
TISAX®


What is TISAX®?

TISAX® is a cross-company testing and exchange procedure for information security in the automotive industry. It is concerned with the protection of data, its integrity and availability in the manufacturing process and in the operation of vehicles.

This is achieved by means of an information security management system (ISMS) analogous to the ISO 27001 standard, on the basis of which the VDA has developed the special ISA requirements and test catalogue for the automotive sector.

The effectiveness of an ISMS can be verified via assessments (audits) against the ISA catalogue. If the assessment, carried out e.g. by TÜV NORD, is successful, ENX* - the administrator of the TISAX® programme - issues a TISAX® label in its database. This is recognised and required by all VDA members and vehicle manufacturers such as Audi, Volkswagen or BMW.

How does TISAX® work?

The participants in the TISAX® process exchange information on the status of information security via a shared online portal. Registration on the portal is mandatory for participation in a TISAX® procedure. In addition to the exchange of assessment data, the portal also enables participants and assessment service providers to contact each other. Within the exchange model, there are two roles that each company can take on as required.

Passive participants are, for example, vehicle manufacturers. They ask another company (e.g. their supplier) to provide evidence of certain TISAX® labels, and thus to undergo an assessment with the appropriate assessment objectives, and they request access to the assessment results.

Active participants or auditees are, for example, suppliers: A company is either requested by another company (e.g. OEM, car manufacturer) to be audited against the catalogue of criteria or undergoes an audit on its own initiative. Once the assessment has been completed, the active participant decides who in the TISAX® network will have access to its assessment results.

Target groups for TISAX® certification

  • Vehicle manufacturers
  • Suppliers and service providers of car manufacturers and suppliers

Advantages of TISAX® certification

  • The test criteria are relevant for the automotive industry
  • The test quality and results are homogeneous and high
  • The test and reporting procedures are standardised
  • The comparability and informative value of the results are high
  • Duplicate and multiple tests are avoided
  • Risk management is established and risks are reduced
  • There is broad acceptance in the automotive sector
  • There is a consistent focus on customer needs

Audit process for TISAX® certification

  1. Online registration ENX platform
  2. Selection and commissioning of testing service providers (TÜV NORD)
  3. Arrangement of appointments with auditors & provision of documentation
  4. Audit level 1: Focus on documentation review
  5. Audit stage 2: Focus on processes & interviews with stakeholders
  6. Management of deviations
  7. Provision of the label on the ENX platform

The TISAX® procedure essentially consists of three phases: Registration, Assessment and Exchange. Would you like to know in detail how to master these three phases? Our guide "How do TISAX® assessments work?" will help you understand the entire process.

How are TISAX® assessments conducted?

As the operator of the TISAX® programme, the ENX Association has clearly defined the levels and scope of the assessments. TISAX® differentiates between three different protection classes and assessment levels according to which an organisation can be assessed. These assessment objectives depend on the protection requirements of the information.

 

Assessment Levels

Assessment level 1 is intended for normal protection requirements. The auditee can carry out the assessment in the form of a self-assessment.

Assessment level 2 is aimed at suppliers and service providers with high protection requirements. The prerequisite for this is that a complete self-assessment is available. The audit provider then carries out the following test steps:

  • Opening meeting (kick-off)
  • Completeness and plausibility check of the self-assessment and corresponding evidence
  • Telephone interview with the person responsible for the information security management system (ISMS) based on the plausibility check or an on-site audit with third parties and/or prototype protection

Assessment level 3 has very high protection requirements. An audit provider (TISAX® AP) must also be involved here and a complete self-assessment must be available. The subsequent audit steps are similar to the Level 2 assessment, except that key aspects are considered during an on-site audit.

  • Opening meeting
  • Completeness and plausibility check of the self-assessment and corresponding evidence
  • Assessment of the effectiveness and maturity of the ISMS through an on-site audit with those involved (on-site expert interviews, inspection of relevant areas and premises)

After the assessments, the results and the requirements for corrective measures are summarised in a preliminary report. In this case, two further assessment steps are required to obtain a TISAX® label:

  • Development of a corrective action plan by the auditee and assessment by the authorised audit provider - TISAX® Audit Provider (TISAX® AP).
  • Implementation of the corrective actions by the auditee and assessment of the effectiveness of the actions by the TISAX® AP.

FAQs about a TISAX® certification

FAQ on TISAX® assessments

TISAX® stands for Trusted Information Security Assessment Exchange and describes an assessment and exchange procedure for information security in the automotive industry.

Only assessment service providers authorised by ENX (TISAX® AP) are permitted to carry out TISAX® assessments. TÜV NORD CERT is a contractual partner of ENX for this purpose.

Developed by the German Association of the Automotive Industry (VDA), TISAX® is managed by the ENX Association, which monitors the quality of the implementation and results of the assessments.

The scope and duration of the TISAX® assessment are essentially determined by the agreed assessment objectives, the maturity and complexity of the ISMS and the number of sites to be assessed.

A limited period of nine months is available from the closing meeting (final discussion of the initial assessment) to the completion of the entire assessment process (including verification of the successful implementation of any necessary corrective measures). If the deadline cannot be met, the process must be restarted from the beginning. After three years (period of validity of the TISAX® label), the procedure must be repeated.

All suppliers and service providers of automotive manufacturers and suppliers who process sensitive information from the respective companies should be interested in participating in TISAX®. On the one hand, this enables them to meet the requirements of their customers. On the other hand, they avoid having to undergo identical audits by customers again and again. This is because clients regularly demand proof from their suppliers that they fulfil the information security requirements.

To receive a quote for a TISAX® assessment, interested parties must first register on the ENX portal and enter the relevant information. Please contact us if we can help you with the quotation request process.

Companies can access the TISAX® portal, which facilitates the exchange of assessment data, by registering as a participant. This is a prerequisite for commissioning an assessment service provider (TISAX® AP) such as TÜV NORD with an assessment.

ENX has summarised detailed information on TISAX® in a participant handbook published on its website.

TISAX® assessments with TÜV NORD

TÜV NORD is the partner at your side when it comes to the quality of your information security management system (ISMS). We have been accredited by the German Accreditation Body (DAkkS) for the auditing and certification of ISMS for many years. Specifically for the automotive sector, TÜV NORD is authorised by the ENX Association as a TISAX® Audit Provider (TISAX® AP) and can carry out assessments worldwide.

*Note: TÜV NORD CERT GmbH is authorised by ENX to offer TISAX® assessment services. The brands and trademarks associated with the TISAX® programme and the related intellectual property belong to ENX.

Would you like to learn more about TISAX® certification? Please feel free to contact us.
