Everywhere you turn these days, people are talking about data protection and information security. The same goes for us at Leinhäuser, where these have been topics of discussion for many years now. Today, companies increasingly expect their suppliers to have data-protection certifications. Fortunately, we at Leinhäuser have good news for them: We’ve recently passed an audit according to TISAX guidelines. These guidelines aren’t just a standard that’s widely recognized in the automotive industry; they are also used by many small and medium-sized enterprises in other industries.
Leinhäuser has years of experience securely processing and transmitting sensitive information. As part of its collaboration with partners in the automotive industry, Leinhäuser has been applying the guidelines of the German Association of the Automotive Industry (VDA) for years now. In 2017, the association went a step further and created a uniform standard for the entire supply chain: the TISAX label. “From the manufacturer to the supplier and service provider,” said Dr. Martin Unterberger, the chairman of the association’s working group on information security.
The association’s ISA (Information Security Assessment) is based on the international ISO/IEC 27001 standard. The VDA has commissioned the ENX Association to assign its accredited auditors to conduct the assessments. Even though TISAX (short for Trusted Information Security Assessment Exchange) is based directly on the automotive association’s guidelines as well as ISO/IEC 27001, new requirements have been formulated as well. As a result, information security has once again received special attention from us at Leinhäuser.
Our employees involved in the process provided answers to questions about how preparation and the assessment itself were carried out.
With TISAX, the VDA toughens its rules
A dedicated team led by our information security officer spent several months preparing for the assessment. The work involved not just our IT and management teams — employees from our partner and project management teams joined as well. As a result, both areas of the TISAX requirements were covered: management and IT.
The assessment goal was set with the help of the TISAX-accredited auditor. As a first step, the TISAX criteria had to be adapted to apply to Leinhäuser as a translation provider. Even though the label is considered to be a uniform standard, it was primarily designed with automotive suppliers in mind. This work was done in a constructive dialogue with the auditor. In this joint effort, the assessment criteria were adapted to a company of Leinhäuser’s size and type.
First things first: taking stock
During an initial audit, we first underwent a precise review of existing security measures. The result was positive. We had already taken many of the required steps. Nonetheless, a few things had to be done before the final audit was conducted.
The company had three months following the initial assessment to implement the remaining requirements. That meant one thing: developing new processes, training employees in them and then testing their new knowledge. What would happen during a fire? What would happen during a blackout? How does email encryption work? The responsible employees had to know the answers. Our employee Nina Mölbert took on the task of overseeing the internal audit and asked some tough questions to ensure that all employees had information about the new regulations at their fingertips.
One time-consuming task involved structuring relevant information to reflect the organization of the TISAX document in order to show which steps had already been taken. The necessary documentation was compiled over a period of several months to create a foundation for process optimization. The hard work paid off: “Basically, the assessment simply confirmed what we had already been doing,” said Marc Fleischer, our Head of IT. “But we are always open to new things. For instance, our documentation is much more detailed since the TISAX audit, and required measures can be more clearly derived from it.”
You always keep learning: Leinhäuser attends ISO training at TÜV SÜD
In addition to the internal preparations, the technical service company TÜV SÜD offered a course on the subject matter and implementation of ISO/IEC 27001. “The ISO training was the hardest part for me,” Nina Mölbert said. The participating employees attended a two-day program and were tested at the end of the course. This meant that long-time Leinhäuser employees had to sit down and cram once again.
It was now time for the final part of the assessments: the audit of the company by the TISAX-accredited auditor from ENX. And Leinhäuser passed — with flying colors.
Even though data protection and information security have always been a top priority at Leinhäuser, the TISAX label has reaffirmed our efforts. “Before TISAX, information security was primarily an IT issue,” Nina Mölbert said. “It has now gone much farther and become a management issue.”
Audit passed — now what?
We are happy that TISAX has strengthened our work on data protection and information security and that we had an opportunity to further expand our information-security system. The company’s management team has benefited from the assessment as well: “Information security is not just an IT issue,” Heike Leinhäuser said. “It’s an important issue for the people who have to work with it. TISAX gave us a chance to enhance something that was already very important to us.”
The audit hardly marks the end of the road, though. Information security is a never-ending process, and TISAX expects audited companies to keep improving. Our employee Christine Hahn-Smith is currently working to establish a high security standard among all of our service partners. It is no secret: Security is an issue not only for us at Leinhäuser, but also for all service providers in the process chain.
“We are really glad that our partners place a high priority on security, too,” Christine Hahn-Smith said. “As a result, we can pass on confidential jobs to a large number of them, because they meet the required security standards so extensively.”
The journey continues — even when it comes to information security. Our next TISAX audit is just three years away.