Last Updated on January 15, 2024
The TISAX (Trusted Information Security Assessment Exchange) standard for protection of intellectual property, personal data, and other sensitive data in the automotive supply chain is based on the respected ISO 27001 cybersecurity standard. So, if your company has achieved or is working towards ISO 27001 certification, that should help you advance towards TISAX compliance, right?
To share what’s most important for security and business leaders in the auto industry to know about TISAX, a recent episode of The Virtual CISO Podcast features Ed Chandler, National Sales Manager at TÜV SÜD America. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
A lighter lift
Ed points out that the internal security assessment (ISA) component of TISAX includes a table that maps TISAX requirements directly to ISO 27001 Annex A.
“It’s a lighter lift for an organization because they’ve taken into account a lot of these factors already,” Ed says.
Supports multi-site assessments
Another benefit of ISO 27001 alignment for larger orgs with multiple sites looking to comply with TISAX: a mature, ISO 27001 compliant information security management system (ISMS) supports the “simplified group assessment” process within TISAX.
Essentially, TISAX may allow either multiple per-location assessments or a single assessment covering multiple locations, provided the assessment objectives are the same for all the sites. If the assessment objectives differ across sites, you’ll need separate assessments for those sites.
“If you have an organization that is doing prototypes at one location and they’ve got personally identifiable information (PII) at another location, then obviously the best path forward will most likely be single site assessments or multiple, multiple-site assessments,” explains Ed.
Leveraging ISO 27701 with TISAX
The TISAX requirements for data protection are intended, as a starting point, to ensure that a supplier’s privacy program aligns with GDPR.
While the TISAX requirements for the data protection assessment objectives are not based directly on the ISO 27701 “privacy extension” to ISO 27001, achieving certification against the ISO 27701 requirements is a big step in the right direction.
For example, an org seeking ISO 27701 certification could define compliance with TISAX data protection requirements as within the scope of its ISO 27701 privacy information management system (PIMS). This would not only establish a TISAX compliant privacy program, but also accrue the considerable marketing and client acquisition benefits of an ISO 27701 certification in addition to the associated TISAX label.
What’s next?
To enjoy this podcast episode with TISAX expert Ed Chandler in its entirety, click here.
Here’s how close an ISO 27701 certification gets you to GDPR compliance: Does ISO 27701 Certification Mean You Comply with GDPR and CCPA?