Do you have to provide proof of the security of information provided to you in accordance with the requirements of the "VDA Information Security Assessment" (VDA ISA)? Our standards expert André Säckel provides answers to important questions about TISAX® - the joint testing and exchange procedure in the automotive industry. The circle of companies affected by this is larger than perhaps initially assumed. In addition to the classic Tier 1 supplier, TISAX® certification is also increasingly required from suppliers at other sublevels - as well as from service providers in the areas of data processing or advertising, for example, i.e. from partner companies of the automotive industry in the broadest sense.


What does TISAX® mean?

TISAX® - Trusted Information Security Assessment eXchange

TISAX® is a common testing and exchange procedure for the automotive sector. It is based on a questionnaire on information security (ISA - Information Security Assessment) developed by the VDA working group "Information Security", which was first used by member companies of the German Association of the Automotive Industry (VDA) for audits of suppliers and service providers in whose companies sensitive information is processed. Version 5.0 of the VDA ISA questionnaire has been available since July 2020. Since October 1, 2020, this version has been mandatory for all new TISAX® assessments.

In addition, TISAX® is based on essential requirements of the internationally recognized standard for information security: ISO 27001. It is applicable across all industries and defines requirements, rules and methods for ensuring the security of information within a company. In its requirements, the standard goes beyond the protection of IT technical systems and includes all corporate assets worthy of protection, e.g. premises, security controls and archives. In other words: ISO 27001 ensures the protection of all information that is of value to an organization.

What are the benefits of TISAX®?

  • TISAX® creates a uniform level of information security in the automotive industry.
  • Assessment results are recognized across companies among all TISAX® participants, leading to greater confidence in audited companies.
  • Unnecessary duplicate and multiple audits are avoided through mutual recognition in the TISAX® network.
  • The assessment for TISAX® certification takes place only every three years, which saves time and money.

TISAX®: good planning for successful assessments

Are you faced with the task of meeting automotive industry requirements in terms of information security? Then you should make some important decisions in advance of a TISAX® assessment. Our free white paper provides guidance.

Who monitors TISAX®?

TISAX® is a registered trademark of the ENX Association, based in Frankfurt am Main and Paris. It is entrusted with the implementation of TISAX® as a neutral body. ENX is the association of European automotive manufacturers, suppliers and four national automotive associations, including the VDA, which founded ENX in 2000. The ENX Association monitors the quality of the implementation and grants approval to testing service providers according to a strict procedure. DQS is listed with ENX as an approved testing service provider and can perform assessments worldwide. Our experts are always available to answer your questions.

In order to achieve mutual recognition of the assessments by the participants, ENX concludes corresponding contracts with all approved testing service providers as well as with the participants in the TISAX® network. Through standardization and quality monitoring, ENX achieves common recognition of assessment results among all participants. Unnecessary duplicate and multiple testing is avoided.


Questions and answers about TISAX®: What is an assessment level?

TISAX® distinguishes between three assessment levels (protection requirements), depending on the protection required: normal (level 1), high (level 2) and very high (level 3). The testing method and the testing effort depend on this.

Level 1: Self-assessment without plausibility check, usually for internal purposes only. These assessment results have only limited significance and are not used in TISAX®.

Level 2: Plausibility check of your self-assessment by a testing service provider such as DQS. These information security audits are usually conducted as a telephone conference, not by on-site audits - unless one of the prototype protection audit objectives applies or you explicitly request this.

Level 3: Plausibility check of your self-assessment by a testing service provider through an in-depth, comprehensive on-site audit.


Is the introduction of TISAX® also a must for non-manufacturing companies?

The answer to this question depends on the context of your business: Whether or not you need to implement TISAX® depends on your OEM (original equipment manufacturer) or whether they require you to provide this proof of information security. Unless the car manufacturer specifically approaches you or you see a change in the T&C, it is recommended to wait and see. In the past, companies were contacted by the OEM about the requirements for further cooperation if necessary. However, it is of course up to you to proactively inquire with your partners in the automotive industry.


Does it make sense to strive for TISAX® certification even without a customer requirement?

Taking a proactive approach to the topic of information security generally makes a lot of sense these days, and not just for suppliers in the automotive industry. If your OEM does not (yet) specify which TISAX® label is expected of you, it is a good idea to demonstrate Level 3 (Assessment Level 3: very high information security). In this way, you are prepared for all future requirements without having to duplicate work. Alternatively, the globally recognized DIN ISO/IEC 27001 standard offers a good, cross-industry introduction to information security.


Is the content of TISAX® analogous to ISO 27001?

The TISAX® test catalog is derived from the international standard ISO 27001 and draws on the "controls" (measures) defined therein. They describe how the respective requirements (must, should) can be implemented, how processes are to be ensured and which tools can be used. A key difference between the two standards is that TISAX® requires a certain maturity level to be reached.


Is a combined audit of TISAX® and ISO 27001 recommended?

A combined audit is definitely possible and can be performed by DQS at any time. All TISAX® auditors at DQS are also accredited auditors for ISO 27001, which means that both assessments for information security can be carried out at the same time with less additional effort.

"With TISAX®, there is for the first time the possibility to ensure a uniform level of information security across the entire automotive industry, based on the robust foundation of the VDA questionnaire and the ISO 27001 principles."

Is it mandatory to have ISO 27001 certification for TISAX®?

The answer to this question is: No. Because there is no requirement that a certified information security management system in accordance with ISO 27001 must already exist. For the TISAX® assessment, you only have to prove that you work according to an information security management system and that the corresponding processes and procedures are implemented in a stable manner in the company. This assessment is carried out by the auditor, who also uses the documents to assign a maturity level ("Maturity Level").

What are the advantages of already having an ISO 27001 certification?

If you can already provide evidence of an ISO 27001 certificate, this is of course always an advantage, if only because for TISAX® you have to prove that you have an implemented information security management system, and both sets of rules have similar coverage.

"Digitization of the automotive industry: the number of applications and data in vehicles is exploding, and with it the attack surfaces and damage potential in information security are also growing."

But please note: The definition of the TISAX® audit scope may differ from the definition required for ISO 27001 certification. The underlying concepts are not identical. For larger organizations, registration of multiple audit scopes may also be considered.

Is the "process definition" of ISO 9001 analogous to TISAX®?

The answer to this question is "yes". In principle, the definition and structure of the processes in the corresponding sets of rules is always the same. The TISAX® test catalog also states quite specifically from which controls KPIs must be determined and from which they must not. The creation of KPIs is backed up with examples to ensure information security in the automotive industry. A look at the VDA ISA question catalog therefore helps to get an initial overview.

Is an IT security officer recommended for the implementation of TISAX®?

It is not mandatory that the person responsible for introducing TISAX® comes from the IT department. However, since IT-supported processes are involved, certain IT knowledge is definitely an advantage.

How do I define the TISAX® assessment scope?

ENX offers a standard scope that is adopted by 90% of all TISAX® participants. The standard scope is predefined and cannot be changed. If you find during the preparation for your assessment that the standard scope does not fit, you can adjust your assessment scope under certain circumstances. In individual cases, OEMs may require an expanded scope. However, these special cases are rare and will be discussed in detail with you by the respective OEM. Normally, the standard scope is sufficient. It is the basis for a TISAX® assessment and is accepted by all participants.


Is one assessment scope sufficient for all sites?

A single assessment scope that includes all sites offers advantages but also disadvantages.

Advantages

  • only one assessment result, one assessment report, one expiration date
  • reduced costs, as central processes, procedures and resources only need to be assessed once

Disadvantages

  • the audit result is only available after all sites have been assessed
  • the assessment result depends on all sites passing the assessment, i.e. if only one site fails the assessment, you will not receive a positive assessment result

Can the assessment scope be limited, e.g. to "security-critical employees"?

ENX answers this question about TISAX® clearly: All employees who come into contact with sensitive information from the automotive industry must be included in the assessment scope. This can also be, for example, a machine operator who works with a customer's design drawings. Your company must define for itself which employees are involved in information security-relevant processes.

Is it true that with ENX, the application for a TISAX® assessment must be submitted first and only then can the testing service provider be selected?

Yes, this is correct. Following your online registration at www.enx.com/tisax/ and approval of the testing scope by ENX, you will receive a list of all approved testing service providers. However, you can also view the list in advance at ENX. DQS is listed as a testing service provider at ENX and can perform assessments worldwide. For questions and answers regarding information security in the automotive industry, please do not hesitate to contact our experts.

Does an inquiry make sense at all if the maturity level is too low?

If you determine in a self-assessment that your company still has some catching up to do in terms of information security, a request for assessment does not make sense for the time being. It is recommended that you first close the identified gaps and then consider an audit.

How long do the individual assessments take?

The answer to the question about the duration of individual assessments depends on the size of your company and the travel involved in auditing your sites. For an average company size, 2-3 days on site are sufficient for the assessment process.


How long does it take for a company to be considered certified?

The entire TISAX® audit process can take a maximum of nine months. It begins with the initial audit and ends with the last follow-up audit. If the inspection process cannot be completed within the specified period, you will not receive a TISAX® label.


If your company meets all the criteria or shows only minor non-conformities (so-called minor deviations), the assessment report is submitted to ENX. As soon as this has been accepted, you will receive your (temporary) TISAX® label. If there are major non-conformities that must first be rectified, the label is valid from the day on which the deviation is deemed to have been rectified.

Questions and answers about TISAX®: What are TISAX® labels?

Labels are the result of the assessment process and summarize your assessment result. They are hierarchically linked to each other. That is, if you receive a certain label, you automatically receive the labels below it. The labels can only be viewed in the ENX portal. Their validity period is usually three years.

What are major and minor deviations?

A major non-conformity is when the non-conformance raises doubts about the overall effectiveness of your information security management system or when it causes significant information security risks. This is the case, for example, if two-factor authentication is required and has not yet been implemented.

A minor non-conformity exists, for example, if the non-conformity neither calls into question the overall effectiveness of your information security management system nor poses a significant risk to information security in the automotive industry. For example, isolated or sporadic errors and implementation deficiencies.

Do I also need to submit evidence of effectiveness of individual measures?

The answer is "yes." After you have created your catalog of measures and implemented them, their effectiveness will be verified. For this reason, the certification process also provides for a period of nine months.


How can I determine the number of employees "in advance"?

Specifically: How can I determine the exact number of employees in advance if additional employees will only be hired after the contract with our client has been signed?

The bands into which employees are classified for TISAX® are significantly wider than for the international standard ISO 27001. TISAX® classifies the number of employees, for example, into 0-50, 51-150, etc. So if you know approximately how many new employees will be hired, you can place yourself in an appropriate band.

How many documents should be available in order to comply with TISAX®?

It is not possible to make a general statement here. It always depends on the size and activity of your company. Theoretically, you can cover everything in a single document, as long as you have a clear overview. However, it is advisable to create several documents that cover related topics.

Will TISAX® replace VDA prototype protection?

Since TISAX® includes a separate module for prototype protection, which goes into much more detail about the individual criteria than was previously the case, it can be assumed that in the long term TISAX® will replace the previous sets of rules for information security in the automotive industry. Currently, however, the VDA prototype protection version 3.0 of 2018 is still valid.

Questions and answers about TISAX® - What can DQS do for you?

DQS is listed with ENX as an approved testing service provider and can perform assessments worldwide. All of our TISAX® auditors are also approved auditors for the international standard ISO 27001, which means that both standards can be assessed by DQS at the same time and with less additional effort. Our experts will be happy to answer your questions about information security in the automotive industry. We look forward to talking to you.


Expertise and trust

Our technical articles are written exclusively by our in-house standards experts and long-term auditors. If you have any questions regarding the content or our authors, please feel free to send us an e-mail to [email protected]. You will receive an answer immediately.

Author
André Saeckel

Product manager at DQS for information security management. As a standards expert for the area of information security and IT security catalog (critical infrastructures), André Säckel is responsible for the following standards and industry-specific standards, among others: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization DIN.
