
Information security & data protection

In the course of digitization, information security and data protection are among the most important tasks in a company, and the focus is not on data protection alone. With this topic page we would like to give you an overview of information security, data protection, the DSGVO, TISAX and related topics, and of how they are connected.

How can new direction GmbH help you with information security?
  • Do you want to check your business processes and data systems for data security, but don't know how to proceed?
  • Would you like your company to pass the TISAX assessment?
  • Are you looking for an external data protection officer who masters both data protection and information security?

As a software development and consulting company, we combine business processes with the latest technologies. We have the technical know-how you need.

Call us directly and we will discuss in detail how we can support you. Arrange a free consultation appointment now.

Do you have questions regarding information security?
You can reach our expert Marianna on +49 (0) 821 543 70 00

What is the difference between data protection and information security?

Let us first clarify the concepts. Information security and data protection are often used as synonyms, or their fields of application are confused.

The two topics are interlinked, but information security is the more comprehensive of the two: it is an overarching discipline that also covers some aspects of data protection.

Described in detail, the two terms mean the following:

Information security is about the integrity, confidentiality and availability of information in the enterprise. Companies can develop and implement concepts according to their own interests. In this way, the data in the system is to be protected against access by unauthorized persons and against manipulation.

In the field of data protection, only personal data plays a role. The requirements here are prescribed by law, so companies must adhere to strict guidelines. These have recently been tightened by the introduction of the DSGVO.

Since personal data is often collected and stored when dealing with customers, clients or patients, the requirements of data security and data protection apply equally.

Information security and data protection share about 80% of their goals. The difference lies in data minimization (data protection) versus data collection (information security).

The big challenge is adhering to the legal requirements while still asserting the company's own interests.

Information security in the automotive industry

At new direction, we primarily advise customers from the automotive industry on the targeted implementation of information security.

Whenever information security is discussed, the ISO 27001 standard comes into play. In principle, this standard can be applied to any company, but the automotive industry has specified its application further.

TISAX stands for Trusted Information Security Assessment Exchange and has been the standard for information security in the German automotive sector since the industry association VDA introduced it in 2017.

From ISO/IEC 27001 to TISAX certification

ISO 27001 is the internationally recognized standard for information security across all industries. The automotive industry has gone one step further with its own assessment, because ISO 27001 does not take some specific and essential points into account.

In particular, the ISO standard does not cover the requirements for product protection in the German automotive industry, i.e. the protection of designs, prototypes and vehicle components.

TISAX covers these areas as well. In addition, the TISAX assessment procedure is simpler than an ISO 27001 certification combined with further audits.

The TISAX model is characterized by the following points:

  • Reduction of testing effort for information security for customers and suppliers
  • General testing standard VDA-ISA to ensure uniform industry requirements
  • Trust and recognition of test results throughout the industry
  • Avoidance of double and multiple tests

This is how the TISAX process works

1. Login to the TISAX platform

As a supplier you register on the TISAX platform of the ENX Association and indicate your assessment level (e.g. with or without prototype protection). You can view your results later via the platform, which also serves as a control instance to ensure that the assessments are carried out correctly.

2. Selection of testing service providers and testing

The assessment is carried out by an accredited assessment service provider.

new direction supports you in choosing a suitable assessment service provider.

The assessment then takes place in two steps. First, a document check is carried out on the basis of the TISAX questionnaire (not on site). The subsequent assessment takes place on site, depending on the protection requirement category.

3. Discussion of the interim report and measures

On the basis of an interim report, possible gaps are discussed and measures to close them are agreed.

4. Implementation of the measures

If measures are necessary, a period is agreed in which the individual steps are to be implemented. Once the gaps have been closed, a re-assessment is carried out.

5. Upload final report and results

The result and the final report are uploaded to the TISAX platform, where you can view them as a supplier. The assessment is valid for 3 years. With the result you can appear on the market as a TISAX-assessed supplier using the seal or test label. Your advantage: you secure a competitive edge when orders are placed and enjoy trust in the business relationship right from the start.

Questionnaire: These are the requirements of TISAX

The questionnaire "Information Security Assessment" serves to determine the state of information security in your company.

Implementation is evaluated by means of a maturity model. This model ranges from level 0 to level 5 and is applied to each individual requirement.

The questionnaire is based on ISO 27001:2013 with additional controls for verifying the Information Security Management System (ISMS), and it is continuously developed and updated.

You can download the complete catalogue from the VDA and carry out an initial self-assessment.

TISAX Workshop - Guaranteed to pass certification

In a workshop, we lay the ideal foundations together to ensure that your company passes the TISAX assessment. We come to your site and work out the most important topics together with you. These include:

  • A presentation of the questionnaire and of what the auditors pay attention to, looking at the requirements and the required documents.
  • An examination of the necessary processes in the company. We know from experience which processes are indispensable and how they must be optimized.
  • Establishing a time schedule according to the individual requirements of the TISAX assessment.
  • TISAX on trial: we clarify what this means for you and how the assessment is carried out.

Our workshop provides an all-round view of the effort your company will have to make in the context of the TISAX assessment and of the resources that need to be planned, compact and practical!
Permanent support with our TISAX consulting service

For us, TISAX consulting does not end with a successful workshop. Together we bring you to a successful assessment. We are your competent partner for the individual steps:

  • Together we create a gap analysis to systematically identify strategic and operational gaps.
  • In a project plan, we specify which tasks are required for a successful TISAX certification.
  • We define a clear timetable for implementation and ensure compliance with the objectives through controlling.
  • In the implementation phase, we take care of the verification of the individual documents.
  • Together we prepare your company audit.
  • If required, we can also accompany you through the audit.

Arrange a non-binding consultation for an initial meeting in which we take the first steps towards a successful assessment together.

TISAX consultation

Contact us now for more information about the TISAX workshop or a free and individual assessment of your situation.

Data protection in the company

When it comes to data protection, the current topic is the DSGVO, which has created legal requirements for protecting personal data.

The requirements of the DSGVO for companies

Since May 2018, the new Europe-wide General Data Protection Regulation (DSGVO) has been in force. Compared to the previously applicable Federal Data Protection Act, it tightens the rules for handling personal data.

In summary, the following points are important for companies to comply with the DSGVO:

  • Check the status quo: which personal data is processed in the company? Where is there a need for action?
  • Appoint a data protection officer: internal or external?
  • Create the register of processing activities and document the TOMs (technical and organisational measures)
  • Define processes
  • Implement measures

When is an external data protection officer necessary and what are his tasks?

The DSGVO stipulates that companies that process personal data (of employees or customers) by automated means must appoint a data protection officer. Small companies are exempt: the obligation only applies if more than 9 persons in the company regularly deal with personal data.

In larger companies, either a data protection officer must be appointed internally or an external data protection officer must be appointed.

The tasks of a data protection officer include:

  • Establish measures for compliance with the DSGVO
  • Act as the contact person for all questions concerning data protection
  • Monitor data processing and analyze processes
  • Check the register of processing activities
  • Train employees in the handling of personal data

Advantages of an external data protection officer

If, as a company, you have to appoint a data protection officer, you have two options:

  1. You nominate an employee from your team to take over the post of data protection officer. You must then train this employee and reserve the necessary time for data protection tasks from his or her resources.
  2. You appoint an external data protection officer who already has the necessary specialist knowledge and can also contribute far more experience from various projects.

In addition to the specialist knowledge, the second option, an external data protection officer, has further advantages for your company:

  • Certified actions can be started immediately
  • Transparent costs for the company
  • Representation is guaranteed
  • Cancellation possible according to contract
  • No conflicts of interest in the company
  • No tying up of company resources

We advise you on the subject of data protection

In addition to information security, new direction also offers expertise in the field of data protection. This gives you the opportunity to get everything from a single source.

Secure your non-binding initial meeting and we will advise you which requirements need to be implemented for your company.

Free consultation

Contact us now and we will arrange a non-binding consultation appointment with you.