TISAX® audits and what distinguishes them from an assessment
A TISAX® audit is the assessment process a company undergoes to obtain a TISAX® label. The term is often confused with ‘an assessment on TISAX®’, although in reality both basically mean the same thing. The confusion is probably due to the terms being translated inconsistently in publications on the topic. Originally written in English, the TISAX® Participant Handbook is the authoritative guide for the TISAX® process.
In the English version, the assessment process is consistently referred to as an ‘assessment’, and the examiners as ‘auditors’. In the German version of the manual, however, ‘assessment’ is usually translated as Prüfung (audit), but the manual nonetheless still refers to three ‘assessment’ levels, not ‘audit’ levels. To make things even more confusing, the manual sometimes uses the German Prüfer to refer to the auditors, while at other times it borrows the English, calling them ‘Auditor’. So, in practice, both terms are used synonymously: a TISAX® audit is an assessment on TISAX® . There are no substantial differences.
What is meant by assessment level?
TISAX® reflects a total of eight different assessment objectives. So theoretically, a company could collect eight different TISAX® labels (see Ill. 1).
| Nr. | TISAX® Profile | Assessment Level |
| 1 | Handling of information with high proetction needs | AL 2 |
| 2 | Handling of information with very high protection needs | AL 3 |
| 3 | Protection of prototype parts and components | AL 3 |
| 4 | Protection of prototype vehicles | AL 3 |
| 5 | Handling of test vehicles | AL 3 |
| 6 | Protection of prototypes during events and film or photoshoots | AL 3 |
| 7 |
Data Protection According to Article 28 ("Processor") of the European General Data Protection Regulation (GDPR) |
AL 2 |
| 8 |
Data protection with special categories of personal data According to Article 28 ("Processor") with special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR) |
AL 3 |
TISAX® differentiates three assessment levels (ALs). Put simply, the assessment levels define the auditor’s level of involvement as demanded by the respective assessment scope. For AL 1, an auditor is not involved. The company merely provides a self-assessment, in the form of a questionnaire, on the effectiveness of its own information security management system (ISMS). The questionnaire is not subject to any further scrutiny or checks. So when it comes down to it, TISAX® assessment level 1 plays no real role. It’s a mere formality but does not lead to an assessment label.
For AL 2, the company undergoing the assessment must complete the ISA questionnaire and send it to the auditor of their choice, along with complete ISMS documentation. The auditor will check the documents and set up an interview using the information provided. Generally, the audit provider will conduct the interview via web conference.
The main difference between AL 3 and AL 2 is the assessment procedure. For AL 3, it is done live instead of remotely. The auditor will visit the company’s location or locations to verify that the guidelines and measures defined in the ISMS have actually been implemented effectively.
Companies should note that the assessment levels are not freely selectable; instead, they are determined by the assessment objectives and associated TISAX® labels (see Ill. 1). A company that wishes to obtain a TISAX® label that demands AL 3 must undergo an AL 3 assessment.
Who carries out an assessment on TISAX®, and who is involved?
Assessments on TISAX® may only be carried out by audit providers who have TISAX® accreditation. The ENX Association, an association of the European automotive sector, is the sole accrediting body. No party is involved in an AL 2 and AL 3 assessment other than the company undergoing the audit and the audit provider. The assessment results are published in the ENX Portal members’ area.
In order to implement a TISAX®-compliant ISMS and successfully prepare for an assessment, companies usually turn to professional support – for example by working with the TISAX experts at DataGuard.
What is the purpose of an assessment on TISAX®?
The purpose of assessments carried out by TISAX® audit providers is to verify that participating companies comply with the TISAX® requirements. The assessment objectives defined for each TISAX® label and the assessment levels they are based on serve as benchmarks to determine compliance. From the point of view of participating companies, the purpose is to obtain the TISAX® labels they want or require for market participation in the automotive sector.
What is the procedure of an assessment on TISAX®?
In order to participate in the assessment process of TISAX®, interested companies must register on the online ENX Portal. When registering, companies will need to define, among other things, the assessment objectives they wish to pursue. Only after companies have registered and defined their assessment objectives can they go on to choose an accredited audit provider and commission said party to perform the assessment. For the procedure, the company provides the auditor with the completed ISA questionnaire and documentation of the implemented ISMS. After reviewing these documents and the corresponding evidence, and after a remote or on-site inspection, the auditor will finally issue the desired TISAX® label or labels, as the case may be.
It is important to know that the ISA questionnaire requires participants to give a self-assessment of the maturity level for each measure implemented in the company. The auditor will check this information and compare it with the on-the-ground reality by asking to see suitable evidence. As you can see, it is therefore not enough to merely draft internal guidelines and policies. TISAX® participants must be able to demonstrate that they have actually implemented these policies.
How long does an assessment on TISAX® take?
While preparation can take weeks, months or even years, the assessment on TISAX® itself takes only a few days at most – depending on the TISAX® label you are trying to obtain and your company’s organisational structure. A company with multiple international locations and assessment objectives that require AL 3 on-site inspection should plan for more time than a supplier with only one location who needs to undergo an AL 2 inspection. This holds true even if some audit providers have international teams that can share the job.
Conclusion
There is no difference between the assessments on TISAX® and TISAX® audits. There are three clearly defined assessment levels of TISAX®. And for each of the eight available TISAX® assessment objectives, the assessment level a company needs to complete is predefined. Level 1 exists merely as a formality; it is not associated with any assessment objective. Assessment level 2 applies to the assessment objectives ‘Handling of information with high protection needs’ and ‘Data protection’. All other assessment objectives and TISAX® labels require companies to complete assessment level 3.
We are happy to assist you throughout the entire process and support you on your way to getting the TISAX® label you need. Don’t hesitate to get in touch now! We wish you every success.
TISAX® Assessment Checklist
Our checklist will give you a clear picture of how to prepare for the assessment in practice.
Get your free guide
