Customer: IFA Group
The IFA Group develops and produces shafts, joints and components for renowned automobile manufacturers in countries such as Germany, the USA, China and Poland with approximately 2,600 employees. As a result, it is one of the top 50 companies in the German supplier industry and can count BMW, Ferrari, Ford, GM, Mercedes-Benz, Porsche and Volkswagen among its customers.
The company’s success factors include forward-looking research and sustainable development, which is why it is currently focusing on shafts for electric drives. It is interesting to know that the longitudinal and lateral shafts used in hybrid and purely electric vehicles must be able to withstand particularly high torques while generating very little noise.
Initial situation and challenges
Currently, many suppliers and service providers of the OEMs (Original Equipment Manufacturers) are being asked to present the TISAX label by a given deadline. TISAX (Trusted Information Security Assessment Exchange) is a questionnaire developed by the VDA (German Association of the Automotive Industry) and the ENX Association, which is based on ISO 27001 and has been expanded to include prototype and data protection. The focus is on information security, for which requirements have been defined that service providers and suppliers must meet for their customers.
From planning and preparation to actual implementation, a great effort is required that must be compatible with the strict deadlines of the OEMs.
To gain an initial overview of the current status of information security at the IFA Group, a gap analysis was carried out using the VDA-ISA catalog, for which selected key users were interviewed.
For the subsequent recording of the asset inventory and the risk assessment, all processes of the company were documented and analyzed with regard to information security, so that suitable measures could be defined.
Ensuring sufficient awareness among employees by emphasizing the importance of information security is fundamental for this process.
To build knowledge on a regular basis, the company relies on training courses that employees can complete independently online. In this way, employees learn how to integrate information security into their daily work and how to deal with dangers such as phishing.
An ISMS (Information Security Management System) was also introduced to ensure a central storage location for all information and documentation relevant to TISAX. A decisive advantage is the direct linking of assets with the associated risks and measures. In contrast to several endlessly long Excel lists, an ISMS provides a good overview and makes it much easier to maintain the data. The process of releasing documents is also significantly reduced and can be managed with the help of role assignment. It is very important to ensure intuitive use when setting up an ISMS, so that all employees can access the information they need quickly and easily.
Finally, the risk assessment was followed by the planning and implementation of appropriate measures to reduce the likelihood of occurrence and/or the consequences. For this step, so-called controls were used, which are based on ISO 27002 and adapted to the IFA Group.
Once the measures have been implemented, or while they are still being implemented, an internal audit is carried out by an ISO (Information Security Officer).
In this audit, the current maturity of the ISMS is analyzed so that further measures can be initiated if necessary. This is followed by the final audit by an external auditor from an accredited certification body, which in the case of the IFA Group is TÜV Süd.
In the meantime, the audit by TÜV Süd has taken place. Despite the challenge of having four sites with a large number of employees simultaneously TISAX certified, the IFA Group successfully acquired the TISAX label at the first attempt with a very good result.
Since the maturity level of information security is tracked in a PDCA cycle (Plan-Do-Check-Act), an internal audit is scheduled every year so that the TISAX label can also be confirmed every three years in the future without non-conformities.
As a future-oriented company, the IFA Group wants to guarantee its customers security in the exchange and processing of information. By obtaining the TISAX label, this security awareness is communicated to the OEMs, so that the decades-long trust is strengthened and further orders can be worked on together. The advancement of digitization through the use of a cloud solution as the ISMS also speaks for the progressiveness of the company. In the near future, the IFA Group plans to additionally use this process-supporting system in other areas of the company for the central management of documents and processes.