TISAX (Trusted Information Security Assessment Exchange) is an information security standard for the automotive industry.
It consists of the requirements of the VDA ISA (Verband der Automobilindustrie Information Security Assessment). The latest version is 4.1.1 (download here), which bears a great resemblance to ISO 27001 and its Annex A controls (ISO 27002).
VDA ISA is relevant for all organizations developing technology used in the automotive industry.
VDA ISA requirements can be divided into four categories:
- Information security (chapters 1-22)
- Supplier and vendor management (chapter 23)
- Data protection (chapter 24)
- Prototype protection (chapter 25)
The biggest difference from ISO 27001 is that TISAX requires every control to be assigned a maturity level. Within Instant 27001, this can easily be achieved by populating the field “Status” (which indicates whether the control is implemented or not) with one of the following:
- Level 0 (Incomplete)
  A process does not exist, or the existing process does not achieve the required results.
- Level 1 (Performed)
  The requirements necessary for the respective information protection needs are performed. A process is in place and shows evidence that it works. It is, however, not completely documented, so it cannot be ensured that it works at all times.
- Level 2 (Managed)
  The process for achieving the objective is managed. It is documented, and proof (e.g. documentation) is available.
- Level 3 (Established)
  The process for achieving the objective is established, and the processes are linked to show their dependencies. The documentation is up to date and maintained.
- Level 4 (Predictable)
  The requirements of Level 3 are met and, in addition, results are measured (e.g. with KPIs), making the process predictable.
- Level 5 (Optimizing)
  The requirements of Level 4 are met and, moreover, additional resources (e.g. personnel and finances) are applied to optimize the process. The process is subject to continuous improvement.
ISO 27001 instead of TISAX?
For most requirements, the target maturity level is 3 (Established) or 4 (Predictable). When an organization has achieved ISO 27001 certification, a maturity level of 4 is assumed, which will grow to level 5 in the coming years.
So, instead of filling in the VDA information security assessment by hand, Instant 27001 offers a strong alternative. And achieving ISO 27001 certification will make a much stronger point to your stakeholders!
Assessment levels (AL)
You can use the Assurance Statement from Instant 27001 as a basis to achieve Assessment Level 2 (AL2), or undergo a full ISO 27001 certification using the Statement of Applicability to acquire Assessment Level 3 (AL3).