TISAX® Assessment - Information Security in the Automotive Industry in the United States

Are you an automotive supplier or service provider? Then you need to prove the availability of your services or the security of the sensitive information you receive. You are also expected to provide proof of the correct handling of prototypes. As a participant in the TISAX® process, this is possible through a corresponding assessment, which only needs to be carried out every three years. The TISAX® certification is valid for all industries and defines your company's information security requirements.

Mutual recognition among all TISAX® participants

Suppliers and service providers achieve greater trust in your audited company

TISAX® assessments are conducted only every three years.

Save time and costs by participating in the TISAX® network

Beschreibung Standard/Regelwerk

All you need to know about the TISAX® assessment in the United States

In the United States, the TISAX® certification is a standardized and efficient procedure tailored to the automotive sector. It is founded on the Information Security Assessment (ISA) catalog, with its origins in the German Association of the Automotive Industry (VDA) and its Information Security working group. This process incorporates various essential components from the global ISO/IEC 27001 standard and other standards, supplemented by the inclusion of a maturity model.

Moreover, the VDA has set the foundation for the creation of the assessment and data exchange system, recognized as TISAX® (Trusted Information Security Assessment eXchange). TISAX® is a registered trademark held by the ENX Association, an organization consisting of European automotive manufacturers, suppliers, and industry associations. This association is responsible for maintaining the quality of TISAX® assessments and managing the selection of TISAX® audit service providers both in the United States and around the world.

ISA also refers to ISO/SAE 62443-2-1 for industrial control systems for the automation and monitoring of industrial production facilities (IACS) and operational technologies (OT).

With over 10,000 locations evaluated in accordance with TISAX®, this standard ranks as the second most widely adopted information security framework worldwide, trailing only ISO/IEC 27001. As a result, international working groups for TISAX® and the ISA catalog have been formed by VDA and ENX to jointly influence the standard's future, fostering closer collaboration with the U.S. automotive industry. At the same time, this promotes closer cooperation with the global automotive industry. With TISAX 6.0, the updated form of the assessment and exchange procedure was published in the fall of 2023.

Show more
Show less

TISAX® 2.2 - Mandatory from April 1, 2024 - Transition notes

TISAX® assessments that were commissioned by March 31, 2024 can be performed according to the old ISA version 5.1. Initial or recertification assessments commissioned from April 1, 2024 onwards will be carried out exclusively according to the new TISAX® procedure in accordance with the ISA catalog 6.0. Audit activities that are dependent on existing audits, such as corrective action plan assessments, follow-up assessments, scope extension assessments or continued simplified group assessments, will continue to be performed in accordance with the version under which the original audit was performed.

Information on the key changes in the new ISA 6.0 can be found in our blog post "New ISA Catalog 6.0"

The new ISA Catalog 6.0 is an important milestone for TISAX®. The assessment catalog leads to adjustments of the requirements for audit providers, which were defined in the TISAX® ACAR 2.2 regulations. The change of the main language to English underlines the global perspective and the joint efforts for worldwide development. Further translations of TISAX VDA 6.0 are planned.

The most important changes in the new ISA catalog 6.0 are:

Changes to the security labels:

  • The Information Security label is replaced by the Availability and Confidentiality labels. Depending on your role in the supply chain, Availability or Confidentiality or both may be relevant to you.
  • An existing "Information Security High" label will be replaced with the combined "Availability High" and "Confidentiality High" labels. The same applies to an existing Information Security Very High label. It will be replaced by "Availability very high" and "Confidentiality strict".
  • Both labels must meet the same set of baseline requirements. In addition, each label has specific requirements for high and very high protection needs. The assessment process is driven by the labels, taking into account your role in the supply chain. It is therefore worth checking with your customers which labels are relevant to your role.

Increased focus on information security and OT systems in the supply chain

  • Relevant companies in the supply chain must meet "high availability" or "very high availability" requirements.
  • Emphasis on Operational Technology (OT) systems in production and other areas in the TISAX® assessment.
  • References to IEC 62443-2-1 and new ISA catalog requirements promote OT focus.
  • Inclusion of Industrial Communication and Control Systems (IACS).
  • Companies in this category must demonstrate adequate protection of sensitive data in development and production.
  • Many of the requirements overlap with "High Sensitivity" or "Very High Sensitivity".
  • Companies in the supply chain that are not highly relevant but are entrusted with sensitive information must demonstrate that this information can be adequately protected.
  • The "High Confidentiality" or "Strict Confidentiality" labels are used to select the TISAX® requirements that contribute to this protection objective.
  • The main purpose of the selective assessment described above is to ensure that companies only have to meet the requirements of the ISA catalog that are relevant to their role.

New Challenges for Manufacturing Companies

  • OT systems must be subject to management similar to that which is generally required for TISAX® IT systems.
  • As a result, the OT in asset management is identified with its specific risks, analyzed for potential vulnerabilities, managed by competent employees, subjected to ISMS-compliant processes for remote maintenance and other best management practices.
Show more
Show less

What are the advantages of a TISAX® assessment for your North American company?

If your business operates in the automotive industry as a supplier or service provider, it is essential to demonstrate a strong commitment to information security. Historically, manufacturers would conduct these assessments themselves. However, as a registered member of the TISAX® network in the United States, you can now easily select an audit service provider through a user-friendly online platform and request an assessment. The benefits of this approach are clear:

  • Avoid Redundant Assessments: Eliminate the need for duplicate assessments from different customers, saving time and resources.
  • Mutual Recognition: Your information security assessments gain recognition from multiple TISAX® participants, reducing the need for redundant audits.
  • Reliable Results: Trust in the consistency of your assessment results, thanks to the standardized ISA catalog, ensuring a uniform evaluation process.
  • Boost Trust: Enhance confidence in your audited company by directing interested parties to the assessment results available on the TISAX® exchange platform, demonstrating your commitment to information security. This fosters trust among your stakeholders.

After a successful assessment you will receive a TISAX® label on the TISAX® online platform. This label is comparable to a certificate and serves to strengthen the trust in your company and to confirm your efforts to ensure information security.

Show more
Show less
Wie funktioniert

How does TISAX® work in the US and Canada?

TISAX® provides a straightforward process with two primary roles: the Information Consumer (passive) and the Information Contributor (active).

Information Consumer: This role is intended for manufacturers who are seeking information about suppliers that are crucial to their operations. These may include suppliers tightly integrated with the manufacturer's information systems, suppliers vital to the manufacturer's supply chain, or suppliers engaged in the development and production of prototype parts for the manufacturer.
Information Contributor: This role is designed for parts suppliers and service providers who wish to demonstrate their suitability to receive orders from manufacturers or to highlight their ability to effectively manage prototype parts and prepare for new prototype-related projects.

It is important to note that a company can assume both roles. If you are considering becoming an Information Contributor in TISAX®, here are the essential steps:

  • 1. Register online at www.enx.com/TISAX
  • 2. Select an ENX-approved audit service provider such as DQS Inc.
  • 3. Undergo a TISAX® assessment
  • 4. Exchange the audit results on the TISAX® online platform.

By following these steps, you are on the path to undergoing assessment within the TISAX® framework. Upon successful assessment, you will be awarded with TISAX® labels on the TISAX® online platform. These labels can be compared to receiving certificates, serving to bolster trust and guarantee the security of your information assets.

If a company is interested in your TISAX® results, it can register with ENX as an "Information Consumer". You can decide for each Information Consumer whether you want to share your current TISAX® status with them.

Show more
Show less

The TISAX® Assessment Process

Before you start with the TISAX® assessment, your company must define a clear scope. This includes the assessment level, which defines the specific assessment requirements. These requirements may include ensuring the "availability" of production capacities, guaranteeing the "confidentiality" of entrusted information, or securing "prototype parts" and "personal data". These baseline criteria apply to all sites within the scope.

A key challenge is to combine sites with similar requirements into a single scope. DQS can provide valuable design guidance on whether it should be a single comprehensive scope or multiple scopes. In principle, there are advantages to combining sites under one scope in the form of a possible reduction in audit effort if all sites operate under a centralized ISMS.

As a TISAX® participant you must first register online. The scope ID will then be assigned by ENX. Please note that there are service fees associated with this registration process, which will be charged for each location within your scope.

Acquiring TISAX® labels is a straightforward process that involves two key steps. The first step begins with the selection of an approved audit service provider, such as DQS Inc. In the second step, the process initiates with a document review, which is conducted as a self-assessment and does not involve on-site visits. Subsequently, a follow-up assessment is carried out. The depth of this assessment is contingent on the assessment level (AL):

AL 2 assessments do not include on-site visits and primarily focus on checking the plausibility of the implemented Information Security Management System (ISMS) based on documentation.

AL 3 assessments include an on-site visit and entail in-depth verification of the implemented ISMS by evaluating evidence.

For a slightly different approach, there's an alternative method referred to as AL 2.5 assessment. In this approach, your audit service provider performs a fully remote assessment instead of solely conducting a plausibility check. Notably, this method aligns methodologically with AL 3. It provides the flexibility to later upgrade to a full AL 3 by concentrating only on physical aspects and on-site evidence through a delta assessment.

AL 2.5 is particularly recommended for clients who presently only need to meet AL 2 but anticipate that AL 3 will likely be required by the manufacturers they work with in the future. This approach ensures a smoother transition when more stringent requirements come into play.

The results of the TISAX® audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed upon period. This procedure ensures that all identified problems are addressed effectively and promptly.

Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.

The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the TISAX® process with the corresponding test label. In contrast to other certifications, there is no TISAX® certificate.


What Does the TISAX® Assessment Cost?

The cost of a TISAX® assessment is contingent on two primary factors: the scope of assessment and the protection goals you intend to accomplish. Assessments come in different scopes with different numbers of locations per scope. Your selection of the scope should be in line with your unique protection goals and the size of your organization. The complexity and extent of the assessment will influence the overall cost.

If you are interested in participating in the TISAX® process, it is advisable to initiate a conversation with DQS Inc., your approved audit service provider, at the earliest opportunity. This early engagement enables us to assess the scope of your assessment accurately and provide a customized quote tailored to your organization's specific TISAX® assessment requirements.

Show more
Show less

What you can expect from DQS Inc.

  • DQS Inc. is an approved audit service provider for TISAX®
  • Value-adding insights into information security in your organization
  • Accreditations for all relevant regulations in the automotive industry
  • Our team of auditors and experts are experienced professionals with industry-specific knowledge, ensuring that you receive specialized and experienced guidance.
  • Over 35 years of Global experience in the certification of management systems and processes
  • Certificates and Labels with international acceptance
  • Receive personalized and continuous assistance from our team of specialists based in the United States, with the added benefit of international support when needed.
  • Customized quotes with flexible contract terms and no hidden costs
Show more
Show less

Request a quote

Your local contact

We are happy to provide you with a customized quote for TISAX .

Free TISAX® Webinar - Assessments FAQ and Lessons Learned

Join Sandeep Pauddar on Wednesday, May 1st 2024 from 10:00 AM - 11:00 AM CST for an engaging session where he'll provide a comprehensive overview of TISAX®, offering valuable insights into key concepts, requirements, and best practices. Whether you're new to TISAX® or seeking a refresher, this webinar is will act as a comprehensive guide to understanding this framework. Plus, stick around for a live Q&A session to get all of your questions answered by our industry expert.

Register Now