Customer: Willi Elbe Group
Building on 70 years of experience, the Willi Elbe Group currently develops and produces steering and drivetrain applications for the automotive industry at seven locations worldwide.
The company’s specialist knowledge of aluminium, which is used in the production of steering shafts, is outstanding. The lightweight products lead to lower CO2 emissions and longer battery ranges while still guaranteeing maximum safety, making the Willi Elbe Group a market leader in this technology.
One of the company’s success factors is its product portfolio, which is tailored to the needs of its customers and includes not only customised aluminium steering shafts but also heavy-duty steel applications for the steering technology of commercial vehicles. The Willi Elbe Group’s technological expertise ranges from drive shafts for cars with four-wheel drive to cardan shafts for motorbikes.
Initial situation and challenges
Like many other suppliers and service providers, the Willi Elbe Group was requested by the OEMs (Original Equipment Manufacturers) to present the TISAX label by a specified deadline.
The abbreviation TISAX, which stands for Trusted Information Security Assessment Exchange, refers to the requirements of the VDA (German Association of the Automotive Industry) and the ENX Association, which were jointly defined and published in the form of a catalogue of questions. As it is based on the ISO 27001 standard, the focus is clearly on information security. In addition, the requirements have been expanded to include data protection and prototype protection. Depending on the required assessment level, service providers and suppliers must provide evidence for the fulfilment of these requirements. A review takes place in the form of an audit.
The process requires foresighted planning and good preparation, as implementing the requirements at all seven locations worldwide at the same time is a challenge.
Solution
At the beginning of the project, all processes and the information security assets used were recorded together with the department heads for the asset inventory, and a risk assessment was carried out. At the same time, key users were defined who would be responsible for the TISAX requirements in the respective departments in future. In order to get an idea of the current status of information security within the Willi Elbe Group, they were interviewed, which was followed by a gap analysis based on the VDA-ISA catalogue. The analyses carried out up to this point were used to define initial measures, from which the tasks of the key users and departments could be derived.
During this time, it is important to familiarise employees with the topic of information security and its importance for the company. To raise awareness not only among the key users, but also across the entire workforce, mandatory online training courses were implemented for all employees via the SoSafe platform. These courses explain how to ensure information security in everyday working life and how to deal with threats such as phishing.
The coordination of the seven locations was a particular challenge. With an Information Security Management System (ISMS) based on the Q.wiki software from Modell Aachen GmbH, we ensured that all TISAX-related policies and documents are centrally accessible to all employees. The information security assets, risks and measures are also integrated in this system and linked to one another. This clearly organized administration simplifies future maintenance compared to extensive Excel lists. Even the approval process for all documents is embedded in the ISMS, so that the document owners, the ISO and finally the management can review the content and publish it company-wide using a role assignment. To be able to implement the guidelines at each site, the ISMS was set up in English. For employees who do not speak English, selected documents were translated into their respective native languages, which, in the case of the Willi Elbe Group, meant five additional languages.
It quickly became essential to have, in addition to the central Information Security Officer (ISO), a Local Information Security Officer (LISO) at each site to ensure the exchange of knowledge and the implementation of the necessary measures. In addition, the LISO is responsible for ensuring compliance with information security at the individual plants. For this purpose, suitable employees were selected by the management level, and a special training concept was developed for them.
To prepare the Willi Elbe Group for the TISAX audit, the ISO and the LISOs carried out internal audits beforehand to assess the status of the information security measures implemented so far and, if necessary, to define further measures to meet the requirements.
Finally, the audit by TÜV Süd took place at the beginning of the year. Thanks to the good cooperation of all employees and despite the challenges, it led to an excellent result with a full score in the maturity level and no non-conformities. Looking ahead, it is important that, despite successfully acquiring the TISAX label, information security is continuously reviewed and improved in an iterative PDCA cycle. This is ensured by an annual internal audit, so that in three years the Willi Elbe Group's TISAX labels can be confirmed without any non-conformities.
Passing an initial TISAX audit with the highest possible maturity level is an excellent result that can be attributed to the good cooperation of the teams under the management of Ida Mußack from digatus.
Lukas Krahé
CRO
Willi Elbe Gelenkwellen GmbH & Co. KG
Customer benefits
Whether as a legal requirement or as a demand from OEMs, the importance of information security is increasing enormously and is being scrutinized ever more closely. However, the requirements also offer the company itself a major advantage, as processes are improved and the IT infrastructure is modernized. Furthermore, the company’s progressiveness is demonstrated by the use of a cloud solution as an ISMS, which allows policies and documents to be managed and viewed centrally from seven locations worldwide.
As a future-orientated company, the Willi Elbe Group can guarantee its customers the necessary security in the exchange and handling of information. This not only strengthens trust, but also lays the foundation for good and secure cooperation in the future.