Introduction TISAX & BCMS
TISAX (Trusted Information Security Assessment Exchange) is an information security assessment and exchange mechanism specific to the automotive industry. It was developed by the members of the German Association of the Automotive Industry (Verband der Automobilindustrie e.V., VDA) and is operated by the ENX Association. Its requirements catalogue is based on the ISO/IEC 27001 standard for information security management systems (ISMS) and adapted to the industry's specific needs; organisations that pass an assessment receive TISAX labels rather than a certificate. TISAX covers:
- the secure processing of confidential information,
- prototype protection, and
- data protection
in the business relationships between automotive manufacturers and their service providers and suppliers.
A Business Continuity Management System (BCMS) is designed to ensure the survival of the organisation and the continuation of its important business processes in emergencies and crises through holistic crisis management.
The associated standard, ISO 22301, requires a business impact analysis and a risk assessment so that every process and procedure supporting a critical business function is protected, and so that normal operations are restored as quickly as possible after an unexpected disruption.
Crisis management – growing importance in TISAX
The transformation of the automotive industry towards autonomous driving, hybrid and electric vehicles, connected vehicles and the possibilities of 5G technology brings ever-increasing cybersecurity risks and threats for suppliers, OEMs and drivers. New and exceptional threats outside the realm of information security can hardly be addressed by a TISAX assessment alone.
When an incident occurs despite compliance with TISAX, systematic and well-rehearsed handling of the situation is essential to reduce or avoid damage to the organisation. Established crisis management is therefore considered an important complementary component in the TISAX environment.
Interfaces between TISAX and BCMS
Both the BCMS (ISO 22301) and the ISMS (ISO 27001) share similar requirements and approaches, such as a sound risk methodology, which a TISAX assessment also demands.
By adapting the scope appropriately, an organisation can use a single risk methodology to cover both areas.
TISAX already requires some business continuity management through its requirements for handling exceptional situations, although the focus there is on information security scenarios. These include a functioning crisis team and regular emergency exercises.
Fulfilling these requirements through a structured, consistent BCMS gives the greatest assurance that the required business continuity and crisis management measures are in place and effective.
Business Continuity Management as added value in TISAX
“What can go wrong, will go wrong.”
BCM steps in when compliance with the TISAX requirements for prototype protection, perimeter security of the company premises or IT security has not been sufficient to stop a threat. It defines what action should be taken and offers tools to develop and establish action plans company-wide. It supplements TISAX with coping strategies and improves resilience in the event of disruptions, emergencies or crises.
Business Continuity Management covers more than the information security risks addressed by TISAX: it aims to minimise the impact of any threat in any business area by safeguarding critical business functions through appropriate prevention and an adequate response.
Trend towards demonstrating crisis management to win new contracts
Business resilience to hazards and risks is under strain in times of increasing cyber-attacks, fragile supply chains and climate-related extreme weather events.
To increase the resilience of production, research and supply chains, organisations are not only implementing their own business continuity management but also expecting robust crisis management and business continuity from their suppliers. The automotive industry increasingly demands crisis management in addition to TISAX compliance. Combining a TISAX assessment with a robust BCMS gives an organisation the best chance of keeping threats from disrupting operations and makes it a trusted link in the global supply chain.