Standards and certifications (data protection / IT security)
Once your company has established itself in a supply chain, you often have to meet certain standards that your client requires if you want to continue working for them.
OEMs (original equipment manufacturers) are increasingly auditing their suppliers to ensure that they too strictly adhere to the OEM's self-imposed compliance requirements and pass these requirements on to their own sub-suppliers. Before a contract is awarded, this is regularly done through tenders that filter out suppliers who do not comply with these requirements; in an existing contractual relationship, it is done through audits. Depending on the results of such audits, your company can quickly lose valuable orders if it fails to meet minimum requirements that its competitors satisfy.
In the following, we present some standards whose compliance and testing/certification can give you a competitive advantage in this respect that should not be underestimated.
Please feel free to contact us if you need support!
IDW PH 9.860.1
Little known, but of an importance that should not be underestimated, especially in the context of due diligence, is the auditing standard compiled by the Institut der Wirtschaftsprüfer in Deutschland e. V. (Institute of Public Auditors in Germany) (cf. https://www.idw.de/idw/idw-aktuell/idw-ph-9-860-1-fuer-pruefungen-nach-der-dsgvo-und-dem-bdsg/109892 ).
Here you will find specifications for the processes and controls in data protection that are required from the auditors' point of view, the implementation of which presents companies with enormous challenges. It is not enough that the processes (DSMS processes, DPO processes, DSV processes, VVT processes, etc.) are defined; these must also be matched by controls that verify compliance with these processes. The very fact that, for example, certain requirements are placed on the data protection officer (DPO) in terms of qualifications and tasks, and that compliance with these requirements must itself be subject to control, leads to organisational requirements (keyword: prohibition of self-control). The DPO continues to control the data protection measures in the company. However, an internal body, which must be located in the management, in turn controls the DPO to ensure that he or she fulfils his or her duties properly. The DPO is not subject to directives in the execution of his or her duties, but this independence does not extend to the question of whether the DPO carries out those duties at all. This needs to be organised.
But even the best description of organisation, processes and controls is of no use if compliance with the specifications cannot be proven to the IDW PH 9.860.1 auditor in an audit-proof manner. "He who writes, stays", says an old auditor's proverb. Transferred to the 21st century, this means nothing other than that audit-proof IT systems must be used for audit-proof documentation.
At THALES we have gained extensive experience over many years with audits in accordance with IDW PH 9.860.1 and would be happy to advise you in advance if you wish to undergo this audit. Please contact us in good time!
VdS 10000 / 10010
The set of rules VdS 10000 "Information Security Management System for SMEs" describes a regulated process for introducing an ISMS. The requirements of VdS 10000 are a subset of IT-Grundschutz (the BSI's baseline IT protection) and form a basis for implementing an ISMS in accordance with IT-Grundschutz or ISO 27001.
VdS 10010 supports small and medium-sized enterprises in complying with the requirements of the GDPR (DSGVO) with compact and practicable guidelines for implementing the EU regulation. With the VdS 10010 guidelines, SMEs can implement the required data protection measures effectively, in a manner that is both auditable and certifiable.
If you need advice on the VdS 10000/10010 regulations, please do not hesitate to contact us!
ISO 27001 and ISO 27701
The ISO 27001 standard on information security - which is assumed to be familiar at this point - and the more recent ISO 27701 are closely linked in terms of content.
ISO 27701 can be seen as an extension of ISO 27001 to include data protection aspects due to the new requirements of the GDPR. ISO 27701 refers exclusively to the processing of personal data. For certification according to ISO 27701, however, all requirements of ISO 27001 must also be fulfilled.
THALES can support you in the implementation of both ISO 27001 and ISO 27701, so feel free to contact us if you need us.
TISAX
Suppliers in the automotive industry must regularly implement the requirements of TISAX® (Trusted Information Security Assessment Exchange).
TISAX is a testing mechanism according to the VDA-ISA standard. The standard aims at secure processing of business partner information, prototype protection and data protection.
Should you have any corresponding needs, we at THALES will be happy to assist you.
Note: TISAX® is a registered trademark of the ENX Association. Thales Attorneys at Law have no business relationship with ENX. The mention of the trademark TISAX® does not imply any statement by the trademark owner as to the suitability of the services advertised herein.