Trusted Information Security Assessment Exchange (TISAX)

In early 2017 VDA established TISAX (Trusted Information Security Assessment Exchange), a new assessment and exchange mechanism. The dedicated TISAX online platform is designed to support cross-company recognition of information security assessments in the automotive industry. By sharing their ISA results online on TISAX, companies enable OEMs to verify for themselves whether a service provider or supplier has already successfully completed the assessment. In addition, TISAX can be used to commission audit providers such as TÜV SÜD to carry out an assessment. 

Your Benefits at a Glance  

• Assessments will be performed only by local experts
• No duplication or multiplication of assessments
• Major time and cost savings based on cross-company recognition of assessments and information 
• Trust in assessed companies

TISAX Assessment Services from TÜV SÜD

TÜV SÜD is currently undergoing the accreditation process and is allowed to carry out TISAX assessments. 

There are three assessment levels:

Level 1: Standard suppliers only need to complete the ISA questionnaire and publish this self-assessment in TISAX.

Level 2: In case of more complex suppliers, the self-assessment will be followed by random plausibility checks by telephone by an approved audit provider.

Level 3: Suppliers who handle highly sensitive external data undergo on-site inspection by an approved audit provider based on their self-assessment.

THE TISAX ASSESSMENT IN 6 STEPS
 
The initial and mandatory self-assessment is followed by a third-party assessment. The audit can either require a documentation-based plausibility check (Assessment Level 2), or a more comprehensive on-site-inspection (Assessment Level 3). Upon completion of the successful audit, the auditor uploads the final report to your TISAX platform, including your company’s TISAX-label. With your approval, OEMs and other partners can then access your TISAX status, thereby attaining a third-party confirmation of your security efforts.

STEP 1: CLASSIFICATION
In step 1 suppliers are classified by an OEM/client depending on the sensitivity of the data involved.

STEP 2: REGISTRATION
In the next step they register with ENX, including their scope number.

STEP 3: ASSESSMENT
TÜV SÜD carries out the assessment in line with the requested level.

STEP 4: REPORT
The assessed company receives the report from the TÜV SÜD auditors.

STEP 5: ELIMINATION OF VULNERABILITIES
The assessed company eliminates identified vulnerabilities.

STEP 6: UPLOADING OF REPORT
The completed report is uploaded to the exchange platform. Exchange of these summaries is only possible among registered participants and only after the assessed company has expressly released the results to the company that places the request.