
TISAX - InfoSec for Automotive Industry

Information Security as Critical Success Factor

In the era of digitization, information security is increasingly a decisive factor in remaining competitive. This applies in particular to the automotive industry: here companies exchange a huge amount of sensitive data on a daily basis, data which needs to be protected against theft, loss or manipulation. Information security used to be considered the individual concern of each particular company, but this should change in future through the common assessment and exchange mechanism TISAX (Trusted Information Security Assessment Exchange).

What is TISAX

Companies in the automotive industry have to demonstrate at regular three-year intervals that they fulfil the required security criteria of their sector. The basis for this proof is the VDA ISA catalogue of requirements issued by the Association of the Automotive Industry (Verband der Automobilindustrie, VDA). The VDA ISA catalogue comprises the key aspects and criteria of the internationally recognized standard ISO 27001 and additional lists of criteria which apply specifically to the automotive sector, such as the involvement of third parties and the protection of prototypes. Furthermore, there is a fully developed and comprehensive audit and exchange mechanism. The audit and reporting processes ensure a high degree of comparability and transparency and thus strengthen the confidence of customers, who increasingly make attainment of the relevant TISAX labels a binding requirement. The TISAX online platform makes it possible for participants to exchange assessment data and at the same time makes it easier for participants and audit providers to get in touch with one another.

The body responsible for TISAX is the VDA, and the ENX Association monitors the quality of the execution and of the assessment results. You can find the associated TISAX handbook here.

Two pathways for certification

There are two roles within the exchange model, which each participating company can assume, according to its needs:

  • Passive participant (e.g. OEM, automotive manufacturer): Calls for another company (e.g. a supplier) to undergo an assessment and requests access to the assessment results.
  • Active participant (e.g. supplier): A company is either called on by another company (e.g. OEM or customer) to undergo an assessment, or undertakes to have an assessment done on its own initiative. After completion, the active participant makes it possible for selected companies (e.g. OEMs) to gain access to the assessment results.

Companies can gain access to the TISAX portal by registering as a participant. This is a prerequisite for entrusting an accredited audit provider with the task of carrying out an assessment.

Various protection and assessment levels

The ENX Association, as the operator of the TISAX programme, has clearly defined the level and scope of an assessment. TISAX differentiates between three “protection levels” (normal, high and very high), which define the level of protection needed for the information in question. Furthermore, TISAX differentiates between three “assessment levels”, which define the depth of the assessment and the assessment method:

  • Information with normal protection level: Assessment level 1 in the form of self-assessment. Results of assessments with assessment level 1 are normally not used in TISAX but may be requested outside the scheme.
  • Information with high protection level: Assessment level 2 through an audit organisation, using the self-assessment as a basis, as well as various documents and a telephone interview (if required, on-site inspection).
  • Information with very high protection level: Assessment level 3 carried out by an independent audit provider on the basis of documentation and an on-site audit.

The scope and the duration of the TISAX assessment are in each case essentially determined by the list of criteria to be dealt with, the objectives of the protection, the complexity of the ISMS and the number of sites involved.

TISAX Assessments with TÜV NORD

TÜV NORD is your preferred partner when it comes to demonstrating the quality of your Information Security Management System (ISMS), and we have been accredited for ISMS auditing and certification with the official German accreditation body (DAkkS) for many years. Specifically for the automotive sector, TÜV NORD is approved as a TISAX Accredited Audit Provider (XAP) by the ENX Association, with authority to perform assessments throughout the world.


Roadmap to TISAX Certification - 4 Steps

  1. Online registration on the TISAX platform
  2. Selection and appointment of an accredited audit provider, e.g. TÜV NORD CERT
  3. Performance of the assessment, using documentation or on-site audits
  4. Exchange of information on the results of the audit with other selected TISAX participants, based on explicit authorization by the audited company.

Value of TISAX Certification

TISAX certification is recognized by all VDA members and OEMs, such as Audi, Volkswagen and BMW.

Key benefits of certification:

  • relevant assessment criteria
  • homogeneous assessment quality and a high level of transparency
  • standardized and stringent testing and reporting procedures
  • complete control of the assessment results
  • avoidance of double and multiple assessments
  • broad acceptance in the automotive sector
  • consolidation of existing and promotion of new business relations
  • consistent orientation to customer needs
  • reduction of risks and establishment of risk management

Are you interested in gaining TISAX certification? Feel free to get in touch with us!

We look forward to your enquiry

TÜV NORD Singapore

25 International Business Park #03-107, German Centre
Singapore 609916

+65 6904 6700

singapore@tuv-nord.com