Client: Willi Elbe Group
Building on 70 years of experience, the Willi Elbe Group currently develops and produces steering and powertrain applications for the automotive industry at seven locations worldwide.
Particularly noteworthy is the company’s special knowledge of aluminum, which is used in the manufacture of steering shafts. The lightweight products lead to lower CO2 emissions as well as longer battery ranges while still guaranteeing the highest safety, making the Willi Elbe Group a market leader in this technology.
The company’s success factors include a product portfolio tailored to customer needs, which includes not only customized aluminum steering shafts but also high-load steel applications for commercial vehicle steering technology. The Willi Elbe Group’s technological expertise ranges from propeller shafts for all-wheel-drive passenger cars to cardan shafts for motorcycles.
Initial Situation and Challenges
Like many other suppliers and service providers, the Willi Elbe Group was asked by OEMs (Original Equipment Manufacturers) to present the TISAX label by a given deadline.
Behind the abbreviation TISAX, which stands for Trusted Information Security Assessment Exchange, lie requirements from the VDA (German Association of the Automotive Industry) and the ENX Association, which were jointly defined and published in the form of a questionnaire. The basis is ISO 27001, which clearly focuses on information security. Additionally, the requirements have been expanded to include data protection and prototype protection components. Depending on the required assessment level, service providers and suppliers must provide evidence of compliance with these specifications. An examination takes place in the form of an audit.
The path to this requires forward-looking planning and good preparation, as implementing the requirements simultaneously at all seven locations worldwide presents a challenge.
Solution
At the beginning of the project, all processes and the information security assets used in them were recorded for the asset inventory, and a risk assessment was conducted together with the department heads. At the same time, key users were defined who will be responsible for the TISAX requirements in their respective departments in the future. To get an idea of the current state of information security in the Willi Elbe Group, these key users were interviewed, followed by a gap analysis based on the VDA-ISA catalog. Based on the analyses carried out up to this point, initial measures were defined, from which the tasks of the key users and departments were derived.
During this time, it is important to familiarize employees with the topic of information security and its significance for the company. To sharpen the awareness not only of the key users but of the entire workforce, mandatory online training sessions were introduced for all employees via the SoSafe platform. These explain how information security is ensured in everyday work and how to deal with threats such as phishing.
Coordinating the seven locations presented a particular challenge. With an Information Security Management System (ISMS) based on the Q.wiki software from Modell Aachen GmbH, we ensured that all policies and documents regarding TISAX are centrally accessible to all employees. Information security assets, risks, and measures were also included in this system and linked to each other. This clear management significantly facilitates maintenance in the future compared to extensive Excel lists. Even the approval process for all documents is stored in the ISMS, so that with the help of role assignment, the persons responsible for each page, the ISO, and finally the management can review the content and publish it company-wide. To be able to implement the guidelines at each location, the ISMS was built in English. For employees who do not speak English, selected documents were translated into the respective national language, which in the case of the Willi Elbe Group means five additional languages.
It quickly became clear that in addition to the centrally acting Information Security Officer (ISO), a Local Information Security Officer (LISO) is needed per location, who is responsible for knowledge exchange and the implementation of necessary measures, and who is accountable for compliance with information security in the individual plants. Suitable employees were selected from the management level for this purpose, for whom a special training concept was developed.
To prepare the Willi Elbe Group for the TISAX audit, the ISO and LISOs conducted internal audits beforehand to check the status of the information security measures implemented so far and, if necessary, to define further measures to ensure that the requirements are met.
Finally, at the beginning of the year, the audit was conducted by TÜV Süd, which, thanks to the good cooperation of all employees and despite the challenges, led to an excellent result with full marks in maturity level and without any deviations. Looking to the future, it is important that despite successfully acquired TISAX labels, information security continues to be reviewed and improved in an iterative PDCA cycle. This is ensured in an annual internal audit, so that in three years’ time, the TISAX labels can be confirmed to the Willi Elbe Group without any deviations.
Passing an initial TISAX audit with the highest possible maturity level is an outstanding result, attributable to the good cooperation of the teams under the management of Ida Mußack from digatus.
Lukas Krahé
CRO
Willi Elbe Gelenkwellen GmbH & Co. KG
Customer Benefits
Whether as a legal requirement or as a demand from OEMs, the importance of information security is increasing enormously and is being increasingly scrutinized. However, the requirements also offer a great advantage to the company itself, as processes are improved and the IT infrastructure is modernized. The company’s progressiveness is also demonstrated by the use of a cloud solution as an ISMS, allowing policies and documents from seven locations worldwide to be centrally managed and viewed.
As a future-oriented company, the Willi Elbe Group can guarantee its customers the necessary security in the exchange and handling of information. This not only strengthens trust but also lays the foundation for good and secure cooperation in the future.
Robert Mair
With over 17 years of professional experience in the IT industry, Robert Mair has developed comprehensive expertise across a wide range of functions and sectors. His profound knowledge in managing international and national projects, as well as leading hybrid teams, gives him a deep understanding of steering and successfully completing challenging projects in time-critical customer situations. In his role as Principal at digatus, he primarily contributes his expertise in the areas of IT Mergers & Acquisitions and IT Transformation.