Introduction and certification of an Information Security Management System according to TISAX
Information security is one of the most important requirements for a cooperation of manufacturers and suppliers in the automotive industry. With the TISAX certification international standards have been created to prove that the handling of confidential information was safe. What do you need to know for a successful TISAX certification?
TISAX Certification: What is it?
TISAX, also known as Trusted Information Security Assessment Exchange, is a certification created for information security that meets the specific requirements of the automotive industry. In practice, it is an assessment procedure that aims to check an Information Security Management System according to the VDA ISA test catalog of the German Association of Automotive Industry. If the certification is successful, it is completed with the TISAX label.
The ENX Association
The ENX Association is an independent authority entrusted with the introduction and quality monitoring of the industry standard for TISAX certification. As a supporting organization, the ENX Association is an association of several manufacturers, suppliers, and associations of the automotive industry in Europe. In their so-called ENX YELLOW PAGES, or also TISAX participant handbooks, all companies that hold a TISAX label are listed with their location and registration number. Since many automotive manufacturers and suppliers now demand a successful TISAX certification from their customers and business partners, the ENX Association provides a daily updated insight into the current information security status of all successfully certified companies.
The Requirements for TISAX Certification
If TISAX certification is relevant to you, your company must fulfill certain requirements according to the TISAX standard. These are recorded in a TISAX catalog of questions VDA ISA, which in turn is oriented toward the international ISO/IEC 27001 standard. Good to know: you don’t necessarily need an ISO 27001 certification for TISAX. But you do need to be able to prove that your company is already working with an Information Security Management System.
The test catalog of a TISAX certification consists of three modules in total:
- Information security
- Data protection
- Prototype protection
A TISAX certification is always made in the main module information security. The data protection and the prototype protection are viewed as special modules and only subject to the audit when required. Do you have specific questions about the TISAX test catalog and its requirements? We will get you up to speed with TISAX and explain everything about the most important requirements and aspects of your TISAX certification. We also cover general questions concerning TISAX vs. ISO 27001 or the Information Security Officer. Arrange an initial consultation with us now.
Who needs to be TISAX certified?
According to the TISAX definition, certification is basically optional. There are no legal requirements that a company needs to be able to show the TISAX label. However, and since the label has established as an industry standard on the market, a successfully completed TISAX certification can offer your company various advantages.
TISAX Certified: The Benefits
These are the benefits of a TISAX certification:
- Uniform: The TISAX certification provides a uniform industry standard in the information security of the automotive industry.
- Trust: A TISAX certified company provides a company-wide trust towards business partners and customers.
- Cost and time saving: Costly and time-consuming multiple test mechanisms during the TISAX certification can be avoided because of the introduction of a uniform industry standard.
- Tenders: The TISAX standard is often assumed for the participation in tenders in the automotive industry. Companies that continuously want to qualify for tenders have a competitive advantage with the TISAX certification.
- Validation: The assessment for TISAX certification must only be repeated every three years.
What are your questions about the benefits? Contact us and arrange a TISAX consultation with us.
Our TISAX Certification Procedure
- Registration: For a certification by TISAX, you must register your company with the Governance Organization ENX. The ENX is responsible for the registration and the administration of the TISAX certification results.
- Selection of a TISAX Auditor: In the second step, you select an accredited testing services provider who has completed TISAX training. If you would like to find out more about our services, please feel free to contact us for an initial consultation.
- Fill in the Self-Assessment Form: Give a self-assessment based on the VDA ISA catalog of requirements. This TISAX checklist is used to evaluate the maturity level of your company and whether it meets the requirements of a TISAX certification.
- Initial Audit: Your audit services provider checks your self-assessment and your certificates for completeness.
- First Optimization: Any first weaknesses that emerge are being eliminated during the initial audit.
- Assessment: Your company is now ready for the TISAX assessment. The test in assessment level 2 is carried out remotely. The test in assessment level 3 takes place on-site at the company. In this case, the company’s premises or the company site will also be part of the evaluation.
- Optimization and Review: In case any weaknesses emerge, they will be eliminated in the course of the TISAX Assessments. In the following review, you will prove that all identified weaknesses have been eliminated.
- Transmission of the Results: The audit is completed with the transmission of the audit results to the ENX Association. If there are still deviations from the requirements, you will receive a provisional TISAX label that is valid for a limited period of time. You will receive a successful TISAX label when the deviations have been demonstrably eliminated.
TISAX Certification: The Assessment Level
The assessment level depends on your protection needs. Here we differentiate between assessment level 1 (normal), assessment level 2 (high), and assessment level 3 (very high). You decide which assessment level is suitable for your individual processes. Some suppliers actually expect a certain level of TISAX certification.
- Assessment Level 1 (normal): Companies with normal protection needs carry out the assessment in the form of self-assessment. This does not count as TISAX certification yet as it is not being verified.
- Assessment Level 2 (high): Companies with high protection needs carry out the assessment in the form of self-assessment and have an audit services provider verify the plausibility and completeness of the certificates. The audit is carried out remotely. If the special modules data protection and prototype protection are supposed to be object to the TISAX certification, the audit is carried out on-site at the company.
- Assessment Level 3 (very high): Companies with very high protection needs carry out the assessment in the form of self-assessment and also have a testing services provider verify the plausibility and completeness of the certificates. The difference to level 2: The audit is categorically carried out on-site.
With our TISAX advice, nothing stands in the way of your TISAX label. Get qualified advice on your choice of assessment level and arrange an initial meeting with us.
Duration: How long does a TISAX certification take?
There are a maximum of nine months between the initial audit and the transmission of the results to the ENX association. Any weaknesses or deviations must also be remedied within this period. If the audit cannot be completed within this time limit, your company unfortunately won’t receive a TISAX label. A successful TISAX certification is valid for three years and does not include annual surveillance audits as opposed to the ISO 27001 certification.
Costs: What does a TISAX certification cost?
The costs for a TISAX certification vary from company to company. Besides the fixed costs for the audit, you can expect the following investments:
- Development or expansion of your Information Security Management System (ISMS)
- New server
- New premises
- New alarm systems
- Other investments in the infrastructure of your company, e.g., doors and windows with privacy protection
The costs for a renewal of the TISAX certification after three years are significantly lower as you usually only have to make optimizations. Your benefit with us: since the TISAX certification has standardized requirements, the costs are previously well calculatable. We offer our services as a package as part of the TISAX certification. Please feel free to make an appointment for an initial consultation so that we can make you an individual offer.
TISAX Certification in Practice
The TISAX label allows the automotive industry to achieve a uniform level in the information security. Because of the TISAX catalog of questions, the requirements for TISAX certification are characterized particularly by transparency so that they can easily be put into practice. We support you every step throughout your TISAX certification and prepare you perfectly for the audit. Arrange the initial consultation for a TISAX consultation with us now.
Case study: TISAX certification
Backless is carefree, that is the motto under which Stigler & Roos carries out successful customer events for the automotive industry. The use of modern IT systems and digital technology is a matter of course. This is also the reason why Stigler & Roos GmbH was one of the first companies in the event industry to be certified according to the TISAX standard. Memex convinced with a practical implementation concept.