TISAX: the stan­dard for infor­ma­ti­on secu­ri­ty in the auto­mo­ti­ve industry

After an exten­ded deve­lo­p­ment pro­cess, the Ger­man Auto­mo­ti­ve Indus­try Asso­cia­ti­on (VDA) crea­ted a new indus­try stan­dard in 2017 based on the ISO/IEC 27001 standard.

TISAX: Trus­ted Infor­ma­ti­on Secu­ri­ty Assess­ment Exchange

TISAX is desi­gned to offer com­ple­te infor­ma­ti­on secu­ri­ty for all stages of the sup­p­ly chain while at the same time sim­pli­fy­ing the reco­gni­ti­on pro­cess for exter­nal pro­vi­ders. Fol­lo­wing the two-year pilot test­ing pha­se in 2016 and 2017, as of 2018, the­re is no lon­ger any alter­na­ti­ve to the TISAX label in the medi­um term for busi­nesses which intend to work with or for auto­mo­ti­ve com­pa­nies. TISAX is ope­ra­ted by the ENX Asso­cia­ti­on, an asso­cia­ti­on of Euro­pean auto­mo­ti­ve manu­fac­tu­r­ers, sup­pli­ers and asso­cia­ti­ons which was enga­ged by VDA as a neu­tral body.

The TISAX process

The enti­re TISAX pro­cess con­sists of three steps: regis­tra­ti­on, the actu­al assess­ment and the exch­an­ge of the assess­ment results.

It is par­ti­cu­lar­ly important to defi­ne the scope and goals of the assess­ment when regis­tering for TISAX, as the­se form the basis for the actu­al assess­ment in the second stage of the pro­cess. In defi­ning the scope of the assess­ment, a distinc­tion is made bet­ween the stan­dard scope and a cus­tom (exten­ded or nar­ro­wed) scope. Only assess­ment results from the stan­dard scope of the assess­ments are (gene­ral­ly) accept­ed by other TISAX par­ti­ci­pan­ts, while a nar­ro­wed scope is not sui­ta­ble for the TISAX label and an exten­ded scope is accept­ed only inso­far as it includes standard-scope assess­ment results. In addi­ti­on to the scope, the goals of the assess­ment are also defi­ned upon regis­tra­ti­on. The­se goals deter­mi­ne the appli­ca­ble requi­re­ments for the participant’s infor­ma­ti­on secu­ri­ty manage­ment sys­tem (ISMS) and are to be deter­mi­ned depen­ding on the type of data which is to be pro­ces­sed and its level of pro­tec­tion. Types of assess­ment goals may include infor­ma­ti­on secu­ri­ty, pro­to­ty­pe pro­tec­tion, data pro­tec­tion and pro­tec­tion upon invol­vement of third par­ties, and may ent­ail a high or very high level of pro­tec­tion in each case. The hig­her the level of pro­tec­tion for the indi­vi­du­al data, the hig­her the assess­ment level and the more inten­si­ve the assess­ment will be, ran­ging from self-reporting by the par­ti­ci­pant and document-based assess­ments to on-site assessments.

The actu­al assess­ment in the second stage of the pro­cess beg­ins with a VDA self-assessment by the par­ti­ci­pant (pre­pa­ra­to­ry assess­ment). This is per­for­med using the ques­ti­on­n­aire which has been deve­lo­ped for this pur­po­se, who­se assess­ment is imple­men­ted using a matu­ri­ty level model (Level 0 – Level 5). 

The results of the assess­ment are sum­ma­ri­zed and com­pared against the tar­get matu­ri­ty levels. Only after this self-assessment is per­for­med is a TISAX-accredited assess­ment ser­vice pro­vi­der sel­ec­ted in order to per­form and super­vi­se an infor­ma­ti­on secu­ri­ty assess­ment (ISA) or assess­ments based on the assess­ment scope and the self-assessment. This assess­ment beg­ins in each case with an “initi­al assess­ment”; if this initi­al assess­ment reve­als that the par­ti­ci­pant is con­forming (i.e. that it adhe­res to requi­re­ments and actu­al ISMS), it leads direct­ly to an offi­ci­al TISAX report and the issu­an­ce of a TISAX label. Other­wi­se, if the results of the initi­al assess­ment are not “con­forming” and reve­al a “major non-conformity,” the assess­ment ser­vice pro­vi­der will prepa­re a plan of action based on the initi­al assess­ment and a sub­se­quent assess­ment is per­for­med once the par­ti­ci­pant com­ple­tes this plan of action. The pre­pa­ra­ti­on and exe­cu­ti­on of plans of action and sub­se­quent assess­ments are then to be repea­ted until the par­ti­ci­pant meets the requi­re­ments and is issued a TISAX label, or until the maxi­mum dura­ti­on of nine months is rea­ched. If no TISAX label is issued in this nine-month peri­od, a new initi­al assess­ment is required.

Once the par­ti­ci­pant recei­ves a TISAX label, its assess­ment results are exch­an­ged on the ENX portal’s exch­an­ge plat­form, in the final stage of the TISAX pro­cess. TISAX labels can gene­ral­ly assu­med to be valid for three years, begin­ning with the time of the initi­al assessment.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.