Codelab sp. z o.o. (LLC) obtained the result of the TISAX assessment (“Trusted Information Security Assessment Exchange”) in line with the information security question catalogue of the German Association of the Automotive Industry (VDA ISA). The assessment was conducted by the audit provider, Bureau Veritas, and the final assessment meeting was held in May 2021. We are talking to Anna Michel-Makuch and Marek Kopyto, who led the process of undergoing this assessment, about what exactly TISAX is, why it is so difficult to meet its requirements and how it benefits our clients.

Jan Zaborowski (Codelab) – Anna, our ISO 9001 or 27001 certificates are quite commonly known in the business world, but TISAX is a less popular name, and the assessment process itself is quite different – what lies behind this abbreviation? What is included in the assessment that we underwent?

Anna Michel-Makuch (Lead Quality Partner, Codelab): Indeed, much as we are familiar with ISO 9001 and 27001 standards, TISAX is a standard dedicated to a specific industry segment and therefore is less known. However, in our clients’ industry, I mean the automotive, it is a highly expected standard, especially in projects where information security is of paramount importance (e.g. industrial secret, prototypes management).

JZ: Ok, but is information security not covered by ISO 27001 standard? Are additional assessments of our organization necessary?

AMM: Yes, both standards are coherent with each other. TISAX requirements are based on the ISO 27002 standard, but are supplemented with automotive industry-specific requirements for e.g. storage of prototypes. Additionally, ENX, the association that manages TISAX on behalf of the German Association of the Automotive Industry (VDA ISA), has prepared a safe and effective platform for exchange / sharing detailed assessment reports, thus minimising the time needed to conduct third-party audits.

Marek Kopyto (Managing Director, Codelab): It is worth adding that TISAX compliance is a requirement of the biggest clients in the automotive industry. If you want to provide services to car manufacturers, as well as suppliers, sharing the TISAX results is a pivotal gateway to the most interesting projects. When you design vehicles that will appear on the market in a few years, confidentiality and absolute safety are key – due to the assessment process, we have confirmed that you can trust us and entrust your data to our safekeeping.

JZ: The preparation process and then TISAX assessment took almost 2 years. I know that many people participated in the preparations. What does it take to arrange and go through such a process?

MK: Over the last few years, we have undertaken a very ambitious plan to confirm, by the external trust entities, the high standards that we have been enforcing for many years. All this took place in the reality of ownership changes, as well as the impact of the pandemic and the business turmoil that followed. The completion of the next step, so crucial to enable the confirmation of our clients' information security, can be credited to the entire team involved in this project. I would like to thank each and every one of these people – it was a tedious and demanding process, but as always, we can count on you.

AMM: True. In recent years it has been yet another stage of assessing our procedures and applied security measures, and we are not going to slack off (the full picture of these aspects in Codelab can be found here – editor’s note). The process itself included several stages: gap analysis, internal audits and self-evaluation, training or, along the way, the ISO 27001 certification. It entailed over 80 workshops of the security team, over 5,000 hours worked, over 100 hours of assorted types of audits.

I would also like to join Mark in his thanks. In addition to the dedicated Quality team (thank you for being with me!), we have an efficient work team involved in the organisation of information security management. But for their contribution, it would not have been possible. I will only add that this pays off, not only in terms of confirming our competences, but also in relation to consultations for our clients, who often avail of our expertise. It also contributes to process improvements on their side, with regard to management and quality control.

JZ: Anna, TISAX, for people who are somehow privy to it, is quite strongly associated with security, also in the physical dimension, and in the protection of our offices and buildings. Is it possible to meet these requirements in a hybrid work model as well?

AMM: I must admit that it was both a challenge and a novelty for us. With appropriate security measures and, above all, great maturity of our employees, it proved to be attainable. Moreover, according to the opinions collected from our clients, it did not affect the quality or efficiency of work (over 95% of them evaluated these parameters as unchanged or better, compared to the previous years and conditions). We are learning the “new normal” together with our clients, also in the rigorous standards discussed here.

MK: Right, on top of formal standards and strict requirements, ultimately, the attitude of our employees is what matters the most, and this has proved perfectly well during the pandemic and hybrid work. It is an essential addition to any change of this type and I am proud of our employees who are truly aware of this subject.
I would like to thank, once again, Anna and the entire Security Team for the effort put into obtaining the TISAX assessment, and I am also indebted to the entire Codelab team – once more, we are not only convinced of our professionalism but it has also been officially confirmed. Due to this, we can be confident about the trust our clients place in us.

What is TISAX?

TISAX (Trusted Information Security Assessment Exchange) is an information security standard defined by the automotive industry. Many car and automotive manufacturers and suppliers have required TISAX certification from their business partners since 2017. The member companies of Verband der Automobilindustrie e. V. (abbreviated as VDA) have created a catalogue derived from the international industry standard ISO/IEC 27001 and adapted to the requirements of the automotive world.
Tests in accordance with VDA ISA, especially for service providers and suppliers, are carried out by accredited certification providers. The ENX Association operates as a management organisation in the new system. It accredits audit providers and monitors implementation quality and assessment results. This is to ensure that the final results are of the desired quality and objectivity, and that the rights and obligations of the participants are retained.

TISAX in Codelab

Codelab sp. z o.o. (LLC) went through the assessment of TISAX (Trusted Information Security Assessment Exchange). Our assessment objectives are:
• Information with High Protection Needs
• Information with Very High Protection Needs
• Protection of Prototype Parts and Components

The assessment results are available (on request if not published) through the ENX Portal, together with the reference to:

Participants ID: P22MVY
Scope ID: SPLN1K
Assessment ID: AV32AB-1

TISAX and TISAX results are not intended for the general public.
