TISAX Compliance: A Comprehensive Guide to Certification

The automotive industry is in the midst of a massive shift. The transformation is driven by digital advancements, including autonomous vehicles, increased in-car connectivity, and a surge in electric vehicle production. These tech-driven changes, along with sprawling global supply chains, are revolutionizing security and compliance needs.

Manufacturers face the complex task of securing vast networks of international suppliers and safeguarding extensive data streams. In response, the industry has rallied around a solution: TISAX, the Trusted Information Security Assessment Exchange, to meet these expanding security challenges head-on.

What Is TISAX Compliance?

TISAX serves as an information security assessment and certification program for organizations operating within the automotive industry. It was created by the ENX Association, a trade association of European automotive businesses, and introduced by the Verband der Automobilindustrie (VDA), which is the German Association of the Automotive Industry. TISAX's primary focus is on ensuring the secure handling of business partners' information, safeguarding prototypes, and adhering to data protection standards as outlined by the General Data Protection Regulation (GDPR) for engagements between car manufacturers and their service providers or suppliers. The initiative was jointly launched by the VDA and the ENX Association in 2017. TISAX was developed with ISO 27001 as its foundation and, in terms of information security specifications, the two are nearly indistinguishable.

What Does TISAX Stand For?

TISAX stands for Trusted Information Security Assessment Exchange (TISAX). The Verband der Automobilindustrie (German Association of the Automotive Industry or VDA) established TISAX in 2017 together with the ENX Association.

Who Needs to Be TISAX Compliant?

Every company that intends to conduct business with key entities in the German and European car industries should secure TISAX accreditation. This also applies to all automotive companies and service providers that manage confidential data. This confidential data encompasses any details that could lead to the identification of persons or vehicles, such as customer data, employee data, and technical details. Additionally, it includes any information connected to the creation or production of products that rivals could potentially exploit to secure a competitive edge.

Is TISAX Compliance Mandatory?

Although obtaining TISAX certification is not legally required, in practice, it is essential for collaboration with any original equipment manufacturers (OEMs), as they are unlikely to enter into business without it. Most leading German OEMs mandate that their associates in the car manufacturing and distribution network obtain TISAX certification.

TISAX Compliance Requirements

Speaking from an overly broad point of view, the TISAX requirements closely resemble those of ISO 27001, which encompass:

• Establishing a robust information management system that encompasses risk assessment and mitigation
• Showcasing secure practices in software development
• Conforming to established best practices for information security
• Ensuring a secure IT infrastructure is in place
• Formulating plans for incident response and disaster recovery
• Instituting suitable security measures and controls
• Conducting frequent security assessments and monitoring
• Abiding by relevant legal and regulatory mandates, including the GDPR

TISAX Assessment Levels

TISAX compliance evaluations are segmented into three distinct assessment levels (AL), corresponding to the sensitivity of the data processed by the supplier. As the sensitivity of the data escalates, so does the intensity of the scrutiny necessary to achieve a TISAX certification. These levels are aligned with the increasing degrees of data sensitivity.

Assessment level 1 (AL 1)

Pertains to suppliers who manage data considered low to moderately sensitive. This initial "basic" or "normal" level involves a partial engagement with the TISAX standards, serving as an introductory phase for suppliers to gauge and enhance their data protection measures. At this stage, organizations conduct a self-assessment via a questionnaire called the Information Security Assessment (ISA).

Assessment level 2 (AL 2)

Targets suppliers dealing with highly sensitive information. This "high" or "advanced" level encompasses the full scope of TISAX mandates, aiming for a thorough appraisal of the supplier's data security practices. Although it also utilizes the ISA questionnaire for self-assessment like Level 1, Level 2 mandates validation of this self-assessment by an independent external auditor.

Assessment level 3 (AL 3)

Designed for suppliers handling extremely sensitive data. This "very high" or “very advanced” level extends beyond the comprehensive TISAX criteria to incorporate extra security measures tailored to highly sensitive data management. Building upon the self-assessment and external review found in the previous levels, Level 3 also demands on-site checks and face-to-face interviews conducted by an auditor.

How Do You Get TISAX Certified?

The TISAX assessment procedure typically involves the following stages:

1. Registration: Begin by setting up an account on the ENX Portal and complete the registration process as guided on the site.
2. Scope Definition: Determine the specific certification you need, including the number of locations it will cover, among other factors. A deeper discussion on scope will follow.
3. Self-Assessment: TISAX is not about passing or failing but ensuring your Information Security Management System (ISMS) meets the anticipated level of maturity before contacting auditors.
4. Self-Optimizations: Should you identify any issues during self-assessment, address these discrepancies prior to engaging an auditor. If needed, hire a security expert with TISAX expertise.
5. Audit: Choose an auditing firm that aligns with your requirements. The audit might be a detailed on-site evaluation or a simpler online plausibility check, depending on your defined scope.
6. Further Optimizations: If the auditor points out additional areas for improvement, implement these changes within nine months to be eligible for a re-assessment.
7. Exchange: Upon successful assessment, you can then inform your automotive partner of your status and optionally publish your results on the TISAX Exchange.

For an in-depth guide on these steps, consult the TISAX Participant Handbook.

How Much Does TISAX Certification Cost?

The expense of TISAX certification is linked to the size of the company and the extent of the audit needed. Typically, the charge from the audit provider varies from 5,000 to 10,000 euros. In addition, there is a mandatory fee for registration that is about 500 euros. Additionally, companies incur operational expenses when gearing up for the audit, which may include the implementation, enhancement, or adjustment of an Information Security Management System (ISMS).

TISAX Compliance Solutions

Evaluations under TISAX, particularly for service providers and suppliers, are conducted by authorized "TISAX test service providers". The ENX Association oversees these service providers and their TISAX compliance services, ensuring that the assessments are carried out effectively, that the results are both high-quality and impartial, and that the assessment complies with the Audit Provider Criteria and Assessment Requirements (TISAX ACAR). This oversight also ensures the protection of the participants' rights and responsibilities. The process enables a manufacturer to determine if a supplier's security maturity level fulfills their own procurement standards.