GKN Automotive: TISAX drives automotive
A local security officer in a global organization

Even the best team involved in information security can face quite a problem if obliged to participate in a certification audit. If, in addition, they have little time to prepare, the best solution is to seek the assistance of an experienced consultant in the role of Information Security Officer. Such an option was used by GKN Automotive in preparing for the audit and obtaining the TISAX® label. The partner in this project was All for One Poland.

GKN Automotive is one of the world’s largest suppliers of driveline systems for the automotive industry, employing 25,000 people across 46 facilities in 21 countries. In Poland, it operates two manufacturing plants located in Oleśnica, near Wrocław. A company of this size faces countless challenges and threats to information security every day, which is why it places great emphasis on integrated management in this area.

In 2023, GKN Automotive carried out a project to implement an Information Security Management System (ISMS) compliant with VDA ISA TISAX®. This project included a zero audit for compliance with the standard, organizational and process adjustments, the launch of the ISMS, and a successful certification audit. All for One Poland was a partner in this project.

Managing information security at the enterprise level offers numerous advantages, allowing for the standardization of processes and proper scaling. GKN has a global security office. With such a process organization, a centrally implemented function can support multiple facilities across several countries.

However, it is still essential to involve a local team that can properly identify specific threats on-site and implement global processes. For standards like VDA ISA TISAX®, it is also necessary to ensure the physical security of facilities (such as access control systems, securing delivery areas, and employee training), which is practically impossible without the involvement of staff from the specific location.

In GKN Automotive Poland, such a corporate team has been established at the facility in Oleśnica. The team consists of key employees from the local IT and maintenance team, who, thanks to their knowledge and experience, were able to efficiently implement the specific requirements outlined in the global documentation. The challenge, however, was the proper interpretation of these requirements and their implementation in practical applications.

The solution that GKN Automotive opted for is the engagement of a Local Information Security Officer. This position is held by a consultant from All for One Poland, the company that partnered in the implementation of TISAX® requirements within the organization. As a member of the local team, they bring experience related to TISAX® requirements as well as systemic information security management and certification audit preparation.

Systemic information security management requires specific competencies. Even people who perform tasks in such areas on a daily basis, and who have knowledge and experience, may have problems interpreting requirements or applying procedures. In the case of TISAX®, this is particularly problematic because the standard provides examples of specific security measures, such as the installation of doors that meet the RC2 standard. Not all areas require doors of this standard, however: installing them plant-wide would cost an enormous amount while having a negligible impact on security.

The involvement of an experienced consultant enabled GKN to cut unnecessary costs and concentrate on the most essential activities, leading to a successful certification audit by an external body and obtaining TISAX® certification.

The All for One consultant has become a permanent member of GKN Automotive Poland’s local information security team. In 2024, efforts will continue toward obtaining certification at the second location in Poland.

From zero audit to certification

The cooperation with All for One Poland began in mid-2023 with a zero audit, during which the company’s consultant had the opportunity to learn about and assess our processes locally and globally. Based on the results, we began the process of further implementation of the Information Security Management System in accordance with VDA ISA requirements. The implementation included establishing a local Information Security Management Team, collaborating with the global team, exchanging experiences with other GKN Automotive plants around the world, and adjusting the system requirements within our organization to align with naturally existing corporate standards. The ISMS launched as a result received a fully positive evaluation during the audit conducted in February of this year. The success was achieved primarily due to our collaboration with the All for One consultant, whose commitment, expertise, and guidance across all areas were instrumental in obtaining the TISAX® label.

We are currently continuing to work with the lead consultant to prepare for the certification of another GKN Automotive Poland facility.

Katarzyna Turska, Technical Leader, GKN Driveline Polska

More and more companies are required to implement ISMS by legal requirements – including NIS2.

Rafał Grześkowiak, IT Project Manager, All for One Poland

ISMS – a business decision and legal requirements

The implementation and subsequent improvement of the Information Security Management System (ISMS) in international organizations currently constitute a significant portion of our projects. Centralizing and standardizing aspects related to security regulations (policies, procedures), as well as technical solutions in the field of cybersecurity, facilitate monitoring and management across the entire corporate group. Differences among the individual companies within the group are often minimal and largely limited to local premises (physical security) and legal considerations (specific national legislation). When supporting clients in implementations, we need to advise on both the proper implementation of the “framework” regulations imposed within the corporate group and the development of company-specific regulations, while maintaining compliance with the requirements of a given standard.

IT work is also an important part of system implementation. Starting from diagnostics (auditing, vulnerability scanning, penetration testing), through the implementation of solutions for analytics and visualization of events in the IT environment, to the construction of large-scale security support solutions – network protection, high availability solutions, backup data centers.

The culmination of a multi-month project is the Information Security Management System (ISMS), which is custom-built to meet the specific needs of the organization. After operating within the ISMS environment for some time, many companies often decide to have it certified by an accredited body.

The implementation of an ISMS does not always stem from a purely business decision. A growing number of companies are also implementing similar systems, expanded to include aspects related to business continuity, due to mandated legal requirements – such as NIS/KSC several years ago, and currently, in an expanded scope, NIS2. Obligated entities include selected companies operating in sectors such as energy, transportation, finance, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, space, as well as public administration entities.

Rafał Grześkowiak, IT Project Manager, All for One Poland

GKN Automotive Poland

GKN Automotive Poland is part of a multinational corporation, a leader in drive systems. It is a supplier to most of the world’s automotive companies. Globally, it employs more than 25,000 people at 46 facilities located in 21 countries. In Poland, the company has been present since 1996, employing 1,600 people and managing more than 90 production lines at its two plants in Oleśnica.

 
