Checklists

Checklist on TISAX®

Prepare effectively for your assessment on TISAX®

Learn how to assemble your team, identify essential deliverables, and navigate the assessment process with ease.

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

You'll find answers to the following questions:

  • Who from your organisation needs to be involved?
  • How long the assessment on TISAX® typically takes?
  • What result you should aim for?
  • Plus, a 5-step checklist to help you prepare well for your assessment on TISAX®
Look Inside TISAX® Checklist UK - title page Look Inside TISAX® Checklist UK - Page 02 Look Inside TISAX® Checklist UK - Page 04

Why TISAX®?

Automotive OEMs (Original Equipment Manufacturers) and their suppliers form one of the world’s most complex supply chains. In the past, the stringent requirements prevalent in this industry meant that many individual manufacturers conducted audits of their suppliers independently. This led to suppliers having to complete multiple audits by multiple customers, costing a lot of effort, time, and money.

The Trusted Information Security Assessment Exchange (TISAX®) was developed to prevent multiple audits for companies and drive efficiency in the industry. By creating one mutually accepted standard, TISAX® can be applied across companies and even other industries without the need for additional audits. Thanks to TISAX®, a uniform level of information security is now visible and understood.

 

Who from your organisation needs to be involved?

While this topic is often pushed to the IT team, TISAX® affects all business processes. For example, external auditors will examine what security measures you have in place when offboarding and onboarding new employees. The tasks involved (handover of keys or key cards, signing contracts and agreements, the creation of new email accounts) will usually be split across multiple departments. As such, all departments that play a role in the landscape of your core processes will be involved in some way: HR, Legal, IT, Office Managers, Leadership and more.

 

How long should I prepare for the assessment?

The implementation of a strong Information Security Management System (ISMS) takes six months to complete on average. You can be slightly faster, especially with the help of an expert who specialises in preparing for assessments on TISAX®.

The duration of the assessment by the external auditor depends on the size of your company and the amount of travel required between your locations. Around 2-3 days on-site to complete the assessment can be expected for an SMB-size company with around 50 employees.

 

What happens during the assessment?

This assessment can only be performed by certification companies accredited for TISAX® by the ENX Association, which runs the TISAX® scheme. The auditor will look under the hood of your ISMS to assess your processes. For example, they will take a close look at your approach to data privacy and how personal and confidential data is processed in your organisation.

Auditors will also examine your premises and what protective measures you have in place (for example, in the delivery and dispatch areas or the IT rooms).

The process is made up three assessments:

  • Initial assessment

  • Corrective action plan assessment

  • Follow-up assessment

The second and third assessments can often take place several times. This will occur until your organisation has closed all the gaps - all within a maximum period of nine months. If nine months is exceeded, you must complete the initial assessment again.

 

What result should I aim for?

  • Conform: This means you have fulfilled all requirements. This should be your primary goal.

  • Minor non-conform: This means you have at least one minor non-conformity. With this result, you can get temporary labels on TISAX® until the issues are resolved.

  • Major non-conform: This means you have at least one major non-conformity. With this result, you will not receive any labels until the issues are resolved.

The result is valid for a period of three years after which your business must repeat the assessment again.

Get ready for your certification on TISAX® in as little as 3 months



Slash costs by up to 50% compared to conventional, external information security consultants

Book a Demo
Dataguard TISAX Certificate

Section 1: Your ISMS

Define and document the scope of your ISMS

Scope defines your limits/boundaries for which your information security management system ISMS implementation will be applicable. Your scope should cover all your organisation’s systems, processes, physical locations, services, products and departments that need to be protected.

Create a list of all the information you are protecting

Examples include information stored in cloud services (Office, G-Suite), or inside tools like Salesforce, Pipedrive, Workday, Cognos, and Slack. It also includes prototyping tools like Figma and Miro or any other cloud-based tool or platform that your team uses. It should also include information on servers, information that resides with subcontractors/suppliers, information received from customers, etc.

Define and document your information security objectives

This should cover all the ways you intend to ensure confidentiality, integrity, and availability of company information.

Define principles for the secure operation of your systems

Your principles should ensure that your information is protected against unauthorised disclosure and unauthorised or accidental modifications (e.g., deletion or editing of the data). All information should be easily accessible for authorised users.

 

Section 2: Your Team

Define roles and responsibilities

Nominate the responsible members of your team who will help prepare for the assessment. As noted previously, this should include a cross-section of staff, not just IT.

Define and implement a method for training your employees

Regular trainings should take place to ensure that all staff are up to date on information security topics and how this affects their daily work.

Create a guideline for access controls

You need to define rules and guidelines for how access to your information is given, controlled, and monitored.

 

Section 3: Risk Assessment and Treatment

Define a risk assessment methodology

This should cover both natural and physical risks, legal and contractual risks, compliance risks and financial risks.

Create a risk treatment plan and document the results

Your plan should cover what possible risks can occur and how they will be responded to. For example, what would happen if your servers crash, or an important cloud service became unavailable.

Create a risk assessment report

This report is a detailed summary of any potential threats to your organisation. For each risk, you should determine the probability of occurrence, the resulting impact, and the security controls required to prevent it.

 

Section 4: Customers, suppliers and partners

Create a guideline for compliance with suppliers

This document is critical to clarify your company’s requirements, expectations, and penalties regarding matters relating to business operations (e.g. service standards, deliveries, product conditions).

Include clauses for your greatest concern (e.g. how information about confidential prototypes is shared and processed).

Document how you protect the data of your customers

Are you processing the personal or sensitive data of your customers? If so, auditors will check that you have the necessary measures in place to protect this data.

Ensure all legal and contractual requirements are recorded and fulfilled

Define a clear method for documenting requirements for each business relationship.

 

Section 5: Testing and evaluation

Devise a method for monitoring and measuring your ISMS

The best way to determine this is to evaluate how detailed your ISMS is and how smoothly it is running. For example, your progress on risk identification, evaluation and treatment, the status of your documentation, regular management reviews and analysis, etc. An auditor will look to see if the ISMS is working in practice.

Evaluate the results of your monitoring and measuring process

What incidents have occurred, and how many? What incidents have been prevented? Has each staff member been trained effectively? Is each objective you set out at the beginning being met?

Document the corrective measures you have taken based on your findings

This could be anything that you do to avoid or neutralise threats. For example, setting up a new fence or relocating your servers.

Complete a self-assessment on TISAX®

To be ready for an assessment on TISAX®, you must ensure that your ISMS is stable and effective. To find out whether it matches the expected level, you should conduct a self-assessment based on the ISA.

newsletter-image-cta-700

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.

 

Bringing complete peace of mind
to over customers

Canon-4
Hyatt-3
Holiday Inn Düsseldorf
The Cheeky Panda

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk