What is the certification on TISAX®?

The facts in a nutshell

• TISAX® defines the standard for information security management systems (ISMS) within the automotive industry.
• TISAX® builds on the ISO 27001 standard for certified ISMSs.
• Part of the ENX platform, TISAX® serves participants as an assessment and exchange mechanism. (ENX is an association of European automotive manufacturers and suppliers.)
• ENX has set up TISAX® as a way to ensure a unified level of information security, prototype protection and data protection among all TISAX® participants.
• Companies that want to undergo an assessment for TISAX® should plan and prepare in good time because the entire assessment process takes about one year.

Please note: TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

In this article

• What is TISAX® and what does the acronym stand for?
• How does TISAX® relate to ISO 27001?
• Who needs a certification on TISAX®? What are the requirements?
• How many levels does the assessment on TISAX® contain?
• What are the advantages of a certification on TISAX®?
• Do participants get a certificate for the successful assessment on TISAX®?
• What are the concrete stages of an assessment on TISAX®?
• How much does it cost a company that need an assessment on TISAX®?

What is TISAX® and what does the acronym stand for?

TISAX® stands for Trusted Information Security Assessment Exchange, an information security standard that was developed exclusively for the requirements of the automotive industry. Originally established by the German Association of the Automotive Industry (VDA), the standard has long been a mainstay across Europe – TISAX® has been a registered trademark of the ENX Association, an organisation consisting of European automotive manufacturers and suppliers.

ENX Association is responsible for carrying out the TISAX® procedure based on the VDA’s Information Security Assessment (ISA) catalogue of questions. Unlike ISO 27001 audits of information security management systems (ISMS), TISAX® is largely a self-assessment.

Who needs a certification on TISAX®? What are the requirements?

Certification on TISAX® is not a legal requirement. No company can be mandated to implement a TISAX®-compliant ISMS or to have their ISMS checked through an assessment on TISAX®. But realistically, proof of compliance to TISAX® is a requirement for any company wanting to operate successfully in the automotive industry or as a supplier or partner for car manufacturers. Without proof of compliance with TISAX®, you can forget about working with any of the major OEMs.

The requirements for certification on TISAX® largely match those of ISO 27001. But depending on the level of the assessment on TISAX® you’re aspiring to, your company will have to meet additional requirements – especially for data protection and the industry-specific requirements for prototype protection.

How many levels does the assessment on TISAX® contain?

Depending on your company’s unique needs, the three assessment levels on TISAX® can reflect one of three different levels of protection – from normal to high to very high or Level 1,  Level 2, and Level 3.

Good to know: Similar to ISO 27001, the Basic Assessment on TISAX® covers information security. Every company that wants a certification on TISAX® must implement these basic measures. By contrast, the additional areas of prototype protection and data protection are optional requirements. Whether you endorse these additional requirements will depend on the TISAX® expectations of the OEMs that you want to cooperate with.

The scope of the assessment, as well as the efforts your company will face, increase from level to level (see graph). Take the Basic assessment, for example: this involves completing a self-assessment using the questionnaire on TISAX® for Level 1 protection. For Level 2 of the assessment on TISAX®, an independent external auditor accredited by the ENX Association gets involved. This auditor reviews the self-assessment, performs a plausibility check and has the opportunity to ask remote questions, e.g., by telephone. Level 3 goes one step further: for the highest protection level, the external auditor verifies the self-assessment with an onsite visit.

What are the advantages of the certification on TISAX®?

For the automotive industry and its major players, the TISAX® standard presents a number of advantages. The key one? TISAX® provides a recognised and agreed standard for information security within the automotive industry. Moreover, as the industry standard, TISAX® serves as a trusted anchor for all participating companies, preventing costly repeat auditing and making it easier for businesses to collaborate. Suppliers who have verified their TISAX® compliance immediately benefit from recognition as potential partners throughout the automotive industry.

Compliance with TISAX® gives audited companies a clear competitive edge and qualifies them to do business with the major OEMs. This is an additional highly effective marketing asset.

Do participants get a certificate for the assessment on TISAX®?

No, there is no certificate. Strictly speaking, TISAX® is not a certification process. It’s an assessment and exchange mechanism. The result is a type of report that compiles all the findings of the information security audit. Nonetheless, it is standard in the industry to speak of the certification on TISAX®, even if audited companies don’t have an official certificate.

To enable companies to advertise their TISAX® compliance even without a certificate, the ENX Association awards the label for a successful assessment on TISAX® (see below). Companies that have successfully undergone an assessment on TISAX® are allowed to use the label. You will have noticed the label says, “Result available”.

What does that mean? ENX keeps a database of all TISAX®-compliant companies. TISAX® participants, among them the major OEMs, have access to the database, allowing them to check immediately if a potential supplier complies with the industry standards.

*TISAX® is a registered trademark of the ENX Association.

What are the stages of an assessment on TISAX®?

The first stage for each interested company is to register with ENX for the assessment on TISAX®. After registering, companies receive the questionnaire for the assessment, enabling them to complete the required self-assessment before finally selecting an accredited external independent auditor. The chosen auditor will review the self-assessment and may carry out either remote or on-site spot checks if necessary. If the self-assessment uncovers any weak points, the auditor will trigger an iterative optimisation process to address these. Once resolved, the company will then meet the requirements for the certification on TISAX® and be entered into the ENX database.

Tip: Ensure you're fully prepared with our comprehensive TISAX® Checklist. From setting up your ISMS to final certification, our checklist guides you step-by-step, ensuring no detail is overlooked. Access the complete TISAX® Checklist here."

How much does it cost a company that needs an assessment on TISAX®?

There is no one-size-fits-all answer to this question. It will depend on a number of factors. What Level of the assessment on TISAX® does your company want to meet? Does your company already have an ISMS, perhaps even one that already meets the ISO 27001 requirements? Or is there still a lot of groundwork left to do before you can even start implementing an ISMS? All of these will impact the cost of implementing a certification on TISAX®.

How does TISAX® relate to ISO 27001?

Both standards define the requirements that an ISMS must meet in terms of design, implementation, and operation. ISO 27001 sets out the groundwork that TISAX® builds on. As far as their requirements for information security go, ISO 27001 and TISAX® are practically identical. But the catalogue of requirements on TISAX® also covers optional areas focusing specifically on prototype protection and data protection. So you might say that TISAX® compliance optimises an ISMS for the automotive industry. Depending on the maturity level of your TISAX®-compliant ISMS, it should, at minimum, meet the requirements for ISO 27001 and might even far exceed them.

Tip: Confused about the interplay between ISO 27001 and TISAX®? Discover which one best suits your business needs. Read our comprehensive comparison of ISO 27001 and TISAX® now!

Consultancy on TISAX©

One thing is certain: An experienced service partner like DataGuard can provide valuable assistance when it comes to preparing and carrying out your assessment on TISAX®, saving your company both time and money. But you shouldn’t underestimate the effort! Also, and even especially, in terms of the time commitment.

Our experience shows that companies typically need about a year of lead time before undergoing an assessment on TISAX®. Suppliers whose customers require TISAX® compliance should act fast to avoid losing business to their competitors.

Do you have any unanswered questions about TISAX®? Don't hesitate to reach out to one of our experts for a free consultation.

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.