Your journey to the TISAX® label
Information security for the automotive industry
Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for information security in the automotive industry. The TISAX certification confirms that a company’s information security management system complies with defined security levels and allows sharing of assessment results across a designated platform.
The Original Equipment Manufacturer (OEM) collaborates with multiple companies across the value chain for the design, manufacturing, and distribution of their vehicles. To facilitate collaboration, the OEM frequently shares confidential information, such as a prototype design, with the supplier base. If valuable data is not effectively protected, the exchanges along the supply chain may cause losses, manipulations or even theft of trade secrets. Consequently, OEMs will want to ensure that their suppliers and partners, including marketing and sales organisations, have a solid information security management system in place before they are contracted.
Many suppliers and service providers in the automotive industry process highly sensitive information from their clients. Given this, their clients regularly request evidence of compliance with stringent information security requirements.
In most cases, such evidence is provided with the help of the Information Security Assessment (ISA) criteria catalogues developed by the German Association of the Automotive Industry (VDA). However, as individual manufacturers have conducted these ISAs for their suppliers independently so far, many suppliers have had to undergo the same assessment several times.
To reduce these unnecessary efforts and expenses, in early 2017 VDA established TISAX (Trusted Information Security Assessment Exchange), a new assessment and exchange mechanism. TISAX standard has been designed to support cross-company recognition of information security assessments in the automotive industry. By sharing their ISA results online, companies enable OEMs to verify for themselves whether a service provider or supplier has already successfully completed the assessment. In addition, TISAX can be used to commission audit providers such as TÜV SÜD to carry out an assessment. The results of such assessments are valid for three years.
Following registration, companies and audit providers can access the platform and share information. VDA has opted for ENX Association as TISAX operator and third-party body.
With TISAX, participants using the platform can:
Assessments may only be performed by audit providers specifically accredited for TISAX.
TÜV SÜD is approved by ENX to perform TISAX assessments and to issue the respective report and label.
Important for you: You keep control over your results at all times – this information can only be exchanged and shared after prior approval.
There are three TISAX assessment levels:
Level 1: Standard suppliers only need to complete the ISA questionnaire and publish this self-assessment in TISAX.
Level 2: In case of more complex suppliers, the self-assessment will be followed by random plausibility checks by telephone by an approved audit provider.
Level 3: Suppliers who handle highly sensitive external data undergo on-site inspection by an approved audit provider based on their self-assessment.
Companies often embark on the TISAX certification process upon request of a potential customer. Others initiate the process to be well-positioned for future prospects. Your individual TISAX journey will depend on your objectives, as well as the status of your current information security system. Irrespective of the path chosen, TÜV SÜD offers training and certification services to support you through the process, step-by-step.
The TISAX process consists of two phases: preparation and certification
As a first step, identify the requirements your company are facing and map them against your implemented information security management system (ISMS).
The initial and mandatory self-assessment is followed by a third-party assessment. The audit can either require a documentation-based plausibility check (Assessment Level 2), or a more comprehensive on-site-inspection (Assessment Level 3). Upon completion of the successful audit, the auditor uploads the final report to your TISAX platform, including your company’s TISAX-label. With your approval, OEMs and other partners can then access your TISAX status, thereby attaining a third-party confirmation of your security efforts.
In step 1 suppliers are classified by an OEM/client depending on the sensitivity of the data involved.
In the next step they register with ENX, including their scope number.
TÜV SÜD carries out the assessment in line with the requested level.
The assessed company receives the report from the TÜV SÜD auditors.
The assessed company eliminates identified vulnerabilities.
The completed report is uploaded to the exchange platform. Exchange of these summaries is only possible among registered participants and only after the assessed company has expressly released the results to the company that places the request.
TÜV SÜD is a leading provider of auditing and training services for management system standards. With an international network of auditors and a broad training portfolio, we help customers worldwide to achieve stable operations and improved performance.
TÜV SÜD provides public training for professionals and companies of all sizes and industries. More than 300 experts at over 80 locations provide state-of-the-art technical and management qualification programs using a hands-on and practice-focused approach. Our qualifications and personnel certificates satisfy the highest quality standards and enjoy an excellent global reputation.
TÜV SÜD’s experienced auditors possess the accreditation and expertise to conduct ISO/IEC 27001 audits across industries. Furthermore, TÜV SÜD conducts TISAX assessments for the automotive industry, as approved by ENX. Through our worldwide network of professionals, we can provide TISAX certification in India no matter where your business is located. The TÜV SÜD certification mark is recognised throughout industries, instilling trust and transparency.
The dedicated online platform is designed to support cross-company exchange of information security assessment results in the automotive industry. The platform enables companies to provide assessment information, thereby confirming to direct business partners, or any other company participating in the TISAX scheme, that their level of information security is in conformity with TISAX requirements.
Following registration, companies are granted access to the platform and can exchange information. Registered TISAX participants can:
TISAX assessments may only be performed by audit providers explicitly approved by ENX and specifically accredited, or in the process of being accredited, for TISAX. The platform contains a list of accredited service providers, such as TÜV SÜD.
The assessment results are valid for up to three years. At all times, the assessment data and results remain under the control of the assessed company and are only shared with the company’s prior consent and approval.
Implement an Information Security Management System according to ISO / IEC 27001
Strengthen your competitive capabilities by demonstrating commitment to quality.
Gear up for safety and success in the automotive & transportation industry.