Codelab sp. z o.o. (LLC) obtained the result of the TISAX assessment (“Trusted Information Security Assessment Exchange”) in line with the question catalogue of information security of the German Association of the Automotive Industry (VDA ISA). The assessment was conducted by the audit provider, Bureau Veritas, and the final assessment meeting was held in May 2021. We are talking to Anna Michel-Makuch and Marek Kopyto, leaders of the process of submitting to this assessment, about what TISAX exactly is, why it is so difficult to meet its requirements and how it benefits our clients.

Jan Zaborowski (Codelab) — Anna, our ISO 9001 or 27001 certificates are quite commonly known in the business world, but TISAX is a less popular name, and the assessment process itself is quite different — what lies behind this abbreviation? What is included in the assessment that we underwent?

Anna Michel-Makuch (Lead Quality Partner, Codelab): Indeed, much as we are familiar with ISO 9001 and 27001 standards, TISAX is a standard dedicated to a specific industry segment and therefore is less known. However, in our clients’ industry, I mean the automotive, it is a highly expected standard, especially in projects where information security is of paramount importance (e.g. industrial secret, prototypes management).

JZ: Ok, but is information security not covered by the ISO 27001 standard? Are additional assessments of our organization necessary?

AMM: Yes, both standards are coherent with each other. TISAX requirements are based on the ISO 27002 standard, but are supplemented with automotive industry-specific requirements for e.g. storage of prototypes. Additionally, ENX, the association that manages TISAX on behalf of the German Association of the Automotive Industry (VDA ISA), has prepared a safe and effective platform for exchange / sharing detailed assessment reports, thus minimising the time needed to conduct third-party audits.

Marek Kopyto (Managing Director, Codelab): It is worth adding that TISAX compliance is a requirement of the biggest clients in the automotive industry. If you want to provide services to car manufacturers, as well as suppliers, sharing the TISAX results is a pivotal gateway to the most interesting projects. When you design vehicles that will appear on the market in a few years, confidentiality and absolute safety are key — due to the assessment process, we have confirmed that you can trust us and entrust your data to our safekeeping.

JZ: The preparation process and then TISAX assessment took almost 2 years. I know that many people participated in the preparations. What does it take to arrange and go through such a process?

MK: Over the last few years, we have undertaken a very ambitious plan to confirm, by the external trust entities, the high standards that we have been enforcing for many years. All this took place in the reality of ownership changes, as well as the impact of the pandemic and the business turmoil that followed. The completion of the next step, so crucial to enable the confirmation of our clients’ information security, can be credited to the entire team involved in this project. I would like to thank each and every one of these people; it was a tedious and demanding process, but as always, we can count on you.

AMM: True. In recent years it has been yet another stage of assessing our procedures and applied security measures; we are not going to slack off (the full picture of these aspects in Codelab can be found here — editor’s note). The process itself included several stages: gap analysis, internal audits and self-evaluation, training or, along the way, the ISO 27001 certification. It entailed over 80 workshops of the security team, over 5,000 hours worked, over 100 hours of assorted types of audits.

I would also like to join Marek in his thanks. In addition to the dedicated Quality team (thank you for being with me!), we have an efficient work team involved in the organisation of information security management. But for their contribution, it would not have been possible. I will only add that this pays off, not only in terms of confirming our competences, but also in relation to consultations for our clients, who often avail of our expertise. It also contributes to process improvements on their side, with regard to management and quality control.

JZ: Anna, TISAX, for people who are somehow privy to it, is quite strongly associated with security, also in the physical dimension, and in the protection of our offices and buildings. Is it possible to meet these requirements in a hybrid work model as well?

AMM: I must admit that it was both a challenge and a novelty for us. With appropriate security measures and, above all, great maturity of our employees, it proved to be attainable. Moreover, according to the opinions collected from our clients, it did not affect the quality or efficiency of work (over 95% of them evaluated these parameters as unchanged or better, compared to the previous years and conditions). We are learning the “new normal” together with our clients, also in the rigorous standards discussed here.

MK: Right, on top of formal standards and strict requirements, ultimately, the attitude of our employees is what matters the most, and this has proved perfectly well during the pandemic and hybrid work. It is an essential addition to any change of this type and I am proud of our employees who are truly aware of this subject.
I would like to thank, once again, Anna and the entire Security Team for the effort put into obtaining the TISAX assessment, and I am also indebted to the entire Codelab team — once more, we are not only convinced of our professionalism but it has also been officially confirmed. Due to this, we can be confident about the trust our clients place in us.

What is TISAX?

TISAX (Trusted Information Security Assessment Exchange) is an information security standard defined by the automotive industry. Many car and automotive manufacturers and suppliers have required TISAX certification from their business partners since 2017. The member companies of Verband der Automobilindustrie e. V. (abbreviated as VDA) have created a catalogue derived from the international industry standard ISO/IEC 27001 and adapted to the requirements of the automotive world.
Tests in accordance with VDA ISA, especially for service providers and suppliers, are carried out by accredited certification providers. The ENX Association operates as a management organisation in the new system. It accredits audit providers and monitors implementation quality and assessment results. This is to ensure that the final results are of the desired quality and objectivity, and that the rights and obligations of the participants are retained.

TISAX in Codelab

Codelab sp. z o.o. (LLC) went through the TISAX (Trusted Information Security Assessment Exchange) assessment. Our assessment objectives are:
• Information with High Protection Needs
• Information with Very High Protection Needs
• Protection of Prototype Parts and Components

The results are available (on request if not published) through the ENX Portal under the following references:

Participant ID: P22MVY
Scope ID: SPLN1K
Assessment ID: AV32AB-1

TISAX and TISAX results are not intended for the general public.
