How can you assure your customers and partners that the large volumes of sensitive data handled in the automotive industry are well protected against theft, loss, or manipulation? The TISAX assessment is the answer. We provide a modern GRC solution for the TISAX assessment that is flexible and adapted to individual requirements, protection needs, and best practices.
What is TISAX compliance
- Overview: TISAX structure
- TISAX ISA & levels of protection
- How to get TISAX certification
- How TISAX works in Infopulse SCM
What is TISAX
Information security is no longer just an individual concern of each company but a shared matter for automotive firms, and this is reflected in TISAX, a standard assessment and exchange mechanism.
It enables companies to regularly validate their conformity by sharing the results of information security assessments (ISA) at three-year intervals, proving their ability to meet the industry's security criteria. These security requirement classes were issued by the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) and are available on the VDA-ISA website.
What is TISAX certification? It is an established mechanism for validating your compliance with the VDA requirements. It is executed by presenting the ISA (information security assessment) results on the online platform of the ENX Association, the official operator of the TISAX program.
Benefits of TISAX certification
Companies certified under TISAX gain the following advantages from the VDA ISA:
- Trusted partnerships with OEMs and strengthened credibility.
- Promotion of new business relations.
- A substantial uniform standard for information security across the automotive industry.
- Maturity assessment of the information security controls in the company.
- Improved employee awareness of information security.
- Cost and effort reduction concerning multiple information security assessments.
TISAX Information Security Assessment & VDA Catalogue
The ISA incorporates significant aspects of ISO 27001 with additional criteria specific to the automotive industry, e.g., prototype protection. The assessments are shared through the TISAX VDA ISA catalog, which grants transparency and simplicity to all the involved companies. They can select an audit provider and obtain standardized ISA results that other participants in the automotive industry accept. How big is the TISAX exchange? Currently, about 2500 automotive companies are registered on the platform.
TISAX Assessment Levels and Protection Needs
TISAX defines three protection needs (normal, high, and very high) and three corresponding assessment levels.
TISAX assessment level 1 – normal protection need. It is not used within TISAX but can be applied for internal purposes as a true self-assessment. An assessor checks whether a completed self-assessment exists but does not examine its content. It can be requested by a partner as a self-assessment outside of TISAX.
Assessment level 2 – high protection need. Assessments are carried out by an audit organization using the self-assessment as a basis, together with a document review and a phone interview.
Assessment level 3 – very high protection need. An independent audit company performs the assessment based on documentation and an onsite audit.
Getting TISAX certified
The whole process of TISAX certification is set up in the following stages:
1. Learn. Get to know the TISAX requirements.
2. Get ready. To gain access to the TISAX portal, companies need to register as participants on the official ENX association website. Choose your auditing body, and prepare for the audit. Conduct a self-assessment to measure your compliance and readiness.
3. Assess. The way an audit is conducted depends on whether you qualify for a Level 2 or Level 3 assessment. Level 2 audits are done remotely, while Level 3 audits require onsite inspections. The audit consists of a document review, interviews, clarification of possible findings, and may include the following steps.
4. Improve. A corrective action plan (CAP) must be prepared and submitted to the audit provider to resolve the gaps revealed during the assessment. Afterward, the CAP is assessed in a follow-up, which completes the TISAX report.
5. Share your results. After you decide which ENX participants to share your ISA results with, the audit provider will upload a TISAX report to the platform.
Large corporations with many locations can undergo the simplified group assessment. You are eligible for this option if:
- you have at least three locations in your scope;
- your ISMS is mature and centrally organized.
For a simplified group assessment, the initial effort is higher. However, it pays off the more locations you have.
How to Implement TISAX with the Infopulse SCM
SCM supports the VDA Information Security Assessment based on VDA ISA catalogue version 5.0.
- The new catalogue is fully implemented in SCM and is easy to work with. It contains the requirements from the spreadsheets "Information security", "Data protection" and "Prototype protection", grouped into corresponding modules. Each requirement/control question is assessed by assigning a maturity level.
- To make the assessment easier and more transparent, the requirements are displayed granularly and can be assessed separately. It crucially simplifies the decision-making process regarding the maturity level.
- You can see the criticality of each requirement (must, should, high) and its implementation status, which makes answering the control question much easier when you can see, for example, that all related requirements are implemented. You can drill into the details of a requirement, such as the responsible person, assigned documents and tasks, and individually added information. The implementation of requirements can be supported by creating corresponding tasks or by adding individual controls. You also have the option to conduct a self-assessment.
- The assessment results for each topic are shown on a dashboard, so you always know where you stand.
- SCM lets you manage TISAX assessments in one place and track progress.
- SCM also supports a PDCA (plan-do-check-act) cycle, helping you get certified and continuously improve your ISMS.
Furthermore, there is much more behind SCM than TISAX alone – you get a comprehensive solution for managing multiple standards (ISO 27001, BSI IT-Grundschutz) while sharing efforts and keeping track of dependencies, current statuses, and more.
Effective and easy-to-use IT security management system based on the latest standards and regulations — from planning and establishing the security concept to certification.