TISAX (Trusted Information Security Assessment eXchange) is a global information security standard for the automotive industry. It is a maturity-based information security assessment approach targeted at the automotive industry’s needs. Primarily applicable to 1st and 2nd tier suppliers but extendable to more complex supply chains, the assessment is a requirement from certain OEMs.
The goal of the scheme is to:
- establish a common level of security for the automotive industry
- ensure common recognition of assessments to reduce costs, efforts and complexity for manufacturers and suppliers
- ensure the comparability and quality of the assessments
- exchange best practices and lessons learned
- let each participant decide to whom results will be revealed and degree of detail
TISAX combines the former Information Security Rules (ISA) of the German Verband der Automobilindustrie (VDA) with ISO/IEC 27001’s Appendix A (Technical Controls) as well as some Privacy requirements.
TISAX® vs ISO/IEC 27001
TISAX builds on key elements in the information security management system standard ISO/IEC 27001, focusing on elements specifically relevant to the context of the automotive industry.
The main differences are:
| ISO/IEC 27001 | TISAX |
|---|---|
| Management system standard | Covers information security processes and parts relevant to partners in the automotive industry |
| On/off approach | Maturity level approach |
| Scope defined before certification | Scope is fixed |
| Company-based risk analysis | VDA-ISA working group-based risk analysis |
| Certification body issues certificate | TISAX issues label and exchange registration |
| Periodic audit and recertification after 3 years | 3-year validity, no periodic audits |
Benefits of assessments
Beyond being a ticket-to-trade requirement from certain manufacturers, TISAX assessments contribute to building supply chain trust. Participating suppliers can benefit by:
- Being recognized by Automotive Manufacturers;
- Preventing information security breaches and cyber-attacks;
- Gaining customer trust;
- Identifying and addressing risk;
- Getting recognition for due information security processes;
- Sharing assessment results through the ENX exchange.
Companies entering the program must register with ENX as a participant.
The process is set up in stages:
- Get to know the TISAX requirements.
- Register on the TISAX portal, select your accredited auditing body, and prepare for the audit. This includes a self-assessment to measure your compliance and readiness.
- How the audit is executed depends on whether you qualify for a remote (Level 2) or on-site (Level 3) audit. The audit itself consists of interviews, a document review, clarification of possible findings and next steps.
- Corrective action plan and follow-up
Prepare a corrective action plan (CAP) to close any findings (gaps) and submit it to the audit provider. The CAP is assessed in a follow-up (or more than one, if necessary), which completes the TISAX report.
- Exchange of results
The audit provider uploads the TISAX report to the platform. The audited company decides with whom the results should be shared. ENX issues the TISAX labels to the audited company.
DNV is an assurance provider approved by the ENX Association. Through our network of local offices and auditors, we can provide TISAX assessments globally.
ENX maintains the audit provider criteria and assessment requirements (TISAX ACAR). It approves audit providers and monitors the quality of implementation as well as the assessment results. ENX is supported by the TISAX Committee, consisting of representatives of manufacturers, suppliers and associations.