About the Authors and This Research
Lead author E. Ekawati works within Indonesia's occupational health and safety academic community (h-index 3, 16 cumulative citations). Those metrics are modest by international standards, but the value of this study lies in its field methodology: the team conducted in-depth interviews at both the management and the contractor operational level of the CCAI Semarang facility, and documented the gap between the institutional design of the system and its execution in the field with unusual clarity.
Co-authors B. Kurniawan and Z. A. Suery contributed expertise in industrial safety and regulatory compliance, respectively. Together they applied a descriptive qualitative design with five informants, two primary and three for triangulation, to support internal validity. For Taiwanese automotive executives the significance of this study is not its statistical power but its structural transparency: it documents precisely why the CSMS broke down at the pre-job preparation stage, and that failure mechanism maps onto the supplier capability and responsibility requirements of ISO/SAE 21434 Clause 7 (Distributed cybersecurity activities).
Four Implementation Variables and the Document Uniformity Flaw
CCAI Semarang recorded four contractor fatality incidents in 2013 and three in 2014, prompting this systematic analysis of how the CSMS pre-job phase was executed. The research found that the failure was not caused by the absence of a system but by a design deficiency within it. One caution on terminology: in this study CSMS means Contractor Safety Management System, while UN R155 uses the same acronym for Cyber Security Management System; the mapping below is between failure mechanisms, not between the two systems themselves.
Finding 1: Four Variables Shape Pre-Job Phase Quality
The study identified four variables affecting the quality of CSMS pre-job implementation: (1) Bureaucratic Structure, where the complexity of procedural hierarchies directly affects document review efficiency; (2) Communication Clarity, where cross-level information transfer worked overall but carried distortion risk in multi-tier structures; (3) Resource Adequacy, where the sufficiency of personnel and tools determines review quality; and (4) Implementor Disposition, where CCAI management was supportive of the CSMS overall, but that support never translated into execution mechanisms that distinguished between contractors. Pre-job phase implementation was assessed as "progressing well", with one critical systemic gap.
Finding 2: Uniform Document Requirements Are the Systemic Failure Point
The most operationally significant finding is that CCAI applied identical occupational health and safety document compliance requirements to all contractors, regardless of their work risk classification (low, medium, or high). The research states explicitly that contractors should be differentiated by risk level, but in practice all of them went through the same documentation process. This creates two problems at once: administrative over-burden for low-risk contractors and, more critically, insufficient scrutiny of high-risk contractors, which is a genuine risk control gap. The study recommends designing differentiated document application forms and review processes for each contractor category. That recommendation corresponds structurally to ISO/SAE 21434 Clause 7, which requires an organization to evaluate the cybersecurity capability of its suppliers (7.4.1) and to agree the division of cybersecurity responsibilities with each of them; both steps presuppose that suppliers are not all treated alike.
Implications for Taiwan's Automotive Cybersecurity (AUTO) Practice
Taiwanese automotive supply chain companies pursuing TISAX labels and ISO/SAE 21434 conformance frequently replicate the structural error documented at CCAI: they apply uniform cybersecurity requirements to external partners with fundamentally different risk profiles. This issue operates across three dimensions that Taiwanese executives should address.
First, ISO/SAE 21434 Clause 7 (Distributed cybersecurity activities) requires the customer to evaluate a supplier's cybersecurity capability and to agree with it, in a cybersecurity interface agreement, which party is responsible for which cybersecurity activities. Applying the same documentation review to a Tier-1 embedded software development partner and to a general facilities maintenance vendor does not merely create audit findings; it fails to identify the external parties that are genuine high-risk entry points into vehicle systems.
Second, UNECE WP.29 regulation UN R155 requires vehicle manufacturers seeking type approval to operate a Cyber Security Management System (CSMS) covering the development, production and post-production phases; suppliers are bound through the manufacturer's CSMS rather than directly. Paragraph 7.2.2.5 requires the manufacturer to demonstrate how its CSMS manages dependencies on contracted suppliers and service providers. It does not prescribe risk tiers, so differentiating external parties by risk is how an organization makes that demonstration credible. The December 2025 CISA ICS security advisories are a timely reminder that external access paths into OT environments, which is precisely what contractor and service-provider connections are, remain a recurring attack surface in industrial operations.
Third, the TISAX assessment criteria (the VDA ISA catalogue) expect organizations to demonstrate that information security is ensured with contractors and cooperation partners in proportion to the information risk involved, which corresponds to VDA ISA control 5.2.1. Industry data indicates that over 60% of TISAX non-conformities at Taiwanese facilities are directly linked to deficiencies in monitoring external contractors during the execution phase, the digital-domain equivalent of CCAI's document uniformity problem.
How Winners Consulting Services Helps Taiwan Build Differentiated Supply Chain Security
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) assists Taiwanese automotive supply chain companies in obtaining TISAX labels, implementing ISO/SAE 21434, and meeting UNECE WP.29 vehicle cybersecurity regulatory requirements. In direct response to the structural gap identified in the CCAI study, Winners proposes the following three-stage approach:
- Supplier Risk Classification Baseline (Weeks 1–4): Conduct a systematic risk classification of all current external suppliers and contractors using the ISO/SAE 21434 Clause 7 supplier capability evaluation as the framework, establishing three tiers (High/Medium/Low) with corresponding differentiated cybersecurity documentation requirements. This step simultaneously addresses the TISAX VDA ISA 5.2.1 control on security with contractors and partners.
- Differentiated Review Process Design (Weeks 5–12): Design enhanced pre-engagement review procedures for high-risk contractors (particularly those with OT system access), including cybersecurity capability questionnaires, on-site audit trigger conditions, and non-conformity handling mechanisms. Conduct a gap analysis against UN R155 paragraph 7.2.2.5, which requires the manufacturer's CSMS to demonstrate how dependencies on contracted suppliers and service providers are managed.
- Integrated Management System (IMS) Framework Integration (Weeks 13–24): Integrate differentiated contractor cybersecurity management mechanisms into existing ISO 45001 or ISO 27001 management systems, eliminating administrative redundancy while ensuring automotive cybersecurity (AUTO) requirements are systematically embedded in CSMS processes. Winners' 90-day rapid build program targets critical gaps for priority remediation, positioning companies for TISAX assessment readiness within 7 to 12 months.
Winners Consulting Services Co. Ltd. offers a complimentary Automotive Cybersecurity Mechanism Diagnostic, helping Taiwanese companies establish TISAX-compliant management mechanisms within 7 to 12 months.
Frequently Asked Questions
- How does the CCAI "uniform document requirements" problem manifest in actual TISAX audits?
- In TISAX assessment practice, the uniform document problem most commonly surfaces in how supplier self-assessments are designed. When a company sends the identical VDA ISA-based questionnaire to every external supplier, regardless of whether it is a Tier-1 vehicle software development partner or a general office equipment maintenance vendor, assessors will record an insufficient risk identification mechanism as a non-conformity. The TISAX assessment criteria expect external parties to be managed in proportion to information risk, which corresponds to VDA ISA control 5.2.1. The recommended approach is to first establish a three-tier classification built on the ISO/SAE 21434 Clause 7 supplier capability evaluation, then design differentiated questionnaire content and review frequencies for each tier. High-risk suppliers should undergo at least one on-site audit annually.
- What is the most common mistake Taiwanese automotive suppliers make in early-stage TISAX implementation?
- The most frequent error is transplanting the ISO 27001 risk assessment methodology directly into the ISO/SAE 21434 TARA (Threat Analysis and Risk Assessment) process. ISO 27001 centres on the Confidentiality, Integrity and Availability (CIA) of information assets, whereas a TARA under ISO/SAE 21434 rates each attack path by attack feasibility on the vehicle's attack surface (for example CAN bus message injection, OTA update channel integrity, V2X interface exposure) and by damage-scenario impact across the safety, financial, operational and privacy categories, with safety impact weighing heavily. Additionally, the communication distortion identified in the CCAI study has a direct parallel in Taiwanese companies: cross-departmental inconsistency (Engineering, Procurement, Legal) in understanding TISAX requirements leads to directional errors in supplier management process design. A company-wide gap analysis that establishes a shared understanding of TISAX before implementation begins is strongly recommended.
- What are the core TISAX requirements, and how long does implementation realistically take for Taiwanese companies?
- TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism operated by the ENX Association rather than a certification: a passed assessment produces TISAX labels that are shared with partners through the ENX portal. The assessment is based on the VDA ISA catalogue, covering Information Security, Prototype Protection and Data Protection, at assessment levels AL1 to AL3. Core expectations include an operating Information Security Management System (ISMS), supplier and partner security management (VDA ISA section 5.2), and incident management processes. TISAX does not itself require UN R155 compliance; that is a type-approval regulation addressed separately through the manufacturer's CSMS and ISO/SAE 21434. For a mid-sized Taiwanese automotive parts manufacturer (200–500 employees), the typical timeline from gap analysis to completion of an AL2 assessment is 9 to 12 months. Companies already holding ISO 27001 certification can often compress this to 6 to 9 months. Winners' 90-day rapid build program prioritizes critical gaps to reach assessment-ready status efficiently.
- What resources are required to implement differentiated supplier security management, and what ROI can Taiwanese companies expect?
- For a Taiwanese Tier-1 automotive supplier (approximately 300 employees, 50 external suppliers), direct costs for establishing a differentiated supplier security management mechanism include: system tooling (approximately NTD 300,000–800,000 annually), project personnel investment (0.5–1.0 dedicated FTE for the first 6 months), and external advisory support (scope-dependent). Expected benefits include a 40–60% reduction in TISAX audit non-conformities, and—more importantly—concentrated monitoring resources on high-risk suppliers, materially reducing OT security incident risk from external contractor sources. Indirect protection against production disruption (production line downtime typically costs hundreds of thousands of NTD per hour) provides additional financial justification.
- Why engage Winners Consulting Services Co. Ltd. for Automotive Cybersecurity (AUTO) matters?
- Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is among Taiwan's few consultancies with simultaneous expertise in TISAX assessment preparation, ISO/SAE 21434 implementation, and UNECE WP.29 regulatory interpretation. The core competitive advantage is cross-domain integration capability: our advisory team spans vehicle electronics engineering, cybersecurity, and management systems—enabling translation of research insights like the CCAI CSMS study's execution mechanism findings into actionable, Taiwan-localized compliance solutions. Winners' complimentary Automotive Cybersecurity Mechanism Diagnostic delivers a preliminary TISAX gap analysis report within 3 to 5 business days, providing the lowest-risk entry point for companies evaluating implementation cost and pathway.
Japanese Edition (translated)
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) has extracted structurally important insights for Taiwanese automotive supply chain companies from the 2016 field study of the Contractor Safety Management System (CSMS) at Coca-Cola Amatil Indonesia (CCAI). The "uniformity" flaw of applying identical document requirements to every contractor regardless of risk level corresponds directly to the root cause of the non-conformities most frequently raised in TISAX assessments and ISO/SAE 21434 automotive cybersecurity audits.
Paper source: Analisis Implementasi Contractor Safety Management System (Csms) Pada Tahap Persiapan Kerja Di Coca Cola Amatil Indonesia (Ccai) Semarang (Ekawati, E., Kurniawan, B., Suery, Z. A., 2016; available via Neliti)
Original link: https://media.neliti.com/media/publications/105176-ID-none.pdf
Source Paper
Analisis Implementasi Contractor Safety Management System (Csms) Pada Tahap Persiapan Kerja Di Coca Cola Amatil Indonesia (Ccai) Semarang (Ekawati, E., Kurniawan, B., Suery, Z. A., 2016; available via Neliti)