Request a quote
Your local contact
We would be happy to provide you with a customized offer for the TISAX process.
Mutual recognition among all TISAX® participants
Suppliers and service providers achieve greater trust in your audited company
The assessment for TISAX® certification takes place only every three years
Saving time and costs by participating in the TISAX® network
ISA also refers to ISO/SAE 62443-2-1 for industrial control systems for the automation and monitoring of industrial production facilities (IACS) and operational technologies (OT).
In addition, the responsible bodies at the German Association of the Automotive Industry (VDA) have created the conditions for establishing the joint assessment and exchange mechanism under the name TISAX® (Trusted Information Security Assessment eXchange). TISAX® is a registered trademark of the ENX Association. The Association of European automotive manufacturers, automotive suppliers and automotive associations monitors the quality of TISAX® assessments and controls the approval of TISAX® audit service providers.
More than 10,000 locations have now been assessed according to TISAX®, making this standard the second most widely implemented set of rules for information security worldwide after ISO 27001. VDA and ENX have formed international working groups for TISAX® and the ISA catalog to develop the standard further. At the same time, this promotes closer cooperation with the global automotive industry. With TISAX 6.0, the updated form of the assessment and exchange procedure was published in the fall of 2023.
The most important changes in the new ISA catalog 6.0 are Changes to the security labels:
Increased focus on information security and OT systems in the supply chain
After a successful assessment you will receive a TISAX® label on the TISAX® online platform. This label is comparable to a certificate and serves to strengthen the trust in your company and to confirm your efforts to ensure information security.
A company can also take on both participant roles. Anyone wishing to participate in TISAX® as an Information Contributor must take the following four main steps:
If a company is interested in your TISAX results, it can register with ENX as an "Information Consumer". You can decide for each Information Consumer whether you want to share your current TISAX status with them.
Before you start with the TISAX® assessment, your company must define a clear scope. This includes the assessment level, which defines the specific assessment requirements. These requirements may include ensuring the "availability" of production capacities, guaranteeing the "confidentiality" of entrusted information, or securing "prototype parts" and "personal data". These baseline criteria apply to all sites within the scope.
A key challenge is to combine sites with similar requirements into a single scope. DQS can provide valuable design guidance on whether it should be a single comprehensive scope or multiple scopes. In principle, there are advantages to combining sites under one scope in the form of a possible reduction in audit effort if all sites operate under a centralized ISMS.
In the first step, you select an approved audit service provider. In the second step, there is a kick-off, the document review (self-assessment, not on-site) and a subsequent assessment (Level 2: not on-site, Level 3: on-site).
Please note: There is an alternative method for conducting an assessment in Assessment Level 2. Instead of a plausibility check, your audit service provider conducts a full remote assessment. This method is sometimes referred to as "Assessment Level 2.5." The advantage of an Assessment Level 2.5 is that the approach is methodologically compatible with Assessment Level 3. It is therefore possible to upgrade to a full Assessment Level 3 exam at a later date with manageable effort.
The results of the TISAX® audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed upon period. This procedure ensures that all identified problems are addressed effectively and promptly.
Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.
The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the TISAX® process with the corresponding test label. In contrast to other certifications, there is no TISAX® certificate.
The protection goals, for example, are about whether you want to include topics such as prototype protection or data protection in the assessment. If you want to get involved in the TISAX® procedure, talk to DQS, your approved audit service provider, as early as possible. This is the only way we can determine the correct calculation for the assessment scope, and provide you with a reliable quote for the cost of your TISAX® certification.