TISAX® - Automotive sector information security

Safeguard confidential information such as prototypes, protect brand reputations and build customer loyalty.

In an extremely innovative environment dependent upon multiple players to succeed, secure exchange of information is essential. The automotive industry demands an “ecosystemic” information security approach within its long and complex supply chains.  

In our digital age, information security needs span beyond automotive suppliers to marketing companies and other parties involved. The primary need is to protect: 

  • projects or design information, prototypes or secret plans of investment, 
  • big data and process data, linked to the new concepts of digitalization, the development of autonomous cars, 
  • interconnections within the supply chain network, 
  • and the personal data of customers.

What is TISAX

TISAX (Trusted Information Security Assessment eXchange) is a global information security standard for the automotive industry. It is a maturity-based information security assessment approach targeted to the automotive industry’s needs. Primarily applicable to 1st and 2nd tier suppliers but extendable to more complex supply chains, assessment is a requirement of certain OEMs.

The goal of the scheme is to:

  • establish a common level of security for the automotive industry
  • ensure common recognition of assessments to reduce costs, efforts and complexity for manufacturers and suppliers
  • ensure the comparability and quality of the assessments
  • exchange best practices and lessons learned
  • let each participant decide to whom results will be revealed and degree of detail

TISAX combines the former Information Security Rules (ISA) of the German Verband der Automobilindustrie (VDA) with ISO/IEC 27001’s Appendix A (Technical Controls) as well as some Privacy requirements. 

TISAX® vs ISO/IEC 27001

TISAX builds on key elements in the information security management system standard ISO/IEC 27001, focusing on elements specifically relevant to the context of the automotive industry. 

The main differences are: 

  ISO/IEC 27001                                       | TISAX
  --------------------------------------------------- | ---------------------------------------------------------------------------------------------
  Management system standard                          | Covers information security processes and parts relevant to partners in the automotive industry
  On/off approach                                     | Maturity level approach
  Scope defined before certification                  | Scope is fixed
  Company-based risk analysis                         | VDA-ISA working group-based risk analysis
  Certification body issues certificate               | TISAX issues label and exchange registration
  Periodic audit and recertification after 3 years    | 3-year validity, no periodic audits

Benefits of assessments

Beyond being a ticket-to-trade requirement from certain manufacturers, TISAX assessments contribute to building supply chain trust. Participating suppliers can benefit by: 

  • Being recognized by Automotive Manufacturers;
  • Preventing information security breaches and cyber-attacks;
  • Gaining customer trust;
  • Identifying and addressing risk;
  • Getting recognition for due information security processes;
  • Sharing assessment results through the ENX exchange.

Getting started

Companies entering the program must register with ENX as a participant.   

The process is set up in stages: 

  • Attention
    Get to know the TISAX requirements. 
  • Preparation
    Register on the TISAX portal, select your accredited auditing body, and prepare for the audit. This includes a self-assessment to measure your compliance and readiness.  
  • Assessment
    How the audit is executed depends upon whether you qualify for a remote (Level 2) or physical (Level 3) audit. The audit itself consists of interviews, a document review, clarification of possible findings and next steps.
  • Corrective action plan and follow-up
    Prepare a corrective action plan (CAP) to close any findings (gaps) and submit it to the audit provider. The CAP is assessed through a follow-up (or more, if necessary), which completes the TISAX report.
  • Exchange of results
    The audit provider uploads the TISAX report to the platform. The audited company decides with whom the results should be shared. ENX issues the TISAX labels to the audited company.

DNV is an assurance provider approved by the ENX Association. Through our network of local offices and auditors, we can provide assessments to TISAX globally.  

ENX maintains the audit provider criteria and assessment requirements (TISAX ACAR). It approves audit providers and monitors the quality of implementation as well as the assessment results. ENX is supported by the TISAX Committee, consisting of representatives of manufacturers, suppliers and associations.

Training

Relevant insight in an active learning environment.