TISAX Compliance Audits

About TISAX Audit Services

Due to the rising prevalence of intelligent and connected cars, the automotive industry and its supply chain have become appealing targets for hackers and ransomware attackers. In response, the German Association of the Automotive Industry (VDA) introduced the TISAX mark in 2017. This seal is an evaluation and exchange mechanism that ensures organisations comply with VDA's Information Security Assessment (ISA) in order to improve supply chain security.

TISAX has gained international recognition and is trusted by automotive manufacturers and suppliers worldwide; industry giants such as Audi, BMW, Mercedes-Benz, and Volkswagen have adopted it. TISAX aims to ensure consistent standards of IT security throughout the value chain. It relies on three assessment levels based on protection requirements: standard, high, and very high. TISAX extends the ISO 27001 standard by incorporating its controls and instructions for implementation, process assurance, and tool utilisation.

TISAX distinguishes itself, however, by requiring a specified maturity level to be attained before the designation is granted. Unlike ISO 27001, which requires a yearly audit, TISAX requires a single review valid for three years. While ISO 27001 results in a certificate, TISAX awards a distinguishing label based on satisfying the assessment objectives stated in the VDA assessment catalogue.

ISO/IEC 27001 and TISAX have distinct differences in their focus and application:

ISO/IEC 27001:

  • Targets the organization's leadership and stakeholders, applicable across various sectors and business functions.
  • Allows flexibility in defining the scope based on the organization's context.
  • Evaluates information security risks from the organization's perspective.
  • Lacks a standardized way to integrate audit results into supplier management tools.
  • Lacks a centralized database or standardized exchange mechanism for audit results.
  • Involves a broader range of stakeholders in international standardization with less frequent revisions.

TISAX:

  • Targets business partners within the automotive supply chain.
  • Emphasizes standardized scoping, ensuring meaningful results for business partners.
  • Evaluates information security risks from the perspective of business partners.
  • Provides a standardized format for assessment results using labels stored in a central database with a standardized exchange mechanism.
  • Allows integration of assessment results into supplier management tools.
  • Involves a TISAX working group with significant stakeholders, enabling quick adaptation to changes in the requirements catalogue (annual revision).

TISAX also offers the simplified group assessment as an optional evaluation approach for businesses with multiple locations. Participants can use the standard process or the simplified group assessment; choosing the simplified group assessment brings additional requirements. The company registers as a TISAX participant and describes its assessment objectives. Offers for a simplified group assessment are then requested from TISAX audit providers. The first step is a precondition check to confirm that the ISMS meets the requirements. If it passes, the assessment proceeds with reviews of the remaining sites according to the chosen assessment method.

TISAX is thus an information security assessment (ISA) catalogue, developed by the European automotive industry, built around key elements of information security such as data protection and connections to third parties.

The simplified group assessment, based on samples:

  • WHO? This assessment is designed for companies that have a minimum of three locations.
  • WHAT? It offers a distinct evaluation method tailored for companies with multiple locations.
  • WHEN? It is usually conducted proactively, before a partner requests TISAX results.
  • WHERE? The focus is primarily on the headquarters and a subset of all the company's locations.
  • WHY? The goal is to minimize the effort required for companies with numerous locations by leveraging their centralized and well-established Information Security Management Systems (ISMS).
  • HOW? The assessment involves conducting an in-depth examination at the headquarters, along with validations conducted at a representative sample of locations.

It involves the following two assessment options:

  1. Sample-based simplified group assessment (S-SGA)
  2. Rotating-schedule-based simplified group assessment (R-SGA)

In the sample-based procedure, a representative sample of locations is chosen for evaluation. The rotating-schedule-based procedure, on the other hand, ensures that every location within the established scope is evaluated over a set timeframe, usually three years. Both strategies aim to assess and confirm adherence to TISAX standards but differ in how they choose and evaluate locations within an organisation.

The conditions of applicability are:

  1. Minimum number of locations in the assessment scope
  2. Centralised and well-developed ISMS

To qualify for the simplified group assessment in TISAX, companies must have a centralized and well-developed Information Security Management System (ISMS). This means the primary location enforces the ISMS requirements at all sites, with dependable communication channels and feedback that matches expectations. The simplified group assessment entails a thorough ISMS check at the primary location, which allows for less intensive checks at the other sites. The assessment requires a minimum of three locations, preferably around twelve. For rotating-schedule-based evaluations, the total number of locations has a negligible effect on the effort required.


The current TISAX assessment objectives include:

  • Information requiring high levels of protection.
  • Information demanding exceptionally high levels of protection.
  • Compliance with data protection regulations outlined in Article 28 (Processor) of the European General Data Protection Regulation (GDPR).
  • Compliance with data protection regulations for special categories of personal data, as specified in Article 9 of the European General Data Protection Regulation (GDPR).
  • Safeguarding prototype parts and components.
  • Safeguarding prototype vehicles.
  • Proper handling of test vehicles.
  • Ensuring protection for prototypes during events, film productions, or photo shoots.

The cost of TISAX certification is EUR 405.00 per location in one scope. There is a discount of 10% per location for 5-9 locations within a scope and a discount of 20% per location for 10 or more locations within a scope. Before the final approval of any registration application for TISAX, payment of all fees, subject to German value-added tax (VAT), is required within 30 days of the invoice date.


Features

There are three assessment levels in TISAX:

  • Level 1 involves completing a questionnaire.
  • Level 2 includes random phone checks.
  • Level 3 entails an on-site inspection for suppliers handling highly sensitive data.


The TISAX Information Security Assessment comprises the following parameters:

    1. Policies and Organizations:

    It ensures that the appropriate information security policies, procedures, and roles are in place to support effective information security management. It is subdivided into the following:
    1. Information Security Policies
    2. Organization of Information Security
    3. Asset Management
    4. IT Risk Management
    5. Assessments
    6. Incident Management

    2. Human Resources:

    It evaluates the organization's human resources practices, including employee training, awareness, and the establishment of roles and responsibilities related to information security, to ensure a well-prepared and security-conscious workforce.

    3. Physical Security and Business Continuity:

    It assesses the physical security measures implemented by the organization to safeguard physical assets and ensure business continuity in the event of disruptions or emergencies.

    4. Identity and Access Management:

    It scrutinizes the organization's processes and controls for managing user identities, access rights, and authentication mechanisms. It further ensures that proper measures are in place to protect sensitive information from unauthorized access and to manage user privileges effectively. It has the following two sub-parts:
    1. Identity Management
    2. Access Management

    5. IT Security / Cyber Security:

    It ensures that appropriate safeguards are in place to mitigate cyber threats and protect sensitive information from unauthorized access, disclosure, or disruption. It is further classified into:
    1. Cryptography
    2. Operations Security
    3. System acquisitions, requirement management and development

    6. Supplier Relationships:

    It ensures that the organization has guidelines in place to assess the information security practices of its suppliers, monitor their compliance, and mitigate any potential risks to the organization's data and systems arising from those relationships.

    7. Compliance:

    This ensures that the organization has implemented necessary controls and measures to meet compliance requirements and minimize legal and regulatory risks related to information security.

    8. Prototype Protection:

    This ensures that appropriate controls are in place to safeguard prototypes from unauthorized access, theft, or compromise, reducing the risk of intellectual property theft and maintaining confidentiality during the development and testing stages. It is further classified into:
    1. Prototype protection: Physical and Environmental Security
    2. Prototype protection: Organizational Requirements
    3. Prototype protection: Handling Vehicles, Components and Parts
    4. Prototype protection: Requirements for Trial Vehicles
    5. Prototype protection: Requirements for Events

    Process:

    The TISAX assessment process consists of six steps:

    Step 1. Classification - An OEM/client categorizes suppliers based on the criticality of the data they handle.

    Step 2. Registration - Suppliers register with ENX, providing their scope number to initiate the assessment process.

    Step 3. Assessment - An assessment is conducted according to the requested level of security. This assessment evaluates the supplier's information security measures.

    Step 4. Report - The assessed company receives a comprehensive report from an approved auditor. This report highlights the findings and recommendations based on the assessment.

    Step 5. Vulnerability Elimination - The assessed company takes necessary actions to address and resolve any identified vulnerabilities or weaknesses in its information security practices.

    Step 6. Report Upload - The final step involves uploading the assessment report to the relevant platforms or systems, and making it available for review and verification by OEMs/clients or other stakeholders.

    In this way, TISAX ensures that suppliers meet the required information security standards and address any vulnerabilities, maintaining the integrity and security of data exchanged within the automotive industry.

Benefits

The benefits of implementing TISAX include:

  • Avoids redundant assessments and enables mutual recognition of assessment outcomes.
  • Streamlines the renewal process for supplier contracts.
  • Creates business development opportunities and connections through industry-wide recognition.
  • Addresses specific requirements of the automotive sector, establishing a standardized level of information security in the industry.
  • Instills confidence and trust throughout the entire automotive supply chain.
  • Improves efficiency for manufacturers and suppliers alike.

TISAX during the Coronavirus Pandemic:

During the coronavirus pandemic, TISAX (Trusted Information Security Assessment Exchange) continued to play a crucial role in ensuring information security in the automotive industry. Despite the challenges posed by the pandemic, TISAX assessments and certifications remained essential for companies involved in the automotive supply chain.

Remote assessments and virtual audits were introduced to adapt to the situation, so TISAX continued to support information security in the automotive industry. It helped companies maintain trust in their suppliers and secure their data during a period of increased digital interaction.

FAQ

What is TISAX certification?

TISAX certification is a recognized standard for information security in the automotive industry. It ensures that organizations have implemented appropriate measures to safeguard sensitive data and maintain a secure environment.

What is the purpose of TISAX?

TISAX aims to safeguard information security and data protection in the automotive industry by establishing standards and assessing companies' compliance with those standards' requirements.

What industries does TISAX apply to?

TISAX predominantly pertains to the automotive industry.

What is the cost of obtaining TISAX certification?

The cost of TISAX certification is EUR 405.00 per location in one scope. There is a discount of 10% per location for 5-9 locations within a scope and a discount of 20% per location for 10 or more locations within a scope.

Are there any prerequisites for pursuing TISAX certification?

Yes, there are prerequisites for pursuing TISAX certification. These typically include adhering to pertinent legal and regulatory standards as well as having an information security management system (ISMS) in place. Organisations must also show that they are ready and prepared for the TISAX assessment procedure.

What are the benefits of obtaining TISAX certification?

TISAX certification offers an array of benefits including greater data security, increased trust from partners in the automotive sector, improved compliance with industry standards, and a competitive edge in the market.

How long does it take to achieve TISAX certification?

The duration of your assessment depends on the size of your organization and the amount of travel activity associated with the inspection of your locations. A company of average size generally requires 2-3 days on-site to finish the process.

How often is the TISAX certification required to be renewed?

TISAX certification is typically valid for three years. Therefore, it needs to be renewed every three years to maintain the certification status. However, it's important to remember that various contracts and agreements could have particular demands regarding how frequently certifications need to be renewed.

How long is a TISAX certification valid?

A TISAX certification is typically valid for three years. To remain valid after that period, it must be renewed through a reassessment procedure.

Can a company self-assess for TISAX certification?

No, a company cannot self-assess for TISAX certification. TISAX certification requires an independent assessment conducted by accredited assessors who are authorized by the ENX Association, which manages the TISAX framework. This ensures objectivity and impartiality in the assessment process.

Is TISAX certification recognised internationally?

Yes, TISAX certification is recognized internationally, as the automotive industry is multinational. TISAX certification can help businesses that operate worldwide or have clients and business partners in several locations as it certifies adherence to generally accepted information security standards.

What are the consequences of non-compliance with TISAX?

The consequences of non-compliance with TISAX vary with the severity of the non-compliance. It can lead to economic loss, reputational harm, or legal consequences, and may result in the termination of agreements or business ties with TISAX-certified partners. In extreme circumstances, it may also result in penalties or legal action.

Can small businesses achieve TISAX certification?

Yes, small businesses can achieve TISAX certification. The TISAX certification procedure is intended to be flexible and scalable, so it can be adjusted to the organization's size and complexity. Nevertheless, small organisations may need to invest time and money in developing a suitable information security management system (ISMS) and preparing for the TISAX assessment procedure.

Is TISAX certification mandatory for suppliers to automotive manufacturers?

TISAX certification is not mandatory for all automotive suppliers, but it is frequently requested by automotive manufacturers to ensure information security and data protection across the supply chain.

Is TISAX certification limited to Germany?

No, TISAX certification is not limited to Germany. Organisations from other nations may seek TISAX certification if they work in the automobile sector or have commercial connections with automakers that require TISAX compliance. TISAX certification is applicable globally, beyond the borders of Germany.

Can TISAX certification be achieved remotely?

Yes, TISAX certification can be obtained through remote assessments, eliminating the need for on-site visits by assessors. For organisations with diverse geographic operations or in circumstances where in-person assessments are neither possible nor preferred, remote assessments can be effective and practical.

Can TISAX certification be revoked or suspended?

Yes, a company's TISAX certification may be revoked or suspended if it ceases to adhere to the required information security requirements. This can occur after significant breaches or non-compliance with TISAX requirements, or if the company fails to address and rectify identified issues within a specified timeframe.

Can TISAX certification be achieved for specific projects?

No, TISAX certification is not granted for specific projects. TISAX certification is presented to organizations based on their overall information security management system (ISMS) and compliance with TISAX requirements across their operations. It is not project-specific but rather demonstrates the organization's commitment to information security and data protection throughout its business processes.

Can TISAX certification help build customer trust?

TISAX certification enhances customer trust by assuring them that an organization has strong information security measures and adheres to industry standards. It demonstrates a commitment to data protection, strengthens relationships, and enhances the organization's reputation.

Are there any TISAX certification alternatives?

There are alternative certifications and frameworks to TISAX, such as ISO 27001, SOC 2, NIST Cybersecurity Framework, and GDPR compliance. These alternatives address information security and data protection in various industries, offering similar assurance and demonstrating a commitment to information security.

What is TISAX?

TISAX, which stands for Trusted Information Security Assessment Exchange, is a framework designed to ensure a standardized and secure approach to handling information security in the automotive industry. TISAX compliance is the certification that an organization operating in the automotive sector receives after successfully undergoing a comprehensive assessment of its information security management system (ISMS) against the TISAX standards.

What is included in TISAX?

Key elements of TISAX compliance include:

  1. Assessment Levels:

    TISAX categorizes assessments into different levels (e.g., AL2, AL3) based on the sensitivity of the information being handled. Assessment Levels determine the depth and rigor of the evaluation.
  2. Scope and Assessment:

    Organizations seeking TISAX compliance define the scope of their ISMS, outlining the systems and processes relevant to information security. TISAX auditors then conduct assessments to verify the effectiveness of these security measures.
  3. Information Security Requirements:

    TISAX compliance encompasses a set of information security requirements aligned with international standards. These requirements cover areas such as access controls, data protection, incident management, and communication security.
  4. Auditors and Assessors:

    TISAX assessments are conducted by accredited assessors who evaluate the organization's ISMS against the defined criteria. These assessors ensure that the organization's practices meet the standards set by TISAX.
  5. Data Protection and Confidentiality:

    Given the sensitivity of information in the automotive industry, TISAX places a strong emphasis on data protection and confidentiality. Compliance ensures that organizations handle and protect sensitive information appropriately.
  6. Continuous Improvement:

    TISAX compliance is not a one-time achievement. Organizations are encouraged to continuously improve their information security practices, staying vigilant against evolving cyber threats.
  7. Label Certification:

    Upon successful completion of the TISAX assessment, organizations receive a label certification. This certification signifies that the organization adheres to TISAX standards, providing a level of trust and assurance to partners and stakeholders in the automotive supply chain.

Your TISAX Implementation Partners

TISAX Implementation in Pune, India

Valency Networks, a leading cybersecurity company based in India, demonstrated its prowess as a TISAX consultant when approached by an esteemed automotive company in Pune, India. The client, recognizing the importance of achieving TISAX certification for its operations, sought our expertise to navigate the intricate process. As a TISAX implementation consultancy, we embarked on a systematic journey to guide the client through each crucial step towards obtaining the TISAX label certification.

The initial phase involved a comprehensive assessment of the client's existing cybersecurity infrastructure, identifying potential vulnerabilities and aligning current practices with TISAX standards. Our team of seasoned TISAX auditors meticulously examined the company's information security management system (ISMS) to ensure compliance with the stringent requirements laid out by TISAX. Following the assessment, we collaborated closely with the client to develop and implement a customized roadmap for TISAX compliance. This involved introducing robust security measures, implementing secure data handling protocols, and integrating cutting-edge technologies to fortify the automotive company's cybersecurity posture. Throughout the process, we maintained a client-centric approach, tailoring solutions to the specific needs and challenges faced by the automotive company in Pune.

As part of our TISAX implementation consultancy, we facilitated and guided the client through the TISAX audit. This meticulous process involved the scrutiny of the implemented measures by accredited TISAX auditors, ensuring that every aspect aligned with the stringent TISAX standards. We also actively participated in addressing any identified gaps and continuously refined the cybersecurity framework to meet the evolving TISAX criteria.

The culmination of this collaborative effort was the successful TISAX audit, resulting in the automotive company in Pune achieving the coveted TISAX label certification. Valency Networks not only demonstrated its technical expertise but also showcased its commitment to enhancing cybersecurity in the automotive industry. This success story stands as a testament to our effectiveness as a TISAX consultant and highlights our dedication to making businesses more resilient to cyber threats.

TISAX Implementation in Aurangabad, India

Valency Networks, a distinguished cybersecurity firm with a proven track record, played a pivotal role as a TISAX consultant for an esteemed Automotive parts manufacturer based in Aurangabad, India. Focused on achieving Assessment Level 3 (AL3) compliance, the client enlisted our expertise to navigate the intricate process of elevating their cybersecurity standards to meet the rigorous AL3 requirements.

The engagement kicked off with a thorough assessment conducted by us, wherein the existing cybersecurity infrastructure of the Automotive parts manufacturer was meticulously scrutinized. This initial phase, led by experienced TISAX auditors, aimed to identify potential vulnerabilities and gaps in the company's information security management system (ISMS). We ensured a comprehensive understanding of the client's unique challenges and objectives to tailor an effective strategy for AL3 implementation.

In collaboration with the client, we formulated a customized roadmap for achieving AL3 compliance, integrating advanced security measures and technologies into the existing framework. The TISAX implementation consultancy was marked by a strategic and methodical approach, ensuring that every facet of the automotive parts manufacturer's cybersecurity aligned with the stringent AL3 standards.

As part of the AL3 implementation process, we actively guided the client through the TISAX audit, working closely with accredited auditors to validate the effectiveness of the implemented measures. The audit process, conducted with precision and attention to detail, was a collaborative effort to address any identified gaps promptly. We demonstrated our commitment to excellence by refining the cybersecurity framework iteratively, ensuring that the automotive parts manufacturer in Aurangabad met the exacting AL3 criteria.

The successful outcome of this partnership was the attainment of AL3 compliance, solidifying the automotive parts manufacturer's commitment to robust cybersecurity practices. We not only showcased our technical acumen as a TISAX consultant but also demonstrated a keen understanding of the specific challenges faced by the automotive industry. This success story stands as a testament to our capability to elevate cybersecurity standards for businesses, particularly in the realm of automotive parts manufacturing.


Prashant Phatak

Founder & CEO, Valency Networks

Location: Pune, India

Prashant Phatak is an accomplished leader in the field of IT and cyber security. He is the founder and a C-level executive of his own firm, Valency Networks. Prashant specializes in vulnerability assessment and penetration testing (VAPT) of web, networks, mobile apps, cloud apps, IoT and OT networks. He is also a certified lead auditor for ISO 27001 and ISO 22301 compliance. As a proven problem solver, Prashant's expertise lies in end-to-end IT and cyber security consultancy for various industry sectors.