TISAX® certified! Security for your EDI/B2B processes in the SEEBURGER Cloud

SEEBURGER Cloud Services has been ISO 27001 certified and ISAE 3402 audited for many years.

In addition to this, SEEBURGER has now successfully subjected its cloud services to the automotive-specific TISAX^® certification. This gives companies in the automotive industry the assurance that their cloud-based processes for B2B/EDI, CAD and more at SEEBURGER meet a certain level of maturity in accordance with the requirements of the ‘VDA Information Security Assessment’ (VDA ISA).

What is TISAX^®?

TISAX^® (Trusted Information Security Assessment Exchange) is the solution of the German Association of the Automotive Industry (Verband der Automobilindustrie e.V. (VDA)) for the growing security needs between automotive manufacturers and suppliers when dealing with confidential information. TISAX^® is the established standard for information security in the automotive industry.

TISAX^® is based on ISO/IEC 27001 – in particular on the security controls from Annex A. TISAX^® affects all processes, procedures and involved resources in the company that process information subject to the security requirements of partners in the automotive industry. This includes the collection, storage and processing of information and applies to all technical components and software solutions. TISAX^® is an industry standard for the creation of information security in the automotive industry, which is not only recognized by the automotive manufacturers, but also demanded by the automotive suppliers with regard to its implementation.

TISAX^® in the Automotive Industry

As early as 2005, an interdisciplinary VDA working group dealing with information security began adapting existing standards for information security management to the needs of the automotive industry. The result of the joint work was a questionnaire based on ISO/IEC 27001, which covers the industry-wide accepted requirements of the automotive industry for information security and supplements the security controls of ISO 27001 from Annex A with the following security controls:

• Information security
• Connection of further parties (supplier management)
• Protection of prototypes
• Privacy

A further substantial difference is that with ISO 27001, the area of application (thus the range of the enterprise) for which the information security management is used (the so-called ‘scope’ which covers business processes, applications and infrastructure objects), is by and large freely configurable. The questionnaire, on the other hand, imposes considerable specifications.

The questionnaire was called ‘VDA Information Security Assessment’ (VDA ISA) and enabled VDA members to ‘self-assess’ the maturity level of their internal control system (ICS) for information security management.

Originally, companies only used the VDA ISA for internal purposes. Gradually however, more companies have used it to assess the maturity level of their suppliers and have even carried out complete audits of their suppliers’ ICS (including on-site audits). This meant a considerable effort for the suppliers, meaning they soon required a verified audit by authorized certification service providers in order to avoid the costs of repeated audits by different companies.

This was made possible by the TISAX^® (Trusted Information Security Assessment Exchange) standard, at the end of which the TISAX^® certificate or TISAX^® labels are issued. In order to obtain this standard, an audit is conducted by an accredited certification service provider on behalf of the respective company. For TISAX^® this examination is called an assessment or audit.

After a successful TISAX^® audit the company is registered at ENX. The ENX Association acts as a governance organization. It accredits the testing service providers and monitors the quality of the performance and the assessment results. This is to ensure that the audit results have the desired quality and objectivity, and that the rights and obligations of the participants are respected.

The TISAX^® Maturity Level

TISAX^® uses the concept of ‘maturity levels’ to evaluate the quality of all aspects of the Information Security ICS. The more mature the ICS for information security, the higher the maturity level.

The concept of maturity levels originally goes back to the quality framework CMM (Capability Maturity Model), which was widely used in the early 1990s. NB: Neither the quality framework CMM nor its successor CMMI (Capability Maturity Model Integration) played a significant role in the automotive industry. It was not until 2001, when the quality framework SPICE (Software Process Improvement and Capability dEtermination), which also operates with maturity levels, was used to evaluate automotive suppliers in the software and electronics sector that maturity models began to spread in the automotive industry.

TISAX^® differentiates between six maturity levels in close alignment with the quality frameworks CMMI and SPICE. Notes on the detailed definition of the maturity levels can be found in the TISAX^® participant manual as well as the following consolidated view in the form of a simplified table:

The Six TISAX^® Maturity Levels:

TISAX^® – Assessment Levels

The assessment level determines the severity of the audit and is usually specified by the car manufacturer as an audit requirement. The severity level depends on the sensitivity and thus the need for protection of the tested data and processes in the company or location.

TISAX^® provides in its test methodology a classification based on the following three assessment levels:

• Assessment Level 1 (normal protection requirements): The company conducts an internal audit of the internal control system (ICS) based on the VDA-ISA. The external auditor checks the completeness of the audit, but does not perform any audit procedures itself. Assessment Level 1 cannot be certified.
• Assessment Level 2 (high protection requirements): An external auditor carries out a plausibility check of the ICS based on the VDA-ISA. In the case of a positive assessment, certification is granted.
• Assessment Level 3 (very high protection requirements): The external auditor checks and verifies the ICS in detail on the basis of the VDA-ISA. In the event of a positive assessment, certification is granted.

Labels are awarded on the basis of the audited assessment level.

In order to achieve the audited assessment level, the achieved maturity levels per audit must correspond to at least one target value specified by ENX. This ensures that all requirements of the audited assessment level are met across all topics and that there is no compensation for over- and under-fulfilled controls. The ENX target values for the individual controls lie between maturity level 2 and 4, with an average value of 3.0.

Finally, the overall level of maturity for the assessment level tested is determined as an average value. This average value must be close to the possible maximum value of 3.0 (at least 2.7) to receive the TISAX^® label at all.

Re-certification for the locations within the scope is typically performed every three years or when a company wishes to achieve a higher target maturity level.

What does the TISAX^® requirement mean for automotive suppliers?

More and more automobile manufacturers, for example BMW, the VW Group (including Porsche) and increasingly their suppliers (including Dräxlmeier and Ventrex) are demanding TISAX^® certification with an appropriate assessment level from their business partners and their sub-suppliers. These requirements are increasingly becoming part of the non-disclosure agreements and purchasing conditions of automobile manufacturers and suppliers.

This trend is by no means limited to the automotive industry. Information security in the context of digitization always involves risk management, which concerns everyone today. This not only involves EDI data, but also design and drawing data, catalogs, prices, etc., some of which are far more worthy of protection.

TISAX^® and also the GDPR (General Data Protection Regulation) introduced in 2018 have further accelerated this trend. In principle, every company that works for customers in the automotive industry has required TISAX^® certification since the beginning of 2018. Suppliers in the automotive industry require TISAX^® certification to receive orders. And outside the automotive industry, information security is increasingly important.

TISAX^® is therefore becoming increasingly important. This poses great challenges for automotive suppliers and service providers that go beyond the industry standards that have been in use until now. In addition to the severity of the requirements, the breadth to which the automobile manufacturers require the majority of their suppliers to comply with the standard is extraordinarily large. This hits smaller companies particularly hard.

In summary, it can be said that TISAX^® places significantly higher demands on the internal control system of the audited company than previously common industry standards such as ISO 27001 or specific audits of automobile manufacturers.

TISAX^® and Supply Chain Management

TISAX^® has an impact on all IT processes used in the supply chain. Supply Chain Management (SCM) is of great importance due to the close integration in the automotive industry. All real flows of goods must be controlled by corresponding information flows, whose security management is the focus of TISAX^®. For this reason TISAX^® also concentrates on merchandise management processes and EDI (Electronic Data Interchange).

TISAX^®: This is how SEEBURGER supports the in-house operation of the EDI system

In order for suppliers to be able to fulfill the TISAX^® certification required by their customers with the desired assessment level, both technical and organizational precautions must be taken. For example, unauthorized access must be prevented and the protection goals of information security (confidentiality, availability and integrity) must be ensured. And the EDI solution used must be designed and structured in such a way that it can be certified.

Should you require TISAX^® certification, SEEBURGER will also be happy to assist you with the technical configuration of your SEEBURER BIS. In addition to mere consulting services, SEEBURGER also offers software modules of the Business Integration Suite (BIS) to support your technical equipment. These assist you in operating for greater information security, including BIS Secure Proxy, BIS Data Store Extension, BIS FX or even EPX7 for CAD.

TISAX^®: Benefit from SEEBURGER Cloud Services

With its Full Service and iPaaS operating models, SEEBURGER offers companies fast and secure transfer of high-quality data in the cloud. This also applies to special technical services such as the Supplier Portal Service for connecting non-EDI-capable suppliers via WebEDI. With the TISAX^® certification, SEEBURGER proves that the cloud services offered meet the industry-specific requirements of the automotive industry for the performance of an information security management system as well as a specific TISAX^® assessment level.

This makes it easier for you as a supplier to the automotive industry to prove your own TISAX^® Assessment Level to your customers.

With TISAX^® certification, SEEBURGER expands its leading position as an EDI cloud provider

For more than 30 years, SEEBURGER has built up an excellent reputation in the field of B2B integration (with more than 15 of those years being with cloud services) and has always attached great importance to information security. Since September 2020, the SEEBURGER Cloud Services for the Bretten site are now also TISAX^® certified, with Assessment Level 2 (high protection requirement). In the initial assessment, an overall maturity level of 2.9 of the maximum possible 3.0 was calculated for Assessment Level 2.

The TISAX^® certification not only refers to the exchange of EDI data, but also includes the exchange of data in the CAD/CAx environment and for other processes such as API integration, API management, MFT, Industrial IoT and international E-Invoicing.

“For SEEBURGER, the TISAX^® certification is further proof of the high process quality and consistent advancement that has already begun with the successful certification and implementation of ISO 27001 and ISAE 3402” says Uwe Heber, Vice President Operation, Cloud & Managed Services, SEEBURGER AG.

Do you want to fully meet the information security requirements of your customers and their customers?

Do you want to benefit from the information security that SEEBURGER offers you in the context of its cloud services?

Get in touch with us. We will be happy to show you how we can support you in your digitization initiatives in a TISAX^®-compliant manner.