Which label you will get for four assessment on TISAX®

What is a label for TISAX®?

A label for TISAX® is something like a ticket for admission to the market for companies who wish to sell products and services to automotive sector OEMs. By way of background information: up until 2017, every car manufacturer made the effort on their own to verify whether suppliers met their conditions of purchase, especially in relation to compliance and information security. This arrangement cost all involved a great deal of effort and money. Suppliers were subjected to countless audits: each OEM had to perform their own audit, based on their own framework and according to their own criteria.

Then, in 2017, the umbrella organisation of the European automotive sector, the ENX Association, established the TISAX® testing and exchange mechanism. TISAX® has standardized the way the information security management system (ISMS) is assessed for all participating companies. The results are exchanged between member organisations via a central online platform, the ENX Portal. TISAX® reflects various assessment objectives and encompasses multiple labels. Companies that meet a given assessment objective receive the corresponding label for this assessment on TISAX®.

How many labels exist, and what is the difference between them?

The ENX Association has defined eight different assessment on TISAX® objectives. That means there is a total of eight different labels for TISAX®: two in the information security sector, four related to prototype protection and two more for data protection. So a company can have multiple labels at once, but no more than eight. But in practice, having that many is not always necessary.

For example, if a company fulfils the assessment objective ‘Handling of information with very high protection needs’, it simultaneously covers the one called ‘Handling of information with high protection needs’. A company that meets the requirements of both objectives can have both labels – or just the higher-level one. The choice is up to you. This also holds true in the area of data protection (see Ill. 1).

Ill. 1: Objectives of an assessment on TISAX®

What exactly does having a label mean?

A label...

• Is the result of an assessment process of TISAX®
• Summarizes the audit result
• Serves as confirmation that the audited ISMS meets a defined catalogue of requirements

Who needs which label for TISAX®?

There is no conclusive answer to this question. In the end, the decisive factor are the requirements and associated assessment objectives specified by the OEMs that a given company wishes to cooperate with. In order to start doing business together, the supplier must provide the required label.

How long is a label valid?

Once issued, a label is usually valid for three years. After that, it must be renewed. To renew a label, companies have to pass another assessment on TISAX®. Companies need undergo no external audits during the three-year validity period. But participating companies are required to regularly carry out and document what are known as TISAX® self-assessments. A company that fails to provide evidence of self-assessments at the end of a corresponding label’s three-year validity period will be faulted for it at the next assessment, and the auditor might reconsider renewing the label.

Exceptions: If a company moves or opens additional locations, the validity of their labels will expire prematurely. But in this case, a company has the option of applying to the ENX Association for a scope extension assessment, which can extend the scope of a label to a new location or locations.

In what cases is a temporary label issued?

After personal on-site inspections by a provider of the audit on TISAX®, which are carried out for all assessment objectives with assessment level 3 objectives, often only temporary TISAX® labels are issued. This is the case when the auditor identifies minor non-conformities from the TISAX® criteria during the audit. These issues have to be rectified before a temporary label can come into full effect. This is not the case with what are known as major non-conformities. If major non-conformities are identified, the respective label for the assessment on TISAX® only becomes valid on the day on which the respective issues are shown to have been resolved.

How can you get a label?

The steps to getting a label are simple – at least to lay out. First, register your company with the ENX Portal and specify the scope of the assessment on TISAX® your company needs. Then get your ISMS ready for the assessment process – ideally with the help of a partner such as DataGuard – and pick an accredited audit provider. After you’ve successfully passed the audit, the ENX Association issues the label/labels. After that, nothing stands in the way of working with your target customers in the automotive sector.

We are happy to assist you throughout the entire process and support you on your way to getting the label for your assessment on TISAX®. Don’t hesitate to get in touch now! We wish you every success.

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.