Codelab sp. z o.o. (LLC) obtained the result of the TISAX assessment ("Trusted Information Security Assessment Exchange") in line with the information security question catalogue of the German Association of the Automotive Industry (VDA ISA). The assessment was conducted by the audit provider, Bureau Veritas, and the final assessment meeting was held in May 2021. We talk to Anna Michel-Makuch and Marek Kopyto, who led the process of undergoing this assessment, about what exactly TISAX is, why its requirements are so difficult to meet, and how it benefits our clients.

Jan Zaborowski (Codelab) — Anna, our ISO 9001 or 27001 certificates are quite commonly known in the business world, but TISAX is a less popular name, and the assessment process itself is quite different — what lies behind this abbreviation? What is included in the assessment that we underwent?

Anna Michel-Makuch (Lead Quality Partner, Codelab): Indeed, much as we are familiar with ISO 9001 and 27001 standards, TISAX is a standard dedicated to a specific industry segment and therefore is less known. However, in our clients' industry, I mean the automotive, it is a highly expected standard, especially in projects where information security is of paramount importance (e.g. industrial secret, prototypes management).

JZ: Ok, but is information security not covered by ISO 27001 standard? Are additional assessments of our organization necessary?

AMM: Yes, both standards are coherent with each other. TISAX requirements are based on the ISO 27002 standard, but are supplemented with automotive industry-specific requirements for e.g. storage of prototypes. Additionally, ENX, the association that manages TISAX on behalf of the German Association of the Automotive Industry (VDA ISA), has prepared a safe and effective platform for exchange/sharing detailed assessment reports, thus minimising the time needed to conduct third-party audits.

Marek Kopyto (Managing Director, Codelab): It is worth adding that TISAX compliance is a requirement of the biggest clients in the automotive industry. If you want to provide services to car manufacturers, as well as suppliers, sharing the TISAX results is a pivotal gateway to the most interesting projects. When you design vehicles that will appear on the market in a few years, confidentiality and absolute safety are key — due to the assessment process, we have confirmed that you can trust us and entrust your data to our safekeeping.

JZ: The preparation process and then TISAX assessment took almost 2 years. I know that many people participated in the preparations. What does it take to arrange and go through such a process?

MK: Over the last few years, we have undertaken a very ambitious plan to confirm, by the external trust entities, the high standards that we have been enforcing for many years. All this took place in the reality of ownership changes, as well as the impact of the pandemic and the business turmoil that followed. The completion of the next step, so crucial to enable the confirmation of our clients' information security, can be credited to the entire team involved in this project. I would like to thank each and every one of these people; it was a tedious and demanding process, but as always, we can count on you.

AMM: True. In recent years it has been yet another stage of assessing our procedures and applied security measures; we are not going to slack off (the full picture of these aspects in Codelab can be found here — editor's note). The process itself included several stages: gap analysis, internal audits and self-evaluation, training or, along the way, the ISO 27001 certification. It entailed over 80 workshops of the security team, over 5,000 hours worked, over 100 hours of assorted types of audits.

I would also like to join Mark in his thanks. In addition to the dedicated Quality team (thank you for being with me!), we have an efficient work team involved in the organisation of information security management. But for their contribution, it would not have been possible. I will only add that this pays off, not only in terms of confirming our competences, but also in relation to consultations for our clients, who often avail of our expertise. It also contributes to process improvements on their side, with regard to management and quality control.

JZ: Anna, TISAX, for people who are somehow privy to it, is quite strongly associated with security, also in the physical dimension, and in the protection of our offices and buildings. Is it possible to meet these requirements in a hybrid work model as well?

AMM: I must admit that it was both a challenge and a novelty for us. With appropriate security measures and, above all, great maturity of our employees, it proved to be attainable. Moreover, according to the opinions collected from our clients, it did not affect the quality or efficiency of work (over 95% of them evaluated these parameters as unchanged or better, compared to the previous years and conditions). We are learning the "new normal" together with our clients, also in the rigorous standards discussed here.

MK: Right, on top of formal standards and strict requirements, ultimately, the attitude of our employees is what matters the most, and this has proved perfectly well during the pandemic and hybrid work. It is an essential addition to any change of this type and I am proud of our employees who are truly aware of this subject.
I would like to thank, once again, Anna and the entire Security Team for the effort put into obtaining the TISAX assessment, and I am also indebted to the entire Codelab team — once more, we are not only convinced of our professionalism but it has also been officially confirmed. Due to this, we can be confident about the trust our clients place in us.

What is TISAX?

TISAX (Trusted Information Security Assessment Exchange) is an information security standard defined by the automotive industry. Many car and automotive manufacturers and suppliers have required TISAX certification from their business partners since 2017. The member companies of Verband der Automobilindustrie e. V. (abbreviated as VDA) have created a catalogue derived from the international industry standard ISO/IEC 27001 and adapted to the requirements of the automotive world.
Tests in accordance with VDA ISA, especially for service providers and suppliers, are carried out by accredited certification providers. The ENX Association operates as a management organisation in the new system. It accredits audit providers and monitors implementation quality and assessment results. This is to ensure that the final results are of the desired quality and objectivity, and that the rights and obligations of the participants are retained.

TISAX in Codelab

Codelab sp. z o.o. (LLC) went through the assessment of TISAX (Trusted Information Security Assessment Exchange). Our assessment objectives are:
• Information with High Protection Needs
• Information with Very High Protection Needs
• Protection of Prototype Parts and Components

The results are available (on request if not published) through the ENX Portal, with reference to:

Participant ID: P22MVY
Scope ID: SPLN1K
Assessment ID: AV32AB‑1

TISAX and TISAX results are not intended for the general public.

