Do you have to provide proof of the security of information provided to you in accordance with the requirements of the "VDA Information Security Assessment" (VDA ISA)? Our standards expert André Saeckel provides answers to important questions aboutTISAX® - the joint testing and exchange procedure in the automotive industry. The circle of companies affected by this is larger than perhaps initially assumed. In addition to the classic Tier 1 supplier,TISAX® certification is also increasingly required from suppliers at other sublevels - as well as from service providers in the areas of data processing or advertising, for example, i.e. from partner companies of the automotive industry in the broadest sense.
- What doesTISAX® stand for?
- What are the benefits ofTISAX®?
- Who monitorsTISAX®?
- What is an assessment level?
- Is TISAX® also for non-manufacturing companies?
- TISAX® certification without customer requirement?
- Is the content ofTISAX® analogous to ISO 27001?
- Is a combined audit ofTISAX® and ISO 27001 recommended?
- How do I define theTISAX® assessment scope?
- How long do the individual assessments take?
- What are major and minor non-conformities?
- WillTISAX® replace VDA prototype protection?
- What can DQS do for me?
What doesTISAX® stand for?
TISAX® - Trusted Information Security Assessment eXchange
TISAX® is a common assessment and exchange procedure for the automotive sector. It is based on an information security questionnaire (ISA - Information Security Assessment) developed by the VDA working group "Information Security", which was first used by member companies of the German Association of the Automotive Industry (VDA) for audits of suppliers and service providers in whose companies sensitive information is processed. Version 5.0 of the VDA ISA questionnaire has been available since July 2020. Since October 1, 2020, this version has been mandatory for all new TISAX®-assessments.
In addition,TISAX® is based on essential requirements of the internationally recognized standard for information security: ISO 27001. It is applicable across all industries and defines requirements, rules and methods for ensuring the security of information within a company. In its requirements, the standard goes beyond the protection of IT technical systems and includes all corporate assets worthy of protection, e.g. premises, security controls and archives. In other words: ISO 27001 ensures the protection of all information that is of value to an organization.
What are the benefits ofTISAX®?
- TISAX® creates a uniform level of information security in the automotive industry
- Assessment results are recognized across companies among allTISAX® participants, leading to greater confidence in audited companies
- Unnecessary duplicate and multiple audits are avoided through mutual recognition in theTISAX® network
- The assessment for TISAX® certification takes place only every three years, which saves time and money
TISAX® is a registered trademark of the ENX Association, based in Frankfurt am Main and Paris. As a neutral body, it is entrusted with the implementation ofTISAX®. ENX is the association of European automotive manufacturers, suppliers and four national automotive associations, including the VDA, which founded ENX in 2000. The ENX Association monitors the quality of the implementation and grants approval to assessment service providers according to a strict procedure. DQS is listed with ENX as an approved audit service provider and can perform assessments worldwide. Our experts are always available to answer your questions.
In order to achieve mutual recognition of the assessments by the participants, ENX concludes corresponding contracts with all approved audit service providers as well as with the participants in theTISAX® network. Through standardization and quality monitoring, ENX achieves common recognition of assessment results among all participants. Unnecessary duplicate and multiple assessments are avoided.
Questions and answers aboutTISAX®: What is an assessment level?
TISAX® distinguishes between three assessment levels (protection requirements), depending on the protection required: normal (level 1), high (level 2) and very high (level 3). The audit method and the audit effort depend on this.
Level 1: Self-assessment without plausibility check, usually for internal purposes only. These assessment results have only limited significance and are not used inTISAX®.
Level 2: Plausibility check of your self-assessment by an audit service provider such as DQS. These information security audits are usually conducted as a telephone conference, not as on-site audits - unless one of the prototype protection audit objectives applies or you explicitly request this.
Level 3: Plausibility check of your self-assessment by an audit service provider through an in-depth, comprehensive on-site audit.
Is the introduction ofTISAX® also a must for non-manufacturing companies?
The answer to this question depends on the context of your business: Whether or not you need to implementTISAX® depends on your OEM (original equipment manufacturer), or whether they require you to provide this proof of information security. Unless the car manufacturer specifically approaches you, or you see a change in the T&C, it is recommended to wait and see. In the past, companies were contacted by the OEM about the requirements for further cooperation when necessary. However, it is of course up to you to proactively inquire with your partners in the automotive industry.
Does it make sense to strive forTISAX® certification even without a customer requirement?
Taking a proactive approach to the topic of information security generally makes a lot of sense these days, and not just for suppliers in the automotive industry. If your OEM does not (yet) specify whichTISAX® label is expected of you, it is a good idea to demonstrate Level 3 (Assessment Level 3: very high information security). In this way, you are prepared for all future requirements without having to duplicate work. Alternatively, the globally recognized ISO/IEC 27001 standard offers a good, cross-industry introduction to information security.
ISO 27001 - Information security management system
Holistic management system according to ISO standard ★ Effective implementation of a risk management process ★ Continuous improvement of the security level
Is the content ofTISAX® analogous to ISO 27001?
TheTISAX® assessment catalog is derived from the international standard ISO 27001 and draws on the "controls" (measures) defined therein. They describe how the respective requirements (must, should) can be implemented, how processes are to be ensured and which tools can be used. A key difference between the two standards is that TISAX® requires a certain maturity level to be reached.
Is a combined audit ofTISAX® and ISO 27001 recommended?
A combined audit is definitely possible and can be performed by DQS at any time. AllTISAX® auditors at DQS are also authorized auditors for ISO 27001, which means that both assessments for information security can be carried out at the same time with little additional effort.
"TheTISAX® system is the first to offer the possibility of ensuring a uniform level of information security across the entire automotive industry, based on the robust foundation of the VDA questionnaire and the ISO 27001 principles."
Do I have to be certified to ISO 27001 beforeTISAX®?
The answer to this question is: No. Because there is no requirement that a certified information security management system in accordance with ISO 27001 must already exist. For the TISAX® assessment, you only have to prove that you work according to an information security management system and that the corresponding processes and procedures are implemented in a stable manner in the company. This assessment is carried out by the auditor, who also uses the documents to assign a maturity level.
What are the advantages of already having an ISO 27001 certification?
If you can already provide evidence of an ISO 27001 certificate, this is of course always an advantage. If only because for TISAX®youhave to prove that you have an implemented information security management and both sets of rules have a similar coverage.
"Digitization of the automotive industry: The number of applications and data in vehicles is exploding, and with it the attack surfaces and damage potential in information security are also growing."
But please note: The definition of theTISAX® audit scope may differ from the definition required for ISO 27001 certification. The underlying concepts are not identical. For larger organizations, registration of multiple audit scopes may also be considered.
Is the "process definition" of ISO 9001 analogous toTISAX®?
The answer to this question is "yes". In principle, the definition and structure of the processes in the corresponding sets of rules is always the same. The TISAX® assessment catalog also states quite specifically from which controls KPIs must be determined and from which they must not. The creation of KPIs is backed up with examples to ensure information security in the automotive industry. A look at the VDA ISA questionnaire therefore helps with an initial overview.
Is an IT security officer recommended for the implementation ofTISAX®?
It is not mandatory that the person responsible for introducingTISAX® come from the IT department. However, since IT-supported processes are involved, some IT knowledge is definitely advantageous.
How do I define theTISAX® assessment scope?
ENX offers a standard scope that is adopted by 90% of allTISAX® participants. The default scope is predefined and cannot be changed. If you find during the preparation for your assessment that the standard scope does not fit, you can adjust the scope of your exam under certain circumstances. In individual cases, OEMs may require the expanded scope. However, these special cases are rare and will be discussed in detail with you by the respective OEM. Normally, the standard scope is sufficient. It is the basis for aTISAX® assessment and is accepted by all participants.
Is one assessment scope sufficient for all sites?
A single scope that includes all sites offers advantages but also disadvantages.
- Only one inspection result, one inspection report, one expiration date
- Reduced costs, since central processes, procedures and resources only need to be assessed once
- The audit result is only available after all sites have been assessed
- The audit result depends on all sites passing the audit, i.e. if only one site fails the audit, you will not receive a positive audit result
Can the assessment scope be isolated, e.g. to "security critical employees"?
ENX answers this question about TISAX® unambiguously: All employees who come into contact with sensitive information from the automotive industry must be included in the scope. This can also be, for example, a machine operator who works with a customer's construction plan. Your company must define for itself which employees are involved in processes that are relevant to information security.
Is it true that with ENX, the application for aTISAX® audit must be submitted first and only then can the audit provider be selected?
Yes, this is correct. Following your online registration at www.enx.com/tisax/ and approval of the assessment scope by ENX, you will receive a list of all approved assessment service providers. However, you can also view the list in advance at ENX. DQS is listed as a service provider at ENX and can perform assessments worldwide. For questions and answers regarding information security in the automotive industry, please do not hesitate to contact our experts.
Does an inquiry make sense at all if the maturity level is too low?
If you determine in a self-assessment that your company still has some catching up to do in terms of information security, a request for assessment does not make sense for the time being. It is recommended that you first close the identified gaps and then consider an audit.
How long do the individual assessments take?
The answer to the question about the duration of individual assessments depends on the size of your company and the travel involved in auditing your sites. For an average company size, 2-3 days on site are sufficient for the assessment process.
How long does it take for a company to be considered certified?
The entireTISAX® audit process can take a maximum of nine months. It begins with the initial audit and ends with the last follow-up audit. If the assessment process cannot be completed within the specified period, you will not receive aTISAX® label.
We would also be happy to answer your questions in a personal meeting.
Without obligation and free of charge.
If your company meets all the criteria or shows only minor nonconformities, the assessment report is submitted to ENX. As soon as this has been accepted, you will receive your (temporary)TISAX® label. If there are major nonconformities that must first be rectified, the label is valid from the day on which the non-conformity is deemed to have been rectified.
Questions and answers aboutTISAX®: What areTISAX® labels?
Labels are the result of the assessment process and summarize your result. They are hierarchically linked to each other. I.e. if you receive a certain label, you automatically receive the "labels below" it. The labels can only be viewed in the ENX portal. Their validity period is usually three years.
What are major and minor nonconformities?
A major non-conformity is when the non-conformity raises doubts about the overall effectiveness of your information security management system or when it causes significant information security risks. This is the case, for example, if two-factor identification is required and this has not yet been implemented.
A minor non-conformity exists, for example, if the non-conformity neither calls into question the overall effectiveness of your information security management system nor poses a significant risk to information security in the automotive industry. For example, isolated or sporadic errors and implementation deficiencies.
Do I also need to submit evidence of the effectiveness of individual measures?
The answer is "yes." After you have created your catalog of measures and implemented them, their effectiveness will be verified. For this reason, the certification process also provides for a period of nine months.
How can I determine the number of employees "in advance"?
Specifically: How can I determine the exact number of employees in advance if additional employees may not be hired until after the contract with our client has been signed?
The range in which the employees are classified for TISAX® is significantly larger than for the international standard ISO 27001.TISAX® classifies the number of employees, for example, in 0-50, 51-150, etc. So if you know approximately how many new employees will be hired, you can place yourself in an appropriate range.
How many documents should be available in order to comply withTISAX®?
It is not possible to make a general statement here. It always depends on the size and activity of your company. Theoretically, you can cover everything in a single document, as long as you have a clear overview. However, it is advisable to create several documents that cover related topics.
WillTISAX® replace VDA prototype protection?
SinceTISAX® includes a separate module for prototype protection, which goes into much more detail about the individual criteria than was previously the case, it can be assumed that in the long termTISAX® will replace the previous sets of rules for information security in the automotive industry. Currently, however, the VDA prototype protection version 3.0 of 2018 is still valid.
Questions and answers aboutTISAX® - What can DQS do for me?
DQS is listed with ENX as an approved audit service provider and can perform assessments worldwide. All our TISAX ®auditors are also approved auditors for the international standard ISO 27001, which means that both standards can be assessed by DQS at the same time and with little additional effort. Our experts will be happy to answer your questions about information security in the automotive industry. We look forward to talking to you.
Do you have any questions?
No obligation and free of charge.
Expertise and trust
Our technical articles are written exclusively by our in-house standards experts and long-term auditors. If you have any questions regarding the content or our authors, please feel free to contact us.