ZF (link to the full text of ZF's TISAX requirements for suppliers)
TISAX at ZF
In our connected and information-driven business environment it is critical that proper information safeguards are in place. Many of ZF's customers have included TISAX requirements in their Terms & Conditions, which require us (and our supply chain) to prove a mature Information Security Management System (ISMS). ZF Group has already worked to certify many of our locations based on customer requirements and risk analysis. In 2020 we began implementing a TISAX certification requirement for those suppliers who met the applicable criteria. For suppliers deemed TISAX relevant by ZF, maintaining a valid TISAX certification in the SupplyOn Business Directory is a condition of sourcing.
ZF Group's commitment to the TISAX standard and our intention to implement it across our supply base were communicated in a supplier letter distributed in August 2020. Click here to read the communication.
TISAX Relevance
Not all suppliers are considered "TISAX Relevant" by ZF Group. For TISAX to be required, a supplier must meet one or more of the following criteria:
Work with confidential ZF data
Have system access to ZF information
Obtain copies of sensitive ZF documentation (e.g. Drawings)
Provide parts specific to ZF requirements
If one or more of these criteria are met, ZF Group designates the supplier as "TISAX Relevant" and flags the supplier ID in our systems. Your ZF Group buyer will notify you directly if certification is a requirement, so that you can provide an existing certification or begin the assessment process.
Assessment Level
There are three Assessment Levels defined in TISAX; ZF requires Assessment Level 3 (AL3).
16. Information Security
16.1 BMW Data shall be treated as industrial and commercial secrets of BMW Group. The Contractor is obligated to ensure that BMW Data and own Data necessary for the Service Provision is protected by appropriate measures according to customary industry standards against unauthorised access, alteration, destruction and other misuse (“Information Security”). The Contractor shall in particular strictly treat and keep BMW Data separated from Data of other customers and in addition establish appropriate protective measures to prevent access of BMW Data by other customers. Insofar as the storage of BMW Data is part of the Service Provision, the Contractor takes any and all necessary precautions currently state of the art in order to be able to restore the BMW Data legally admissible and without loss at any time.
16.2 Depending on the protection requirements of the respective BMW Data or the importance of the Contractor’s service for BMW Group’s business operations, BMW may request a particular amount of protective measures as well as proof of an appropriate level of Information Security within the Contractor’s business of a kind specified by BMW, especially by submission of appropriate certificates (e.g. ISO/IEC 27001 “Information Technology – IT security procedures – Information Security Management Systems – Requirements”) or by attestation according to the VDA model “TISAX” (Trusted Information Security Assessment Exchange).
16.3 The Contractor shall ensure that no potentially harmful software (e.g. viruses, worms or Trojans) is deployed during the Service Provision, e.g. via drivers or firmware included in the delivery. The Contractor shall inspect this by appropriate means and, at BMW’s request, confirm in writing that it has found no indications of harmful software during such inspections.
16.4 The Contractor ensures that the software deployed within the scope of the Service Provision does not contain any functions that jeopardize the integrity, confidentiality or accessibility of the contractually agreed services, other hard- and/or software or Data, e.g. by way of functions
a) for unwanted extraction or removal of Data,
b) for unwanted alteration/manipulation of Data or the processing logic, or
c) for unwanted induction of Data or unwanted functional expansions.
“Unwanted” for the purpose of these GTC shall refer to any function that was neither demanded by BMW, nor offered by the Contractor with a specific description of the function and its consequences, and that was also not accepted in particular by BMW.
16.5 If the Contractor gains knowledge of an incident that involves a violation of Information Security (e.g. security gaps, Data losses, disruptive incidents, security threats, attack by harmful software, Data misuse), especially an unauthorized access to BMW Data (e.g. Data leak or cyber attack), or if there are indications for the Contractor that justify the suspicion of such an incident given a reasonable evaluation, the Contractor shall without undue delay and free of charge for BMW
a) inform BMW thereof,
b) take all necessary measures to clarify the facts of the matter and to limit damages and to support BMW therewith,
c) if the violation of Information Security causes a disruption of the Service Provision, a reduction of business efficiency, or a loss of Data, support BMW with the recovery of the Data and
d) upon BMW’s request, provide a security report for a prescribed observation period. Essential contents of such a report are especially the results of security inspections, identified Information Security risks, as well as identified Information Security incidents and their treatment.
16.6 If the Contractor is obliged to provide proof of a particular level of Information Security according to clause 16.2, the Contractor shall
a) advise BMW of a central contact person for Information Security,
b) permit BMW upon request to convince itself of the compliance with Information Security and the agreed guidelines (cf. clause 2.5) on Data protection and security (“Audits”). The Contractor shall tolerate such Audits by BMW and provide contributions such as information, as far as it is necessary for the Audit. BMW may also convince itself of the compliance with the agreed technical and organisational measures within the business premises of the Contractor including the IT systems after timely announcement during customary business hours and, as far as possible and reasonable, without disturbance of the business procedures. BMW is authorised to let an external qualified partner that is contractually bound to confidentiality towards third parties conduct such Audits. BMW’s statutory rights of control and information are neither limited nor excluded by this provision.
16.7 The Contractor shall ensure that all and any of its subcontractors are contractually bound in an appropriate manner to comply with the terms of this section 16 ("Information Security").
Volvo