TISAX is a standard developed on the basis of ISO 27001, taking into account requirements specific to the automotive industry. In order to achieve compliance with the standard, it is necessary to implement an Information Security Management System that guarantees the required level of protection of the confidentiality, availability and integrity of data, as detailed in the VDA ISA checklist.
Data security in automotive
Information Security Management System compliant with TISAX® at Ficomirrors Polska
The TISAX information security standard is becoming a mandatory part of system management for companies operating in the automotive sector. Major players want to make sure that all suppliers in the chain guarantee an adequate level of data security, thus reducing the risk of production interruptions caused by loss of availability of systems or partner data. All for One Poland consultants supported Ficomirrors Polska, a global leader in the production of automotive mirrors, in the implementation of a system that allowed it to achieve compliance with TISAX and obtain a label on the ENX portal.
First the ISMS
The implementation of the Information Security Management System at Ficomirrors Polska is a project that was carried out jointly with All for One. The first step was a security audit conducted in 2017. The work continued in the following years aimed at implementing security standards. Finally, the ISMS went live on March 1, 2023.
The next few months were spent using and improving it. Internal audits were conducted, deficiencies identified in policies and procedures were corrected, a management review was held, and employee training was carried out. These activities familiarized employees with the key security regulations and, at the same time, gathered the evidence needed to certify the System.
TISAX® at Ficomirrors
Companies operating in supply chains of the automotive segment are increasingly required to become TISAX compliant. This is exactly what happened to Ficomirrors Polska. All for One Poland consultants supported Ficomirrors Polska in the development, implementation and improvement of the system. As a result, the company passed an independent audit and received the industry-desired label on the ENX portal, which confirms that it meets the highest standards in information security management.
The creation of the Information Security Management System at Ficomirrors began with the basics, namely the creation of a risk analysis. At this stage, All for One consultants conducted training and workshops with Ficomirrors employees to identify threats and risks to information and then create appropriate action plans.
Information security risk analysis is a powerful tool that identifies problems and actual security gaps. It applies to the entire organization, so all process owners must be involved. In this way, it is possible to identify risks that are often invisible in other management systems. By talking to employees from each department, we get a complete picture of the risks that exist in those departments. This is why risk analysis is so important for the entire ISMS.
The identified risks are then assessed and addressed. This is a moment of difficult decisions. Some changes may require large investments, a lot of time and resources, and VDA requirements are not always clear – they leave the organization considerable freedom in the selection of technical and organizational measures. The support provided by an experienced consultant is worth its weight in gold here, as it helps reduce excessive costs and select optimal solutions.
An indispensable part of any management system is documentation. The set of policies, procedures and instructions in the area of information security plays a special role, as it connects many areas, such as physical security rules, supplier control or cybersecurity. The documentation must be understandable to all employees and at the same time meet the organization’s own requirements and those of TISAX itself. During the implementation of the system at Ficomirrors, All for One consultants adapted already existing documents, as well as developed new ones. The customized approach ensures that procedures and policies correspond to actual processes and help implement them.
The ISMS also requires the implementation of technical safeguards. In this area, too, Ficomirrors benefited from the expertise of All for One consultants. For example, the implementation of an information labeling system for the Office 365 environment (Azure Information Protection) was carried out by All for One in cooperation with the TISAX lead consultant, integrating the technical solution with the formal assumptions made in the Management System, which greatly facilitated and accelerated the work. The project also included the implementation of other IT features that increase the security of business data and of personal data processing.
The TISAX label confirms maintaining the required level of confidentiality in the exchange of information with cooperators in the automotive industry. We implemented this standard together with All for One Poland.
Audit
The certification audit formally began in August 2023 and ended in December 2023. The TISAX label obtained is valid until 2026.
Anyone who has participated in a certification audit of any management system knows how crucial it is to prepare employees for a meeting with the auditor. Even the best system needs to be properly demonstrated, so it is important that the requirements in a particular area are known and understood by employees. In the case of TISAX, it is also necessary to prepare the evidence that is sent to the certification body. The audit preparation stage is a summary of several years of work on the system, and requires experience and anticipation of the auditor’s expectations. The knowledge and competence of the All for One consultants involved in the audit were helpful in making it run smoothly and efficiently.
From ISMS to TISAX® label
We were implementing the Information Security Management System project at Ficomirrors Poland together with All for One Poland for several years. Originally, our business need was to obtain ISO/IEC 27001 certification, but the dynamically changing business environment and the expectations of our contractors led to a change in our goal during the project, shifting towards obtaining the TISAX label, which is more desirable in the automotive industry.
Due to our international structure and existing corporate regulations, it was a major organizational challenge to correlate the system documentation developed in the course of the project with the security policies of the FICOSA Group that we are a part of and that is headquartered in Spain and coordinates the work of plants in 16 countries.
We will use the time until the next TISAX audit to further improve the implemented regulations and train employees. We also plan to invest in cybersecurity to be better prepared for emerging threats. We also need to respond to new contractor requirements. Changes will also affect business processes due to the evolution of the VDA ISA checklist.
The ISMS provides our organization with tangible added value in terms of security management. We have obtained regulation and control mechanisms to measure the effectiveness of the solutions used. We are growing in the belief that by implementing an internationally recognized standard, our organization has become an even better business partner for customers and suppliers.
Michał Kasak, Director of IT Systems and Information Security, Ficomirrors Polska
TISAX®
TISAX® (Trusted Information Security Assessment Exchange) is an international standard used in the automotive industry. It defines the conditions for maintaining the required degree of confidentiality when exchanging information with cooperators. The standard’s security requirements can apply to several levels and areas of an organization.
The basic three sections are:
- Information security – the basic level that forms the basis of the system; it includes requirements related to governance, risk, change control, cybersecurity or compliance with regulations and standards;
- Prototype protection – intended for companies that create, develop or produce prototypes. This section includes specific requirements related to, for example, masking components, separating production lines, conducting tests or even organizing photo shoots and recordings;
- Data protection – relating to the requirements of the GDPR and the protection of personal data. By achieving compliance with the requirements in this section, we can reduce the need to complete additional assessments when entrusting personal data.
The requirements in the sections are divided into the “must” category (requirements that must be implemented without exception), the “should” category (requirements that are also necessary but can be excluded in justified situations), and additional requirements for higher levels of protection (High protection needs, Very high protection needs). The scope necessary for implementation usually results from the customer’s requirements.