Levels in the assessment on TISAX®: Get the right one for your business

What is an assessment level on TISAX®?

The Trusted Information Security Assessment Exchange – TISAX® for short – is a testing and exchange mechanism for the automotive sector. The task of TISAX® is to set binding standards for information and cyber security that all suppliers in the industry must adhere to. As cooperation between OEMs and suppliers is of different types and scales, TISAX® has also defined different assessment objectives. Whether a company meets each objective is checked against the associated assessment level on TISAX®. Basically, the more demanding an assessment objective, the higher the assessment level.

Which assessment level on TISAX® is relevant for my company?

Every company can decide for itself which assessment objectives for TISAX® it wants to meet. This decision will determine which assessment levels on TISAX® are relevant in each case. That’s the theory, anyway. But in practice, things are different. Certification on TISAX® is a must for any company that wants to do business in and with the automotive sector. And as a rule, it’s the OEMs themselves who specify which assessment objectives and levels a supplier must fulfil.

Which assessment levels on TISAX® exist?

There are three different levels. The handbook for the certification on TISAX® – published by the umbrella organisation for the European automotive sector, the ENX Association – defines assessment level 1, assessment level 2 and assessment level 3.

What is assessment level 1 of the assessment on TISAX®?

TISAX® level 1 reflects ‘normal’ protection needs. This level of assessment only requires a company to complete a self-assessment based on a questionnaire known as the ‘Information Security Assessment’ or ISA. Whether the self-assessment is correct or not, is not objectifiable. As such, assessment level 1 on TISAX® is not associated with an official assessment objective. This assessment level is purely theoretical and not relevant in practice.

What is assessment level 2 of the assessment on TISAX®?

Assessment level 2 on TISAX® reflects ‘high’ protection needs. As for level 1, level 2 is based on the company’s self-assessment using the ISA questionnaire. The difference is that, during a level 2 assessment on TISAX®, an external auditor verifies the company’s self-assessment. To do this, he or she will conduct a telephone interview as well as perform comprehensive plausibility checks of the evidence provided. The checks are usually done remotely. The assessment is primarily document-based.

What is assessment level 3 of the assessment on TISAX®?

Level 3 on TISAX® reflects ‘very high’ protection needs. The majority of the defined assessment objectives require assessment level 3. The procedure is identical to that for assessment level 2 on TISAX®: first, the company to be audited submits a self-assessment, which the external auditor will then check against the documentation and evidence. But for level 3, the assessment process doesn’t stop there. In order to be able to assess the effectiveness and maturity level of the ISMS actually implemented by the company, the auditor also carries out on-site inspections and in-person interviews – all of this not only at the company headquarters, but potentially at every location.

How much does an assessment on TISAX® cost? 

It depends. Blanket statements about costs are sure to be unreliable, as the preparation, procedure and scope of an assessment on TISAX® depend on many variables. For example, what are the assessment scope and assessment levels? How effective is the company’s organisational structure already? Does the company maintain one or more locations? Are all of them located domestically, or is the company globally positioned? What ISMS optimisations and measures does a company need to carry out for a successful assessment? Are the measures then implemented sufficiently, or is another final round of checking and optimisation necessary?

What is an assessment on TISAX®? 

During an assessment on TISAX®, an external auditor checks whether the company’s established ISMS that is described in the application for the assessment actually does what it is supposed to do. To this end, the auditor will look at all processes, documents and measures as well as the appropriate evidence and – depending on the assessment objective and the associated level of TISAX® – also check these on site. Assessments are based on a questionnaire drawn up by the German Association of the Automotive Industry (VDA) for conducting Information Security Assessments (ISA), in short referred to as the ISA.

Who certifies TISAX®? 

Certification on TISAX® may only be granted by audit providers who are approved for this purpose and accredited by the ENX Association. The ENX Association provides country-specific information online via the TISAX® Portal about audit providers accredited to perform TISAX® audits. Good to know: Companies are free to choose which accredited audit provider they commission. That means that audit providers are in competition with each other. This arrangement is supposed to ensure fair, performance-based costs for assessment services.

Is TISAX® mandatory?

There are no legal requirements for certification on TISAX®. However, for companies that can’t prove they are TISAX® certified, cooperation with the major manufacturing companies in the automotive sector is out of the question. For anyone who wants to do business in this market, there is no way around certification. So, at the end of the day, TISAX® is a must for many companies.

Do you still have questions about which level on TISAX® is suitable for the requirements of your organisation? We will be happy to help you. Simply schedule a free consultation.

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.