Introduction of an information security management system (ISMS)

TRIOLOGY underwent the TISAX assessment in the first quarter of 2021. Our ISMS (Information Security Management System) was assessed by Dekra to determine whether it meets the security level of the target maturity level “high” and whether we thus fulfill the industry-wide uniform security standards. To achieve this goal, our small project team worked for just over a year to establish the ISMS and associated processes to improve information security within TRIOLOGY. In this blog post, I would like to explain the process in more detail. First, however, I would like to briefly explain what TISAX actually is and what advantages the labels create for us as a company.

What actually is TISAX?

As the importance of information security has also increased in recent years due to advancing digitalization, the requirements for companies to implement a high level of security are also increasing in parallel.

Since sensitive data is handled in the automotive industry in particular, the German Association of the Automotive Industry (VDA) established a uniform testing procedure in 2017: the “Trusted Information Security Assessment EXchange” (TISAX). This procedure is designed to ensure that all suppliers and partners also meet the defined security standards. The ENX Association is responsible for the accreditation of the testing service providers and the verification of the assessment results. The requirements of TISAX are based on the standards of ISO 27001 for ISMS and ISO 27017 for cloud security and are defined in the Information Security Assessment (VDA ISA).

What advantages does TISAX offer?

The automotive industry’s intention in standardizing the audit procedure for information security was to establish an equally high level of security in the supply chain as well as to reduce the effort and expense for the partners involved by means of a uniform procedure.
But the introduction of an information security management system also offers us other advantages. On the one hand, we save time and money in the tendering process, as there is no need for an intensive examination of the security-relevant aspects that the client requires of us. In the future, TISAX certification will become the status quo in the industry, so that more and more customers will demand it from us. In addition, we will generally gain a clear competitive advantage over competitors who do not have TISAX. Overall, the collaboration with our customers and partners will be strengthened and simplified.
In recent months, we have intensively trained and sensitized our employees on this topic and will continue to do so in the future. After all, employee awareness is one of the success factors for increasing information security, alongside certain technical measures that we implemented as part of the project.

The assessment process

The process from inception to audit can be broken down into six major elements.

  1. GAP analysis: Even before the official start of the project, our IT department conducted a GAP analysis of the technical requirements together with our consultant. This provided us with a good basis for this area at the start of the project, so that our colleagues were able to gradually work through the tickets resulting from the GAP analysis over the entire project period. These included the implementation of a mobile device management system, automatic vulnerability scans, and finer segmentation of the networks.
  2. Organizational: Among the formal items we completed at the start of the project in June 2020 were registration with the ENX Association, selection of an audit service provider, and selection of a tool in which to map the ISMS. We as a project team also underwent and successfully passed the “ISO 27001 Foundation” training and exam, and our information security officer (ISB) did the same for the “Chief Information Security Officer” training.
  3. Creation of the guidelines: In the next step, we created the guidelines relevant for us based on the TISAX requirements. The most important document is the information security guideline, which we created first and which was approved and published by the management. Overall, we were already quite well positioned with our processes, so in many places we only had to document them in writing. In other places, however, it was necessary to implement new processes. To do this, we brought the affected employees on board to let them participate in the design of the processes; for example, in the implementation of a project risk assessment, which is now carried out for every new project.
  4. Risk assessment: The risk assessment was one of the most important points. Here, we first identified all assets (information, services, resources), mapped them in the tool and linked them to the company’s processes. After we also defined criteria for the assessment, each manager was able to perform the risk assessment for the project assigned to him or her. Depending on the results of the assessment, measures were further developed to minimize the risks in the future.
  5. Creating awareness: In a concept for employee awareness, we have developed and already partially implemented various measures to raise employee awareness of information security. Furthermore, we initially developed a basic training course based on the guidelines within this framework and then successfully implemented this in the 1st quarter of 2021.
  6. Preparation and execution of the assessment: From the beginning of February 2021, we moved toward the assessment in big steps. First, we had a kickoff meeting with our auditor from Dekra, in which he explained the individual steps and the important points for the assessment. From there, it was just under 6 weeks until the audit. At the beginning of March, as part of the effectiveness check and in preparation, we had an internal audit carried out by an external service provider. We were able to make good use of the findings from it for the Dekra audit, to give the ISMS a final polish.

The results of the assessment are confidential and can be accessed online in the future by our business partners via the ENX portal. This ensures that the results cannot be falsified and are always up-to-date.
According to ENX, we are unfortunately not allowed to publicly announce whether we have now received the important labels. But this much can be revealed: The project team is relieved and overjoyed after the last months…

Nathalie Voigt
IT-Project Business Services
nathalie.voigt@triology.de