Do you have to provide proof of the security of information provided to you in accordance with the requirements of the "VDA Information Security Assessment" (VDA ISA)? Our standards expert André Saeckel provides answers to important questions about TISAX® - the joint testing and exchange procedure in the automotive industry. The circle of companies affected by this is larger than perhaps initially assumed. In addition to the classic Tier 1 supplier, TISAX® certification is also increasingly required from suppliers at other sublevels - as well as from service providers in the areas of data processing or advertising, for example, i.e. from partner companies of the automotive industry in the broadest sense.

Loading...

What does TISAX® stand for?

TISAX® - Trusted Information Security Assessment eXchange

TISAX® is a common assessment and exchange procedure for the automotive sector. It is based on an information security questionnaire (ISA - Information Security Assessment) developed by the VDA working group "Information Security", which was first used by member companies of the German Association of the Automotive Industry (VDA) for audits of suppliers and service providers in whose companies sensitive information is processed. Version 5.0 of the VDA ISA questionnaire has been available since July 2020. Since October 1, 2020, this version has been mandatory for all new TISAX®-assessments.

In addition, TISAX® is based on essential requirements of the internationally recognized standard for information security: ISO 27001. It is applicable across all industries and defines requirements, rules and methods for ensuring the security of information within a company. In its requirements, the standard goes beyond the protection of IT technical systems and includes all corporate assets worthy of protection, e.g. premises, security controls and archives. In other words: ISO 27001 ensures the protection of all information that is of value to an organization.

What are the benefits of TISAX®?

  • TISAX® creates a uniform level of information security in the automotive industry
  • Assessment results are recognized across companies among all TISAX® participants, leading to greater confidence in audited companies
  • Unnecessary duplicate and multiple audits are avoided through mutual recognition in the TISAX® network
  • The assessment for TISAX® certification takes place only every three years, which saves time and money

Who monitors TISAX®?

TISAX® is a registered trademark of the ENX Association, based in Frankfurt am Main and Paris. As a neutral body, it is entrusted with the implementation of TISAX®. ENX is the association of European automotive manufacturers, suppliers and four national automotive associations, including the VDA, which founded ENX in 2000. The ENX Association monitors the quality of the implementation and grants approval to assessment service providers according to a strict procedure. DQS is listed with ENX as an approved audit service provider and can perform assessments worldwide. Our experts are always available to answer your questions.

In order to achieve mutual recognition of the assessments by the participants, ENX concludes corresponding contracts with all approved audit service providers as well as with the participants in the TISAX® network. Through standardization and quality monitoring, ENX achieves common recognition of assessment results among all participants. Unnecessary duplicate and multiple assessments are avoided.

Questions and answers about TISAX®: What is an assessment level?

TISAX® distinguishes between three assessment levels (protection requirements), depending on the protection required: normal (level 1), high (level 2) and very high (level 3). The audit method and the audit effort depend on this.

Level 1: Self-assessment without plausibility check, usually for internal purposes only. These assessment results have only limited significance and are not used in TISAX®.

Level 2: Plausibility check of your self-assessment by an audit service provider such as DQS. These information security audits are usually conducted as a telephone conference, not as on-site audits - unless one of the prototype protection audit objectives applies or you explicitly request this.

Level 3: Plausibility check of your self-assessment by an audit service provider through an in-depth, comprehensive on-site audit.

Is the introduction of TISAX® also a must for non-manufacturing companies?

The answer to this question depends on the context of your business: Whether or not you need to implement TISAX® depends on your OEM (original equipment manufacturer), or whether they require you to provide this proof of information security. Unless the car manufacturer specifically approaches you, or you see a change in the T&C, it is recommended to wait and see. In the past, companies were contacted by the OEM about the requirements for further cooperation when necessary. However, it is of course up to you to proactively inquire with your partners in the automotive industry.

Does it make sense to strive for TISAX® certification even without a customer requirement?

Taking a proactive approach to the topic of information security generally makes a lot of sense these days, and not just for suppliers in the automotive industry. If your OEM does not (yet) specify which TISAX® label is expected of you, it is a good idea to demonstrate Level 3 (Assessment Level 3: very high information security). In this way, you are prepared for all future requirements without having to duplicate work. Alternatively, the globally recognized ISO/IEC 27001 standard offers a good, cross-industry introduction to information security.

ISO 27001 - Information security management system

Holistic management system according to ISO standard ★ Effective implementation of a risk management process ★ Continuous improvement of the security level

Is the content of TISAX® analogous to ISO 27001?

The TISAX® assessment catalog is derived from the international standard ISO 27001 and draws on the "controls" (measures) defined therein. They describe how the respective requirements (must, should) can be implemented, how processes are to be ensured and which tools can be used. A key difference between the two standards is that TISAX® requires a certain maturity level to be reached.

Is a combined audit of TISAX® and ISO 27001 recommended?

A combined audit is definitely possible and can be performed by DQS at any time. All TISAX® auditors at DQS are also authorized auditors for ISO 27001, which means that both assessments for information security can be carried out at the same time with little additional effort.

"The TISAX® system is the first to offer the possibility of ensuring a uniform level of information security across the entire automotive industry, based on the robust foundation of the VDA questionnaire and the ISO 27001 principles."

Do I have to be certified to ISO 27001 before TISAX®?

The answer to this question is: No. Because there is no requirement that a certified information security management system in accordance with ISO 27001 must already exist. For the TISAX® assessment, you only have to prove that you work according to an information security management system and that the corresponding processes and procedures are implemented in a stable manner in the company. This assessment is carried out by the auditor, who also uses the documents to assign a maturity level.

What are the advantages of already having an ISO 27001 certification?

If you can already provide evidence of an ISO 27001 certificate, this is of course always an advantage. If only because for TISAX®you have to prove that you have an implemented information security management and both sets of rules have a similar coverage.

"Digitization of the automotive industry: The number of applications and data in vehicles is exploding, and with it the attack surfaces and damage potential in information security are also growing."

But please note: The definition of the TISA audit scope may differ from the definition required for ISO 27001 certification. The underlying concepts are not identical. For larger organizations, registration of multiple audit scopes may also be considered.

Is the "process definition" of ISO 9001 analogous to TISAX®?

The answer to this question is "yes". In principle, the definition and structure of the processes in the corresponding sets of rules is always the same. The TISAX® assessment catalog also states quite specifically from which controls KPIs must be determined and from which they must not. The creation of KPIs is backed up with examples to ensure information security in the automotive industry. A look at the VDA ISA questionnaire therefore helps with an initial overview.

Is an IT security officer recommended for the implementation of TISAX®?

It is not mandatory that the person responsible for introducing TISAX® come from the IT department. However, since IT-supported processes are involved, some IT knowledge is definitely advantageous.

How do I define the TISAX® assessment scope?

ENX offers a standard scope that is adopted by 90% of all TISAX® participants. The default scope is predefined and cannot be changed. If you find during the preparation for your assessment that the standard scope does not fit, you can adjust the scope of your exam under certain circumstances. In individual cases, OEMs may require the expanded scope. However, these special cases are rare and will be discussed in detail with you by the respective OEM. Normally, the standard scope is sufficient. It is the basis for a TISAX® assessment and is accepted by all participants.

Is one assessment scope sufficient for all sites?

A single  scope that includes all sites offers advantages but also disadvantages.

Advantages

  • Only one inspection result, one inspection report, one expiration date
  • Reduced costs, since central processes, procedures and resources only need to be assessed once

Disadvantages

  • The audit result is only available after all sites have been assessed
  • The audit result depends on all sites passing the audit, i.e. if only one site fails the audit, you will not receive a positive audit result

Can the assessment scope be isolated, e.g. to "security critical employees"?

ENX answers this question about TISAX® unambiguously: All employees who come into contact with sensitive information from the automotive industry must be included in the scope. This can also be, for example, a machine operator who works with a customer's construction plan. Your company must define for itself which employees are involved in processes that are relevant to information security.

Is it true that with ENX, the application for a TISAX® audit must be submitted first and only then can the audit provider be selected?

Yes, this is correct. Following your online registration at www.enx.com/tisax/ and approval of the assessment scope by ENX, you will receive a list of all approved assessment service providers. However, you can also view the list in advance at ENX. DQS is listed as a service provider at ENX and can perform assessments worldwide. For questions and answers regarding information security in the automotive industry, please do not hesitate to contact our experts.

Does an inquiry make sense at all if the maturity level is too low?

If you determine in a self-assessment that your company still has some catching up to do in terms of information security, a request for assessment does not make sense for the time being. It is recommended that you first close the identified gaps and then consider an audit.

How long do the individual assessments take?

The answer to the question about the duration of individual assessments depends on the size of your company and the travel involved in auditing your sites. For an average company size, 2-3 days on site are sufficient for the assessment process.

How long does it take for a company to be considered certified?

The entire TISAX® audit process can take a maximum of nine months. It begins with the initial audit and ends with the last follow-up audit. If the assessment process cannot be completed within the specified period, you will not receive a TISAX® label.

TISAX® assessment

We would also be happy to answer your questions in a personal meeting.

Without obligation and free of charge.

If your company meets all the criteria or shows only minor nonconformities, the assessment report is submitted to ENX. As soon as this has been accepted, you will receive your (temporary) TISAX® label. If there are major nonconformities that must first be rectified, the label is valid from the day on which the non-conformity is deemed to have been rectified.

Questions and answers about TISAX®: What are TISAX® labels?

Labels are the result of the assessment process and summarize your result. They are hierarchically linked to each other. I.e. if you receive a certain label, you automatically receive the "labels below" it. The labels can only be viewed in the ENX portal. Their validity period is usually three years.

What are major and minor nonconformities?

A major non-conformity is when the non-conformity raises doubts about the overall effectiveness of your information security management system or when it causes significant information security risks. This is the case, for example, if two-factor identification is required and this has not yet been implemented.

A minor non-conformity exists, for example, if the non-conformity neither calls into question the overall effectiveness of your information security management system nor poses a significant risk to information security in the automotive industry. For example, isolated or sporadic errors and implementation deficiencies.

Do I also need to submit evidence of the effectiveness of individual measures?

The answer is "yes." After you have created your catalog of measures and implemented them, their effectiveness will be verified. For this reason, the certification process also provides for a period of nine months.

How can I determine the number of employees "in advance"?

Specifically: How can I determine the exact number of employees in advance if additional employees may not be hired until after the contract with our client has been signed?

The range in which the employees are classified for TISAX® is significantly larger than for the international standard ISO 27001. TISAX® classifies the number of employees, for example, in 0-50, 51-150, etc. So if you know approximately how many new employees will be hired, you can place yourself in an appropriate range.

How many documents should be available in order to comply with TISAX®?

It is not possible to make a general statement here. It always depends on the size and activity of your company. Theoretically, you can cover everything in a single document, as long as you have a clear overview. However, it is advisable to create several documents that cover related topics.

Will TISAX® replace VDA prototype protection?

Since TISAX® includes a separate module for prototype protection, which goes into much more detail about the individual criteria than was previously the case, it can be assumed that in the long term TISAX® will replace the previous sets of rules for information security in the automotive industry. Currently, however, the VDA prototype protection version 3.0 of 2018 is still valid.

Questions and answers about TISAX® - What can DQS do for me?

DQS is listed with ENX as an approved audit service provider and can perform assessments worldwide. All our TISAX ®auditors are also approved auditors for the international standard ISO 27001, which means that both standards can be assessed by DQS at the same time and with little additional effort. Our experts will be happy to answer your questions about information security in the automotive industry. We look forward to talking to you.

Do you have any questions?

Contact us!

No obligation and free of charge.

Expertise and trust

Our technical articles are written exclusively by our in-house standards experts and long-term auditors. If you have any questions regarding the content or our authors, please feel free to contact us. 

Author
André Saeckel

Product manager at DQS for information security management. As a standards expert for the area of information security and IT security catalog (critical infrastructures), André Säckel is responsible for the following standards and industry-specific standards, among others: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization DIN.

Loading...
<p>DQS Standard Expert Information Security</p>