Information Security Holds the ”Key” to the Changing Automotive Business

TISAX certification is Asahi Kasei Europe’s key to the automotive industry

Asahi Kasei Europe (AKEU), the European headquarters of the Asahi Kasei Group, obtained TISAX certification in October 2024. TISAX is an information security assessment published by the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) which sets standards for information security management systems (ISMS) required from Tier 1 and Tier 2 suppliers and service providers sharing sensitive information with vehicle manufacturers (OEMs). Meeting the stringent conditions to obtain TISAX certification is quickly becoming an essential requirement for companies looking to enter the automotive business in Europe. Increasing information security risks and changes in the structure of the automotive industry are said to be behind this move, but what kind of issues and challenges are actually involved? Fumio Fujimori of Asahi Kasei Europe’s Düsseldorf office headed the project to obtain TISAX certification. In this special interview, he tells us how the project came about, what the company implemented, and what is happening in the international automotive business.

▲Fumio Fujimori / Senior IT Manager / Asahi Kasei Europe GmbH

Protecting sensitive information throughout the supply chain to speed up vehicle development and production

Fujimori: “With recent advances in IT and digital transformation, we are seeing more frequent reports of ransomware attacks and other security incidents in every industry, and the automotive industry is no exception. Security incidents disrupt the whole supply chain in the automotive industry, so all companies involved are increasingly required to implement Business Continuity Management (BCM) and enhance information security.

▲ The automotive industry used to have a hierarchical structure (left) where only Tier 1 suppliers would talk directly to the OEM, but these days, there is a growing trend towards a more collaborative structure (right) where companies work together regardless of their position in the supplier hierarchy.

Meanwhile, the structure and business model of the automotive industry is changing. In the past, a materials manufacturer like Asahi Kasei would deal with Tier 1 or Tier 2 component suppliers, and usually only the Tier 1 suppliers would be in direct contact with the OEM. But in recent years, vehicle development lead times are getting ever shorter to gain a competitive edge in the market, so materials manufacturers need to make proposals and produce results within a shorter timeframe. This means we are increasingly involved from the early stages of the development process: speaking directly to the OEM to promote the strengths of our materials, obtaining development requirements and drawings of new vehicle models with Tier 1 and Tier 2 suppliers, and providing CAE analysis and test data if our materials are selected.”

TISAX certification is becoming crucial to expanding business opportunities

Fujimori: “TISAX stands for Trusted Information Security Assessment eXchange, an information security standard established by the German Association of the Automotive Industry which requires suppliers and service providers to ensure information security when handling sensitive information from OEMs. Under this scheme, suppliers are audited by a certifying body to check that they satisfy the requirements set out in the assessment catalog, and are granted the TISAX label if they pass the audit. Certification information can be checked on the European Network Exchange (ENX) platform.

The TISAX scheme began in 2017 and quickly became a powerful force. By 2022, major OEMs required their Tier 1 and Tier 2 suppliers to be certified. At Asahi Kasei Europe, as we became more deeply involved in business with OEMs, we found they were increasingly calling for TISAX certification for certain projects, so we came up against restrictions as we were not certified at the time. This is what made us realize the importance of obtaining TISAX certification in order to expand our business opportunities.

The head of Asahi Kasei Europe listened to those in the business division who were saying “we need to get TISAX certified” and made a top-down order to launch a certification project in February 2023, headed by the IT division. TISAX certification applies to a company location as a whole, going beyond the scope of the IT department alone. As well as technical security measures, it requires an information security management system (ISMS) covering business risk analysis, supplier management, documentation of rules, and maintaining and operating an organizational structure. The whole company had to work together to obtain this certification.”

Meticulous preparation and collaboration to pass the rigorous inspection

Fujimori: “This was the first time an overseas subsidiary of Asahi Kasei had worked on a project to obtain certification, so at first, we were groping around with no previous expertise to draw on. We focused our efforts on advance research and planning. We compared external consultants to find partner companies that could support us, and prepared carefully by planning the schedule to ensure that we could obtain certification within as short a timeframe as possible, keeping the burden on employees to a minimum.

We spent around eight months on the preparation phase before asking a consulting company to conduct a gap analysis to indicate what level we were currently at in terms of meeting the TISAX assessment criteria, and how far we were falling short of the mark. We found that the biggest gap was in documentation, such as checklists and agreements for training when employees join and leave the company. Although we had security measures in place, some of the documentation was insufficient. We spent about six months working hard on creating rules to improve the situation.

At first, some employees found it hard to understand why this was necessary. The TISAX certification project involves cross-sectional initiatives across the whole company, so every employee needs to be on board. During the audit, the auditors interview employees, who are required to explain and give evidence of how information security measures are being implemented. Even with the help of external consultants, at the end of the day it is up to employees to understand and take action themselves. We enlisted support from the business division to explain the background of the project, as well as support from the IT division, to get everyone on side.

Asahi Kasei Europe is a relatively small company consisting of business, R&D and service divisions. I believe that leveraging this compact organization and working together organically allowed us to move in a flexible and speedy way. The whole company tackled this project as one, and as a result, we had already achieved a high level in the top 5 to 10% at the first audit. We successfully passed the assessment and achieved TISAX certification in October 2024.”

* Asahi Kasei Europe (AKEU) and Asahi Kasei Microdevices Europe (AKMEU), located together at C-View Offices in Düsseldorf, obtained TISAX certification in October 2024.

What did the Asahi Kasei Group gain from the TISAX certification project?

Fujimori: “There have been several benefits to Asahi Kasei Europe obtaining TISAX certification. The first benefit is that we can now share certification information within the automotive supply chain via the ENX platform, which is increasingly being used in actual business discussions. Existing customers are also starting to require security assessments, and TISAX certification proves that we reliably meet security requirements.

The second benefit is the ripple effect on the rest of the group. Around half of the requirements of TISAX relate to IT infrastructure and security, so when obtaining TISAX certification, we improved the “One-IT Service” – the standard IT environment for Asahi Kasei Group’s subsidiaries outside Japan. If other subsidiaries want to obtain this certification in the future, they will be starting from a point where they already meet the requirements in terms of IT infrastructure and security, which should significantly reduce the time and work involved in obtaining certification. We can also share the expertise we have gained, such as the difficulties we faced, which I believe will make for a shorter preparation period and a smoother process.

Another benefit was that this project provided an opportunity for the staff division and business division to work together and achieve results. This mutual cooperation has deepened employees’ understanding, with a higher level of interaction and communication between the departments, which I feel has made subsequent work easier.”

Timely response to regulations and standards in the automotive industry

Fujimori: “TISAX is not just a matter of obtaining the certification once and that’s it. We have to conduct annual internal audits to confirm the operating status and undergo an external audit every three years. Security standards improve in response to changing market risks, so we need to respond too, by continuously upgrading our procedures. We will maintain and improve our ISMS as we prepare to renew the certification in three years’ time.

▲ Fumio Fujimori (front row, second from left) and project team members at the main entrance of Asahi Kasei Europe

Now that we have gone through the whole process of obtaining TISAX certification, I think this experience will be useful in various ways. Japanese companies on the whole tend to lag behind slightly when it comes to responding to standardization and regulations in international business. This project has given us valuable experience in complying with regulations in Europe, which might make it easier to understand where Japanese companies can improve security standards in the future and the direction we should be aiming for.

As well as TISAX, Asahi Kasei Europe is also part of Catena-X, a supply chain standardization initiative in the European automotive industry. We are taking a central role in getting to grips with regulations and standardization in Europe. With Catena-X, we hope to work out the appropriate timing to respond to regulations and standards required in the market, boost the presence of the entire Asahi Kasei Group in the European automotive industry, and expand our business.”

Please contact us using this form if you have any questions, ideas, or collaboration proposals relating to the automotive business in Europe.

Editor’s note:

Asahi Kasei operates in a wide range of business areas with our diverse portfolio of materials. In the past, different projects have been positioned as Tier 1, Tier 2 or Tier 3, but these boundaries are gradually disappearing. By bringing together knowledge and strengths from different parts of the world, we are starting to collaborate across different projects in the mobility sector, making these changes themselves more and more interesting.

This article was published on 16th May 2025.