TISAX® is an EU automotive industry-standard information security assessment catalogue based on critical aspects of information security, such as data protection and connection to third parties.
A single industry-specific security framework for assessing information security for the vast landscape of suppliers, Original Equipment Manufacturers, and partners was created by the German VDA (Verband der Automobilindustrie, the German Automobile Industry Association) on behalf of the ENX Association.
TISAX® combines the former ISA (Information Security Rules) of the VDA with ISO 27001’s Appendix A (technical controls) as well as several privacy requirements.
The Trusted Information Security Assessment Exchange, also known as TISAX®, is an information security assessment standard that was developed exclusively for the requirements of the automotive industry.
TISAX® is a self-assessment rather than an audit of an information security management system (ISMS) under ISO 27001.
TISAX® assessments help build supply chain trust; suppliers that participate can gain from:
It’s easy for organisations to share their information security status with the TISAX® label.
Any company that wants to operate successfully in the automotive industry or as a supplier or partner for car manufacturers will need to have proof of TISAX® compliance.
If you don’t have evidence of TISAX® compliance, you more than likely won’t be able to work with any of the major manufacturers.
TISAX® is a European automotive information security assessment catalogue based on key aspects of sensitive information security, such as data protection & connection to third parties.
It’s not a legal requirement to have TISAX® certification. A company can’t be mandated to implement a TISAX®-compliant ISMS or to have their ISMS checked through TISAX®.
If you want to operate successfully in the automotive industry as a supplier or partner for car manufacturers, you realistically need to have proof of TISAX® compliance to show your commitment to the supply chain.
The requirements for TISAX® are similar to the requirements for ISO 27001. Data protection and industry-specific requirements for prototype protection are some of the additional requirements that your company will have to meet if you aim to reach the TISAX® level.
TISAX® requires all controls to be indicated with a maturity level, which is the most significant difference between ISO 27001 and TISAX®.
The maturity levels are as follows:
Level 0: A process doesn’t exist, or an existing process doesn’t achieve the required results.
Level 1: Requirements for the protection of information are performed. A process is in place and shows some signs of working, but it is not fully documented and cannot be guaranteed to work at all times.
Level 2: The objective is achieved through a process, and this is documented with proof. Some documentation is available.
Level 3: A standard process for achieving the objective is established and linked to other processes so that existing dependencies are visible. The documentation is kept current and up to date.
Level 4: The requirements from Level 3 are met and measured, including results such as KPIs, which makes the process predictable for the parties involved.
Level 5: The requirements from Level 4 are included, along with additional resources. Personnel and finances are deployed in an optimal way, and continuous improvement of the process is the goal.
A potential customer may require a company to go through the TISAX® certification process. Other companies start the process to be in a good position for the future. Your TISAX® journey will depend on the status of your current information security system as well as on you and your organisational goals.
The TISAX® process has two phases: certification and preparation.
The first step is to identify the company’s requirements and map them against your implemented information security management system, also known as an ISMS.
If your company doesn’t have an effective ISMS in place, you could consider implementing an ISMS according to the leading management system standard for information security, ISO/IEC 27001.
The implementation and certification of ISO/IEC 27001 are required for effective information security management, but they are not required for TISAX®. As TISAX® requirements largely match those of ISO 27001, implementing an ISMS is regarded as a great starting point.
A third-party assessment follows the first, mandatory self-assessment. The audit can require either a documentation-based plausibility check (assessment level 2) or a more comprehensive on-site inspection (assessment level 3). Suppliers who handle highly sensitive external data have their handling of that data inspected on site by an approved audit provider.
“ISMS.online is a one-stop solution that radically speeded up our implementation. If you don’t use ISMS.online, you’re making your life more difficult than it needs to be!”
TISAX® shapes key elements in the ISMS standard ISO/IEC 27001, focusing on aspects specifically relevant to the context of the automotive industry.
Some differences and similarities include:
As you can see, ISO/IEC 27001 complements TISAX® with very similar processes.
There is no formal connection between ISO 27001 and TISAX®. The standards are independent of one another and work separately from each other.
Even though there isn’t a formal connection, any company that has successfully undergone a company-wide ISO 27001 audit should be able to pass TISAX® easily.
TISAX® is focused on ensuring a secure supply chain for original equipment manufacturers that expect TISAX®-compliant management processes from suppliers.
TISAX® compliance can be said to improve an ISMS for the automotive industry. Depending on the maturity level of your TISAX®-compliant ISMS, it should at least meet the requirements for ISO 27001.
Since companies are allowed to publish their ISO 27001 certificate on their website in order to attest to their level of information security and position themselves on the market as information security leaders, it’s advisable to do so. Organisations also undertake ISO/IEC 27001 certification for PR reasons.
The VDA (Verband der Automobilindustrie) working group dealing with information security began adapting existing standards for information security management to the automotive industry’s needs in 2005.
The result of the joint work was a questionnaire that covered the industry-wide accepted requirements of the automotive industry for information security and supplements the security controls defined in ISO 27001 from Annex A with the following security controls:
The current version of the standard was released in 2020.
Important Information
TISAX® is a registered trademark of ENX Association. Alliantist Ltd. has no business relationship with ENX Association. The mention of the TISAX® trademark does not imply any statement by the trademark owner as to the suitability of the services advertised above.