Implementation of and certification on VDA and TISAX
The ISO 27001 Compliance Assessment Online Wizard is also recommended for you. In about 10 minutes it shows to what extent your company complies with ISO 27001 and how much time you would need to achieve full compliance and certification.
WHAT IS VDA ISA AND TISAX
The international information security standard VDA ISA was developed by the German Association of the Automotive Industry, VDA (Verband der Automobilindustrie), on the basis of the ISO/IEC 27001 and 27002 standards.
The VDA ISA (Information Security Assessment) standard contains strictly structured information security assessment criteria, KPIs and additional optional modules:
- Connection to 3rd parties
- Data protection
- Prototype protection
TISAX (Trusted Information Security Assessment Exchange) is a framework built on VDA ISA which allows independent vendors to share their certification and assessment results with their customers (usually from the automotive industry).
Our certifications (CISSP, ISO 27001 Lead Auditor, CISA, OSCP, CEH, etc.) allow us to cover both formal and practical aspects of security compliance and security management. When building an ISMS and security controls, we rely on VDA ISA requirements.
Our approach to implementation begins with simple steps, so that you receive the first value for free, get introduced to the process and understand clearly the essence of the implementation work and your role in it.
Scoping and prioritization
We prepare individual self-assessment questionnaires for our customers to start assessing the current state of the ISMS in accordance with VDA ISA. Then we define and document the scope and elaborate the project plan for the initial audit and gap analysis.
Scope definition is crucial for VDA ISA and TISAX. Any mistake at this stage can lead to excessive implementation and maintenance work or to wrong certification outcomes. In addition, we perform the initial prioritization of tasks, so that you gain the most real security benefit as early as possible.
Usually the scope includes the customer's business processes to which physical and logical security processes apply. They include, but are not limited to:
- Human Resources
- Customer Strategy & Relationships: Marketing, Customer Success Management, License Renewal
- Customer Acquisition: Sales and Pre-Sales
- Technology Management
- Product/Service Release and Delivery
- Product Development
- Product Testing
- Customer Care: Tech Support
- Accounting Management
- Financial Analysis & Capital Management
We perform this stage for you free of charge. If you decide that you want to work with us further, we send you a commercial offer and sign a service agreement.
Initial audit, gap analysis and detailed project planning
We usually carry out this stage over 3 to 4 weeks, depending on the approved scope. During the initial audit, we interview the customer's employees, verify documents, assess physical security and the perimeter, etc.
This stage includes the analysis of the initial or current state of the processes and information security management controls, business processes and technological processes, as well as the analysis of the physical security of the premises, personnel, IT infrastructure, etc. The outcome of this stage is an initial audit report, a gap analysis and a detailed schedule for the implementation of the VDA ISA controls.
The implementation plan takes into account the customer's capability to perform some of the project tasks itself.
Implementation of security processes and operations
This stage is usually performed over 4 to 9 months, depending on the approved scope, initial state, requirements and the results of the previous stage.
This stage includes, but is not limited to, implementation of the following essential steps:
- Building and automation of the ISMS using appropriate GRC (Governance, Risk management and Compliance) tools. This allows you to classify the assets and assign responsible persons for them, build a risk matrix, and conduct a self-assessment for each asset with evidence for each item. The GRC tools also contain reports on various activities, ranging from security awareness trainings to independent security audits.
- Security incident management using a task management and tracking system (Redmine, Jira, etc.). The Customer will be able to trace the entire workflow from task creation, assignment of the responsible person for each task, response and incident closure measures, to reporting.
- Change management. Any significant changes in the Customer information system should be transparent and should be processed using Change Requests.
- Implementation of the necessary basic security measures and controls, including firewalls, VPN, access rights restriction, separation of guest and internal wireless networks and many other things. The implementation is performed by the Customer's IT department under close supervision and guidance by our personnel.
- Implementation of the basic elements of the Secure Software Development Lifecycle (SDLC) within the production processes.
- Training for employees on security policies and rules at all locations. Each employee must sign the security policy commitment and the security awareness training reporting record.
- Development and calculation of KPIs according to the different criteria and requirements of VDA ISA.
The result of this phase is not just a set of documents and records that correspond to your actual processes, but also a new security culture of your organization and the highest degree of readiness for official certification.
The certification process usually lasts 1 to 3 months, depending on the approved scope. This stage includes the selection of the certification body, the pre-audit, corrective actions and the certification audit.
First, we help you register for the audit and fill in the TISAX application form. Then we help you choose a certification body from the list of ENX-approved TISAX audit providers. We consult with the certifying organization on your behalf.
Then you sign an agreement with the certification body directly and we start the pre-audit and the implementation process described above.
When the date of the official certification comes, we represent you and demonstrate what we have built for you. After that, the auditor analyzes the results, collects the evidence and produces the final report. We support you all the time and help you provide the requested evidence.
Finally, you get the TISAX certificate, become officially compliant and may share the assessment results with your clients through the ENX portal.
WHAT IS NEXT?
TISAX certification is valid for 3 years. The information security management system must remain live during this entire period; it should be developed further, maintained and optimized.
We provide continuous support of the ISMS throughout its entire life cycle, in full scope. It includes, but is not limited to:
- Monthly/quarterly training of employees at all locations. The training session takes 1 hour and can be held for various categories of employees (general staff, software developers, system administrators, HR, etc.).
- Monitoring of implemented security systems.
- Vulnerability monitoring.
- Quarterly vulnerability scan and pentests (both automated and manual).
- Regular audit of source code security.
- Continued implementation of security policies and procedures, with a separate focus on the further smooth integration of security requirements into the Software Development Life Cycle (SDLC).
- Implementation of reporting in the GRC tools.
- Participation in all workflows of the company from the point of view of compliance with the security requirements.
- Monthly/quarterly reporting to top management about security incidents, if any, and about the overall IT security state and progress.
We provide managed compliance with TISAX and full support for subsequent confirmations of your TISAX compliance status.