TISAX (Trusted Information Security Assessment Exchange) is an audit and exchange mechanism for corporate information security that enables mutual recognition of audit results between participants. It is based on the VDA ISA catalogue and provides a reusable assessment result that signals the security maturity of service providers to their clients. TISAX is an assessment label, not a traditional certificate.

The organisational foundations of the assessment were laid during the kick-off meeting with the audit service provider: presentation of the audit methodology, definition of the scope and coordination of the timeline, including milestones for self-assessment, remote audit and follow-up.

A self-assessment was carried out based on the VDA ISA questionnaire. This assessment serves to identify deviations from the required controls and produces a detailed list of evidence. The audit service provider then performed a plausibility check of this self-assessment and defined the scope of the remote assessment.

The quality and auditability of the evidence are crucial for the remote assessment. The existing ISO 27001 certification of BDO Cyber Security GmbH made the preparation considerably easier: many processes, documents and responsibilities were already formalised and auditable. However, a targeted mapping between ISO 27001 controls and VDA ISA requirements is recommended in order to identify missing, TISAX-specific evidence (e.g. physical access regulations, industry-specific requirements).

The TISAX Assessment Level 2 label makes it easier for BDO Cyber Security GmbH to offer its services to customers in the automotive sector, as it is often a prerequisite for performing projects in this sector.

With our expertise, we support you in testing embedded devices and IoT ecosystems and in identifying potential attack vectors. Core test areas in the IoT penetration test include:

  • User interfaces: Auditing of touch displays, microphones, cameras, hidden configuration areas and the associated control applications.
  • Radio interfaces: Detailed analysis of Wi-Fi, Bluetooth/BLE, ZigBee, LoRaWAN, mobile communications (2G–5G) and RFID/NFC for eavesdropping, manipulation and other risks.
  • Physical interfaces: Testing of Ethernet, USB, OBD-II and similar ports to determine direct access paths to firmware and data.
  • On-board/debugging: Audit of bus systems (SPI, I²C), debug interfaces (JTAG, UART) and authentication/encryption mechanisms.
  • Memory & firmware: Firmware analysis, audit of update mechanisms (local & OTA), extraction of memory modules and identification of sensitive content.

Our state-of-the-art hardware test lab also supports our specialists in performing penetration tests.
