
Introduction and certification of an Information Security Management System according to TISAX®


Information security is one of the most important requirements for cooperation between manufacturers and suppliers in the automotive industry. With the TISAX® certification, international standards have been created to prove that confidential information is handled securely. What do you need to know for a successful certification according to TISAX®?

Certification according to TISAX®: What is it?

TISAX®, also known as Trusted Information Security Assessment Exchange, is an information security certification that meets the specific requirements of the automotive industry. In practice, it is an assessment procedure that checks an Information Security Management System against the VDA ISA test catalog of the German Association of the Automotive Industry (VDA). If the certification is successful, it is completed with the TISAX® label.

The ENX Association

The ENX Association is an independent authority entrusted with the introduction and quality monitoring of the industry standard for TISAX® certification. As a supporting organization, the ENX Association is an association of several manufacturers, suppliers, and associations of the automotive industry in Europe. In their so-called ENX YELLOW PAGES, or also TISAX® participant handbooks, all companies that hold a TISAX® label are listed with their location and registration number. Since many automotive manufacturers and suppliers now demand a successful TISAX® certification from their customers and business partners, the ENX Association provides a daily updated insight into the current information security status of all successfully certified companies.

The Requirements for a certification according to TISAX®

If TISAX® certification is relevant to you, your company must fulfill certain requirements according to the TISAX® standard. These are recorded in the VDA ISA catalog of questions for TISAX®, which in turn is oriented toward the international ISO/IEC 27001 standard. Good to know: you don’t necessarily need an ISO 27001 certification for TISAX®. But you do need to be able to prove that your company is already working with an Information Security Management System.

The test catalog of a TISAX® certification consists of three modules in total:

  • Information security
  • Data protection
  • Prototype protection

A TISAX® certification always covers the main module, information security. Data protection and prototype protection are treated as special modules and are only subject to the audit when required. Do you have specific questions about the TISAX® test catalog and its requirements? We will get you up to speed with TISAX® and explain everything about the most important requirements and aspects of your certification according to TISAX®. We also cover general questions concerning TISAX® vs. ISO 27001 or the Information Security Officer. Arrange an initial consultation with us now.

Who needs to be TISAX® certified?

According to the TISAX® definition, certification is basically optional. There are no legal requirements that a company needs to be able to show the TISAX® label. However, since the label has established itself as an industry standard on the market, a successfully completed TISAX® certification can offer your company various advantages.

Certified according to TISAX®: The Benefits

These are the benefits of a certification according to TISAX®:

  • Uniform: The TISAX® certification provides a uniform industry standard in the information security of the automotive industry.
  • Trust: A TISAX®-certified company establishes company-wide trust with business partners and customers.
  • Cost and time saving: Costly and time-consuming multiple testing can be avoided with the TISAX® certification because a uniform industry standard has been introduced.
  • Tenders: The TISAX® standard is often a prerequisite for participating in tenders in the automotive industry. Companies that continuously want to qualify for tenders have a competitive advantage with the TISAX® certification.
  • Validation: The assessment for TISAX® certification must only be repeated every three years.

What are your questions about the benefits? Contact us and arrange a TISAX® consultation with us.

Our Procedure to prepare for a TISAX® certification

  1. Registration: For a certification by TISAX®, you must register your company with the Governance Organization ENX. The ENX is responsible for the registration and the administration of the TISAX® certification results.
  2. Selection of a TISAX® Auditor: In the second step, you select a testing services provider who is ENX accredited. We will be happy to assist you with your selection.
  3. Fill in the Self-Assessment Form: Give a self-assessment based on the VDA ISA catalog of requirements. This TISAX® checklist is used to evaluate the maturity level of your company and whether it meets the requirements of a TISAX® certification.
  4. Initial Audit: Your audit services provider checks your self-assessment and your certificates for completeness.
  5. First Optimization: Any initial weaknesses that emerge are eliminated after the initial audit.
  6. Assessment: Your company is now ready for the TISAX® assessment. The test in assessment level 2 is carried out remotely. The test in assessment level 3 takes place on-site at the company. In this case, the company’s premises or the company site will also be part of the evaluation.
  7. Optimization and Review: If any weaknesses emerge, they will be eliminated after the TISAX® assessment. In the following review, you will prove that all identified weaknesses have been eliminated.
  8. Transmission of the Results: The audit is completed with the transmission of the audit results to the ENX Association. If there are still deviations from the requirements, you will receive a provisional TISAX® label that is valid for a limited period of time. You will receive a successful TISAX® label when the deviations have been demonstrably eliminated.

Certification according to TISAX®: The Assessment Level

The assessment level depends on your protection needs. Here we differentiate between assessment level 1 (normal), assessment level 2 (high), and assessment level 3 (very high). You decide which assessment level is suitable for your individual processes. Some suppliers actually expect a certain level of TISAX® certification.

  • Assessment Level 1 (normal): Companies with normal protection needs carry out the assessment in the form of self-assessment. This does not count as TISAX® certification yet as it is not being verified.
  • Assessment Level 2 (high): Companies with high protection needs carry out the assessment in the form of self-assessment and have an audit services provider verify the plausibility and completeness of the certificates. The audit is carried out remotely. If the special modules data protection and prototype protection are to be subject to the TISAX® certification, the audit is carried out on-site at the company.
  • Assessment Level 3 (very high): Companies with very high protection needs carry out the assessment in the form of self-assessment and also have a testing services provider verify the plausibility and completeness of the certificates. The difference to level 2: The audit is categorically carried out on-site.

With our consulting services on TISAX®, nothing stands in the way of your TISAX® label. Get qualified advice on your choice of assessment level and arrange an initial meeting with us.

Duration: How long does a certification according to TISAX® take?

There are a maximum of nine months between the initial audit and the transmission of the results to the ENX association. Any weaknesses or deviations must also be remedied within this period. If the audit cannot be completed within this time limit, your company unfortunately won’t receive a TISAX® label. A successful TISAX® certification is valid for three years and does not include annual surveillance audits as opposed to the ISO 27001 certification.

Costs: What does a certification according to TISAX® cost?

The costs for a certification according to TISAX® vary from company to company. Besides the fixed costs for the audit, you can expect the following investments:

  • Development or expansion of your Information Security Management System (ISMS)
  • New server
  • New premises
  • New alarm systems
  • Other investments in the infrastructure of your company, e.g., doors and windows with privacy protection

The costs for a renewal of the TISAX® certification after three years are significantly lower, as you usually only have to make optimizations. Your benefit with us: since the TISAX® certification has standardized requirements, the costs can be calculated well in advance. We offer our services as a package as part of the TISAX® certification. Please feel free to make an appointment for an initial consultation so that we can make you an individual offer.

Certification according to TISAX® in Practice

The TISAX® label allows the automotive industry to achieve a uniform level of information security. Because of the TISAX® catalog of questions, the requirements for TISAX® certification are particularly transparent, so they can easily be put into practice. We support you at every step of the TISAX® process and prepare you perfectly for the audit. Arrange an initial TISAX® consultation with us now.

TISAX® is a registered trademark of the ENX Association. Memex Consulting GmbH has no business relationship with the ENX Association. The naming of the TISAX® brand does not imply any statement by the brand owner regarding the suitability of the services advertised here.


Case study:
TISAX certification

Backless is carefree, that is the motto under which Stigler & Roos carries out successful customer events for the automotive industry. The use of modern IT systems and digital technology is a matter of course. This is also the reason why Stigler & Roos GmbH was one of the first companies in the event industry to be certified according to the TISAX standard. Memex convinced with a practical implementation concept.
