What is TISAX®?
TISAX® is a programme for assessing the information security systems of companies in the automotive sector. It is targeting data protection and integrity as well as availability in both in the automotive manufacturing process and during vehicle operation. Behind TISAX® stands an Information Security Management System (ISMS) similar to that defined by the International Standard ISO 27001. Based on this standard, the German Association of the Automotive Industry (VDA) developed a set of catalogues of requirement (ISA) for the specific needs of the automotive industry.
The effectiveness of an ISMS can be demonstrated by successfully passing an independent assessment, by an authorized partner, for example TÜV NORD. If so, ENX*, the organisation which administers and manages the TISAX® programme, issues a TISAX® label on its online platform.
This label is recognised by all VDA members and vehicle manufacturers such as Audi, BMW, Mercedes Benz and Volkswagen, thus making it easier to participate in future tenders. Participants – there are active and passive ones – in the TISAX® programme exchange information on the status of information security by applying the online-portal. Alongside contacting each other the exchange of assessment data via the portal generates confidence and trust within the entire supply chain. Registration on the TISAX® portal is essential for those wishing to participate.
Passive participants are vehicle manufacturers, for example. These request another company (e.g. a supplier), to demonstrate that they hold certain TISAX® labels and to undertake a corresponding assessment. They also request access to the assessment results.
Active participants or auditees may be suppliers. A company is either required by another company (e.g. OEM or vehicle manufacturer) to undertake assessment based on the criteria catalogue, or it undertakes the assessment on its own initiative. Following the assessment, the active participant decides who within the TISAX® network may have access to his assessment results.
Benefits of TISAX®
- The assessment criteria are particularly relevant for the automotive sector
- The assessment and assessment results are consistent and of high quality
- The assessment and assessment report procedures are standardised
- The results are highly comparable and meaningful
- Double and multiple assessments are avoided
- A risk management system is established and risks are reduced
- The scheme enjoys broad acceptance in the automotive sector
- There is consistent focus on the requirements of the customer
Four steps to TISAX®
What happens in a TISAX® Assessment?
The ENX Association, as operator of the TISAX® programme, has clearly defined the levels and scopes of the assessment. TISAX® differentiates between three different data protection classes and assessment levels. These depend on the level of protection required for the data in question.
This is intended for normal security requirements. The Auditee can achieve Level 1 by means of self-assessment.
Assessment Level 2 is intended for suppliers and service providers with high data protection needs. The prerequisite is that a complete self-assessment has already been carried out. The Level 2 assessment has to be performed by an assessment organisation (TISAX® AP), and the steps are then as follows:
- Kick-off meeting
- Completeness and plausibility check of the self-assessment and of suitable evidences
- Telephone interview of the employees responsible for Information Security Management System (ISMS) based on the plausibility check, or an on-site inspection if there is involvement of third parties and/or prototype protection.
Assessment to Level 3 sets very strict requirements as regards data protection. Here also, an assessment provider (TISAX® AP) has to be involved and a complete self-assessment has to be present. The assessment steps are similar to those in Level 2, but with the addition that significant aspects of the management system are considered in an on-site audit.
- Kick-off meeting
- Completeness and plausibility check of the self-assessment and of suitable evidences
- Assessment of the effectiveness and maturity level of the ISMS by means of an on-site audit with those involved (expert interviews on site, inspection of relevant areas of the organization)
Following the assessment, the results and any necessary corrective actions are summarised in a preliminary report. Two further steps must then be completed in order to achieve the TISAX®-Label:
- Development of a corrective action plan by the auditee and assessment by the accredited assessment organisation - TISAX® Assessment Provider (TISAX® AP).
- Implementation of the corrective actions by the Auditee and evaluation of their effectiveness by the TISAX® AP.
Frequently asked questions
TITISAX® stands for Trusted Information Security Assessment Exchange and describes an assessment and exchange procedure for information security in the automotive sector.
TISAX® was developed by the German Association of the Automotive Industry (Verband der Automobilindustrie e.V. (VDA)) and is managed by the ENX Association, which monitors the quality and results of the assessments.
All suppliers and service providers who work with sensitive information from the vehicle manufacturers should be interested in participating in TISAX®. On the one hand, the scheme enables them to fulfil the requirements of their customers, and on the other they are saved repeat assessments by a variety of customers regarding identical information security content.
Companies gain access to the TISAX® assessment exchange portal by registering as participants in the scheme. This is essential in order to commission an assessment from an assessment organisation (TISAX® AP) such as TÜV NORD.
Only assessment providers (TISAX® AP) approved by ENX are permitted to perform TISAX® assessments. TÜV NORD CERT is an approved contractual partner of ENX.
The scope and duration of the TISAX® assessment are mainly dependent on the agreed objectives, the maturity and complexity of the ISMS and the number of sites to be assessed.
A period of nine months is allowed from the Closing Meeting (i.e. final meeting of the Initial Assessment) to completion of the entire assessment procedure (including review of the successful implementation of any necessary corrective actions). If it is not possible to keep to the deadline, the process has to start again from the beginning. The TISAX® label is valid for three years, and then re-assessment is required.
In order to receive an offer for a TISAX® assessment, the first step is to register on the ENX portal and enter the required information. Feel free to contact us if you would like us to assist you in the process of requesting a quote.
The ENX Association has put together detailed information in a manual for participants on the website.
TISAX® Assessments with TÜV NORD
TÜV NORD is your preferred partner when it comes to demonstrating the quality of your Information Security Management System (ISMS), and we have been accredited for ISMS auditing and certification with the official German accreditation body (DAkkS) for many years. Specifically for the automotive sector, TÜV NORD is approved as a TISAX® Assessment Provider (TISAX® AP) by the ENX Association, with authority to perform assessments throughout the world.
*Notice: TÜV NORD CERT GmbH is authorized by ENX to offer TISAX® assessment services. The Intellectual Property associated with TISAX® program and the related trademarks are hold by ENX.