Trusted Information Security Assessment Exchange (TISAX)


Due to the rising prevalence of intelligent and connected cars, the automotive industry and its supply chain have become appealing targets for hackers and ransomware attackers. In response, the German Association of the Automotive Industry (VDA) introduced the TISAX mark in 2017. This seal is an evaluation and exchange mechanism, ensuring organisations comply with VDA's Information Security Assessment (ISA) to improve supply chain security.

TISAX has achieved international acclaim and is trusted by automotive manufacturers and suppliers worldwide, with business giants like Audi, BMW, Mercedes-Benz, and Volkswagen embracing TISAX. TISAX aims to ensure consistent standards of IT security throughout the value chain. It relies on three assessment levels based on protection requirements: standard, high, and very high. TISAX extends the ISO 27001 standard by incorporating its controls and instructions for implementation, process assurance, and tool utilisation.

TISAX distinguishes itself from ISO 27001 by emphasising the attainment of a specified maturity level to obtain the designation. Unlike ISO 27001, which requires a yearly audit, TISAX requires a single three-year review. And while ISO 27001 offers a certification, TISAX awards a distinguishing label based on satisfying the assessment objectives stated in the VDA assessment catalogue.

ISO/IEC 27001 and TISAX have distinct differences in their focus and application:

ISO/IEC 27001:

  • Targets the organization's leadership and stakeholders, applicable across various sectors and business functions.
  • Allows flexibility in defining the scope based on the organization's context.
  • Evaluates information security risks from the organization's perspective.
  • Lacks a standardized way to integrate audit results into supplier management tools.
  • Lacks a centralized database or standardized exchange mechanism for audit results.
  • Involves a broader range of stakeholders in international standardization with less frequent revisions.


TISAX:

  • Targets business partners within the automotive supply chain.
  • Emphasizes standardized scoping, ensuring meaningful results for business partners.
  • Evaluates information security risks from the perspective of business partners.
  • Provides a standardized format for assessment results using labels stored in a central database with a standardized exchange mechanism.
  • Allows integration of assessment results into supplier management tools.
  • Involves a TISAX working group with significant stakeholders, enabling quick adaptation to changes in the requirements catalogue (annual revision).

TISAX offers the simplified group assessment as an optional evaluation approach for businesses with multiple locations. Participants can use either the standard process or the simplified group assessment; those who choose the simplified group assessment must meet additional requirements. The participant registers with TISAX, describes the assessment goals, and then requests offers from TISAX audit providers for a simplified group assessment. The first step is a precondition check to ensure the ISMS meets the requirements. If the check is passed, the assessment proceeds with reviews of the remaining sites based on the chosen assessment method.

TISAX is an information security assessment (ISA) catalogue, developed by the European automotive industry, based on key elements of information security such as data protection and connection to third parties.

The simplified group assessment, based on samples:

  • WHO? This assessment is designed for companies that have a minimum of three locations.
  • WHAT? It offers a distinct evaluation method tailored for companies with multiple locations.
  • WHEN? It is usually conducted proactively before a partner requests TISAX Results.
  • WHERE? The focus is primarily on the headquarters and a subset of all the company's locations.
  • WHY? The goal is to minimize the effort required for companies with numerous locations by leveraging their centralized and well-established Information Security Management Systems (ISMS).
  • HOW? The assessment involves conducting an in-depth examination at the headquarters, along with validations conducted at a representative sample of locations.

It involves the following two assessment options:

  1. Sample-based simplified group assessment (S-SGA)
  2. Rotating-schedule-based simplified group assessment (R-SGA)

In the sample-based assessment procedure, a representative sample of locations is chosen for evaluation. The rotating-schedule-based procedure, on the other hand, ensures that every business falling under the established scope is evaluated over a set timeframe, usually three years. Both approaches assess and confirm adherence to TISAX standards but differ in how they choose and evaluate locations within an organisation.

The conditions of applicability are:

  1. Minimum number of locations in the assessment scope
  2. Centralised and well-developed ISMS

To qualify for the simplified group assessment in TISAX, companies must have a centralized and well-developed Information Security Management System (ISMS). This means the primary location ensures compliance with ISMS regulations at all locations, with dependable communication channels and feedback matching expectations. The simplified group assessment entails a thorough ISMS check at the primary location, allowing for less intense checks at other sites. The assessment requires a minimum of three locations, preferably around twelve. For rotating-schedule-based evaluations, the total number of locations has a negligible effect on the effort necessary.

The present assessment objectives of TISAX include:

  • Information requiring high levels of protection.
  • Information demanding exceptionally high levels of protection.
  • Compliance with data protection regulations outlined in Article 28 (Processor) of the European General Data Protection Regulation (GDPR).
  • Compliance with data protection regulations for special categories of personal data, as specified in Article 9 of the European General Data Protection Regulation (GDPR).
  • Safeguarding prototype parts and components.
  • Safeguarding prototype vehicles.
  • Proper handling of test vehicles.
  • Ensuring protection for prototypes during events, film productions, or photo shoots.

The cost of TISAX certification is EUR 405.00 per location in one scope. There is a discount of 10% per location for 5-9 locations within a scope and a discount of 20% per location for 10 or more locations within a scope. Before the final approval of any registration application for TISAX, payment of all fees, subject to German value-added tax (VAT), is required within 30 days of the invoice date.


There are three assessment levels in TISAX:

- Level 1 involves completing a questionnaire

- Level 2 includes random phone checks

- Level 3 entails an on-site inspection for suppliers handling highly sensitive data

TISAX Information Security Assessment comprises the following parameters:

  1. Policies and Organizations: It ensures that the appropriate information security policies, procedures, and roles are in place to support effective information security management. It is subdivided into the following:

      1. Information Security Policies
      2. Organization of Information Security
      3. Asset Management
      4. IT Risk Management
      5. Assessments
      6. Incident Management

  2. Human Resources: It evaluates the organization's human resources practices, including employee training, awareness, and the establishment of roles and responsibilities related to information security, to ensure a well-prepared and security-conscious workforce.

  3. Physical Security and Business Continuity: It assesses the physical security measures implemented by the organization to safeguard physical assets and ensure business continuity in the event of disruptions or emergencies.

  4. Identity and Access Management: It scrutinizes the organization's processes and controls for managing user identities, access rights, and authentication mechanisms. It further ensures that proper measures are in place to protect sensitive information from unauthorized access and to manage user privileges effectively. It has the following two sub-parts:

      1. Identity Management
      2. Access Management

  5. IT Security / Cyber Security: It ensures that appropriate safeguards are in place to mitigate cyber threats and protect sensitive information from unauthorized access, disclosure, or disruption. It is further classified into:

      1. Cryptography
      2. Operations Security
      3. System acquisitions, requirement management and development

  6. Supplier Relationships: It ensures that the organization has guidelines in place to assess the information security practices of its suppliers, monitor their compliance, and mitigate any potential risks to the organization's data and systems arising from those relationships.

  7. Compliance: This ensures that the organization has implemented necessary controls and measures to meet compliance requirements and minimize legal and regulatory risks related to information security.

  8. Prototype Protection: This ensures that appropriate controls are in place to safeguard prototypes from unauthorized access, theft, or compromise, reducing the risk of intellectual property theft and maintaining confidentiality during the development and testing stages. It is further classified into:

      1. Prototype protection - Physical and Environmental Security
      2. Prototype protection - Organizational Requirements
      3. Prototype protection - Handling Vehicles, components and parts
      4. Prototype protection - Requirements for trial vehicles
      5. Prototype protection - Requirements for events


The TISAX assessment process consists of six steps:

Step 1. Classification - An OEM/client categorizes suppliers based on the criticality of the data they handle.

Step 2. Registration - Suppliers register with ENX, providing their scope number to initiate the assessment process.

Step 3. Assessment - An assessment is conducted according to the requested level of security. This assessment evaluates the supplier's information security measures.

Step 4. Report - The assessed company receives a comprehensive report from an approved auditor. This report highlights the findings and recommendations based on the assessment.

Step 5. Vulnerability Elimination - The assessed company takes necessary actions to address and resolve any identified vulnerabilities or weaknesses in its information security practices.

Step 6. Report Upload - The final step involves uploading the assessment report to the relevant platforms or systems, making it available for review and verification by OEMs/clients or other stakeholders.

In this way, TISAX ensures that suppliers meet the required information security standards and address any vulnerabilities to maintain the integrity and security of data exchanged within the automotive industry.


The benefits of implementing TISAX are as follows:

  • Avoids redundant assessments and enables mutual recognition of assessment outcomes.
  • Streamlines the renewal process for supplier contracts.
  • Creates business development opportunities and connections through industry-wide recognition.
  • Addresses specific requirements of the automotive sector, establishing a standardized level of information security in the industry.
  • Instills confidence and trust throughout the entire automotive supply chain.
  • Improves efficiency for manufacturers and suppliers alike.

TISAX during the Coronavirus Pandemic:

During the coronavirus pandemic, TISAX (Trusted Information Security Assessment Exchange) continued to play a crucial role in ensuring information security in the automotive industry. Despite the challenges posed by the pandemic, TISAX assessments and certifications remained essential for companies involved in the automotive supply chain.

It continued to ensure information security in the automotive industry with remote assessments and virtual audits, implemented to adapt to the dire situation. TISAX helped companies maintain trust in their suppliers and secure data during increased digital interactions. It also played a crucial role in safeguarding information amidst the challenges of the pandemic.

How can Valency Networks help you protect your personal information?

Valency Networks provides robust security solutions and cutting-edge technologies to keep your data safe and sound. Through comprehensive vulnerability assessments and penetration testing, we identify vulnerabilities in your systems and applications and provide actionable insights to strengthen your defenses. Valency Networks has also successfully completed a Trusted Information Security Assessment Exchange (TISAX) assessment, bringing a uniform, standardised approach to information security systems to help European clients from the automobile industry. So, please sit back and relax, knowing that we have your back, protecting your personal information like a trustworthy cyber security expert.

Why choose Valency Networks for Cyber Security?

We claim to be the ultimate defender in the realm of cyber security. Allow us to give a brief overview to support our claim:

Expertise: Valency Networks has worked with the world’s top IT service and product companies to implement TISAX. We have customers worldwide, and they rate us as the leading Cyber Security Company for our dedication and subject matter expertise.

Comprehensive Solutions: Valency Networks offers a complete suite of cybersecurity services comprising Risk Assessment, Risk Compliance, Risk Management and Risk Solutions. We deliver cutting-edge solutions in the areas of Vulnerability Assessment and Penetration Testing services for IT Networks, Web apps, cloud apps, mobile apps and IoT/OT networks. We also provide Cyber Security Consultancy Services, Compliance Implementations and Cyber Security Auditing Services for ISO27001, HIPAA, GDPR, SOC2, PCI-DSS, Cyber Essentials, PIPEDA, TISAX and so forth.

Innovation: Valency Networks uses the latest technology and innovative approaches to address emerging challenges in the ever-evolving cyber landscape.

Reputation: Recognized as one of India's top cyber security companies, we have been named "The Top Cyber Security Company of India" for our excellence in delivering effective and reliable security solutions.

Client-Focused Approach: We take our customers' data security very seriously, which has helped us establish ourselves as a country's top cyber security expert by gaining our customers' trust and loyalty. We work closely with clients, catering to their needs and ensuring maximum protection and assurance.

Hence, regarding cyber security, Valency Networks is the trusted armour that safeguards your business, allowing you to navigate the digital world confidently.


What is TISAX certification?
TISAX certification is a recognized standard for information security in the automotive industry. It ensures that organizations have implemented appropriate measures to safeguard sensitive data and maintain a secure environment.

What is the purpose of TISAX?
TISAX aims to safeguard information security and data protection in the automotive industry by establishing standards and assessing companies' compliance with those standards' requirements.

What industries does TISAX apply to?
TISAX predominantly pertains to the automotive industry.

What is the cost of obtaining TISAX certification?
The cost of TISAX certification is EUR 405.00 per location in one scope. There is a discount of 10% per location for 5-9 locations within a scope and a discount of 20% per location for 10 or more locations within a scope.

Are there any prerequisites for pursuing TISAX certification?
Yes, there are prerequisites for pursuing TISAX certification. These typically include adhering to pertinent legal and regulatory standards as well as having an information security management system (ISMS) in place. Organisations must also show that they are ready and prepared for the TISAX assessment procedure.

What are the benefits of obtaining TISAX certification?
TISAX certification offers an array of benefits including greater data security, increased trust from partners in the automotive sector, improved compliance with industry standards, and a competitive edge in the market.

How long does it take to achieve TISAX certification?
The duration of your assessment depends on the size of your organization and the amount of travel activity associated with the inspection of your locations. A company of average size generally requires 2-3 days on-site to finish the process.

How often is the TISAX certification required to be renewed?
TISAX certification is typically valid for three years. Therefore, it needs to be renewed every three years to maintain the certification status. However, it's important to remember that various contracts and agreements could have particular demands regarding how frequently certifications need to be renewed.

How long is a TISAX certification valid?
A TISAX accreditation is typically valid for a period of three years. The certification must be renewed through a reassessment procedure to maintain its validity after the three-year period is over.

Can a company self-assess for TISAX certification?
No, a company cannot self-assess for TISAX certification. TISAX certification requires an independent assessment conducted by accredited assessors who are authorized by the ENX Association, which manages the TISAX framework. This ensures objectivity and impartiality in the assessment process.

Is TISAX certification recognised internationally?
Yes, TISAX certification is recognized internationally, as the automotive industry is multinational. TISAX certification can help businesses that operate worldwide or have clients and business partners in several locations as it certifies adherence to generally accepted information security standards.

What are the consequences of non-compliance with TISAX?
The consequences of non-compliance with TISAX can vary depending on the severity of the non-compliance. Non-compliance can occasionally lead to economic loss, reputational harm, or legal consequences. Non-compliance may also result in the termination of agreements or business ties with TISAX-certified partners. Non-compliance may potentially result in penalties or legal action in extreme circumstances.

Can small businesses achieve TISAX certification?
Yes, small businesses can achieve TISAX certification. The TISAX certification procedure is intended to be flexible and scalable, which enables it to be adjusted to the organization's size and complexity. However, small organisations might need to spend time and money developing a suitable information security management system (ISMS) and getting ready for the TISAX assessment procedure.

Is TISAX certification mandatory for suppliers to automotive manufacturers?
TISAX certification is not mandatory for all automotive suppliers, but it is frequently requested by automotive manufacturers to ensure information security and data protection across the supply chain.

Is TISAX certification limited to Germany?
No, TISAX certification is not limited to Germany. If they work in the automobile sector or have commercial connections with automakers who want TISAX compliance, organisations from other nations may seek TISAX certification. TISAX certification is applicable globally, beyond the borders of Germany.

Can TISAX certification be achieved remotely?
Yes, TISAX certification can be obtained through remote assessments, eliminating the need for on-site visits by assessors. For organisations with diverse geographic operations or in circumstances where in-person assessments are neither possible nor preferred, remote assessments can be effective and practical.

Can TISAX certification be revoked or suspended?
Yes, a company's TISAX accreditation may be revoked or suspended if it ceases to adhere to the necessary information security requirements. This can occur if there are significant breaches or non-compliance with TISAX requirements, or if the company fails to address and rectify identified issues within a specified timeframe.

Can TISAX certification be achieved for specific projects?
No, TISAX certification is not granted for specific projects. TISAX certification is presented to organizations based on their overall information security management system (ISMS) and compliance with TISAX requirements across their operations. It is not project-specific but rather demonstrates the organization's commitment to information security and data protection throughout its business processes.

Can TISAX certification help build customer trust?
TISAX certification enhances customer trust by assuring them that an organization has strong information security measures and adheres to industry standards. It demonstrates a commitment to data protection, strengthens relationships, and enhances the organization's reputation.

Are there any TISAX certification alternatives?
There are alternative certifications and frameworks to TISAX, such as ISO 27001, SOC 2, NIST Cybersecurity Framework, and GDPR compliance. These alternatives address information security and data protection in various industries, offering similar assurance and demonstrating a commitment to information security.