Successful Preparation of IFA Group for the TISAX Label

The IFA Group is an automotive supplier with seven development and production sites worldwide. Like many other suppliers and service providers that handle sensitive information, IFA was asked by OEMs to demonstrate the TISAX label. TISAX is an assessment and exchange mechanism for proving compliance with information security requirements.

Client: IFA Group

With approximately 2,600 employees, the IFA Group develops and produces longitudinal shafts, side shafts, joints, and components for renowned automotive manufacturers in countries such as Germany, the USA, China, and Poland. This makes it one of the top 50 companies in the German supplier industry, counting BMW, Ferrari, Ford, GM, Mercedes-Benz, Porsche, and Volkswagen among its customers.

The company’s success factors include forward-looking research and sustainable development, which is why shafts for electric drives are currently in focus. It’s interesting to note that the longitudinal and side shafts used in hybrid and pure electric vehicles must withstand particularly high torques while producing very little noise.

Initial Situation and Challenges

Currently, many suppliers and service providers of OEMs (Original Equipment Manufacturers) are being asked to demonstrate the TISAX label by a given deadline. TISAX (Trusted Information Security Assessment Exchange) is a questionnaire developed by the VDA (German Association of the Automotive Industry) and the ENX Association, based on ISO 27001 and extended to include prototype and data protection. The focus is on information security, for which requirements have been defined that service providers and suppliers must meet for their customers.

From planning and preparation through to actual implementation, the effort involved is high and must be reconciled with the strict time limits set by the OEMs.

Solution

To gain an initial overview of the current state of information security at IFA Group, a gap analysis was conducted based on the VDA ISA catalog, for which selected key users were interviewed.

For the subsequent recording of the asset inventory and risk assessment, all company processes were documented and analyzed with regard to information security, so that appropriate measures could be defined.

A prerequisite for this process is to ensure sufficient awareness among employees by emphasizing the importance of information security. To regularly expand knowledge, training sessions are used that employees can complete independently online. This teaches employees how to integrate information security into their daily work and how to deal with threats, e.g., phishing.

To provide a uniform storage location for all TISAX-relevant information and documents, an ISMS (Information Security Management System) was also introduced. One decisive advantage is the direct linking of assets (values) with the associated risks and measures. In contrast to several endlessly long Excel lists, an ISMS provides a good overview and significantly facilitates data maintenance. The document approval process is also considerably reduced and can be managed using role assignments. Particularly important in setting up an ISMS is ensuring intuitive use so that all employees can quickly and easily access the information they need.

Finally, the risk assessment was followed by planning and implementing appropriate measures to reduce the probability of occurrence and/or the extent of damage. For this step, so-called controls were used, which are based on ISO 27002 and adapted to the IFA Group.

Once the measures have been implemented, or while some are still in the implementation phase, an internal audit is conducted by an ISO (Information Security Officer). This audit analyzes the current maturity level of the ISMS so that further measures can be initiated if necessary. It is followed by the final audit by an external auditor from an appropriate certification body, which in the case of IFA Group is TÜV Süd.

The audit by TÜV Süd has now taken place. Despite the challenge of having four locations with numerous employees TISAX certified simultaneously, IFA Group successfully acquired the TISAX label on the first attempt with a very good result.

As the maturity level of information security is tracked in a PDCA cycle (Plan-Do-Check-Act), an internal audit is scheduled annually, ensuring that the TISAX label can be confirmed without deviations every three years in the future.

Customer Benefits

As a future-oriented company, the IFA Group wants to guarantee its customers security in the exchange and processing of information. By obtaining the TISAX label, this security awareness is communicated to the OEMs, strengthening the decades-long trust and enabling collaboration on further projects.

The company’s progressiveness is further demonstrated by driving digitalization through the use of a cloud solution as an ISMS. In the near future, the IFA Group plans to implement this process-supporting system in other business areas for centralized management of documents and processes.




Christoph Pscherer

He has been working in the IT environment for almost 30 years, gaining experience in various roles and areas. Through his years of experience as a Service Manager, he knows the challenges and needs on the customer side. He has been applying this deep understanding and knowledge at digatus for more than eight years. As Head of BU IT M&A and Transformation, he and his team support all IT topics along the value chain of M&A projects. This includes due diligence, carve-out, and integration projects.

