorry for the late reply Akinom.

Before I answer, may I know why you are building a list of assets?
It's not a requirement of ISMS.

Richard

It is required by VDA ISA in control 8.1 (To what extent are inventories existent for objects (assets) that contain information in different versions?).
Isn't it?
 

umas967

Registered
Hello,
I was looking for the requirements specified by ENX to "qualify" a 3rd-party TISAX auditor.
Can anybody kindly send me a reference link where I can read them?
thank you
Ugo
 