Codelab sp. z o.o. (LLC) obtained the result of the TISAX assessment ("Trusted Information Security Assessment Exchange") in line with the information security question catalogue of the German Association of the Automotive Industry (VDA ISA). The assessment was conducted by the audit provider, Bureau Veritas, and the final assessment meeting was held in May 2021. We are talking to Anna Michel-Makuch and Marek Kopyto, who led the process of submitting to this assessment, about what exactly TISAX is, why it is so difficult to meet its requirements and how it benefits our clients.

Jan Zaborowski (Codelab): Anna, our ISO 9001 or 27001 certificates are quite commonly known in the business world, but TISAX is a less popular name, and the assessment process itself is quite different – what lies behind this abbreviation? What is included in the assessment that we underwent?

Anna Michel-Makuch (Lead Quality Partner, Codelab): Indeed, much as we are familiar with ISO 9001 and 27001 standards, TISAX is a standard dedicated to a specific industry segment and therefore is less known. However, in our clients' industry, I mean the automotive, it is a highly expected standard, especially in projects where information security is of paramount importance (e.g. industrial secret, prototypes management).

JZ: Ok, but is information security not covered by the ISO 27001 standard? Are additional assessments of our organization necessary?

AMM: Yes, both standards are coherent with each other. TISAX requirements are based on the ISO 27002 standard, but are supplemented with automotive industry-specific requirements for e.g. storage of prototypes. Additionally, ENX, the association that manages TISAX on behalf of the German Association of the Automotive Industry (VDA ISA), has prepared a safe and effective platform for exchange / sharing detailed assessment reports, thus minimising the time needed to conduct third-party audits.

Marek Kopyto (Managing Director, Codelab): It is worth adding that TISAX compliance is a requirement of the biggest clients in the automotive industry. If you want to provide services to car manufacturers, as well as suppliers, sharing the TISAX results is a pivotal gateway to the most interesting projects. When you design vehicles that will appear on the market in a few years, confidentiality and absolute safety are key – due to the assessment process, we have confirmed that you can trust us and entrust your data to our safekeeping.

JZ: The preparation process and then TISAX assessment took almost 2 years. I know that many people participated in the preparations. What does it take to arrange and go through such a process?

MK: Over the last few years, we have undertaken a very ambitious plan to confirm, by the external trust entities, the high standards that we have been enforcing for many years. All this took place in the reality of ownership changes, as well as the impact of the pandemic and the business turmoil that followed. The completion of the next step, so crucial to enable the confirmation of our clients' information security, can be credited to the entire team involved in this project. I would like to thank each and every one of these people – it was a tedious and demanding process, but as always, we can count on you.

AMM: True. In recent years it has been yet another stage of assessing our procedures and applied security measures, we are not going to slack off (the full picture of these aspects in Codelab can be found here – editor's note). The process itself included several stages: gap analysis, internal audits and self-evaluation, training or, along the way, the ISO 27001 certification. It entailed over 80 workshops of the security team, over 5,000 hours worked, over 100 hours of assorted types of audits.

I would also like to join Mark in his thanking. In addition to the dedicated Quality team (thank you for being with me!), we have an efficient work team involved in the organisation of information security management. But for their contribution, it would not have been possible. I will only add that this pays off, not only in terms of confirming our competences, but also in relation to consultations for our clients, who often avail of our expertise. It also contributes to process improvements on their side, with regard to management and quality control.

JZ: Anna, TISAX, for people who are somehow privy to it, is quite strongly associated with security, also in the physical dimension, and in the protection of our offices and buildings. Is it possible to meet these requirements in a hybrid work model as well?

AMM: I must admit that it was both a challenge and a novelty for us. With appropriate security measures and, above all, great maturity of our employees, it proved to be attainable. Moreover, according to the opinions collected from our clients, it did not affect the quality or efficiency of work (over 95% of them evaluated these parameters as unchanged or better, compared to the previous years and conditions). We are learning the "new normal" together with our clients, also in the rigorous standards discussed here.

MK: Right, on top of formal standards and strict requirements, ultimately, the attitude of our employees is what matters the most, and this has proved perfectly well during the pandemic and hybrid work. It is an essential addition to any change of this type and I am proud of our employees who are truly aware of this subject.
I would like to thank, once again, Anna and the entire Security Team for the effort put into obtaining the TISAX assessment, and I am also indebted to the entire Codelab team – once more, we are not only convinced of our professionalism but it has also been officially confirmed. Due to this, we can be confident about the trust our clients place in us.

What is TISAX?

TISAX (Trusted Information Security Assessment Exchange) is an information security standard defined by the automotive industry. Many car and automotive manufacturers and suppliers have required TISAX certification from their business partners since 2017. The member companies of Verband der Automobilindustrie e. V. (abbreviated as VDA) have created a catalogue derived from the international industry standard ISO/IEC 27001 and adapted to the requirements of the automotive world.
Tests in accordance with VDA ISA, especially for service providers and suppliers, are carried out by accredited certification providers. The ENX Association operates as a management organisation in the new system. It accredits audit providers and monitors implementation quality and assessment results. This is to ensure that the final results are of the desired quality and objectivity, and that the rights and obligations of the participants are retained.

TISAX in Codelab

Codelab sp. z o.o. (LLC) went through the TISAX (Trusted Information Security Assessment Exchange) assessment. Our assessment objectives are:
• Information with High Protection Needs
• Information with Very High Protection Needs
• Protection of Prototype Parts and Components

The results are available (on request, if not published) through the ENX Portal with reference to:

Participant ID: P22MVY
Scope ID: SPLN1K
Assessment ID: AV32AB‑1

TISAX and TISAX results are not intended for the general public.

If you want to learn more about information quality and information security standards, please click here.