TISAX Informations - TISAX - solution


Information about TISAX

TISAX® Overview

Basics about TISAX®

Trusted Information Security Assessment eXchange (TISAX®) is an exchange procedure of the automotive industry to prove an implemented maturity level of information security.

As early as 2005, the German Association of the Automotive Industry (VDA) and its members recognized the need to protect sensitive data and information in the value chain (supply chain). To this end, it developed the "Framework requirements for product security in the German automotive industry (prototype protection)" in a working group with Audi, BMW, Daimler-Chrysler, Opel, TGA and VW. In terms of content, points such as camouflage, test site, testing and trial, photography and transport were safeguarded at that time. This is the basis for today's part (25) of the VDA Information Security Assessment (VDA ISA).

This procedure has been steadily developed into today's VDA ISA test catalog. The VDA thus created the part of the test basis. This responsibility still lies with the VDA today.

Until now, however, each automotive manufacturer used this VDA ISA audit catalog itself to audit its suppliers. This meant that a supplier had to endure not just one assessment, from VW for example, but one from each of its customers. This created a lot of work for the car manufacturers as well as for the audited suppliers. For this reason, the VDA and its members came up with the idea of developing a recognized procedure in the automotive industry for proving implemented information security. That procedure is TISAX®, an exchange procedure for proving the maturity level of information security.

Since May 2017, the TISAX® test procedure has been established and piloted by ENX under the umbrella of the VDA. The basis for this was the VDA ISA audit catalog 3.0. The VDA has commissioned ENX with the operation of TISAX. ENX was founded as a European association of the automotive industry under the leadership of the VDA in 2000. TISAX® and ENX® are registered trademarks of ENX.

What is TISAX?

TISAX® is an exchange procedure for assessment results for maturity levels in information security. For this purpose, the ENX organization offers an electronic exchange platform (database) in which the security levels achieved are entered in the form of "TISAX labels". The respective business partners activate themselves for viewing and thus communicate the security level. This is based on assessments that use the VDA ISA audit catalog and evaluate a maturity level of information security implementation as a result.

TISAX test objectives / assessment level

To demonstrate information security, TISAX labels are used in eight categories and two levels of protection.

Each TISAX label indicates a maturity level in the areas of information security (ISMS), data protection and prototype protection based on the requirements of the VDA ISA audit catalog.

On the basis of the TISAX labels, a customer can then assess the classification and suitability of a supplier or determine its suitability for orders.

What is the TISAX procedure?

The TISAX procedure and registration with ENX is carried out in four steps.

Step 1 - Registration on the TISAX portal

In the first step, the company has to enter the following data on the ENX portal:

  • Type of company (agency, consulting, development, forwarding, ...) and the sites
  • Scope, processes and systems
  • Goals - according to the labels

A company that does not work with information to be protected in a given area, such as data protection or prototype information, does not need the objectives for that audit area.

Step 2 - Perform TISAX Self-Assessment according to VDA-ISA

A TISAX self-assessment must be performed. For this purpose, the VDA ISA audit form is used and must be filled in. A maturity level of 3 should be available for a self-assessment.

A testing service provider such as SGS, TÜV, DEKRA or PWC that will carry out the TISAX® assessment must not provide support here.

This is where the need for external consulting usually arises. Very few companies have the know-how to fully implement TISAX.

Step 3 - Selection of a TISAX assessment company

ENX offers the possibility to accredit auditing companies. The company can commission one of these audit companies with the audit.

Step 4 - TISAX audit by certified body

The auditor performs several steps:

  • Kick-off meeting
  • Plausibility check / stocktaking
  • TISAX audit in the form of an assessment
  • Preparation of TISAX assessment (audit) report
  • Decision on awarding the TISAX® label
  • Transmission of the results to ENX

If the assessment (audit) shows that the TISAX management system is not yet fully compliant, the audited company can submit a corrective action plan. The corrective actions must then be remedied within 9 months at the latest. A follow-up audit will be performed. This must be paid for separately.

The corrective action plan can be recognized by the TISAX auditing company so that temporary TISAX labels can be issued. In the post-audit, these temporary labels can be converted into permanent ones at a later date.

The duration of the TISAX confirmation is 3 years. In contrast to ISO 27001 certification, there are no annual audits. If a new application for TISAX is submitted after 3 years, the 3 years must of course also have been "lived" - i.e. corresponding evidence must be available.

The audit result is published on the ENX TISAX platform for all participants or selected business partners by the audited company. The audited company decides what is to be documented and published and can specify the level of detail.

After three years, the process starts all over again.

Who is allowed to conduct TISAX® assessments?

A TISAX assessment is often mistakenly referred to as a TISAX certification or TISAX audit. This is incorrect. Certification is what is performed for ISO 27001; for TISAX it is an assessment. The TISAX® assessments are carried out by auditing companies such as SGS, DEKRA, TÜV, etc. The audit companies must register with ENX, train and appoint assessors accordingly, and are then allowed to perform the TISAX® assessments.

Here you can find ENX approved certified bodies: ENX Certified Bodies

An audit firm is not allowed to provide advice on the implementation of TISAX®.

Importance of TISAX

BMW and VW make this assessment process mandatory as an admission criterion for supplier approval or for consideration in tenders or contract award. VW has determined since 2021 that the VW Group will no longer recognize other security standards such as ISO 27001. Other members of the VDA will follow suit.

What is new with TISAX is that a supplier only has to be audited once by the ENX certification body according to the TISAX test procedure - the previous supplier audits for information security are no longer required. The TISAX labels are then valid for all companies affiliated with the VDA and are recognized among themselves.

It is interesting to note that this procedure may also be used for the pharmaceutical and financial industries. Siemens and Telekom may also go down this route.

Both large and small companies already have TISAX labels. Amazon or Telekom Cloud already have a TISAX label as proof of audit. However, the scope of application must always be taken into account.

This site is operated by CONSUVATION GmbH.