TISAX is an information security management standard according to ISO/IEC 27001 and specified for the automotive industry. It is based on a questionnaire of the VDA (Verband der Automobilindustrie, Engl.: German Association of the Automotive Industry). The ENX Association – which is an association of European vehicle manufacturers, suppliers and organisations – accredits the testing bodies and monitors the quality of the implementation as well as the assessment results.
For High Mobility, confidentiality, availability and integrity of information are of great value. That is why we have taken these extensive measures to protect sensitive and confidential information.
TISAX and TISAX results are not intended for the general public. Results are available (on request if not published) through the ENX Portal.
What are TISAX and ISO/IEC 27001?
TISAX and ISO/IEC 27001 contain requirements on how to manage information as well as how to assess information security. Organisations and companies that work with sensitive or personal information and therefore have increased data protection requirements can implement these standards to improve their operations and to increase trust among stakeholders.
ISO/IEC 27001 is jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO on their website describes it as follows:
“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.”
Scope
The implementation of the Information Security Management System (ISMS) according to TISAX and ISO/IEC 27001 at High Mobility is extensive. It includes the business operations of the company as well as the High Mobility data platform and marketplace for vehicle data.
Goals and Objectives
Abstractly, the main objectives of implementing an information security management system at High Mobility were
- to ensure confidentiality, availability and integrity of systems, information and data,
- that all processes and practices in the company are compliant with GDPR (General Data Protection Regulation), and
- to cultivate a mindset of privacy-by-design.
The High Mobility platform and the marketplace is an access point for vehicle data. It is vital for us to build trust among all parties that are connected to our platform. This includes automakers and drivers who provide access to car data as well as mobility service providers who utilise it.
In practice, this means: Data must be protected so that it cannot be maliciously modified, leaked or stolen. Processes and practices must be designed to protect information and data from external as well as internal threats.
Project Implementation
An Information Security Team consisting of CTO Kevin Valdek, COO Martin Lauer and Information Security Officer (ISO) Maidu Üle was appointed to perform the implementation. Comprehensive management reviews of all obligations and measures were carried out. All employees received information security awareness training with follow-up questionnaires and the opportunity to be part of forming the implemented measures and best practices.
COO Martin Lauer said:
“The information security awareness training was a great opportunity to involve the whole company into a process. When people work together, it is crucial to regularly align objectives and basic principles. The implementation of the ISMS had a positive effect on our cooperation within the company beyond the concrete goals of the ISMS.”
To ensure information security and data protection at every level of the company, all fourteen controls of Annex A of ISO / IEC 27001 were evaluated in regard to processes and practices in the company.
The Information Security Team went through a risk assessment process in which all possible risks and risk scenarios for the company as well as for its systems were examined. The outcome of this assessment was documented. All individual risks are stored in a risk database.
Policies, procedures, processes and workflows for information security and risk treatment were determined. In order to be able to evaluate the performance of these measures, KPIs, thresholds and responsibilities were defined.
Conclusion and Outlook
The ISMS according to ISO/IEC 27001 and TISAX is not a time-limited measure that is completed after its implementation. Instead, it needs and results in ongoing action. Crucially, a culture of continuous improvement has been established.
High Mobility will conduct reviews and re-evaluations of the ISMS on an ongoing basis, including management review meetings and information security trainings for all employees.
CTO and founder Kevin Valdek recapitulates:
“As a platform and marketplace for live vehicle data, information security has always been an essential part of our identity. We have always been aware of the great responsibility that comes with our operating model. Of course we learned new things during the implementation of the ISMS, but it was also a confirmation of the strength of our existing practices that we have been working on over the past 8 years.”