TISAX certificering van de informatiebeveiliging wordt besproken door een man en vrouw in een controlekamer

TISAX® Assessment

Use Information Security as a Competitive Advantage

With the TISAX® certification, you secure a decisive advantage as a supplier or service provider in the automotive industry. Whether you handle sensitive data, exchange confidential information, or must meet high requirements from your customers — with TISAX® you demonstrate that you take information security seriously.

A TISAX® assessment is not only a prerequisite for many contract awards but also a clear testament of trust toward your business partners. TISAX® creates a uniform level of information security across the entire supply chain and helps to systematically minimize risks.

DQS is an approved audit service provider of the ENX Association and holds the “Information Security Very High” audit label at Assessment Level 3. With our extensive experience in conducting TISAX® assessments, we provide customer-oriented support, respond quickly to your inquiries, and ensure a transparent and efficient assessment process.

Mutual recognition among all TISAX® participants

Suppliers and service providers gain more trust in your audited company

Assessments are carried out only once every three years

Time and cost savings as a member of the TISAX® network

Basic information about the TISAX® assessment

TISAX® is a common assessment and exchange procedure for the automotive sector. It is based on the questionnaire (ISA - Information Security Assessment) developed by the VDA working group "Information Security", which in turn is based on key aspects of the international standard ISO/IEC 27001 and has been extended to include a maturity model.

ISA also refers to ISO/SAE 62443-2-1 for industrial control systems for the automation and monitoring of industrial production facilities (IACS) and operational technologies (OT).

In addition, the responsible bodies at the German Association of the Automotive Industry (VDA) have created the conditions for establishing the joint assessment and exchange mechanism under the name TISAX® (Trusted Information Security Assessment eXchange). TISAX® is a registered trademark of the ENX Association. The Association of European automotive manufacturers, automotive suppliers and automotive associations monitors the quality of TISAX® assessments and controls the approval of TISAX® audit service providers.

More than 10,000 locations have now been assessed according to TISAX®, making this standard the second most widely implemented set of rules for information security worldwide after ISO 27001. VDA and ENX have formed international working groups for TISAX® and the ISA catalog to develop the standard further. At the same time, this promotes closer cooperation with the global automotive industry. With TISAX 6.0, the updated form of the assessment and exchange procedure was published in the fall of 2023.

Why a TISAX® Assessment Is Important for Your Company

High information security standards are indispensable in the automotive industry. For suppliers and service providers, a TISAX® assessment is now an integral part of collaborating with OEMs worldwide. More than 10,000 companies have successfully completed a TISAX® assessment.

Key Advantages of a TISAX® Assessment

Systematic identification and reduction of security-relevant risks
Access to new business opportunities within the automotive industry
Industry-wide standardized evidence of meeting OEM requirements
Increased efficiency by avoiding duplicate and multiple audits
Higher trust from customers and partner

TISAX® and ISO 27001

TISAX® is based on the ISA Catalog, which in large parts aligns with the international standard ISO/IEC 27001 and adopts its information security requirements. Both systems pursue the goal of establishing an effective information security management system — however, TISAX® supplements ISO 27001 with essential industry-specific requirements of the automotive industry.

How does TISAX® work?

In TISAX®, participants can take on two different roles: the "Information Consumer" (passive), for example is a manufacturer who would like to receive information about a vendor, and the "Information Contributor" (active), for example is a parts supplier or service provider who would like to be audited for suitability in order to receive orders from manufacturers.

A company can also take on both participant roles. Anyone wishing to participate in TISAX® as an Information Contributor must take the following four main steps:

1. Register online at www.enx.com/TISAX
2. Select an ENX-approved audit service provider such as DQS
3. Undergo a TISAX® assessment
4. Exchange the audit results on the TISAX® online platform.

If a company is interested in your TISAX® results, it can register with ENX as an "Information Consumer". You can decide for each Information Consumer whether you want to share your current TISAX® status with them.

ISA 6.0 in the TISAX® Procedure

Initial certifications or recertifications are carried out under the new TISAX® procedure in accordance with ISA Catalog 6.0. Assessment activities that depend on existing assessments—such as Corrective Action Plan assessments, follow-up assessments, scope extension assessments, or continued simplified group assessments—will continue to be conducted in accordance with the version under which the original assessment was performed.

How does a TISAX® assessment work?

Before you start with the TISAX^®assessment, your company must define a clear scope. This includes the assessment level, which defines the specific assessment requirements. These requirements may include ensuring the "availability" of production capacities, guaranteeing the "confidentiality" of entrusted information, or securing "prototype parts" and "personal data". These baseline criteria apply to all sites within the scope.

A key challenge is to combine sites with similar requirements into a single scope. DQS can provide valuable design guidance on whether it should be a single comprehensive scope or multiple scopes. In principle, there are advantages to combining sites under one scope in the form of a possible reduction in audit effort if all sites operate under a centralized ISMS.

In the first step, you select an approved audit service provider. In the second step, there is a kick-off, the document review (self-assessment, not on-site) and a subsequent assessment (Level 2: not on-site, Level 3: on-site).

Please note: There is an alternative method for conducting an assessment in Assessment Level 2. Instead of a plausibility check, your audit service provider conducts a full remote assessment. This method is sometimes referred to as "Assessment Level 2.5." The advantage of an Assessment Level 2.5 is that the approach is methodologically compatible with Assessment Level 3. It is therefore possible to upgrade to a full Assessment Level 3 exam at a later date with manageable effort.

The results of the TISAX^® audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed upon period. This procedure ensures that all identified problems are addressed effectively and promptly.

Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.

The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the TISAX^® process with the corresponding test label. In contrast to other certifications, there is no TISAX^® certificate.

What does the TISAX® assessment cost?

Several factors influence the scope of the entire assessment and therefore the costs. These include the required assessment level, the required audit labels, the locations involved, and the selected audit approach.

You should also keep the needs of interested parties in mind for the next three years. If you are currently required to complete Assessment Level 2, but expect that within three years an interested party will require Assessment Level 3, it is better to opt directly for Assessment Level 2.5. This level can easily be upgraded to Assessment Level 3 through a delta assessment.

With regard to audit labels, the question is, for example, whether you would like to include topics such as prototype protection or data protection in the assessment from the outset. Here as well, it is more cost-effective to conduct the assessment as comprehensively as possible rather than subsequently adding further audit labels through a scope extension.

If a larger number of locations are involved, it is important to select an audit procedure that helps reduce the audit effort in your interest. The sample-based simplified group assessment has proven particularly effective in this regard. In this approach, the headquarters and a sample of locations are examined in detail, while locations outside the sample undergo a simplified review. As a result, personnel and travel expenses for your procedure are reduced.

If you would like to enter the TISAX® process, speak with DQS — your approved audit service provider — as early as possible. This enables us to calculate alternative approaches for larger procedures and provide you with a reliable quotation for the costs of your TISAX® certification.

What you can expect from us

Customer-centered excellence: You, as our customer, are at the center of our mission. We adapt our processes to your individual needs and ensure fast response times, clear guidance, full transparency, and highly efficient procedures.

Enabling professional performance: DQS helps your company unlock growth potential, enter new markets, and achieve rapid product launches. We offer certifications for all relevant standards, including TISAX®, from a single source.

Thinking one step ahead: DQS goes beyond mere compliance with standards. We support you in establishing new sustainable practices and advancing your operational transformation.

Global presence, local expertise: With activities in 60 countries and deep understanding of local requirements, we ensure region-specific service and facilitate your path to international expansion.

Trusted expertise: With four decades of experience, DQS is a strong partner at your side. Our team of highly qualified auditors actively shapes the future of certification.

TISAX® Assessment

DQS GmbH is a registered TISAX® participant and has undergone a TISAX® assessment for the "Information Security Very High" label at Assessment Level 3. TISAX® assessments are performed by ENX authorized assessment service providers. TISAX® assessment results are not intended for the general public. The result of the assessment at DQS GmbH is available to registered participants via the ENX portal: https://portal.enx.com/

Download the document here