
What is TISAX?

TISAX is a programme for assessing the information security systems of companies in the automotive sector. It targets data protection, integrity and availability both in the automotive manufacturing process and during vehicle operation. Behind TISAX stands an Information Security Management System (ISMS) similar to that defined by the international standard ISO 27001. Based on this standard, the German Association of the Automotive Industry (VDA) developed a set of requirement catalogues (ISA) for the specific needs of the automotive industry.

The effectiveness of an ISMS can be demonstrated by successfully passing an independent assessment performed by an authorised audit partner, for example TÜV NORD. If so, ENX*, the organisation which administers and manages the TISAX programme, issues a TISAX label on its online platform.

This label is recognised by all VDA members and by vehicle manufacturers such as Audi, BMW, Mercedes Benz and Volkswagen, thus making it easier to participate in future tenders. Participants in the TISAX programme, who may be active or passive, exchange information on the status of their information security via the online portal. Alongside enabling participants to contact each other, the exchange of assessment data via the portal generates confidence and trust within the entire supply chain. Registration on the TISAX portal is essential for those wishing to participate.

Passive participants

Passive participants are, for example, vehicle manufacturers. They request another company (e.g. a supplier) to demonstrate that it holds certain TISAX labels and to undertake a corresponding assessment. They also request access to the assessment results.

Active participants

Active participants, or auditees, may be suppliers. A company is either required by another company (e.g. an OEM or vehicle manufacturer) to undertake an assessment based on the criteria catalogue, or it undertakes the assessment on its own initiative. Following the assessment, the active participant decides who within the TISAX network may have access to its assessment results.

Benefits of TISAX

  • The assessment criteria are particularly relevant for the automotive sector
  • The assessment and assessment results are consistent and of high quality
  • The assessment and assessment report procedures are standardised
  • The results are highly comparable and meaningful
  • Double and multiple assessments are avoided
  • A risk management system is established and risks are reduced
  • The scheme enjoys broad acceptance in the automotive sector
  • There is consistent focus on the requirements of the customer

Four steps to TISAX

What happens in a TISAX Assessment?

The ENX Association, as operator of the TISAX programme, has clearly defined the levels and scopes of the assessment. TISAX differentiates between three different data protection classes and assessment levels. These depend on the level of protection required for the data in question.

Assessment Level 1

This is intended for normal security requirements. The Auditee can achieve Level 1 by means of self-assessment.

Assessment Level 2

Assessment Level 2 is intended for suppliers and service providers with high data protection needs. The prerequisite is that a complete self-assessment has already been carried out. The Level 2 assessment has to be performed by an assessment organisation (XAP), and the steps are as follows:

  • Kick-off meeting
  • Completeness and plausibility check of the self-assessment and of suitable evidence
  • Telephone interview of the employees responsible for the Information Security Management System (ISMS), based on the plausibility check, or an on-site inspection if third parties and/or prototype protection are involved.

Assessment Level 3

Assessment to Level 3 sets very strict requirements as regards data protection. Here too, an audit provider (XAP) has to be involved and a complete self-assessment must be available. The assessment steps are similar to those in Level 2, with the addition that significant aspects of the management system are considered in an on-site audit.

  • Kick-off meeting
  • Completeness and plausibility check of the self-assessment and of suitable evidence
  • Assessment of the effectiveness and maturity level of the ISMS by means of an on-site audit with those involved (expert interviews on site, inspection of the relevant areas of the organisation)

Following the assessment, the results and any necessary corrective actions are summarised in a preliminary report. Two further steps must then be completed in order to achieve the TISAX label:

  • Development of a corrective action plan by the auditee and assessment by the accredited assessment organisation (XAP).
  • Implementation of the corrective actions by the Auditee and evaluation of their effectiveness by the XAP.

Frequently asked questions

What does TISAX stand for?

TISAX stands for Trusted Information Security Assessment Exchange and describes an assessment and exchange procedure for information security in the automotive sector.

Who is behind TISAX?

TISAX was developed by the German Association of the Automotive Industry (Verband der Automobilindustrie e.V. (VDA)) and is managed by the ENX Association, which monitors the quality and results of the assessments.

Why should my company participate in the TISAX scheme?

All suppliers and service providers who work with sensitive information from vehicle manufacturers should be interested in participating in TISAX. On the one hand, the scheme enables them to fulfil the requirements of their customers; on the other, it saves them repeat assessments of identical information security content by a variety of customers.

What must I do in order to participate in TISAX?

Companies gain access to the TISAX assessment exchange portal by registering as participants in the scheme. This is essential in order to commission an assessment from an accredited assessment organisation (XAP) such as TÜV NORD.

Who is allowed to perform TISAX assessments?

Only assessment providers (XAP) approved by ENX are permitted to perform TISAX assessments. TÜV NORD CERT is an approved contractual partner of ENX.

How long does it take?

The scope and duration of the TISAX assessment are mainly dependent on the agreed objectives, the maturity and complexity of the ISMS and the number of sites to be assessed.

A period of nine months is allowed from the Closing Meeting (i.e. the final meeting of the Initial Assessment) to completion of the entire assessment procedure (including review of the successful implementation of any necessary corrective actions). If the deadline cannot be kept, the process has to start again from the beginning. The TISAX label is valid for three years, after which re-assessment is required.

I would like to receive an offer. What should I do?

In order to receive an offer for a TISAX assessment, the first step is to register on the ENX portal and enter the required information. We have put together detailed information regarding the inquiry process here.

Where can I find further information on TISAX?

The ENX Association has put together detailed information in a manual for participants on the website.

TISAX Assessments with TÜV NORD

TÜV NORD is your preferred partner when it comes to demonstrating the quality of your Information Security Management System (ISMS), and we have been accredited for ISMS auditing and certification with the official German accreditation body (DAkkS) for many years. Specifically for the automotive sector, TÜV NORD is approved as a TISAX Accredited Audit Provider (XAP) by the ENX Association, with authority to perform assessments throughout the world.


*Notice: TÜV NORD CERT GmbH is authorised by ENX to offer TISAX assessment services. The intellectual property associated with the TISAX programme and the related trademarks are held by ENX.

We look forward to hearing from you