Introduction of an information security management system (ISMS)

TRIOLOGY underwent the TISAX assessment in the first quarter of 2021. Our ISMS (Information Security Management System) was assessed by Dekra to determine whether it meets the security level of the target maturity level “high” and whether we thus fulfill the industry-wide uniform security standards. To achieve this goal, our small project team worked for just over a year to establish the ISMS and associated processes to improve information security within TRIOLOGY. In this blog post, I would like to explain the process in more detail. First, however, I would like to briefly explain what TISAX actually is and what advantages the labels create for us as a company.

 

What advantages does TISAX offer?

The automotive industry’s intention in standardizing the audit procedure for information security was to establish an equally high level of security in the supply chain as well as to reduce the effort and expense for the partners involved by means of a uniform procedure.

But the introduction of an information security management system also offers us other advantages. On the one hand, we save time and money in the tendering process, as there is no need for an intensive examination of the security-relevant aspects that the client requires of us. In the future, TISAX certification will become the status quo in the industry, so that more and more customers will demand it from us. In addition, we will generally gain a clear competitive advantage over competitors who do not have TISAX. Overall, the collaboration with our customers and partners will be strengthened and simplified.

In recent months, we have intensively trained and sensitized our employees on this topic and will continue to do so in the future. After all, employee awareness is one of the success factors for increasing information security, alongside certain technical measures that we implemented as part of the project.

Procedure of the assessment process

The process from inception to audit can be broken down into six major elements.

1. GAP analysis: Even before the official start of the project, our IT department conducted a GAP analysis of the technical requirements together with our consultant. This provided us with a good basis for this area at the start of the project, so that our colleagues were able to gradually work through the tickets resulting from the GAP analysis over the entire project period. These included the implementation of a mobile device management system, automatic vulnerability scans, and finer segmentation of the networks.
2. Organizational: Among the formal items we completed at the start of the project in June 2020 were registration with the ENX Association, selection of an audit service provider, and selection of a tool in which to map the ISMS. We as a project team also underwent and successfully passed the “ISO 27001 Foundation” training and exam, as well as our ISB for “Chief Information Security Officer”.
3. Creation of the guidelines: In the next step, we created the guidelines relevant for us based on the TISAX requirements. The most important document is the information security guideline, which we created first and which was approved and published by the management. Overall, we were already quite well positioned with our processes, so in many places we only had to document them in writing. In other places, however, it was necessary to implement new processes. To do this, we brought the affected employees on board to let them participate in the design of the processes; for example, in the implementation of a project risk assessment, which is now carried out for every new project.
4. Risk assessment: The risk assessment was one of the most important points. Here, we first identified all assets (information, services, resources), mapped them in the tool and linked them to the company’s processes. After we also defined criteria for the assessment, each manager was able to perform the risk assessment for the project assigned to him or her. Depending on the results of the assessment, measures were further developed to minimize the risks in the future.
5. Creating awareness: In a concept for employee awareness, we have developed and already partially implemented various measures to raise employee awareness of information security. Furthermore, we initially developed a basic training course based on the guidelines within this framework and then successfully implemented this in the 1st quarter of 2021.
6. Vorbereitung & Durchführung des Assessments: Ab Anfang Februar 2021 ging es in großen Schritten auf das Assessment zu. Zunächst hatten wir dafür ein Kickoff-Termin mit unserem Auditor der Dekra. Hier wurden seinerseits die einzelnen Schritte und wichtigen Punkte für das Assessment erläutert. Von dort an waren es noch knapp 6 Wochen bis zum Audit. Anfang März haben wir im Rahmen der Wirksamkeitskontrolle und als Vorbereitung ein internes Audit durch einen externen Dienstleister durchgeführt. Die Erkenntnisse daraus konnten wir prima für das Audit der Dekra nutzen, um dem ISMS einen letzten Feinschliff zu geben.