Service providers and suppliers in the automotive industry are increasingly required to demonstrate compliance with the TISAX® information security standard to OEMs. Often, companies lack the necessary know-how. With TISAX®, the automotive industry has set a comprehensive standard to ensure information security within the industry and to secure the data exchange between client and supplier. A medium-sized supplier commissioned the cyber security team of Sulzer GmbH to prepare its company for the TISAX® assessment. Until then, it had dealt with the topic only marginally. Gökhan Kurtbay, Senior Consultant at Sulzer GmbH, and Stephan Fenzl, Project Manager and Authorized Signatory at niteflite networxx GmbH, explain in the Praxis-Talk what the biggest challenges were and which services they used to quickly and successfully support the client in preparing for a TISAX® assessment. “During an initial check, we discovered that virtually the entire IT system had to be rebuilt. Because this exceeded our in-house capacities, we called in the experts from niteflite networxx. We knew that they would be able to handle the IT side of consulting related to TISAX® well”, says Gökhan Kurtbay. Stephan Fenzl adds, “We already had experience in consulting related to TISAX® and knew which key points were important. We’re talking about hardware, processes and documentation, which is of course essential for the label.”
An ISMS for enterprise-wide information security
The foundation for a successful TISAX® assessment is the implementation of an information security management system (ISMS) that defines processes that bring information security to the high level required by the industry. “These guidelines make sense as you thoroughly address the security aspect of your business. Many of the points they contain are relatively easy to implement, while others are a bit more involved”, says Stephan Fenzl. The latter certainly includes the required documentation, especially if no corresponding processes and systems have yet been established. Document management is a central component in the implementation of the TISAX® requirements. Processes and approaches must be introduced that document all measures without gaps and enable continuous updating.
Individual consulting on documentation for compliance
Stephan Fenzl says, “Here you have to plan for the long term in consulting, because individual departments have to implement tasks and create documents.” Because of the company’s size, some of these departments didn’t exist at all, and there was not even an IT manager. Instead, there were many employees who acted as all-rounders but had little time and lacked the necessary know-how to implement the complex TISAX® specifications. So the security experts from Sulzer and niteflite networxx worked out the issues according to best practice specifications in order to be able to hand them over to the customer “turnkey”. Stephan Fenzl: “In the process, three to four technicians always had their work cut out. Since we had a tight time frame, we had to make sure that everything was tightly timed and that our processes were also optimized.” With good and efficient planning, this was achieved within the set deadline despite COVID restrictions.
COVID challenge and full management support
“Another challenge was to verify the client’s information, which COVID did not allow us to do on site”, Gökhan Kurtbay admits. Many analyses could be performed remotely with the appropriate technical tools. “With so-called remote management and monitoring software (MMS), for example, the entire network can be scanned and an inventory taken”, explains Stephan Fenzl. The consultants encountered an open management team with realistic ideas that cooperated fully. “Support from management is essential because you have to take the employees with you. They have to understand, accept and live the measures. Support from management is the be-all and end-all”, says Stephan Fenzl. Gökhan Kurtbay adds: “The management wanted to get everything right right away for the future. This is important because recertification is due after three years. If you then have to start from scratch, you’ve wasted a lot of time and resources.”
Dream team for compliance
Both security consultants emphasize the good cooperation: “An intensive and regular exchange with each other is essential in order to coordinate the next steps in each case. After all, we always had to ask ourselves what needs to be realized further in order for our client to achieve compliance”, says Stephan Fenzl. They emphasize that they will continue to join forces in the future and successfully help companies to prepare for a TISAX® assessment. In this context, the distribution of roles is clearly defined: Sulzer’s cyber security team provides organizational consulting, while niteflite networxx expertly takes care of the IT. “TISAX® label or ISO certifications are on the rise. Since we complement each other very well, we will certainly do more projects together in the future”, says Stephan Fenzl. Gökhan Kurtbay adds, “The IT specialists at niteflite networxx bring a tremendous amount of additional knowledge around certifications and TISAX®.”
A must – the TISAX® label for the automotive industry
The TISAX® label is becoming increasingly important for suppliers in the automotive industry, as OEMs want to use it to ensure that the entire supply chain can operate with a uniform, high level of security across the board. The TISAX® specifications build on the ISO 27001 security standard and are derived from the information security standard for the automotive industry (VDA ISA) defined by the VDA. All areas of organization, IT and data protection are covered. Topics that are particularly important for the automotive industry, such as prototype and data protection, also play an important role. The assessment is not only intended to provide a snapshot, but to establish the necessary processes and measures for the long term, in a way that can be extended throughout the company.
Managed IT services from niteflite networxx
niteflite networxx provides IT services and IT security as managed services. niteflite networxx was founded in 1998 and has developed from a classic IT service provider into a professional full-service system house for IT infrastructure, IT service (managed service) and IT security. The company offers holistic IT solutions for companies and, if desired, can take over complete or partial proactive IT support. In the TISAX® area, niteflite networxx supports companies with the necessary technical IT know-how to successfully complete certification. Its clientele includes numerous medium-sized companies from various industries. niteflite networxx is headquartered in Weilheim, 50 km south of Munich.
Consulting from Sulzer – secure and at eye level
The cyber security team of Sulzer GmbH personally and competently advises companies in the automotive industry on information security, data protection and compliance, and prepares them for a TISAX® assessment. After countless successful consultations at eye level, the Sulzer security experts clarify the most important questions in advance and provide concrete instructions for action. Sulzer GmbH has been a successful full-service provider for process and IT consulting in the automotive industry for over 40 years. Reliability and expertise distinguish us in all areas. We have successfully introduced the TISAX® label in all of our subsidiaries in Germany. Further information on TISAX® at: https://www.sulzer.de/tisax/ (only available in German).
TISAX® is a registered trademark of the ENX Association. No business relationship exists between Sulzer GmbH and ENX Association with respect to the consulting services described above. The mention of the TISAX® trademark does not imply any statement by the trademark owner as to the suitability of the services advertised herein.