Test mules, auto shows and revelations: In the automotive industry, new or updated models are often the result of an enormous effort involving hundreds of engineers and suppliers. Given this expense, it comes as no surprise that original equipment manufacturers (OEMs) only trust suppliers that meet the highest information security standards. Within the industry, this is ensured through TISAX® certification.
The facts in a nutshell
- TISAX® defines the standard for information security management systems (ISMS) within the automotive industry.
- TISAX® builds on the ISO 27001 standard for certified ISMSs.
- Part of the ENX platform, TISAX® serves participants as an assessment and exchange mechanism. (ENX is an association of European automotive manufacturers and suppliers.)
- ENX has set up TISAX® as a way to ensure a unified level of information security, prototype protection and data protection among all TISAX® participants.
- Companies that want to undergo a TISAX® assessment should plan and prepare in good time, because the entire assessment process takes about one year.
In this article
- What is TISAX® and what does the acronym stand for?
- How does TISAX® relate to ISO 27001?
- Who needs TISAX® certification? What are the requirements?
- How many TISAX® levels are there in a TISAX® assessment?
- What are the advantages of TISAX® certification?
- Do participants get a TISAX® certificate after undergoing a TISAX® assessment?
- What are the concrete stages of TISAX® assessment?
- How much does it cost a company that needs a TISAX® assessment?
What is TISAX® and what does the acronym stand for?
TISAX® stands for Trusted Information Security Assessment Exchange, an information security standard that was developed exclusively for the requirements of the automotive industry. Originally established by the German Association of the Automotive Industry (VDA), the standard has long been a mainstay across Europe. TISAX® is a registered trademark of the ENX Association, an organisation consisting of European automotive manufacturers and suppliers.
ENX Association is responsible for carrying out the TISAX® procedure, based on the VDA’s Information Security Assessment (ISA) catalogue of questions. Unlike ISO 27001 audits of information security management systems (ISMS), TISAX® is largely a self-assessment.
How does TISAX® relate to ISO 27001?
Both standards define the requirements that an ISMS must meet in terms of design, implementation, and operation. ISO 27001 sets out the groundwork that TISAX® builds on. As far as their requirements for information security go, ISO 27001 and TISAX® are practically identical. But the TISAX® catalogue of requirements also covers optional areas focusing specifically on prototype protection and data protection. So you might say that TISAX® compliance optimises an ISMS for the automotive industry. Depending on the maturity level of your TISAX®-compliant ISMS, it should at minimum meet the requirements for ISO 27001 and might even far exceed them.
Who needs TISAX® certification? What are the requirements?
TISAX® certification is not a legal requirement. No company can be mandated to implement a TISAX®-compliant ISMS or to have their ISMS checked through a TISAX® assessment. But realistically, proof of TISAX® compliance is a requirement for any company wanting to operate successfully in the automotive industry or as a supplier or partner for car manufacturers. Without proof of TISAX® compliance, you can forget about working with any of the major OEMs.
The TISAX® requirements largely match those of ISO 27001. But depending on the TISAX® level you’re aspiring to, your company will have to meet additional requirements – especially for data protection and the industry-specific requirements for prototype protection.
How many TISAX® levels are there in a TISAX® assessment?
A TISAX® assessment has three levels, which correspond to three different protection needs depending on your company’s situation: normal (Level 1), high (Level 2) and very high (Level 3).
Good to know: Similar to ISO 27001, the TISAX® Basic Assessment covers information security. Every company that wants TISAX® certification must implement these basic measures. By contrast, the additional areas of prototype protection and data protection are optional requirements. Whether you take on these additional requirements will depend on the TISAX® expectations of the OEMs you want to cooperate with.
The scope of the assessment, as well as the effort your company will face, increases from level to level (see graph). Take the Basic assessment, for example: this involves completing a self-assessment using the TISAX® questionnaire for Level 1 protection. For TISAX® Level 2, an independent external auditor accredited by the ENX Association gets involved. This auditor reviews the self-assessment, performs a plausibility check and can ask follow-up questions remotely, e.g. by telephone. Level 3 goes one step further: for the highest protection level, the external auditor verifies the self-assessment with an on-site visit.
What are the advantages of TISAX® certification?
For the automotive industry and its major players, the TISAX® standard presents a number of advantages. The key one? TISAX® provides a recognised and agreed standard for information security within the automotive industry. Moreover, as the industry standard, TISAX® serves as a trusted anchor for all participating companies, preventing costly repeat auditing and making it easier for businesses to collaborate. Suppliers who have verified their TISAX® compliance immediately benefit from recognition as a potential partner throughout the automotive industry.
TISAX® compliance gives audited companies a clear competitive edge and qualifies them to do business with the major OEMs. This is an additional highly effective marketing asset.
Do participants get a TISAX® certificate after undergoing a TISAX® assessment?
No, there is no certificate. Strictly speaking, TISAX® is not a certification process; it is an assessment and exchange mechanism. The result is a report that compiles all the findings of the information security audit. Nonetheless, it is standard in the industry to speak of TISAX® certification, even though audited companies do not receive an official certificate.
To enable companies to advertise their TISAX® compliance even without a certificate, the ENX Association awards the TISAX® label (see below). Companies that have successfully undergone a TISAX® assessment are allowed to use the label. You will have noticed the label says, “Result available”.
What does that mean? ENX keeps a database of all TISAX®-compliant companies. TISAX® participants, among them the major OEMs, have access to the database, allowing them to check immediately whether a potential supplier complies with the industry standards.
*TISAX® is a registered trademark of the ENX Association.
What are the stages of TISAX® assessment?
The first stage for each interested company is to register with ENX for the TISAX® assessment. After registering, companies receive the TISAX® questionnaire, which enables them to complete the required self-assessment, before finally selecting an accredited, independent external auditor. The chosen auditor reviews the self-assessment and may carry out either remote or on-site spot checks if necessary. If the self-assessment uncovers any weak points, the auditor triggers an iterative optimisation process to address them. Once these are resolved, the company meets the requirements for TISAX® certification and is entered into the ENX database.
How much does it cost a company that needs a TISAX® assessment?
There is no one-size-fits-all answer to this question. It will depend on a number of factors. What TISAX® level does your company want to meet? Does your company already have an ISMS, perhaps even one that already meets the ISO 27001 requirements? Or is there still a lot of groundwork left to do before you can even start implementing an ISMS? All of these will affect the cost of achieving TISAX® certification.
One thing is certain: an experienced service partner like DataGuard can provide valuable assistance when it comes to preparing and carrying out your TISAX® assessment, saving your company both time and money. But you shouldn’t underestimate the effort, especially in terms of the time commitment. Our experience shows that companies typically need about a year of lead time before undergoing a TISAX® assessment. Suppliers whose customers require TISAX® compliance should act fast to avoid losing business to their competitors.