What are the Compliance Challenges Facing the Automotive Sector?

There’s no denying that when the government uses phrases like “levelling up”, “Global Britain” and “net zero”, it has the automotive sector in mind as a crucial element.

A key component of the nation’s economy and a focal point for growth initiatives, the sector is estimated to add billions of pounds to the UK economy every single year. Remarkably, almost 800,000 people are directly employed in or connected to this sector and it accounts for 10% of total UK exports.

Key to its continued relevance is a keen eye for innovation. However, those innovations bring a new set of compliance challenges that every automotive sector company must understand and act upon to remain within the law.

In this blog, we’ll take a holistic look at the compliance challenges in the automotive sector and share how to achieve TISAX and ISO21434 certifications.


The Rise of Connected and Autonomous Vehicles

Read any recent news website and you are likely to stumble across Connected and Autonomous Vehicles (CAVs), more commonly referred to as ‘self-driving cars’.

These are projected to be the future of the industry providing additional environmental, social and economic benefits. Whilst there is some way to go to realise the potential of CAVs fully, the foundations are in place and building has started! You can see this on the Department for Transport’s Centre for Connected and Autonomous Vehicles (CCAV) website.

Cars are just not simply “cars” anymore. They are also sophisticated computers, entertainment modules and even artificial intelligence prototypes. To quote an article by McKinsey & Company:

Today’s cars have up to 150 electronic control units; by 2030, many observers expect them to have roughly 300 million lines of software code. By way of comparison, today’s cars have about 100 million lines of code. To put that into perspective, a passenger aircraft has an estimated 15 million lines of code, a modern fighter jet about 25 million, and a mass-market PC operating system close to 40 million.

The development of these vehicles by manufacturers has become a complex interweaving of hardware and software, with both elements an integral part of how vehicles operate and affect the safety of the vehicle.

Consequently, it is vital that code is protected as compromised code could pose a serious risk to both life and business operations.

What is the Compliance Picture in the Automotive Industry?

Relative to other sectors, organisations operating in the automotive sector report an increased requirement to demonstrate good information governance practices and prototype safeguarding.

Standards such as ISO27001 (Information Security) and ISO27701 (the privacy extension to ISO27001) are vital in helping these organisations understand their risk framework and address risks to information security and data privacy respectively. 

From the foundation of a functioning Information Security Management System (ISMS), with a Privacy Information Management System (PIMS) as an optional extension, compliance with the automotive sector schemes described below can be achieved:

What is ISO21434?

ISO21434 focuses on cybersecurity risk in road vehicle electronic systems, addressing the risks associated with the increased connectivity of modern CAVs. Although ISO21434 does not specify a requirement for a functional ISMS, having one is considered best practice.

Current safety-driven measures are not enough to cover cyber risk, hence the creation of this sought-after standard.

What is VDA ISA?

The VDA ISA, meanwhile, is a self-assessment questionnaire covering the automotive sector’s generally accepted security requirements. An existing ISMS will largely cover these requirements, with the extra considerations easily incorporated within your system. On completing the VDA ISA, an organisation can then apply for TISAX certification.

What is TISAX?

TISAX is a security standard devised by the German Association of the Automotive Industry (VDA) in 2017 to ensure a base level of information and cyber security in the European auto industry. It is administered by the ENX Association and requires a third-party auditor assessment to achieve certification.

How do you Achieve TISAX Certification?


TISAX was originally based on ISO27001, and the requirement for a framework for the protection of information using an ISMS is extant. However, TISAX builds on the foundation provided by an ISMS by adding guidance for data and prototype protection. The scope, assessment measures and recommended measures also differ if you have ISO27001 certification.

TISAX starts with the VDA ISA self-assessment, as mentioned above, which is usually followed up by third-party assessment.

To achieve TISAX certification, an organisation must show a degree of information security maturity across a spectrum of factors relating to the organisation and the data it handles. A common question is:

“Can we concurrently implement TISAX without an existing ISMS?”

The requirement for demonstrating maturity in information security prevents this approach.

Simply: get your information security framework right then implement TISAX. Or if you like an analogy, build the walls before putting the roof on.

If you have experience with ISO certification schemes you will understand the consistency in approach the certification bodies take in completing the required assessments.

TISAX differs in that registration depends on which assessment objectives are chosen; these are usually the ones most relevant to the organisation’s business and to the data-handling requirements agreed with the auto company. Your assessment will therefore be tailored to the objectives selected, a process detailed in the TISAX handbook.

Having determined the objectives, an organisation then selects the assessment level (1 to 3, or Low, High or Very High). The selected level determines how an auditor will check the evidence needed to make the certification decision.

Costs will vary depending on the scope and objectives. Timescales are not defined, beyond the requirement that no more than nine months elapse between the initial audit and the approved optimisation phase.

How do you Achieve ISO21434 Certification?

ISO21434 assists automotive product developers, manufacturers, and associated supply chains in ensuring vehicle security. It’s the first dedicated standard to consider cyber security in the engineering process for road vehicles.

With CAVs the likely direction of travel for this industry, standards like ISO21434 are increasingly essential for manufacturers.

Having ISO27001 already implemented provides the stable foundations that help you achieve ISO21434.

Once these foundations are in place, you should confirm their effectiveness through a process of self-audit before seeking certification through third-party assessment.

How can Risk Evolves help overcome your compliance challenges in the automotive sector?

Risk Evolves can support you on your journey, whether that is meeting ISO27001 requirements or advancing your ISO21434 or TISAX goals.

We’ll take your unique requirements and provide you with straightforward and concise solutions, outlining exactly what is needed. Elevate your organisation by obtaining ISO certification. Let us be your trusted partner, accompanying you every step of the way.

Want a no-obligation chat to discover how we can help you?

MD for Risk Evolves, Helen has worked in the IT industry since 1986. Helen is a leader in the areas of risk management and operational improvement, and works with companies in senior governance, risk and compliance roles. She is a member of the British Standards Institute and is a member of the BSI Committee creating a new guidance standard to assist organisations on how to become cyber resilient. Helen and the team at Risk Evolves work with organisations to improve their resilience through stronger process implementation and better communication and education of staff.
