TISAX® is a program for assessing the information security systems of companies in the automotive sector. It targets data protection and integrity as well as availability both in the automotive manufacturing process and during vehicle operation. Behind TISAX® stands an Information Security Management System (ISMS) similar to that defined by the International Standard ISO 27001. Based on this standard, the German Association of the Automotive Industry (VDA) developed a set of catalogs of requirements (ISA) for the specific needs of the automotive industry.

The effectiveness of an ISMS can be demonstrated by successfully passing an independent assessment by an authorized partner, for example TÜV NORD. If the assessment is passed, ENX*, the organization which administers and manages the TISAX® program, issues a TISAX® label on its online platform.

Information security as a factor in remaining competitive

In the era of digitization, information security is increasingly a decisive factor in remaining competitive. This applies in particular to the automotive industry, where companies exchange a huge amount of sensitive data on a daily basis, data which needs to be protected against theft, loss or manipulation. Information security used to be considered the individual concern of each company, but this should change in future through the common assessment and exchange mechanism TISAX® (Trusted Information Security Assessment Exchange).

TISAX® – what does this mean?

Companies in the automotive industry have to demonstrate at regular three-year intervals that they fulfill the required security criteria of their sector. The basis for this proof is the VDA ISA catalog of requirements issued by the Association of the Automotive Industry (Verband der Automobilindustrie, VDA). The VDA ISA catalog comprises the key aspects and criteria of the internationally recognized standard ISO 27001 and additional lists of criteria which specifically apply to the automotive sector, such as the involvement of third parties and the protection of prototypes. Furthermore, there is a fully developed and comprehensive audit and exchange mechanism. The audit and reporting processes ensure a high degree of comparability and transparency and thus strengthen the confidence of the respective customers, who are therefore increasingly demanding the relevant TISAX® labels as a binding requirement. The TISAX® online platform makes it possible for participants to exchange assessment data and at the same time makes it easier for participants and audit providers to get in touch with one another.

The body responsible for TISAX® is the VDA, and the ENX Association monitors the quality of the execution and the assessment results.

Two possible roles in terms of participation

There are two roles within the exchange model, which each participating company can assume, according to its needs:

  • Passive participant (e.g. OEM, automotive manufacturer): Calls for another company (e.g. a supplier) to undergo an assessment and requests access to the assessment results.
  • Active participant (e.g. supplier): A company is either called upon by another company (e.g. OEM or customer) to undergo an assessment, or undertakes to have an assessment done on its own initiative. After completion, the active participant makes it possible for selected companies (e.g. OEMs) to gain access to the assessment results.

Companies can gain access to the TISAX® portal by registering as a participant. This is a prerequisite for entrusting an accredited audit provider with the task of carrying out an assessment.

Different protection levels and assessment levels

The ENX Association, as the operator of the TISAX® program, has clearly defined the level and scope of an assessment. TISAX® differentiates between three “protection levels” (normal, high and very high), which define the level of protection needed for the information in question. Furthermore, TISAX® differentiates between three “assessment levels”, which define the depth of the assessment and the assessment method:

  • Information with normal protection level: Assessment level 1 in the form of self-assessment. Results of assessments with assessment level 1 are normally not used in TISAX® but may be requested outside the scheme.
  • Information with high protection level: Assessment level 2 through an audit organisation, using the self-assessment as a basis, as well as various documents and a telephone interview (if required, on-site inspection).
  • Information with very high protection level: Assessment level 3 carried out by an independent audit provider on the basis of documentation and an on-site audit.

The scope and the duration of the TISAX® assessment are in each case essentially determined by the list of criteria to be addressed, the objectives of the protection, the complexity of the ISMS and the number of sites involved.

Who is authorized to carry out audits in accordance with TISAX®?

Only audit providers accredited according to TISAX® are permitted to carry out the assessments. TÜV NORD CERT is in the process of gaining accreditation.

The four stages in gaining TISAX® certification

  1. Online registration on the TISAX® platform
  2. Selection and appointment of an accredited audit provider, e.g. TÜV NORD CERT
  3. Performance of the assessment, using documentation or on-site audits
  4. Exchange of information on the results of the audit with other selected TISAX® participants, based on explicit authorization by the audited company.

Who recognizes TISAX®?

A TISAX® certification is required and recognized by all VDA members and OEMs, such as Audi, Volkswagen and BMW.

The advantages of the TISAX® procedure are as follows:

  • relevant assessment criteria
  • homogeneous assessment quality and a high level of transparency
  • standardized and stringent testing and reporting procedures
  • complete control of the assessment results
  • avoidance of double and multiple assessments
  • broad acceptance in the automotive sector
  • consolidation of existing and promotion of new business relations
  • consistent orientation to customer needs
  • reduction of risks and establishment of risk management

Are you interested in gaining TISAX® certification? Feel free to get in touch with us!

*Notice: TÜV NORD CERT GmbH is authorized by ENX to offer TISAX® assessment services. The intellectual property associated with the TISAX® program and the related trademarks are held by ENX.