TISAX CONSULTING
TRUSTED INFORMATION SECURITY ASSESSMENT EXCHANGE

Introduction to TISAX

Why is TISAX Crucial for Your Business?

In any business relationship, the exchange of confidential information is vital for value creation. When you receive sensitive data from partners, they need assurance that their information is protected with utmost care. The challenge arises in demonstrating your commitment to security in a tangible way. TISAX addresses this need by providing a standardized framework that defines and verifies secure information handling practices, ensuring partners can trust you with their critical data.

Who Sets the Benchmark for “Secure”?

In the vast landscape of information security, defining what constitutes “secure” handling of information is not a novel challenge. Standards such as ISO/IEC 27001 exist to offer a consolidated approach to managing information security, offering a blueprint that saves companies from reinventing security protocols. By adhering to established standards, businesses can ensure a harmonized, secure exchange of information, crucial for maintaining trust and efficiency in partnerships.

The Automotive Industry’s Unique Security Needs

General security standards may not fully cater to the specific requirements of the automotive industry. Recognizing this, automotive industry associations, such as the Verband der Automobilindustrie (VDA), have developed tailored standards that address these unique needs. The Information Security Assessment (ISA), a product of collective efforts within the automotive sector, defines security benchmarks specifically designed for this industry, ensuring that automotive companies can secure their information in line with industry-specific challenges.

Streamlining the Proof of Security

Repeatedly proving the same level of information security management to various partners is inefficient and burdensome. This challenge has been acknowledged by OEMs and suppliers alike within the automotive industry. To alleviate this redundancy and enhance efficiency, the Trusted Information Security Assessment Exchange (TISAX) was introduced. TISAX allows companies to prove their security measures effectively through a universally accepted assessment, reducing the need for multiple audits and fostering a more streamlined process for verifying information security across the automotive industry.

TISAX Process

Registration

Start your TISAX compliance with the essential ENX online registration, which collects your company's information and sets the assessment's scope. This initial step involves a fee. Visit enx.com/en-US/TISAX/.

Assessment

The assessment phase involves preparation based on the ISA catalogue, selecting a TISAX audit provider, and undergoing the audit tailored to your partner's requirements. The process starts with an initial audit and may extend with additional steps such as corrective action plan and follow-up assessments.

Exchange

Share your assessment result with your partner. The content of the TISAX assessment report is structured in levels. You can decide up to which level your partner will have access. Your assessment result is valid for three years.


Registration

Important concepts for registration

Assessment Scope

The TISAX assessment scope is critical for ensuring your company meets partner requirements for information security. It encompasses all areas of your business that handle confidential partner information. Defining a precise scope is vital for accurate audit and cost estimation. TISAX distinguishes between your Information Security Management System (ISMS) scope and the assessment scope, allowing flexibility in what’s audited versus your overall ISMS. The standard assessment scope, recommended for most, simplifies participation by setting a predefined audit area accepted across TISAX participants.

The scope encompasses all aspects of your organization that handle confidential and sensitive partner information. It’s crucial to accurately define this to ensure relevant areas are included in the TISAX assessment.

  • A predefined assessment scope designed to simplify the process for most organizations. It focuses on areas universally accepted as critical for information security, making it a suitable choice for a wide range of participants.

  • Offers flexibility by allowing organizations to adjust the predefined standard scope to better fit their specific needs, ensuring a more relevant and effective assessment.

  • Physical and virtual locations included in the assessment. This can range from entire sites to specific departments or systems, depending on where relevant information is processed, stored, or accessed.

Assessment Objectives

During the registration process for TISAX (Trusted Information Security Assessment Exchange), it’s essential to define your assessment objectives. These objectives are critical as they outline the specific requirements your information security management system (ISMS) must meet, depending on the type of data you manage for your partner. Selecting the appropriate assessment objectives is key to simplifying communication with both your partner and TISAX auditors, as it provides a clear reference point for the assessment process. This section will guide you on how to choose suitable assessment objectives.

Information Security

Handling of information with high protection needs in the context of confidentiality (access to confidential information)

Companies handling information deemed highly sensitive regarding confidentiality, or typically marked as confidential under their own classification scheme (for example, as outlined in the VDA white paper on the harmonization of classification levels), should opt for this specific TISAX label. This recommendation applies particularly if the unauthorized release of such information might lead to significant repercussions, such as damage to reputation, legal penalties, or financial losses.

Criteria Catalogue: Information Security (Must, Should, High [marked with "C"])

Handling Of Information With Very High Protection Needs In The Context Of Confidentiality (Access To Strictly Confidential Information)

Companies that manage information requiring very high confidentiality measures, or that is usually classified as strictly confidential or secret according to their classification system (such as detailed in the VDA white paper on classification level harmonization), should choose this particular TISAX label. This label is advised especially when the risk of unauthorized disclosure could lead to dire or catastrophic consequences, including severe damage to reputation, significant legal repercussions, or extensive financial losses.

Criteria Catalogue: Information Security (Must, Should, High [marked with "C"], Very High [marked with "C"])

Handling of information with high protection needs in the context of availability (high availability of information)

For companies whose products or services are critical to their customers' production or delivery capabilities, and where any disruption could lead to significant harm to those customers in a short timeframe, this specific guidance applies. An example of such companies includes just-in-time suppliers of production materials, where timely delivery is essential to prevent production halts and substantial losses.

Criteria Catalogue: Information Security (Must, Should, High [marked with "A"])

Handling of information with very high protection needs in the context of availability (very high availability of information)

This label is for all companies whose customers' ability to produce and deliver depends on the short-term availability of the companies' products and services, and where a failure would cause very high damage to customers within a very short period of time. Example: just-in-time suppliers where a failure can quickly result in a comprehensive production standstill with a very long restart time.

Criteria Catalogue: Information Security (Must, Should, High [marked with "A"], Very High [marked with "A"])

Prototype Protection

Protection of Prototype Parts and Components

This directive is aimed at companies involved in manufacturing, storing, or utilizing components or parts supplied by customers that are deemed to need protection, at their own premises. The evaluation includes aspects of physical security and security concerning the surrounding environment. It also encompasses organizational requirements and particular stipulations for managing prototypes.

Criteria Catalogue: Prototype Protection - Chapters 8.1, 8.2, 8.3 (Must, Should)

Protection of Prototype Vehicles

This guideline is tailored for companies engaged in manufacturing, storing, or utilizing customer-provided vehicles that are classified as needing protection at their premises. The assessment includes requirements for physical security and considerations of the surrounding area, such as the availability of secure garages and workshop spaces. Additionally, organizational requirements and specific protocols for managing prototypes are evaluated. Upon passing this assessment, companies are awarded the TISAX label "Protection of prototype parts and components."

Criteria Catalogue: Prototype Protection - Chapters 8.1, 8.2, 8.3 (Must, Should, Additional Requirements for Vehicles)

Handling of Test Vehicles

This guideline applies to companies engaged in conducting tests and test drives, including those on public roads or test tracks, with vehicles provided by customers that are identified as needing protection. The assessment encompasses organizational requirements and specific protocols for managing prototypes, including camouflage techniques and the handling of vehicles during public test drives and on test tracks. While requirements for physical security and considerations of the surrounding area may not be central to this assessment, companies with appropriately equipped facilities are encouraged to also choose the assessment objective titled “Protection of prototype vehicles.”

Criteria Catalogue: Prototype Protection - Chapters 8.2, 8.3, 8.4 (Must, Should)

Protection of Prototypes during Events and Film or Photo Shoots

This guideline is for companies involved in showcasing or hosting events (such as market research, marketing events) and conducting film and photo shoots with vehicles, components, or parts provided by customers and classified as needing protection. The assessment covers organizational requirements and specific protocols for managing prototypes, including stipulations for conducting presentations, events, and filming or photography sessions both in secure environments and in public spaces. While the focus may not necessarily include requirements for physical security and the security of the surrounding area, companies with facilities that are suitably equipped should consider choosing the "Protection of prototype vehicles" as an additional assessment objective.

Criteria Catalogue: Prototype Protection - Chapters 8.2, 8.3, 8.5 (Must, Should)

Data Protection

Data protection according to Article 28 (“Processor”) of (GDPR)

If you handle personal data as a processor according to Article 28 of the GDPR, you probably have to select “Data”.

Criteria Catalogue: Information Security (Must, Should, High [marked with "C"])
Criteria Catalogue: Data Protection (Must)

Data protection according to Article 28 (“Processor”) of (GDPR) with special categories of personal data as specified in Article 9 of the GDPR

If you handle special categories of personal data (like health or religion) as a processor according to Article 28 of the GDPR, then you probably have to select “Special Data”.

Criteria Catalogue: Information Security (Must, Should, High [marked with "C"], Very High [marked with "C"])
Criteria Catalogue: Data Protection (Must)

Assessment Levels

TISAX categorizes information protection into three levels: normal, high, and very high, based on your partner’s classification. Correspondingly, there are three assessment levels (AL), with higher levels demanding more rigorous audit methods, thus ensuring increased precision and security in handling sensitive information.

Assessment Level 1

The auditor confirms only the existence of a self-assessment, without content analysis. Level 1 results, having low trust, are not utilized in TISAX, though partners may request them separately.


Evidence: No
Interviews: No
On-Site Inspection: No

No TISAX label

Assessment Level 2

Audits involve evidence checks and an interview, which can be web-based or in-person. For sensitive evidence, request an on-site inspection.


Evidence: Plausibility Check
Interviews: Via Web Conference
On-Site Inspection: At your request

Assessment Level 2.5

A "Level 2.5" assessment offers a full remote review by the audit provider, verifying ISMS requirements fulfillment without the on-site activities of Level 3. It's formally recognized as Level 2.


Opt for "Level 2.5" if aiming for Level 2 TISAX labels with potential future needs for Level 3, or if creating a detailed self-assessment is challenging. It facilitates future upgrades and reduces initial efforts.

Assessment Level 3

The audit process involves a thorough examination of relevant documents, conducting interviews with those in charge of processes, assessing the workplace environment, monitoring how processes are carried out, and spontaneous discussions with team members involved in the processes.


Evidence: Thorough Verification
Interviews: In person, on site
On-Site Inspection: Yes

Assessment

Important concepts for assessment

Assessment Process

The TISAX assessment involves a cyclical process where companies prepare their information security management systems (ISMS), undergo audits to identify gaps, address these gaps within specified timelines, and undergo further checks until all issues are resolved. Companies control the initiation of each phase and can exit the process at any point.

Assessment Macro Structure

  • You and the audit provider plan the details of the assessment process.

  • The audit provider checks your self-assessment.

  • The audit provider conducts the assessment(s).

Assessment Types

The TISAX assessment begins with an opening meeting, typically held via conference call, to verify prerequisites, introduce the project leader and team, and plan the assessment. The process varies based on assessment objectives and includes conference calls, interviews, and inspections. Findings are presented by the audit provider following the initial assessment.

The corrective action plan assessment ensures compliance with TISAX requirements. Submit your plan to the audit provider for review; if compliant, an updated TISAX assessment report is issued. This process, often brief, may involve a call, web conference, or email. Your plan should detail the finding addressed, root cause, corrective actions, implementation dates, compensating measures for critical risks, and justify the timeframes for implementation, with a maximum period of nine months. Upon completion, request the assessment.

The follow-up assessment verifies the resolution of all previously noted non-conformities. It’s initiated once all issues are believed to be addressed, with the option for multiple follow-ups if needed. Should new or existing non-conformities be found, the corrective action plan is updated for re-assessment. This process can occur through physical meetings or virtual calls.

About Conformity

The core aim of a TISAX assessment is to evaluate if your information security management system meets a specific set of criteria, with the audit provider determining its compliance with these requirements.

Step 1: Individual Requirement Checks
In the first step, each requirement is checked individually for conformity. Full compliance results in passing the assessment and earning corresponding TISAX labels. Any deviation is noted as a finding, with TISAX categorizing findings into four distinct types.

Major Nonconformity

Major nonconformities pose immediate significant risks to information security or cast doubt on the ISMS's effectiveness, requiring immediate compensatory measures and prompt corrective action.

Addressing Major Nonconformities

These include critical security risks and deficits in implementing confidential information protection, necessitating immediate and suitable corrective actions.

Minor Nonconformity

Minor nonconformities, which do not significantly threaten information security or question the ISMS's overall effectiveness, require prompt correction but represent less urgent issues.

Addressing Minor Nonconformities

These include isolated errors or non-compliance with specific requirements or policies, requiring timely corrective measures to prevent future risks.

Observations

Observations point out non-compliance that doesn't pose an immediate threat but could become a risk, necessitating careful monitoring and evaluation.

Managing Observations

Requires a thorough investigation of potential risks and a strategic approach to addressing the findings to mitigate future security issues.

Room for Improvement

Highlights deviations that aren't immediate risks but present clear opportunities for enhancing information security practices.

Approaching Improvement Opportunities

Provides flexibility in determining if and how to address these findings to strengthen information security measures.

Maturity Levels

The ISA evaluates your ISMS using “maturity levels” to reflect its sophistication. A “target maturity level” of 3 is set for each evaluation question.

Your overall score:

  • Reflects the cumulative maturity level of your ISMS.

  • Is calculated as the average of all individual question-level maturity scores.

  • Can equal but not exceed the highest possible score, aiming to closely match this maximum for a better chance at receiving TISAX labels.

Deviation allowance (measured against the highest possible score):

  • If your overall score falls more than 10% short, the assessment result is “minor non-conform”.

  • If it falls more than 30% short, the result escalates to “major non-conform”.

Maturity level 0: A process is not available, not followed or not suitable for achieving the objective. A process is not implemented or fails to achieve its process purpose. Little or no evidence exists of any systematic achievement of the process purpose.

Maturity level 1: An undocumented or incompletely documented process is followed and indicators exist that it achieves its objective.

Possible Evidence:

  • Work products providing evidence of process outcomes.

Maturity level 2: A process achieving its objectives is followed. Process documentation and process implementation evidence are available.

Possible Evidence:

  • Process documentation
  • Process plan
  • Quality plan/records
  • Process implementation records

Maturity level 3: A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used sustainably and actively over an extended period.

Possible Evidence:

  • Process documentation
  • Process plan
  • Quality records
  • Policies and Procedures
  • Process implementation records

Maturity level 4: An established process is followed. The effectiveness of the process is continually monitored by collecting key figures (key performance indicators). Limit values are defined at which the process is considered to be insufficiently effective and requires adjustment.

Possible Evidence:

  • Process documentation
  • Process control plan
  • Process Improvement Plan
  • Process Measurement Plan
  • Process implementation records

Maturity level 5: A predictable process with continual improvement as a major objective is followed. Improvement is actively advanced by means of dedicated resources.

Possible Evidence:

  • Process Improvement Plan
  • Process Measurement Plan
  • Process implementation records
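The scoring rule above (average of the question-level maturity scores against a target of 3, with 10% and 30% shortfall thresholds) is easy to get wrong when preparing a self-assessment, so here is an added worked example in Python. It is not part of the original page or of the ISA catalogue itself; the question results are constructed sample data, and the rule that a question result above the target is capped to the target before averaging is an assumption made here to reflect the statement that the overall score "can equal but not exceed the highest possible score".

```python
"""Worked example: computing a TISAX/ISA-style overall maturity score.

Added illustration, not the page's or the ISA catalogue's own code.
Assumptions (labelled as such): per-question results above the target are
capped to the target before averaging; "short" is measured as a fraction
of the highest possible score (the target).
"""
from dataclasses import dataclass, field

TARGET_MATURITY = 3           # target maturity level set for every question
MINOR_THRESHOLD = 0.10        # more than 10% short -> minor non-conform
MAJOR_THRESHOLD = 0.30        # more than 30% short -> major non-conform


@dataclass
class ScoreResult:
    score: float                       # overall (capped) average maturity
    shortfall: float                   # fraction below the target, 0.0 = none
    result: str                        # "conform", "minor non-conform", "major non-conform"
    below_target: list = field(default_factory=list)  # question ids under target


def overall_score(levels: dict, target: int = TARGET_MATURITY) -> float:
    """Average of the question-level maturity scores, each capped at target."""
    if not levels:
        raise ValueError("at least one question result is required")
    capped = [min(level, target) for level in levels.values()]
    return sum(capped) / len(capped)


def classify(score: float, target: int = TARGET_MATURITY) -> str:
    """Map an overall score to the page's three outcome categories."""
    shortfall = (target - score) / target
    if shortfall > MAJOR_THRESHOLD:
        return "major non-conform"
    if shortfall > MINOR_THRESHOLD:
        return "minor non-conform"
    return "conform"


def assess(levels: dict, target: int = TARGET_MATURITY) -> ScoreResult:
    """Score a set of {question_id: maturity_level} results and list the gaps."""
    score = overall_score(levels, target)
    return ScoreResult(
        score=round(score, 2),
        shortfall=round((target - score) / target, 4),
        result=classify(score, target),
        below_target=sorted(q for q, lvl in levels.items() if lvl < target),
    )


# Constructed sample: ten hypothetical ISA questions and self-assessed levels.
SAMPLE_LEVELS = {
    "1.1.1": 3, "1.2.1": 3, "1.3.1": 4, "1.4.1": 2, "1.5.1": 3,
    "2.1.1": 1, "3.1.1": 3, "4.1.1": 3, "5.1.1": 5, "5.2.1": 2,
}

if __name__ == "__main__":
    res = assess(SAMPLE_LEVELS)
    print(f"score={res.score} shortfall={res.shortfall:.1%} -> {res.result}")
    print("questions below target:", res.below_target)
```

Note that the levels 4 and 5 in the sample do not lift the average above 3; only the questions below the target (here 1.4.1, 2.1.1 and 5.2.1) move the result, which is why a pre-assessment focuses on closing those gaps rather than over-engineering already compliant controls. The merging of individual findings with the nonconformity categories in Step 2 is a separate step and is not modelled here.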

Step 2: Merging Results
In the second step, individual findings are consolidated into an overall assessment outcome. A “minor non-conform” allows for temporary TISAX labels, while a “major non-conform” requires resolution before any labels are granted. Implementing approved corrective actions can shift a “major non-conform” to “minor,” enabling temporary label issuance.

Major Nonconformity

An overall "major non-conform" result occurs if there's at least one major nonconformity, barring you from receiving TISAX labels until resolved. Approved corrective actions can alter this status, allowing for temporary labels.

Resolving Major Non-Conforms

To move from "major non-conform" to "minor non-conform," and thus qualify for temporary TISAX labels, you must implement compensatory measures, and your corrective actions must be approved by the audit provider.

Minor Nonconformity

The overall assessment result is “minor non-conform” if you have at least one “minor nonconformity” for a requirement.

This outcome still allows for the receipt of temporary TISAX labels.

Addressing Minor Nonconformities

Having unaddressed (minor) non-conformities always results in an overall assessment result of “major non-conform”. Your overall assessment result can only be “minor non-conform” once you have defined actions that will implement measures to address the nonconformities.

Conform

The overall assessment result is “conform”. All requirements are fulfilled.

Label Validity

TISAX labels typically have a three-year validity, beginning from the conclusion of the assessment process, which can occur even prior to the issuance of the TISAX assessment report. However, this validity period may be reduced if there are significant changes related to the scope of the TISAX assessment.

Exchange

Important concepts for exchange

Exchange Platform

The ENX portal serves as the platform for exchanging information. Initially, your audit provider will upload sections A and B of your TISAX assessment report to the portal, where they will be accessible solely to you. Through the account established during registration, you can log into the portal to use its exchange features.
The portal can be accessed at: enx.com/en-US/SignIn.

Sharing Levels

On the exchange platform, you have the option to make your assessment results available to all TISAX participants by publishing them. This enables access to your results at the level of sharing you permit. Publication is permitted only if your overall assessment outcome is “conform.”

Publishing:

The sharing levels for publishing your assessment result on the exchange platform are limited to these options:

▪ Do not publish (Default)
▪ A. Assessment Related Information
▪ A + Labels
▪ A + Labels + B. Summarized Results

Sharing with a particular participant:

In contrast to the publication, you can share your assessment result even if the overall assessment result is (major/minor) non-conform.

The options for sharing your assessment result on the exchange platform are:

▪ A: Assessment Related Information
▪ A + Labels
▪ A + Labels + B: Assessment Summary
▪ A + Labels + B + C: Summarized Results
▪ A + Labels + B + C + D: Detailed Assessment Results
▪ A + Labels + B + C + D + E: Maturity Levels according to ISA

Our TISAX Services

TISAX GAP Analysis

Our TISAX gap assessment services are tailored for companies familiar with Information Security Management Systems (ISMS) but new to the TISAX framework. This specialized offering is designed to bridge the gap between your existing ISMS knowledge and the specific requirements of TISAX, ensuring a smooth transition and compliance with its standards. By focusing on identifying discrepancies and areas for improvement in your current ISMS setup against TISAX expectations, we provide a clear path to achieving TISAX compliance. This service is ideal for organizations seeking to align with TISAX without starting from scratch, leveraging their existing ISMS groundwork for a streamlined assessment process.

TISAX PreAssessment

Our TISAX pre-assessment services are specifically designed for companies on the verge of undergoing a formal TISAX audit. This preparatory step is crucial for organizations seeking to ensure full readiness and compliance with TISAX standards before entering the formal assessment phase. Conducted by our certified personnel, who are experienced TISAX AL2/AL3 lead auditors, our pre-assessment not only prepares you for the TISAX audit but also fulfills the independent assessment requirements of TISAX control 1.5.2.

TISAX Consulting

Our TISAX consulting services extend beyond gap and pre-assessment support, offering comprehensive guidance throughout the entire TISAX accreditation process. We specialize in tailoring our consulting to meet the unique needs of each client, ensuring not just compliance but also the strategic integration of TISAX standards into your business operations. Our team, comprised of experts with deep knowledge of TISAX AL2/AL3 requirements, works closely with your organization to develop a robust Information Security Management System (ISMS) that aligns with TISAX's stringent standards.

Our TISAX References

Our team boasts extensive experience as contract auditors for TISAX assessment providers and has successfully guided numerous Tier 1 and Tier 2 suppliers through their TISAX assessment preparation journey.