TISAX Audit and Certification - Information security for the automotive industry

Trusted Information Security Assessment Exchange (TISAX) Audit and Certification

Your journey to the TISAX® label

Information security for the automotive industry


 

What is TISAX?

 

Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for information security in the automotive industry. The TISAX certification confirms that a company’s information security management system complies with defined security levels and allows sharing of assessment results across a designated platform.

 

WHY IS INFORMATION SECURITY IMPORTANT TO OEMS?

 

The Original Equipment Manufacturer (OEM) collaborates with multiple companies across the value chain for the design, manufacturing, and distribution of their vehicles. To facilitate collaboration, the OEM frequently shares confidential information, such as a prototype design, with the supplier base. If valuable data is not effectively protected, the exchanges along the supply chain may cause losses, manipulations or even theft of trade secrets. Consequently, OEMs will want to ensure that their suppliers and partners, including marketing and sales organisations, have a solid information security management system in place before they are contracted.

 

Many suppliers and service providers in the automotive industry process highly sensitive information from their clients. Given this, their clients regularly request evidence of compliance with stringent information security requirements.

 

In most cases, such evidence is provided with the help of the Information Security Assessment (ISA) criteria catalogues developed by the German Association of the Automotive Industry (VDA). However, as individual manufacturers have conducted these ISAs for their suppliers independently so far, many suppliers have had to undergo the same assessment several times.

 

To reduce these unnecessary efforts and expenses, in early 2017 VDA established TISAX (Trusted Information Security Assessment Exchange), a new assessment and exchange mechanism. The TISAX standard has been designed to support cross-company recognition of information security assessments in the automotive industry. By sharing their ISA results online, companies enable OEMs to verify for themselves whether a service provider or supplier has already successfully completed the assessment. In addition, TISAX can be used to commission audit providers such as TÜV SÜD to carry out an assessment. The results of such assessments are valid for three years.

 

Following registration, companies and audit providers can access the platform and share information. VDA has opted for ENX Association as TISAX operator and third-party body.

 

With TISAX, participants using the platform can:

  • Commission accredited service providers to carry out assessments
  • Share the results of completed assessments with other participants
  • View the results of other participants

Benefits of attaining the TISAX label

  • No duplication or multiplication of assessments
  • Major time and cost savings based on cross-company recognition of assessments and information 
  • Trust in assessed companies

Assessments may only be performed by audit providers specifically accredited for TISAX.

TÜV SÜD is approved by ENX to perform TISAX assessments and to issue the respective report and label.

Important for you: You keep control over your results at all times – this information can only be exchanged and shared after prior approval.

 

What are the different TISAX Assessment Levels?

 

There are three TISAX assessment levels:

 

Level 1: Standard suppliers only need to complete the ISA questionnaire and publish this self-assessment in TISAX.

 

Level 2: In case of more complex suppliers, the self-assessment will be followed by random plausibility checks by telephone by an approved audit provider.

 

Level 3: Suppliers who handle highly sensitive external data undergo on-site inspection by an approved audit provider based on their self-assessment.

 

A STEP-BY-STEP GUIDE TO TISAX CERTIFICATION


Companies often embark on the TISAX certification process upon request of a potential customer. Others initiate the process to be well-positioned for future prospects. Your individual TISAX journey will depend on your objectives, as well as the status of your current information security system. Irrespective of the path chosen, TÜV SÜD offers training and certification services to support you through the process, step-by-step.

The TISAX process consists of two phases: preparation and certification.

 

TISAX Certification process

 

PREPARE FOR YOUR TISAX ASSESSMENT

 

As a first step, identify the requirements your company is facing and map them against your implemented information security management system (ISMS).

  • If your company does not yet have an effective information security management system (ISMS) in place, one option could be to implement an ISMS according to the leading management system standard for information security, ISO/IEC 27001. Implementation and certification according to ISO/IEC 27001 is not a requirement for TISAX but ensures effective information security management for your company overall. Furthermore, it is regarded as a solid foundation for a subsequent TISAX assessment. TÜV SÜD offers public training to support implementation of an ISMS, as well as auditing and certification services for companies interested in an ISMS according to ISO/IEC 27001.

  • The TISAX certification process starts with a thorough self-assessment. A good understanding of the TISAX requirements and criteria is vital for the internal analysis and can help you take necessary steps to close critical gaps before the external audit. TÜV SÜD provides comprehensive training for professionals who would like to learn more about the TISAX requirements and structure, including the certification process. 

The TISAX Assessment in 6 steps

 

The initial and mandatory self-assessment is followed by a third-party assessment. The audit can either require a documentation-based plausibility check (Assessment Level 2), or a more comprehensive on-site inspection (Assessment Level 3). Upon successful completion of the audit, the auditor uploads the final report to your TISAX platform, including your company’s TISAX label. With your approval, OEMs and other partners can then access your TISAX status, thereby attaining a third-party confirmation of your security efforts.

 

Step 1: Classification

In step 1 suppliers are classified by an OEM/client depending on the sensitivity of the data involved.

 

Step 2: Registration

In the next step they register with ENX, including their scope number.

 

Step 3: Assessment

TÜV SÜD carries out the assessment in line with the requested level.

 

Step 4: Report

The assessed company receives the report from the TÜV SÜD auditors.

 

Step 5: Elimination of vulnerabilities

The assessed company eliminates identified vulnerabilities.

 

Step 6: Uploading of report

The completed report is uploaded to the exchange platform. Exchange of these summaries is only possible among registered participants and only after the assessed company has expressly released the results to the company that places the request.

 

Why Choose TÜV SÜD?

 

TÜV SÜD is a leading provider of auditing and training services for management system standards. With an international network of auditors and a broad training portfolio, we help customers worldwide to achieve stable operations and improved performance.

TÜV SÜD provides public training for professionals and companies of all sizes and industries. More than 300 experts at over 80 locations provide state-of-the-art technical and management qualification programs using a hands-on and practice-focused approach. Our qualifications and personnel certificates satisfy the highest quality standards and enjoy an excellent global reputation.

TÜV SÜD’s experienced auditors possess the accreditation and expertise to conduct ISO/IEC 27001 audits across industries. Furthermore, TÜV SÜD conducts TISAX assessments for the automotive industry, as approved by ENX. Through our worldwide network of professionals, we can provide TISAX certification in India no matter where your business is located. The TÜV SÜD certification mark is recognised throughout industries, instilling trust and transparency.

 

Frequently Asked Questions

 

  • What are the advantages that TISAX offers?
    • The TISAX label helps you save time and cost by avoiding duplication of assessments based on customer requirements.
    • You can gain a competitive edge by fulfilling stringent requirements and creating customer trust.
    • It helps you in protecting critical data and reducing liabilities.
  • Why is TISAX important?

    The dedicated online platform is designed to support cross-company exchange of information security assessment results in the automotive industry. The platform enables companies to provide assessment information, thereby confirming to direct business partners, or any other company participating in the TISAX scheme, that their level of information security is in conformity with TISAX requirements.

  • What happens after a company registers on the TISAX platform?

    Following registration, companies are granted access to the platform and can exchange information. Registered TISAX participants can:

    • Get a list of accredited audit providers commissioned to carry out the assessments
    • Share the results of completed assessments with other participants
    • Access the results of other participants (provided the results have been shared with them).
  • Who is authorised to perform TISAX assessments?

    TISAX assessments may only be performed by audit providers explicitly approved by ENX and specifically accredited, or in the process of being accredited, for TISAX. The platform contains a list of accredited service providers, such as TÜV SÜD.

  • For how long are the TISAX assessment results valid?

    The assessment results are valid for up to three years. At all times, the assessment data and results remain under the control of the assessed company and are only shared with the company’s prior consent and approval.
