ENX TISAX® - Consulting Services


What are VDA ISA and ENX TISAX®?

The international information security standard VDA ISA was developed by the German Association of the Automotive Industry (VDA, Verband der Automobilindustrie), based on the ISO/IEC 27001 and 27002 standards.

The VDA ISA (Information Security Assessment) standard contains strictly structured information security assessment criteria, KPIs and a set of modules, some of them optional:

  • Information Security
  • Data protection
  • Availability
  • Prototype protection


ENX TISAX® (Trusted Information Security Assessment Exchange, a registered trademark of ENX) is a framework built on VDA ISA that allows independent vendors to share their certification and assessment results with their customers (usually from the automotive industry).

Our certifications (CISSP, ISO 27001 Lead Auditor, CISA, OSCP, CEH, etc.) allow us to cover both the formal and the practical aspects of security compliance and security management.

When building an Information Security Management System (ISMS) and its security controls, we rely not only on ISO 27001/27002, VDA ISA and TISAX requirements, but also actively use other standards and frameworks where this is appropriate or explicitly required by our customers or their partners, for example ISO/TS 16949, ASPICE (Automotive Software Process Improvement and Capability dEtermination) and the GDPR (General Data Protection Regulation).

Our approach to implementation begins with simple steps, so that you receive the first results for free. This also introduces you to the process and helps you understand how the implementation works and what your role in it is.


Scoping and Prioritization

We prepare individual self-assessment questionnaires for our customers to start assessing the current state of the ISMS in accordance with VDA ISA. Then we define and document the scope and elaborate the project plan for the initial audit and gap analysis.

Scope definition is crucial for VDA ISA and ENX TISAX®. Any mistake at this stage can lead to excessive implementation and maintenance work or to unsuitable certification results. We also perform the initial prioritization of tasks, so that you get the most important security measures in place as soon as possible.

Usually, the scope includes the customer's business processes to which physical and logical security processes apply. They include, but are not limited to:

  • Human Resources
  • Customer Strategy & Relationships: Marketing, Customer Success Management, License Renewal
  • Customer Acquisition: Sales and Pre-Sales
  • Technology Management
  • Product/Service Release and Delivery
  • Product Development
  • Product Testing
  • Customer Care: Tech Support
  • Accounting Management
  • Financial Analysis & Capital Management

Initial Audit, Gap Analysis and Detailed Project Planning

We usually carry out this stage within 3 to 4 weeks, depending on the approved scope. During the initial audit, we interview the customer's employees, verify documents, assess physical security and the perimeter, etc.

This stage includes the analysis of the initial or current state of the information security management controls, business processes and technological processes, as well as the physical security of the premises, personnel, IT infrastructure, etc. The outcome of this stage is an initial audit report, a gap analysis and a detailed schedule for the implementation of the VDA ISA controls.

The implementation plan takes into account the customer's capability to perform some of the project tasks itself.

Implementation of TISAX® Security Processes and Operations

This stage is usually performed within 6 to 9 months, depending on the approved scope, the initial state, the requirements and the results of the previous stage.

This stage includes, but is not limited to, the implementation of the following essential steps:

  • Building and automating the ISMS using appropriate GRC (Governance, Risk management and Compliance) tools. This allows us to classify the assets and assign responsible persons to them, build a risk matrix and conduct a self-assessment for each asset, with evidence for each item. The GRC tools also hold reports on various activities, ranging from security awareness training to independent security audits.
  • Security incident management using your preferred task management and tracking system (Redmine, Jira, etc.). The Customer is able to trace the entire workflow: task creation, assignment of the responsible person for each task, response and incident closure measures, and reporting.
  • Change management. Any significant change to the Customer's information system should be transparent and processed through Change Requests.
  • Implementation of the necessary basic security measures and controls, including firewalls, VPN, access rights restriction, separation of guest and internal wireless networks and many other things. The implementation is performed by the Customer's IT department under close supervision and guidance by our personnel.
  • Implementation of the basic elements of a Secure Software Development Lifecycle (SDLC) within the production processes.
  • Training for employees in security policies and rules at all locations. Each employee must sign the Security Policy Commitment and the Security Awareness Training Reporting Record.
  • Development and calculation of KPIs according to the different criteria and requirements of VDA ISA.

The result of this phase is not just a set of documents and records that correspond to your actual processes, but also a new security culture within your organization and the highest degree of readiness for official certification.

TISAX® Certification Process

The certification process usually lasts 1 to 3 months, depending on the approved scope. During this stage, we select the certification body, perform a pre-audit, make the necessary corrections and conduct the certification audit.

First, we help you register for the audit and fill in the ENX TISAX® application form. Then we help you choose a certification body from the list of ENX-approved TISAX® audit providers and consult with the certifying organization on your behalf.

Then you make an agreement with the certification body directly and we start the pre-audit and implementation process described above.

On the day of the official certification audit, we represent you and present what we have built together. Afterwards, the auditor analyzes the results, collects the evidence and produces the final report. We support you throughout the whole process and help you provide the required documents.

Finally, you get the ENX TISAX® certificate, become officially compliant and can share the assessment results with your clients through the ENX portal.