Information security & data protection

In the course of digitization, information security and data protection are among the most important tasks in a company, and the focus is not only on data protection. With this topic page, we would like to give you an overview of information security, data protection, the DSGVO (GDPR), ISO 27001, TISAX and related topics, and of how they relate to one another.

How can new direction GmbH help you with information security?
  • You want to check your business processes and data systems for data security, but don't know how to proceed?
  • You would like to pass the TISAX certification with your company?
  • Are you looking for an external data protection officer who masters both data protection and information security?

As a software development and consulting company, we combine business processes with Privacy By Design. We bring the technical know-how you need.

Call us directly and we will discuss in detail how we can support you. Arrange a free consultation appointment now.

Do you have questions regarding information security?
You can reach our experts at
+49 (0) 821 543 70 00

What is the difference between data protection and information security?

Let us first clarify the terms. Information security and data protection are often used as synonyms, or their fields of application are confused.

The two topics are interlinked, but information security is more comprehensive and can be described as an overarching topic that deals with some aspects of data protection.

Described in detail, the two terms mean the following:

Information security is about the integrity, confidentiality and availability of information in the enterprise. Companies can develop and implement concepts according to their own interests. In this way, the data in the system is to be protected against access by unauthorized persons and against manipulation.

In the field of data protection only personal data plays a role. The requirements here are prescribed by law, so that companies must adhere to strict guidelines. These have recently been tightened by the introduction of the DSGVO.

Since personal data is often collected and stored when dealing with customers, clients or patients, the requirements of data security and data protection apply equally.

Information security and data protection share 80% of their goals. The difference lies in data minimization (data protection) and data collection (information security).

The big challenge is weighing adherence to legal requirements against the company's own interests.

Information security for SMEs

At new direction, we primarily advise SMEs on the targeted implementation of information security.

When information security is discussed, the ISO 27001 standard always comes into play. In principle, this standard can be applied to any company, but the automotive industry has specified its application further.

TISAX stands for Trusted Information Security Assessment Exchange. It is a standard for information security in the German automotive sector, introduced by the industry association VDA in 2017.

From ISO/IEC 27001 to TISAX certification

ISO 27001 is the internationally recognized standard that stands for information security across all industries. The automotive industry has gone one step further with its own certification, because ISO 27001 did not take into account some essential points specific to the automotive industry.

The requirements for product protection in the German automotive industry are not taken into account by the ISO standard. This applies in particular to the protection of designs, prototypes and vehicle components.

These areas can also be covered with TISAX. In addition, the TISAX certification has a simpler test procedure than the ISO standard in combination with other tests.

The TISAX model is characterized by the following points:

  • Reduction of testing effort for information security for customers and suppliers
  • General testing standard VDA-ISA to ensure uniform industry requirements
  • Trust and recognition of test results throughout the industry
  • Avoidance of double and multiple tests

This is how the TISAX process works

1. Login to the TISAX platform

As a supplier, you register on the TISAX platform of the ENX Association and indicate your assessment level, i.e. with or without prototype protection, etc. You can view your results later via the platform. The platform serves as a control mechanism to ensure that the tests are carried out correctly.

2. Selection of testing service providers and testing

The inspection is carried out by an accredited inspection service provider.

new direction supports you in choosing a suitable testing service provider.

The audit then takes place in two steps. A document check (not on site) is carried out using the TISAX questionnaire. The subsequent assessment takes place on site, depending on the protection requirement category.

3. Discussion of the interim report and measures

On the basis of an interim report, possible gaps are discussed and measures to close them are agreed.

4. Implementation of the measures

If measures are necessary, a period is agreed in which the individual steps are to be implemented. Once the gaps have been closed, a new needs assessment is carried out.

5. Upload final report and results

The result and the final report will be uploaded to the TISAX platform, where you can view them as a supplier. The examination is valid for 3 years. With certification, you can position yourself on the market as a TISAX-approved provider. Your advantage: you secure a competitive edge in the awarding of contracts and enjoy advance trust in business relationships from the outset.

Questionnaire: These are the requirements of TISAX

The questionnaire "Information Security Assessment" serves to determine the state of your information security in the company. 

The implementation is evaluated by means of a maturity model. This model ranges from level 0 to level 5 and deals with the individual requirements.

Based on ISO 27001:2013 with additional controls for the verification of the Information Security Management System (ISMS), the questionnaire is continuously developed and updated. 

You can download the complete catalogue from the VDA and carry out an initial self-assessment.

TISAX Workshop - Guaranteed to pass certification

In a workshop, we jointly lay the ideal foundations so that your company is guaranteed to pass the TISAX certification.

  • The presentation of the questionnaire and what the auditors pay attention to. Here we look at the requirements and the required documents.
  • We examine the necessary processes in the company. We know from experience which processes are indispensable and how they must be optimized.
  • Establish a schedule according to individual TISAX certification requirements.
  • TISAX on trial - we clarify what this means for you and how the certification is carried out.

Our workshop provides an all-round view of the work involved in TISAX certification and the resources that need to be planned - compact and practical!

Long-term support with our TISAX consulting service

For us, TISAX consulting does not end with a successful workshop. Together we will see you through to certification. We are your competent contact for the individual steps:

  • Together we create a gap analysis to systematically identify strategic and operational gaps.
  • In a project plan, we record which tasks are required for successful TISAX certification.
  • We set a clear timetable for implementation and ensure compliance with the goals through controlling.
  • In the implementation phase we take care of the review of the individual documents.
  • We prepare your corporate audit together.
  • If desired, we can also accompany you through the audit.

For a first meeting, please arrange a non-binding consultation in which we will take the first steps towards successful certification together.


Contact us now for more information about the TISAX workshop or a free and individual assessment of your situation.

Data protection in the company

When it comes to data protection, the current topic is the DSGVO. This has created legal requirements to protect personal data.

The requirements of the DSGVO for companies

The new Europe-wide General Data Protection Regulation (GDPR, German: DSGVO) has been in force since May 2018. Compared to the previously applicable Federal Data Protection Act, it tightens up the handling of personal data.

In summary, the following points are important for companies to comply with the DSGVO:

  • Check the status quo: which personal data is processed in the company? Where is there a need for action?
  • Appoint a data protection officer: internal or external assignment?
  • Create process directories and document the TOMs (technical and organisational measures)
  • Define processes
  • Implement measures

When is an external data protection officer necessary and what are their tasks?

The GDPR stipulates that companies that process personal data (of employees or customers) by automated means must appoint a data protection officer. Small companies are the exception: the provision only applies if more than 9 persons in the company regularly deal with personal data.

In larger companies, either a data protection officer must be appointed internally or an external data protection officer must be appointed.

The tasks of a data protection officer shall include:

  • Establish measures for compliance with the DSGVO
  • Contact person for all questions concerning data protection
  • Monitor data processing and analyze processes
  • Check procedure directory
  • Training employees in the handling of personal data  

Advantages of an external data protection officer

If, as a company, you have to appoint a data protection officer, you have two options:

  1. You nominate an employee from your team to take over the post of data protection officer. You must then train this employee and reserve the necessary time for data protection tasks from his or her resources.
  2. You appoint an external data protection officer who already has the necessary specialist knowledge and can also contribute far more experience from various projects.

In addition to the specialist knowledge, the second possibility of an external data protection officer has further advantages for your company:

  • Certified actions can be started immediately
  • Transparent costs for the company
  • Representation is guaranteed
  • Cancellation possible according to contract
  • No conflicts of interest in the company
  • No tying up of company resources

We advise you on the subject of data protection

In addition to our knowledge of information security, we at new direction also have expertise in data protection. This gives you the opportunity to get everything you need from a single source.

Secure your non-binding initial meeting and we will advise you which requirements need to be implemented for your company.

Free consultation

Contact us now and we will arrange a non-binding consultation appointment with you.
