White Paper: TISAX® Assessment in the Automotive Industry
TISAX® Certification
Prove your information security with TISAX®


Information security is an essential prerequisite for manufacturers, suppliers, and service providers across the automotive value chain. This is especially true for projects involving highly sensitive data.
DEKRA offers all three levels of TISAX® (Trusted Information Security Assessment Exchange) assessments. Each level includes unique requirements appropriate for the level of complexity encountered.
Benefits of TISAX®
Avoid costly and time-consuming duplicate and multiple checks
Facilitate proof of information security between manufacturers, suppliers, and service providers
Maintain visibility and increase opportunities for contracts
Select suitable suppliers or service providers based on a trusted standard

In 2017, TISAX® was established by the German Association of the Automotive Industry (VDA), building upon existing Information Security Assessment (ISA) requirements as well as the international ISO/IEC 27001 standard. The platform provides members throughout the automotive value chain with standardized assessments of information security.
The ENX Association has defined the levels and scope of TISAX® assessments. A company can be audited to one of three different assessment levels, depending on the required level of information security.
Assessment Level 1
Most standard suppliers need only to complete the ISA questionnaire and publish this self-assessment in TISAX®.
Assessment Level 2
In cases of more complex suppliers, self-assessment will be followed by random plausibility checks by an approved audit provider over the phone.
Assessment Level 3
Suppliers who handle highly sensitive external data undergo on-site inspection by an approved audit provider such as DEKRA based on their self-assessment.
The Process
After initial registration, companies wishing to join the TISAX® platform commission a service provider, such as DEKRA, to assess their information security. Assessment begins with a basic test on the topic of information security and then offers further optional modules, such as prototype protection, data protection, and connection to third parties. This eliminates special requirements in the extensive individual catalogues of major automobile manufacturers. A final report showing the achieved protection class can then be conveniently shared with selected companies requesting your TISAX® status. (This exchange is only possible among registered participants and only after express permission is granted by the assessed company.)

Your Trusted Partner in Information Security
Our experienced and independent experts provide comprehensive information security audit and assessment services. With over 40 accreditations to our name, DEKRA can tailor our services to your precise needs. Our audits are recognized by international manufacturers, suppliers, and service providers throughout the global automotive industry.
Frequently Asked Questions About TISAX®
- 1. What are the advantages of TISAX®?
- 2. What do the different assessment levels mean?
- 3. Do suppliers need TISAX® assessments?
- 4. Is TISAX® similar to ISO 27001?
- 5. What employees are relevant for a TISAX® assessment?
- 6. How long does a TISAX® assessment take?
- 7. How long does it take to become TISAX® certified?
- 8. Is there a minimum level of process documentation for TISAX®?
- 9. Can DEKRA help us prepare for a TISAX® assessment?
What are the advantages of TISAX®?
Recognized by participants across the global automotive industry supply chain, the Trusted Information Security Assessment Exchange (TISAX®) has established a uniform level of information security to boost confidence in audited companies. Standardized TISAX® assessment eliminates unnecessary and duplicate audits, saving you both time and money. Certification is valid for a period of three years.
What do the different assessment levels mean?
TISAX® distinguishes between three assessment levels (protection requirements), depending on what protection is required: normal (level 1), high (level 2) and very high (level 3). Inspection methods and efforts are determined by the established security needs.
Do suppliers need TISAX® assessments?
TISAX® is not limited to manufacturing companies but covers the entire supply chain of the automotive industry. Your individual need to implement TISAX® depends on the particular requirements of your customer. If they do not reach out to you or change any accepted general terms and conditions, it is recommended to wait and see whether you will need a TISAX® assessment for further business with them.
Is TISAX® similar to ISO 27001?
TISAX® requirements were based on the international ISO 27001 standard and its defined controls. Instructions describe how the respective requirements can be implemented, how processes are to be ensured, and what tools can be used. A key difference between the two standards is that TISAX® contains three different maturity levels for differing security needs.
What employees are relevant for a TISAX® assessment?
All employees within the scope must be included. For example, this includes an employee in production who may work with customer information.
How long does a TISAX® assessment take?
The duration of the assessment will depend on the size of the company and the amount of travel between locations involved. Normally, 2-3 days on-site is sufficient to complete the assessment at a company of average size.
How long does it take to become TISAX® certified?
From start to finish, the entire TISAX® assessment process can take several months. If the process cannot be successfully completed, you will not receive a TISAX® label. If your company meets all the criteria or shows only minor deviations (so-called secondary deviations), the test report will be submitted to ENX. Once it has been accepted, you will receive your (temporary) TISAX® label. If there are major deviations that need to be corrected first, the label will be effective from the day the deviation is deemed to have been rectified.
Is there a minimum level of process documentation for TISAX®?
It is not possible to make a general statement here. This will depend on the size and activities of your business. In theory, you can cover everything in a single document, as long as it is clear. However, it is recommended to create several documents addressing relevant topics.
Can DEKRA help us prepare for a TISAX® assessment?
Yes! Our pre-assessment audit service enables you to find out how well you are positioned in the area of information security and what still needs to be done for a successful TISAX® assessment.
Management system certification is offered by DEKRA Certification, Inc., which operates independently from any consulting and training activities using the DEKRA brand.