April 9, 2015

Last Updated on January 19, 2024

It’s always interesting to me to see how different industries handle vendor risk management. Often when we see a wave of leads/opportunities from a particular industry, we can trace it to new vendor risk management practices (or a new RFP of note) that hit the streets referring to a particular information security framework.
The last few months we have seen a fair amount interest in information security in the automotive suppliers vertical. It looks as though the major auto suppliers’ vendor risk management practices are ratcheting up.  Not surprisingly given the growing penetration of ISO 27001 certification in Japan, it appears that the major Japanese automobile manufacturers are pushing key vendors to move towards ISO 27001. For example, we recently had the opportunity to help an automotive supplier get ISO 27001 certified to meet a contractual obligation with Toyota.
Meanwhile, today I was exposed to the “Verband der automobilindustrie” (VDA) Information Security Assessment questionnaire, which Audi had issued to a potential client of ours. The questionnaire is interesting: VDA selected 51 of the 134 controls in ISO 27002:2005, and the questionnaire requires a vendor to assess their maturity for each control on a 0-to-5 scale (Incomplete -> Optimized).
I’m a bit of a fan of Capability Maturity Modeling, so I was intrigued to see it used in conjunction with ISO 27002 in this way. However, I was disappointed that there was no indication of the rationale (vendor risk assessment?) for only assessing those 51 controls. I was also surprised that they were using a version of the standard that is outdated by almost two years.
So does this difference in approach by Audi and Toyota mean anything?
Logically, the quality of an automaker’s vendor risk management practices should correlate with the quality of their cars. Toyota is holding vendors to the current gold standard in attestation (ISO 27001), and their Lexus nameplate finished in first place in the 2015 J.D. Power Vehicle Dependability study by a wide margin. The Toyota brand finished in third place—pretty remarkable.
Audi, which is using 38% of an outdated version of ISO 27002 for its vendor risk management, finished in fifteenth place.  Just saying …