TISAX®

Information security as a factor in remaining competitive

In the era of digitization, information security is increasingly a decisive factor in remaining competitive. This applies in particular to the automotive industry, where companies exchange a huge amount of sensitive data on a daily basis, data which needs to be protected against theft, loss or manipulation. Information security used to be considered the individual concern of each particular company, but this should change in future through the common assessment and exchange mechanism TISAX® (Trusted Information Security Assessment Exchange).

TISAX® – what does this mean?

Companies in the automotive industry have to demonstrate at regular three-year intervals that they fulfil the required security criteria of their sector. The basis for this proof is the VDA ISA catalogue of requirements issued by the Association of the Automotive Industry (Verband der Automobilindustrie, VDA). The VDA ISA catalogue comprises the key aspects and criteria of the internationally recognized standard ISO 27001 and additional lists of criteria which apply specifically to the automotive sector, such as the involvement of third parties and the protection of prototypes. Furthermore, there is a fully developed and comprehensive audit and exchange mechanism. The audit and reporting processes ensure a high degree of comparability and transparency and thus strengthen the confidence of customers, who are therefore increasingly making the attainment of the relevant TISAX® labels a binding requirement. The TISAX® online platform makes it possible for participants to exchange assessment data and at the same time makes it easier for participants and audit providers to get in touch with one another.
The body responsible for TISAX® is the VDA, and the ENX Association monitors the quality of the execution and of the assessment results. You can find the associated TISAX® handbook here.

Two possible roles in terms of participation

There are two roles within the exchange model, which each participating company can assume, according to its needs:

  • Passive participant (e.g. OEM, automotive manufacturer): Calls for another company (e.g. a supplier) to undergo an assessment and requests access to the assessment results.
  • Active participant (e.g. supplier): A company is either called by another company (e.g. OEM or customer) to undergo an assessment, or undertakes to have an assessment done on its own initiative. After completion, the active participant makes it possible for selected companies (e.g. OEMs) to gain access to the assessment results.

Companies can gain access to the TISAX® portal by registering as a participant. This is a prerequisite for entrusting an approved audit provider with the task of carrying out an assessment.

 

Different protection levels and assessment levels

The ENX Association, as the operator of the TISAX® programme, has clearly defined the level and scope of an assessment. TISAX® differentiates between three “protection levels” (normal, high and very high), which define the required level of protection of the information in question. Furthermore, TISAX® differentiates between three “assessment levels”, which define the depth of assessment and the assessment method:

  • Information with normal protection level: Assessment level 1 in the form of self-assessment. Results of assessments with assessment level 1 are normally not used in TISAX® but may be requested outside the scheme.
  • Information with high protection level: Assessment level 2 through an audit organisation, using the self-assessment as a basis, as well as various documents and a telephone interview (if required, on-site inspection).
  • Information with very high protection level: Assessment level 3 carried out by an independent audit provider on the basis of documentation and an on-site audit.

The scope and the duration of the TISAX® assessment are in each case essentially determined by the list of criteria to be dealt with, the objectives of the protection, the complexity of the ISMS and the number of sites involved.

Who is authorized to carry out audits in accordance with TISAX®?

Only audit providers approved according to TISAX® are permitted to carry out the assessments.

The four stages in gaining TISAX® certification

  • Online registration on the TISAX® platform
  • Selection and appointment of an approved audit provider, e.g. TÜV NORD CERT
  • Performance of the assessment, using documentation or on-site audits
  • Exchange of information on the results of the audit with other selected TISAX® participants, based on explicit authorization by the audited company.

Who recognizes TISAX®?

TISAX® certification is required and recognized by all VDA members and OEMs, such as Audi, Volkswagen and BMW.
The advantages of the TISAX® procedure are as follows:

  • relevant assessment criteria
  • homogeneous assessment quality and a high level of transparency
  • standardized and stringent testing and reporting procedures
  • complete control of the assessment results
  • avoidance of double and multiple assessments
  • broad acceptance in the automotive sector
  • consolidation of existing and promotion of new business relations
  • consistent orientation to customer needs
  • reduction of risks and establishment of risk management

Where can I find further information on TISAX®?

The ENX Association has put together detailed information in a manual for participants on the ENX TISAX® website.

TISAX® Assessments with TÜV NORD

TÜV NORD is your preferred partner when it comes to demonstrating the quality of your Information Security Management System (ISMS), and we have been accredited for ISMS auditing and certification by the official German accreditation body (DAkkS) for many years. Specifically for the automotive sector, TÜV NORD is approved as a TISAX® Assessment Provider (TISAX® AP) by the ENX Association, with authority to perform assessments throughout the world.

*Notice: TÜV NORD CERT GmbH is authorized by ENX to offer TISAX® assessment services. The intellectual property associated with the TISAX® program and the related trademarks are held by ENX.

Please contact us

Arkadia Green Park, Tower F 6th Floor, Suite 602-604, Jl. TB. Simatupang Kav.88, Kebagusan, Pasar Minggu, 12520 Jakarta Selatan

Tety Yohanti
Sales Manager
Certification Services

tety@tuv-nord.com