Codelab sp. z o.o. (LLC) obtained the result of the TISAX (“Trusted Information Security Assessment Exchange”) assessment in line with the information security question catalogue of the German Association of the Automotive Industry (VDA ISA). The assessment was conducted by the audit provider, Bureau Veritas, and the final assessment meeting was held in May 2021. We are talking to Anna Michel-Makuch and Marek Kopyto, who led the process of undergoing this assessment, about what exactly TISAX is, why it is so difficult to meet its requirements and how it benefits our clients.
Jan Zaborowski (Codelab) – Anna, our ISO 9001 or 27001 certificates are quite commonly known in the business world, but TISAX is a less popular name, and the assessment process itself is quite different – what lies behind this abbreviation? What is included in the assessment that we underwent?
Anna Michel-Makuch (Lead Quality Partner, Codelab): Indeed, much as we are familiar with ISO 9001 and 27001 standards, TISAX is a standard dedicated to a specific industry segment and therefore is less known. However, in our clients’ industry, I mean automotive, it is a highly expected standard, especially in projects where information security is of paramount importance (e.g. industrial secrets, prototype management).
JZ: Ok, but is information security not covered by the ISO 27001 standard? Are additional assessments of our organization necessary?
AMM: Yes, both standards are coherent with each other. TISAX requirements are based on the ISO 27002 standard, but are supplemented with automotive industry-specific requirements, e.g. for storage of prototypes. Additionally, ENX, the association that manages TISAX on behalf of the German Association of the Automotive Industry (VDA ISA), has prepared a safe and effective platform for exchange / sharing detailed assessment reports, thus minimising the time needed to conduct third-party audits.
Marek Kopyto (Managing Director, Codelab): It is worth adding that TISAX compliance is a requirement of the biggest clients in the automotive industry. If you want to provide services to car manufacturers, as well as suppliers, sharing the TISAX results is a pivotal gateway to the most interesting projects. When you design vehicles that will appear on the market in a few years, confidentiality and absolute safety are key – due to the assessment process, we have confirmed that you can trust us and entrust your data to our safekeeping.
JZ: The preparation process and then TISAX assessment took almost 2 years. I know that many people participated in the preparations. What does it take to arrange and go through such a process?
MK: Over the last few years, we have undertaken a very ambitious plan to confirm, by the external trust entities, the high standards that we have been enforcing for many years. All this took place in the reality of ownership changes, as well as the impact of the pandemic and the business turmoil that followed. The completion of the next step, so crucial to enable the confirmation of our clients’ information security, can be credited to the entire team involved in this project. I would like to thank each and every one of these people – it was a tedious and demanding process, but as always, we can count on you.
AMM: True. In recent years it has been yet another stage of assessing our procedures and applied security measures; we are not going to slack off (the full picture of these aspects in Codelab can be found here – editor’s note). The process itself included several stages: gap analysis, internal audits and self-evaluation, training or, along the way, the ISO 27001 certification. It entailed over 80 workshops of the security team, over 5,000 hours worked, and over 100 hours of assorted types of audits.
I would also like to join Marek in his thanks. In addition to the dedicated Quality team (thank you for being with me!), we have an efficient work team involved in the organisation of information security management. But for their contribution, it would not have been possible. I will only add that this pays off, not only in terms of confirming our competences, but also in relation to consultations for our clients, who often avail of our expertise. It also contributes to process improvements on their side, with regard to management and quality control.
JZ: Anna, TISAX, for people who are somehow privy to it, is quite strongly associated with security, also in the physical dimension, and in the protection of our offices and buildings. Is it possible to meet these requirements in a hybrid work model as well?
AMM: I must admit that it was both a challenge and a novelty for us. With appropriate security measures and, above all, great maturity of our employees, it proved to be attainable. Moreover, according to the opinions collected from our clients, it did not affect the quality or efficiency of work (over 95% of them evaluated these parameters as unchanged or better, compared to the previous years and conditions). We are learning the “new normal” together with our clients, also in the rigorous standards discussed here.
MK: Right, on top of formal standards and strict requirements, ultimately, the attitude of our employees is what matters the most, and this has proved perfectly well during the pandemic and hybrid work. It is an essential addition to any change of this type and I am proud of our employees who are truly aware of this subject.
I would like to thank, once again, Anna and the entire Security Team for the effort put into obtaining the TISAX assessment, and I am also indebted to the entire Codelab team – once more, we are not only convinced of our professionalism but it has also been officially confirmed. Due to this, we can be confident about the trust our clients place in us.
What is TISAX?
TISAX (Trusted Information Security Assessment Exchange) is an information security standard defined by the automotive industry. Many car and automotive manufacturers and suppliers have required TISAX certification from their business partners since 2017. The member companies of Verband der Automobilindustrie e. V. (abbreviated as VDA) have created a catalogue derived from the international industry standard ISO / IEC 27001 and adapted to the requirements of the automotive world.
Tests in accordance with VDA ISA, especially for service providers and suppliers, are carried out by accredited certification providers. The ENX Association operates as a management organisation in the new system. It accredits audit providers and monitors implementation quality and assessment results. This is to ensure that the final results are of the desired quality and objectivity, and that the rights and obligations of the participants are retained.
TISAX in Codelab
Codelab sp. z o.o. (LLC) went through the TISAX (Trusted Information Security Assessment Exchange) assessment. Our assessment objectives are:
• Information with High Protection Needs
• Information with Very High Protection Needs
• Protection of Prototype Parts and Components
The results are available (on request if not published) through the ENX Portal at https://portal.enx.com/en-US/TISAX/tisaxassessmentresults under the following references:
Participant ID: P22MVY
Scope ID: SPLN1K
Assessment ID: AV32AB‑1
TISAX and TISAX results are not intended for the general public.