TISAX® Certification and Assessment with DQS

TISAX® Assessment - Information security in the automotive industry

Are you an automotive supplier or service provider? Then you need to prove the availability of your services or the security of the sensitive information you receive. You are also expected to provide proof of the correct handling of prototypes. As a participant in the TISAX® process, this is possible through a corresponding assessment, which only needs to be carried out every three years. The TISAX® certification is valid for all industries and defines your company's information security requirements.

Mutual recognition among all TISAX® participants

Suppliers and service providers achieve greater trust in your audited company

The assessment for TISAX® certification takes place only every three years

Saving time and costs by participating in the TISAX® network

Basic information about the TISAX® assessment

TISAX® is a common assessment and exchange procedure for the automotive sector. It is based on the questionnaire (ISA - Information Security Assessment) developed by the VDA working group "Information Security", which in turn is based on key aspects of the international standard ISO/IEC 27001 and has been extended to include a maturity model.

ISA also refers to ISO/SAE 62443-2-1 for industrial control systems for the automation and monitoring of industrial production facilities (IACS) and operational technologies (OT).

In addition, the responsible bodies at the German Association of the Automotive Industry (VDA) have created the conditions for establishing the joint assessment and exchange mechanism under the name TISAX® (Trusted Information Security Assessment eXchange). TISAX® is a registered trademark of the ENX Association. The Association of European automotive manufacturers, automotive suppliers and automotive associations monitors the quality of TISAX® assessments and controls the approval of TISAX® audit service providers.

More than 10,000 locations have now been assessed according to TISAX®, making this standard the second most widely implemented set of rules for information security worldwide after ISO 27001. VDA and ENX have formed international working groups for TISAX® and the ISA catalog to develop the standard further. At the same time, this promotes closer cooperation with the global automotive industry. With TISAX 6.0, the updated form of the assessment and exchange procedure was published in the fall of 2023.

Show less

TISAX® 2.2 - Mandatory from April 1, 2024 - Transition notes

TISAX® assessments that were commissioned by March 31, 2024 can be performed according to the old ISA version 5.1. Initial or recertification assessments commissioned from April 1, 2024 onwards will be carried out exclusively according to the new TISAX® procedure in accordance with the ISA catalog 6.0. Audit activities that are dependent on existing audits, such as corrective action plan assessments, follow-up assessments, scope extension assessments or continued simplified group assessments, will continue to be performed in accordance with the version under which the original audit was performed.

Information on the key changes in the new ISA 6.0 can be found in our blog post "New ISA Catalog 6.0".

The new ISA Catalog 6.0 is an important milestone for TISAX®. The assessment catalog leads to adjustments of the requirements for audit providers, which were defined in the TISAX® ACAR 2.2 regulations. The change of the main language to English underlines the global perspective and the joint efforts for worldwide development. Further translations of TISAX VDA 6.0 are planned.

The most important changes in the new ISA catalog 6.0 are

Changes to the security labels:

The Information Security label is replaced by the Availability and Confidentiality labels. Depending on your role in the supply chain, Availability or Confidentiality or both may be relevant to you.
An existing "Information Security High" label will be replaced with the combined "Availability High" and "Confidential" labels. The same applies to an existing Information Security Very High label. It will be replaced by "Availability very high" and "Strictly confidential".
Both labels must meet the same set of baseline requirements. In addition, each label has specific requirements for high and very high protection needs. The assessment process is driven by the labels, taking into account your role in the supply chain. It is therefore worth checking with your customers which labels are relevant to your role.

Increased focus on information security and OT systems in the supply chain

Relevant companies in the supply chain must meet "high availability" or "very high availability" requirements.
Emphasis on Operational Technology (OT) systems in production and other areas in the TISAX® assessment.
References to IEC 62443-2-1 and new ISA catalog requirements promote OT focus.
Inclusion of Industrial Communication and Control Systems (IACS).
Companies in this category must demonstrate adequate protection of sensitive data in development and production.
Many of the requirements overlap with "High Sensitivity" or "Very High Sensitivity".
Companies in the supply chain that are not highly relevant but are entrusted with sensitive information must demonstrate that this information can be adequately protected.
The "Confidential" or "Strictly Confidential" labels are used to select the TISAX® requirements that contribute to this protection objective.
The main purpose of the selective assessment described above is to ensure that companies only have to meet the requirements of the ISA catalog that are relevant to their role.

New Challenges for Manufacturing Companies

OT systems must be subject to management similar to that which is generally required for TISAX® IT systems.
As a result, the OT in asset management is identified with its specific risks, analyzed for potential vulnerabilities, managed by competent employees, subjected to ISMS-compliant processes for remote maintenance and other best management practices.

Show less

What are the advantages of a TISAX® assessment for your company?

As a service provider or supplier in the automotive industry, you need to prove to your customers that you comply with information security requirements. Until now, these assessments were primarily performed by the manufacturers themselves. Registered participants in the TISAX® network can now select an audit service provider via a common online platform and request an assessment. The advantages for companies outweigh the disadvantages:

Duplicate and multiple assessments by different clients can be avoided, saving time and money.
Cross-company recognition of assessments for TISAX® participants
Reliable results thanks to the harmonized assessment catalog, which ensures a consistent assessment process
Increased trust in the assessed company through a TISAX® label

After a successful assessment you will receive a TISAX® label on the TISAX® online platform. This label is comparable to a certificate and serves to strengthen the trust in your company and to confirm your efforts to ensure information security.

Show less

How does TISAX® work?

In TISAX®, participants can take on two different roles: the "Information Consumer" (passive), for example is a manufacturer who would like to receive information about a vendor, and the "Information Contributor" (active), for example is a parts supplier or service provider who would like to be audited for suitability in order to receive orders from manufacturers.

A company can also take on both participant roles. Anyone wishing to participate in TISAX® as an Information Contributor must take the following four main steps:

1. Register online at www.enx.com/TISAX
2. Select an ENX-approved audit service provider such as DQS
3. Undergo a TISAX® assessment
4. Exchange the audit results on the TISAX® online platform.

If a company is interested in your TISAX® results, it can register with ENX as an "Information Consumer". You can decide for each Information Consumer whether you want to share your current TISAX® status with them.

How does a TISAX® assessment work?

Before you start with the TISAX^®assessment, your company must define a clear scope. This includes the assessment level, which defines the specific assessment requirements. These requirements may include ensuring the "availability" of production capacities, guaranteeing the "confidentiality" of entrusted information, or securing "prototype parts" and "personal data". These baseline criteria apply to all sites within the scope.

A key challenge is to combine sites with similar requirements into a single scope. DQS can provide valuable design guidance on whether it should be a single comprehensive scope or multiple scopes. In principle, there are advantages to combining sites under one scope in the form of a possible reduction in audit effort if all sites operate under a centralized ISMS.

In the first step, you select an approved audit service provider. In the second step, there is a kick-off, the document review (self-assessment, not on-site) and a subsequent assessment (Level 2: not on-site, Level 3: on-site).

Please note: There is an alternative method for conducting an assessment in Assessment Level 2. Instead of a plausibility check, your audit service provider conducts a full remote assessment. This method is sometimes referred to as "Assessment Level 2.5." The advantage of an Assessment Level 2.5 is that the approach is methodologically compatible with Assessment Level 3. It is therefore possible to upgrade to a full Assessment Level 3 exam at a later date with manageable effort.

The results of the TISAX^® audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed upon period. This procedure ensures that all identified problems are addressed effectively and promptly.

Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.

The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the TISAX^® process with the corresponding test label. In contrast to other certifications, there is no TISAX^® certificate.

What does the TISAX® assessment cost?

Two important factors influence the scope of the entire assessment and thus the costs. TISAX® assessments are possible on the basis of an extended scope, a standard scope, or a restricted scope. Your decision for a scope should be well prepared and determined by the desired protection goals, but also by the size of your company.

The protection goals, for example, are about whether you want to include topics such as prototype protection or data protection in the assessment. If you want to get involved in the TISAX® procedure, talk to DQS, your approved audit service provider, as early as possible. This is the only way we can determine the correct calculation for the assessment scope, and provide you with a reliable quote for the cost of your TISAX® certification.

Show less

What you can expect from us

DQS is an approved audit service provider of the ENX Association
Value-adding insights into information security in your organization
Accreditations for all relevant regulations in the automotive industry
Industry-experienced auditors and experts from the field

More than 35 years of experience in the certification of management systems and processes
Certificates with international acceptance
Personal, smooth support from our specialists - regionally, nationally and internationally
Individual offers with flexible contract terms without hidden costs

Show less

TISAX® Assessment

DQS GmbH is a registered TISAX® participant and has undergone a TISAX® assessment for the "Information Security Very High" label at Assessment Level 3. TISAX® assessments are performed by ENX accredited assessment service providers. TISAX® assessment results are not intended for the general public. The result of the assessment at DQS GmbH is available to registered participants via the ENX portal: https://portal.enx.com/

Download the document here