TISAX, the cyber evaluation system for carmakers

When it comes to automotive cybersecurity, automakers are drawing a new line that their subcontractors must not cross. Inspired by ISO/IEC 27001, the TISAX standard is making its way into calls for tender. AFNOR Certification is now recognized by ENX, the association that owns the standard, to assess the practices and information systems of industry players.


They’re moving up a gear. In a highly competitive and innovative environment, the automotive giants are becoming increasingly aware of the risks of piracy and leakage resulting from the digitalization of processes and exchanges. How do you protect a prototype’s drawings when it’s time for a subcontractor to start manufacturing it? How do you ensure the security of confidential plans stored on a server abroad? How do you protect yourself against ransomware that threatens to spread the secrets of a revolutionary future engine on the dark web? How do you ensure business continuity in the event of a major crisis? TISAX is the answer to these new concerns for an entire sector.

 

TISAX evaluation: a sector-specific version of ISO/IEC 27001

Initiated by the German automotive industry, including the well-known VDA (Verband der Automobilindustrie), the TISAX (for “Trusted Information Security Assessment Exchange”) project got underway in 2017. This private-sector standard is designed to adapt to the automotive sector the requirements of ISO/IEC 27001, the voluntary international standard on information systems security management. Other manufacturers, particularly French ones, soon joined the initiative, which came to fruition in early 2023. “This sector is characterized by strong competition and the race for innovation, with a real risk of espionage, multiplied tenfold by the large subcontracting chain,” points out Thomas Sanjullian, Digital Confidence Product Manager at AFNOR Certification. “The TISAX assessment is designed to ensure that all players involved comply with strict cybersecurity rules.” Data registry, governance, business continuity plan, employee awareness and training… TISAX requirements vary according to the level of assessment, of which there are three:

  • The first is limited to a catalogue-based self-assessment to check whether the requirements have been met.
  • The second requires the intervention of a third-party evaluator, who will conduct “plausibility” interviews with the teams concerned, to ensure that these same requirements are met.
  • The third involves an in-depth audit lasting several days on site, with verification of all catalog requirements. This last level deals in particular with data relating to prototypes and test cars.

“TISAX is no longer an option,” notes Pascal Thomas, auditor for AFNOR Certification. “French manufacturers are already including this requirement in their invitations to tender. To be able to respond and receive data from the manufacturer, they must provide proof of their level.” Since September 2023, AFNOR Certification has been the only French organization recognized to carry out this assessment. The auditors are currently undergoing training to be able to carry out their first audits from early 2024. Internationally too, the AFNOR group’s offices are getting organized and will soon be offering TISAX to the automotive ecosystem in their respective countries. A vital step forward on the road to risk management and the sovereignty of sensitive data. Interested? Register for our next information webinar, to be held in English on January 30, 2024.