Introduction of TISAX in the Willi Elbe Group

The Willi Elbe Group currently consists of the headquarters in Tamm, Germany, as well as six other locations in Germany, Bulgaria, Norway, Mexico, and China. Information security is a topic of rapidly growing importance, which is why the TISAX label was created in the automotive industry. OEMs are currently requiring their suppliers to demonstrate this label as a prerequisite for further cooperation. Consequently, the Willi Elbe Group also faces the task of meeting the requirements for information security.

Client: Willi Elbe Group

Building on 70 years of experience, the Willi Elbe Group currently develops and produces steering and powertrain applications for the automotive industry at seven locations worldwide.

Particularly noteworthy is the company’s specialized knowledge of aluminum, which is used in the manufacture of steering shafts. The lightweight products lead to lower CO2 emissions as well as longer battery ranges while still guaranteeing the highest safety, making the Willi Elbe Group a market leader in this technology.

Among the company’s success factors is the product portfolio tailored to customer needs, which includes not only customized aluminum steering shafts but also highly resilient steel applications for commercial vehicle steering technology. The Willi Elbe Group’s technological expertise ranges from drive shafts for all-wheel drive passenger cars to cardan shafts for motorcycles.

Initial Situation and Challenges

Like many other suppliers and service providers, the Willi Elbe Group was requested by OEMs (Original Equipment Manufacturers) to present the TISAX label by a given deadline.

Behind the acronym TISAX, which stands for Trusted Information Security Assessment Exchange, are requirements defined jointly by the VDA (German Association of the Automotive Industry) and the ENX Association, published in the form of a questionnaire. The basis is ISO 27001, with a clear focus on information security. Additionally, the requirements have been expanded to include data protection and prototype protection components. Depending on the required assessment level, service providers and suppliers must provide evidence of compliance with these specifications. An audit is conducted as a form of verification.

The path to this requires forward-looking planning and good preparation, as implementing the requirements simultaneously at all seven locations worldwide presents a challenge.

Solution

At the beginning of the project, all processes and the information security assets used in them were recorded for the asset inventory together with the department heads, and a risk assessment was carried out. At the same time, key users were defined who will be responsible for the TISAX requirements in their respective departments in the future. To get an idea of the current state of information security in the Willi Elbe Group, these key users were interviewed, followed by a gap analysis based on the VDA ISA catalog. Based on the analyses conducted up to this point, initial measures were defined, from which the tasks of the key users and departments were derived.

During this time, it is important to familiarize employees with the topic of information security and its significance for the company. However, to sharpen not only the awareness of key users but that of the entire workforce, mandatory online training sessions were introduced via the SoSafe platform for all employees. These explain how information security is ensured in daily work and how to deal with threats such as phishing.

A particular challenge was the coordination of the seven locations. With an Information Security Management System (ISMS) based on the Q.wiki software from Modell Aachen GmbH, we ensured that all guidelines and documents regarding TISAX are centrally accessible to all employees. Information security assets, risks, and measures were also incorporated into this system and linked to each other. This clear management significantly facilitates maintenance in the future compared to extensive Excel lists. Even the approval process for all documents is stored in the ISMS, so that with the help of role assignment, the page administrators, the ISO, and finally the management can review the content and publish it company-wide. To implement the guidelines at each location, the ISMS was built in English. For employees who do not speak English, selected documents were translated into the respective national language, which in the case of the Willi Elbe Group means five additional languages. It quickly became clear that in addition to the centrally acting Information Security Officer (ISO), a Local Information Security Officer (LISO) is needed for each location, who is responsible for knowledge exchange and implementation of necessary measures, and is accountable for compliance with information security in the individual plants. Suitable employees were selected from the management level for this purpose, for whom a special training concept was developed.

To prepare the Willi Elbe Group for the TISAX audit, the ISO and LISOs first conducted internal audits to check the status of the information security measures implemented so far and, where necessary, to define further measures to ensure that the requirements are met.

Finally, at the beginning of the year, the audit by TÜV Süd took place, which, thanks to the good cooperation of all employees and despite the challenges, led to an excellent result with a full score in maturity level and without deviations. Looking to the future, it is important that despite successfully acquired TISAX labels, information security is continuously reviewed and improved in an iterative PDCA cycle. This is ensured in an annual internal audit, so that in three years’ time, the TISAX labels can be confirmed to the Willi Elbe Group without deviations.

Passing an initial TISAX audit with the highest possible maturity level is an outstanding result, attributable to the good cooperation of the teams under the management of Ida Mußack from digatus.

Lukas Krahé
CRO
Willi Elbe Gelenkwellen GmbH & Co. KG

Customer Benefits

Whether as a legal requirement or as a demand from OEMs, information security is growing enormously in importance and is coming under increasing scrutiny. However, the requirements also offer a great advantage to the company itself, as processes are improved and the IT infrastructure is modernized. The company’s progressiveness is also demonstrated by the use of a cloud solution as an ISMS, allowing guidelines and documents from seven locations worldwide to be centrally managed and viewed.

As a future-oriented company, the Willi Elbe Group can guarantee its customers the necessary security in the exchange and handling of information. This not only strengthens trust but also lays the foundation for good and secure cooperation in the future.

Christoph Pscherer

He has been working in the IT environment for almost 30 years, gaining experience in various roles and areas. Through his years of experience as a Service Manager, he knows the challenges and needs on the customer side. He has been applying this deep understanding and knowledge at digatus for more than eight years. As Head of BU IT M&A and Transformation, he and his team support all IT topics along the value chain of M&A projects. This includes due diligence, carve-out, and integration projects.
