All for One draws on more than a decade of experience in the implementation, auditing and maintenance of Information Security Management Systems to comprehensively support companies from the automotive industry in preparing for and implementing the TISAX® standard. But that’s not all. As an IT company providing services to this sector, we have also undergone an audit and obtained the TISAX® label, which is our passport in the automotive ecosystem.
The TISAX® label (certificate) is a relatively new standard for confirming systemic information security management in companies operating in the automotive industry. Until a few years ago, as a consulting company, we were carrying out ISMS implementations in this sector according to the ISO/IEC 27001 standard; soon afterwards the industry began to recognize the TISAX® standard, with its requirements described in the VDA ISA checklists, as better suited to its profile. Thus, organizations with ISO/IEC 27001 certifications launched projects to convert their management systems, while new participants started projects to implement an ISMS in accordance with VDA ISA/TISAX.
It is worth noting that the popularity of TISAX® is due in part to the better alignment of VDA ISA requirements with the specifics of the automotive industry and the precise identification of areas requiring special protection (e.g., prototypes), relative to the more general requirements of ISO/IEC 27001. At the same time, most of the controls required to obtain the TISAX label map to ISO/IEC 27001, which in turn makes it easier for organizations previously certified to ISO/IEC 27001 to adapt their management systems.
An example of such a successful conversion is the Integrated Management System we use at All for One Poland – we have maintained certification according to ISO/IEC 27001 since 2007, and we successfully passed the TISAX audit in 2023. Thus, we meet all information security requirements of both our automotive customers (TISAX®) and customers from other industries (ISO/IEC 27001).
Our example illustrates what an ecosystem of automotive-related companies is within the meaning of VDA ISA/TISAX®. It encompasses not only manufacturing companies – suppliers of parts and components – but also a broad spectrum of service companies from various industries, such as IT, marketing, engineering/design, logistics, sales, as well as financial and insurance services. TISAX® implementations result in an ecosystem of cooperating organizations in the automotive supply chain that mutually confirm the use of a systemic approach to information security management.
The VDA ISA checklist has undergone numerous modifications and additions in recent years. The current edition – version 6.0 – published at the end of 2023 and applicable to new certifications as of April 1, 2024, represents a mature catalog of issues to be regulated as part of systemic information security management. It draws from recognized global standards such as ISO/IEC 27001:2022, NIST SP800-53r5 and ISA/IEC 62443. The standard is also consistent with legal regulations such as GDPR and NIS 2.
The scope of application defined in the VDA ISA is very wide. Many controls describe detailed requirements in the IT area, for example: the use of MDM tools for managing mobile devices (including, e.g., data encryption), strong (two-factor) authentication, archiving and analysis of system logs, management of vulnerabilities and updates of IT systems, business continuity plans, backup and recovery solutions, and many others.
In practice, this means that the project of ensuring compliance with VDA ISA is both a business project affecting many processes in the organization and, at the same time, an IT modernization project in terms of a higher level of cybersecurity.
All for One Poland provides all these services comprehensively. However, in each company the project is different due to the profile of the organization, the size of the business, its priorities and risks, and the maturity of its IT environment. Therefore, to achieve final success, an individual approach is necessary, based, among other things, on a gap analysis, an IT security audit and penetration tests, and a risk analysis conducted together with the business.