Data Protection Academy » Data Protection Wiki » TISAX®
TISAX® requirements: Prepare certification step by step
TISAX and the VDA-ISA question catalogue are two important standards for information security in the automotive industry. TISAX® is a certification scheme developed by the ENX Association that assesses the information security requirements of companies in the automotive industry. The VDA-ISA question catalogue is a questionnaire that forms the basis for the TISAX® assessment.
In this blog post, you will learn how to optimally prepare for the TISAX certification or the TISAX audit can prepare. What steps are necessary, where there are parallels to information security and data protection and what innovations VDA-ISA Version 6 brings with it.
Most important information about TISAX®
- TISAX is a international standard for information security in the automotive industry. It was developed by the VDA together with the ENX Association.
- TISAX is a Standard for information security management systems and is based on the Requirements of ISO/IEC 27001. However, it contains additional requirements resulting from the special needs of the automotive industry.
- TISAX is used by companies that work with the Automotive industry work together. This includes Suppliers, service providers and manufacturers of vehicles and vehicle components.
- TISAX certification is voluntary. However, it is recognised by many car manufacturers as Prerequisite for cooperation required.
- Certification in accordance with TISAX is a complex process. It requires a self-assessment and regular recertification.
Content on TISAX®, TISAX® assessment and TISAX® certification:
What is TISAX®?
Definition of TISAX®
TISAX® stands for "Trusted Information Security Assessment Exchange" and is a standardised test procedure for information security in the automotive industry. TISAX® was developed to ensure that companies processing sensitive information and data in the automotive industry fulfil the necessary security standards and requirements. This security assessment process enables organisations to review, improve and demonstrate their information security to business partners. TISAX® is an important step towards ensuring data security and protection against cyber threats in the automotive industry.
Relationship between TISAX®, VDA and ISA
TISAX, VDA and ISA are closely linked concepts that play an important role in the automotive industry.
TISAXTrusted Information Security Assessment Exchange
VDAAssociation of the Automotive Industry
ISAInformation Security Assessment
TISAX® is a standardised assessment procedure for information security in the automotive industry and was developed by the ENX Association to ensure that companies that process sensitive information in the automotive industry meet the necessary security standards and requirements. TISAX is based on international standards and is a platform on which companies can certify and exchange their information security.
The VDA is the German Association of the Automotive Industry, represents the interests of automotive manufacturers and suppliers in Germany and has helped to develop the TISAX standards and requirements together with other organisations and players from the industry. The VDA supports the dissemination and implementation of TISAX in the automotive industry.
ISA is an instrument used within the framework of TISAX to assess the information security of organisations. The so-called ISA assessments are carried out by authorised TISAX assessment bodies to check compliance with security standards and requirements. The results of ISA assessments are decisive for the TISAX certification of organisations.
How does TISAX® work?
Participants in the TISAX® procedure must commit to a Online portal register in order to exchange information on the status of information security, the so-called assessment data, among other things. The portail also serves to exclude contact with other participants in the TISAX procedure:
- ENX Association: The ENX Association maintains the criteria framework ("TISAX ACAR"). It authorises assessment service providers and monitors the quality of the implementation of the assessment results.
- Testing service provider: The audit service provider is authorised by the ENX Association and carries out the audit at the participant's premises. The audit service provider makes the assessment result available to the assessed participant.
- Participants: The participant is a company registered in TISAX and is assessed by an assessment service provider.
1. preparation
Organisations seeking TISAX certification must prepare for the process. This includes selecting the relevant TISAX maturity levels based on the security requirements and needs of the organisation.
2. selection of a TISAX assessment centre
The company selects an authorised TISAX assessment body to carry out the TISAX assessment. These bodies are authorised by the ENX Association and carry out independent security assessments.
3rd TISAX assessment:
The TISAX assessment centre carries out the assessment, in which the company's information security measures and processes are reviewed. This includes aspects such as data protection, cybersecurity, IT infrastructure and risk management.
4. ISA assessment
During the assessment, the Information Security Assessment (ISA) is used as a tool to evaluate the security of the organisation. ISA serves as the basis for the review of information security standards.
5 Report and recommendations
The results of the assessment are recorded in a report. This report contains recommendations for improving information security and shows whether the company fulfils the TISAX requirements.
6. preparation for the TISAX audit
After the TISAX assessment, the company prepares for the TISAX audit, which is the final step in the certification process.
7th TISAX audit
An authorised TISAX audit team carries out the TISAX audit. This checks whether the company fulfils the security standards in accordance with the selected TISAX maturity levels.
8. certification
Upon successful verification and fulfilment of the TISAX requirements, the company is awarded TISAX certification. This confirms that it fulfils the high standards for information security in the automotive industry.
Background information on TISAX®
Origin and development of TISAX®
The origins and development of TISAX, the Trusted Information Security Assessment Exchange, are closely linked to the automotive industry and the challenges of information security in this sector.
The ENX Associationa European network operator for the automotive industry, plays a central role in the origin of TISAX. The ENX Association aims to promote secure data exchange and collaboration in the automotive industry. With the increasing use of digital technologies and increased networking in the automotive industry, the need for robust Establish safety standards. Sensitive information, particularly in the area of product development and the supply chain, required a greater protection against cyber threats.
The ENX Association worked closely with various stakeholders in the automotive industry, including manufacturers, suppliers and service providers. Together, they recognised the importance of a standardised method for assessing and certifying information security. Based on this realisation, the ENX Association developed TISAX as a standardised assessment procedure for information security. The focus was on creating a standardised and recognised system that would enable companies to certify their information security and have this certification recognised across the industry.
TISAX is orientated towards international standards for information security and data protectionto ensure that the measures and requirements developed are recognised globally. TISAX has become a standard in the automotive industry that is accepted by many companies. The industry-wide acceptance is reflected in the increasing number of companies seeking TISAX certifications to prove their information security.
Differentiation of TISAX® from ISO 27001
TISAX (Trusted Information Security Assessment Exchange) and ISO 27001 are two different approaches to information security that are used in different contexts. TISAX is specifically geared towards the automotive industry, while DIN EN ISO 27001 offers more general applicability. Companies choose their approach depending on their industry, their specific requirements and the expectations of their business partners.
Here are the main differences between TISAX and ISO 27001:
Industry specificity
- TISAX is specially designed to meet the requirements of the automotive industry. It was developed to ensure the protection of sensitive information in this specialised sector.
- ISO 27001 on the other hand, is an international standard that provides general guidelines for information security management in various industries.
Target group
- TISAX is primarily aimed at companies that are active in the automotive industry supply chain, such as manufacturers, suppliers and service providers.
- ISO 27001 is more general and can be applied to companies in any industry, regardless of their role in the supply chain.
Focus on the supply chain
- TISAX places a special focus on security in the automotive industry supply chain. Companies must not only guarantee their information security internally, but also ensure that partners and suppliers implement appropriate security measures.
- ISO 27001 is broader in scope and focuses less explicitly on the specific requirements within a supply chain.
Assessment and certification
- TISAX uses the TISAX assessment and TISAX audit to assess and certify information security. The certification is geared towards specific maturity levels.
- ISO 27001 relies on an information security management system (ISMS) that is developed and implemented in accordance with the requirements of the standard. Certification is carried out by an independent testing centre.
International applicability
- TISAX is specific to the automotive industry and is mainly used by companies within this sector.
- ISO 27001 is internationally recognised and can be applied in companies worldwide.
Connection between TISAX® and data protection
TISAX and data protection are closely linked. The VDA-ISA standard, on which the TISAX certification is based, also contains data protection requirements. These requirements are defined in the following areas:
- Organisation of data protection: Appointment of a data protection officer, if required by law, otherwise by appointing a data protection officer
- Meeting of technical and organisational measuresn in relation to the lawful processing of personal data
- Implementation of a Data protection management system and regular updating and quality checks.
- Documentation essential activities in relation to the legal requirements in the area of data protection.
Implementing data protection in preparation for TISAX certification
The consultants at Robin Data GmbH will help you to organise your organisational data protection. From the implementation of a data protection management system to the development of measures specifically for your organisation and the documentation of activities.
Advantages of TISAX®
The TISAX certification in detail
Which companies need TISAX®?
TISAX, the Trusted Information Security Assessment Exchange, is generally required by organisations in the automotive industry. In particular, organisations operating in the automotive supply chain should seek TISAX certifications. The decision to seek TISAX certification often depends on an organisation's role in the supply chain and whether it processes sensitive information that is subject to TISAX security standards. Organisations should consult with their customers and business partners to determine whether TISAX certification is required.
Actors that are involved in the automotive industry supply chain and typically require TISAX certification are
- Car manufacturer
- Supplier of vehicle parts
- Service providers in the automotive industry (e.g. IT service providers, consulting companies or logistics service providers)
- Software developer for vehicle systems
- Production companies in the automotive supply chain
TISAX® protection classes and assessment levels
TISAX distinguishes between three assessment levels (protection requirements), depending on the level of protection required: normal (level 1), high (level 2) and very high (level 3). The assessment methods and the effort required are determined by the specified security requirements.
The choice of the right TISAX assessment level depends on the specific requirements of the organisation. Companies should therefore seek advice from a qualified consultant in order to select the right level for their organisation.
Depending on how high the need for data protection is categorised, the scope and effort of the checks also increases.
TISAX Assessment Level 1
The TISAX Assessment Level 1 is the basic level of the TISAX certification. It covers the requirements of the VDA-ISA standard for information security in the automotive industry. The potential damage to the organisation is limited and manageable.
Inspection scope: Basic check or self-assessment
The Level 1 assessment is for organisations with normal protection requirements thought that:
- Do not process sensitive data
- Do not execute any critical processes
- do not have high information security requirements
TISAX Assessment Level 2
The TISAX Assessment Level 2 is the intermediate level of the TISAX certification. It includes all the requirements of the VDA-ISA standard plus additional information security requirements. The potential damage to the organisation can be considerable.
Inspection scope:
- Self-assessment
- Plausibility check of the self-assessment by an accredited auditor
- Audit of the ISMS
The Level 2 assessment is for organisations with high protection requirements thought that:
- Process sensitive data
- Execute critical processes
- have high information security requirements
TISAX Assessment Level 3
TISAX Assessment Level 3 is the highest level of TISAX certification. It includes all the requirements of the VDA-ISA standard plus additional information security requirements that are necessary for organisations with very high security requirements. The potential damage can reach existentially threatening or catastrophic proportions for the organisation.
Inspection scope:
- Self-assessment
- Plausibility check of the self-assessment by an accredited auditor on site
- Assessment of the effectiveness and maturity of the ISMS on site
The Level 3 assessment is for organisations with Very high protection requirements thought that:
- process very sensitive data
- Execute very critical processes
- have very high information security requirements
TISAX® maturity levels
The TISAX maturity model is a 5-stage model that assesses the implementation of the requirements of the TISAX standard. The maturity levels range from 0 for "incomplete" to 5 for "optimising". When auditing the information security management system (ISMS), the implementation of partial results is assessed using the TISAX maturity levels. An average is calculated from the evaluation of these partial results; this value corresponds to the maturity level of the ISMS. At least maturity level 3 must be achieved for successful certification in accordance with TISAX®.
Maturity level | Description |
---|---|
0: Incomplete | At maturity level 0, the requirements of the TISAX standard are not met. There is no process within the organisation, no process is followed or the process is not suitable for achieving the objective. |
1: Carried out | At maturity level 1, the requirements of the TISAX standard are generally fulfilled. However, the measures are not or only incompletely documented and there is no systematic monitoring or improvement. |
2: Controlled | At maturity level 2, the requirements of the TISAX standard are documented and there is systematic monitoring and improvement. However, the measures are not always implemented effectively. |
3: Established | At maturity level 3, the requirements of the TISAX standard are implemented effectively. The measures are integrated into the corporate culture and there is a continuous improvement process. |
4: Predictable | At maturity level 4, the requirements of the TISAX standard are implemented so well that deviations from the targets are predictable. There is a high level of security and reliability. |
5: Optimising | The requirements of the TISAX standard are continuously optimised at maturity level 5. There is an active exchange with stakeholders and new findings and technologies are utilised. |
Steps to TISAX® certification
TISAX certification is a process carried out by an organisation to demonstrate that it meets the requirements of the VDA-ISA standard for information security.
Although the term "TISAX certification" has been established, the organisation does not receive a certificate in the traditional sense. Rather, certification refers to the process by which the TISAX requirements are checked. As a result of the review, a Expert opinion created. If the review is positive, the organisation receives a Labelwhich are used for advertising purposes.
Preparation
Organisations aiming for TISAX certification must prepare for the process. In the preparation phase, the organisation finds out about the requirements of the VDA-ISA standard and selects the appropriate assessment objectives. The company also begins preparing the necessary documents. These include, among other things
- Overview of the organisational structure
- Description of the information security organisation
- Risk analysis
- Action plan for risk minimisation
Registration
TISAX registration is one of the first steps on the way to TISAX certification. Registration takes place via the ENX Portalwhich is operated by the European Network Exchange GmbH. When registering, the organisation submits requirement documents such as the self-assessment based on the VDA-ISA question catalogue including the desired labels.
Selection of a TISAX assessor
The testing service provider is responsible for carrying out the assessment and producing a report on the results. Testing service providers are authorised by the ENX Association and carry out independent safety assessments.
You should consider the following when selecting a testing service provider:
- Accreditation: The testing service provider must be accredited by an accredited accreditation service provider. Accreditation ensures that the testing service provider has the necessary qualifications and experience to carry out the assessment.
- Experience: The audit provider should have experience in conducting TISAX assessments. This ensures that the assessment provider is familiar with the requirements of the VDA-ISA standard and can carry out the assessment properly.
- Competence: The audit service provider should have the necessary expertise in the areas of information security, data protection and the automotive industry. This ensures that the audit service provider can carry out the assessment in a comprehensive and well-founded manner.
You will find an Overview of authorised testing service providers can be found on the ENX website.
Plausibility or initial check
The TISAX plausibility or initial check is part of the TISAX process. It is carried out by an accredited assessment service provider and serves to check the completeness and plausibility of the requirements documents.
The plausibility or initial check usually takes place after registration and selection of the assessment level. The audit service provider checks the requirements documents that the organisation has submitted as part of the registration process. The documents contain information about the organisation, its processes and its information security systems.
The testing service provider checks the requirement documents against the following criteria:
- Completeness: The documents must contain all required information.
- Plausibility: The information in the documents must be plausible.
If the testing service provider determines that the requirements documents are complete and plausible, the test is deemed to have been completed successfully. The company can then start preparing for the actual assessment.
Possible optimisation
If the audit service provider determines that the requirement documents are incomplete or implausible, the organisation is requested by the audit service provider to supplement or correct the documents. The organisation then has a period of two weeks to make the necessary changes.
If the organisation does not make the necessary changes, the assessment is cancelled and the whole process starts again from the beginning.
Assessment
Depending on the assessment level selected, the audit provider will either audit the organisation in a remote audit (level 2) or an on-site audit (level 3). The choice between a TISAX assessment remote audit and an on-site audit depends on several factors, including the size and complexity of the organisation, the type of data processed and the specific requirements of the organisation's customers.
The assessment includes interviews with the organisation's employees and an examination of the IT infrastructure by the audit service provider.
Report and recommendations
The results of the assessment are recorded in a report. This report contains recommendations for improving information security and shows whether the company fulfils the TISAX requirements.
Optimisation and preparation for the TISAX audit
After the TISAX assessment, the company prepares for the TISAX audit, which is the final step in the certification process. The company eliminates all errors and problems identified during the TISAX assessment.
TISAX audit
In the final TISAX audit, the organisation must prove that all weaknesses identified during the assessment have been optimised. Once the audit has been completed, the audit service provider prepares a report on the results of the audit. The report contains an assessment of the audited organisation's information security based on the requirements of the VDA-ISA standard.
TISAX certification and label
Upon successful verification and fulfilment of the TISAX requirements, the company is awarded TISAX certification.
This confirms that it fulfils the high standards for information security in the automotive industry. If the company fulfils the requirements of the VDA-ISA standard, it is awarded a TISAX certificate. The TISAX certificate is valid for three years.
The TISAX label is part of the TISAX certification. The label indicates the test objectives for which the company is certified.
Entry in database
Entry of the organisation in the ENX Association database. All audited organisations are listed in this database. All TISAX participants have access to this database, suppliers or service providers are selected from this database or their label is checked before a contract is signed.
ISMS audit in preparation for the TISAX® assessment
In preparation for the assessment, the current maturity level of your ISMS is checked for compliance with the current version of the TISAX standard. Any outstanding measures are documented during the audit and prioritised at the end of the audit.
Important requirements and criteria for TISAX® certification
The criteria and requirements for TISAX certification are based on the VDA-ISA standard. The most important requirements and criteria for TISAX certification are
Information security management system (ISMS)
Organisations must implement and operate an ISMS that meets the requirements of the VDA-ISA standard. The ISMS must cover the following areas and include the following components:
- Policy and organisation of information security management, including regular effectiveness reviews
- Recording, classification into protection requirements and management of assets
- Implemented risk management
- Training and sensitisation of employees
- Implemented business continuity management
- Implemented access and access concepts
- Use of cryptographic processes
- Consistent implementation of information security even in the event of organisational changes
- Consideration of information security in IT systems
- Implementation of information security in collaboration with contractors and co-operation partners
- Adherence to compliance regulations
Prototype protection
Prototype protection covers vehicles, components and parts classified as requiring protection which have not yet been presented to the public by the OEM and/or published in a suitable form.
The commissioning department of the OEM is responsible for classifying the protection requirements of vehicles, components and parts. The minimum requirements for prototype protection are to be applied for the protection classes high and very high in accordance with VDA ISA.
Data protection
Organisations must comply with the following data protection requirements:
- Organisation of data protection: Appointment of a data protection officer, if required by law, otherwise by appointing a data protection officer
- Meeting of technical and organisational measuresn in relation to the lawful processing of personal data
- Implementation of a Data protection management system and regular updating and quality checks.
- Documentation essential activities in relation to the legal requirements in the area of data protection.
Tips for successful TISAX® certification
TISAX certification is a complex process that requires thorough preparation. Here are some tips that can help you to be successful:
- Start preparing early. TISAX certification is an ongoing process that requires time and resources. You should therefore start your preparations at an early stage in order to have enough time to implement the necessary measures.
- Get the support of the management. Management support is essential for successful TISAX certification. Ensure that management understands the importance of information security and is committed to implementing the necessary measures.
- Create a clear understanding of the requirements. The TISAX requirements are complex and extensive. Make sure you have a clear understanding of the requirements before you start implementation.
- Set realistic goals. TISAX certification is a challenging goal. Set yourself realistic goals to avoid frustration and disappointment.
- Use external support. The support of an experienced consultancy can help you to understand and implement the TISAX requirements.
Here are some more concrete tips to help you prepare for the TISAX assessment:
-
Carry out an inventory of your current information security landscape. This inventory should include the following aspects:
- The most important information assets of your company
- The existing information security processes and controls
- The risks to your information security
-
Identify the areas in which your company does not fulfil the requirements of TISAX. Create a plan for the implementation of the necessary measures.
-
Train your employees in the areas of information security and TISAX. Employees are the most important pillar of your information security. Ensure that they have the necessary knowledge and skills to fulfil the requirements of TISAX.
Preparation for TISAX certification with software
TISAX certification has established itself as a cross-industry safety standard in the automotive industry and is becoming increasingly important. Careful preparation is essential in order to fulfil this standard efficiently. The use of specialised software solutions be of inestimable value.
The first step is to precisely analyse and document your own security processes and standards. The TISAX requirements are extensive and demand comprehensive documentation of all relevant processes, from data processing and access protection through to the crisis management strategy. Dedicated software enables companies to fulfil these Process requirements in a structured manner and document them in a comprehensible manner. Integrated requirements lists help to ensure that none of the essential requirements are overlooked.
Furthermore, a software solution offers functions for identifying and eliminating security vulnerabilities. Regular risk analyses and audits allow potential vulnerabilities to be identified and rectified at an early stage. This not only ensures compliance with TISAX standards, but also increases the overall security of the organisation.
In summary, the use of a specialised software solution offers an efficient and structured approach to TISAX certification. It helps companies to fulfil the required standards, close security gaps and continuously raise awareness of information security.
Structured processing and simultaneous documentation of TISAX® requirements with ComplianceOS
The use of Robin Data ComplianceOS® supports organisations in working through all relevant TISAX® requirements step by step and ensuring that no requirement is overlooked. At the same time, Robin Data ComplianceOS® documents all the measures taken and results achieved.
Conclusion
TISAX certification is an important step for companies that want to work with automotive manufacturers and their suppliers. The certification shows that the company fulfils the information security requirements and is therefore a trustworthy partner.
TISAX certification is a complex process that requires thorough preparation. Companies wishing to obtain TISAX certification should therefore start their preparations at an early stage.
The advantages of TISAX certification are manifold:
- Improved information security: The certification helps companies to improve their information security and reduce the risks of losing sensitive data.
- Improved co-operation: The certification facilitates co-operation with car manufacturers and their suppliers.
- More business opportunities: The certification can lead to new business opportunities, as companies with TISAX certification are seen as trustworthy partners.
Companies that are active in the automotive industry or would like to work with the automotive industry should therefore consider TISAX certification.
- Internal control system - 10 September 2024
- TISAX requirements: Prepare certification step by step - 8 January 2024
- Audit management: Implementing audits more efficiently - 26 October 2023