TISAX®

What is TISAX®?

TISAX® is an assessment program for the information security systems of companies in the automotive sector. It focuses on the protection, integrity, and availability of data, both in the vehicle manufacturing process and during the use of the vehicle.

Behind TISAX® stands an Information Security Management System (ISMS) similar to the one defined by the international standard ISO 27001. Based on this standard, the German Association of the Automotive Industry (VDA) developed a set of Information Security Assessment (ISA) requirement catalogs tailored to the specific needs of the automotive industry.

The effectiveness of the ISMS can be demonstrated through the successful completion of an independent assessment by an authorized partner, such as TÜV NORD. Subsequently, ENX*, the organization that administers and manages the TISAX® program, issues a TISAX® label on its online platform.

This label is recognized by all members of the VDA and by vehicle manufacturers such as Audi, BMW, Mercedes-Benz, and Volkswagen, facilitating participation in future tenders.

Participants in the TISAX® program—both active and passive—exchange information about their level of information security through the online portal. In addition to direct contact between participants, the exchange of assessment data through the portal builds confidence and trust across the entire supply chain.

Registration in the TISAX® portal is essential for participants.

Passive participants are, for example, vehicle manufacturers. They require another organization (e.g., a supplier) to demonstrate that it holds a specific TISAX® label and to undergo the relevant assessment. They also request access to the assessment results.

Active participants, or audited participants, may include suppliers. Another company (e.g., an OEM or vehicle manufacturer) may require a company to undergo an assessment based on the criteria catalog, or the company may initiate the assessment on its own. After the assessment, the active participant decides who within the TISAX® network may have access to the assessment results.

Benefits of TISAX®

  • The assessment criteria are specifically tailored for the automotive sector
  • The assessment process and results are consistent and of high quality
  • Assessment procedures and reports are standardized
  • Results are highly comparable and meaningful
  • Duplication and multiple assessments are avoided
  • A risk management system is established, reducing risks
  • The scheme enjoys broad acceptance within the automotive sector
  • There is a continuous focus on customer requirements

4 Steps to TISAX®

What Happens During a TISAX® Assessment?

The ENX Association, as the organization responsible for the TISAX® program, has clearly defined the levels and scope of the assessment. TISAX® distinguishes between three different data protection classes and assessment levels, which depend on the level of protection required for the specific data.

Assessment Level 1 is intended for standard security requirements. The audited organization can achieve Level 1 through a self-assessment.

Assessment Level 2 is intended for suppliers and service providers with high data protection requirements. It assumes that a full self-assessment has already been completed. The Level 2 assessment must be conducted by an authorized assessment provider (TISAX® AP) and includes the following steps:

  • Kick-off meeting
  • Verification of the completeness and accuracy of the self-assessment and supporting evidence
  • Telephone interview / online meeting with the employees responsible for the Information Security Management System (ISMS), based on document review or an on-site inspection if third-party involvement and/or prototype protection is required

Assessment Level 3 sets very strict requirements regarding data protection. Like Level 2, it must involve an authorized assessment provider (TISAX® AP) following a completed full self-assessment. The assessment steps are similar to those of Level 2, with the addition that key aspects of the management system are reviewed through an on-site audit.

  • Kick-off meeting
  • Verification of the completeness and accuracy of the self-assessment and relevant supporting evidence
  • Assessment of the effectiveness and implementation level of the ISMS through an on-site audit with the involved parties (including expert interviews on-site and inspection of the relevant organizational areas)

After the assessment, the results and all necessary corrective actions are summarized in a preliminary report. Two additional steps must then be completed to obtain the TISAX® label:

  • Development of a corrective action plan by the audited organization and review by the accredited assessment provider – TISAX® Assessment Provider (TISAX® AP)
  • Implementation of the corrective actions by the audited organization and evaluation of their effectiveness by the TISAX® AP

Frequently Asked Questions

TISAX®

TISAX® was developed by the German Association of the Automotive Industry (Verband der Automobilindustrie e.V., VDA) and is managed by the ENX Association, which oversees the quality and results of the assessments.

All suppliers and service providers handling sensitive information from vehicle manufacturers should consider participating in the TISAX® scheme. On one hand, the scheme enables them to meet their clients’ requirements, and on the other, it eliminates the need for repeated assessments by different clients on the same information security content.

Companies gain access to the TISAX® assessment exchange portal by registering as participants in the scheme. This is essential to commission an assessment from an authorized assessment provider (TISAX® AP), such as TÜV NORD.

Only approved assessors (TISAX® AP) authorized by ENX are allowed to conduct TISAX® assessments. TÜV NORD CERT is an approved contractual partner of ENX.

The scope and duration of a TISAX® assessment primarily depend on the agreed objectives, the maturity and complexity of the ISMS, and the number of sites to be assessed.

A period of nine months is allowed from the Final Meeting (i.e., the last meeting of the initial assessment) to the completion of the entire assessment process, including the review of the successful implementation of all necessary corrective actions. If the deadline cannot be met, the process must be restarted.

The TISAX® label is valid for three years, after which a reassessment is required.

To receive a quote for a TISAX® assessment, the first step is to register in the ENX portal and provide the required information. Feel free to contact us if you would like assistance with the quote request process.

The ENX Association has compiled detailed information in the Participant’s Guide available on their website.

TISAX® Assessment with TÜV NORD

TÜV NORD is your preferred partner when it comes to demonstrating the quality of your Information Security Management System (ISMS). We have been accredited for auditing and certifying ISMS by the official German accreditation body (DAkkS) for many years. Specifically for the automotive sector, TÜV NORD is approved as a TISAX® Assessment Provider (TISAX® AP) by the ENX Association, with the authority to conduct assessments worldwide.

Note: TÜV NORD CERT GmbH is authorized by ENX to offer TISAX® assessment services. The intellectual property related to the TISAX® program and associated trademarks is owned by ENX.

TÜV NORD Bulgaria Ltd.

13 Nayden Gerov St., 4000 Plovdiv, Bulgaria

Tel.: +359 32 624 243
bulgaria@tuev-nord.de