The automotive industry is in the midst of a massive shift. The transformation is driven by digital advancements, including autonomous vehicles, increased in-car connectivity, and a surge in electric vehicle production. These tech-driven changes, along with sprawling global supply chains, are revolutionizing security and compliance needs.
Manufacturers face the complex task of securing vast networks of international suppliers and safeguarding extensive data streams. In response, the industry has rallied around a solution: TISAX, the Trusted Information Security Assessment Exchange, to meet these expanding security challenges head-on.
TISAX serves as an information security assessment and certification program for organizations operating within the automotive industry. It was created by the ENX Association, a trade association of European automotive businesses, and introduced by the Verband der Automobilindustrie (VDA), the German Association of the Automotive Industry. TISAX's primary focus is on ensuring the secure handling of business partners' information, safeguarding prototypes, and adhering to data protection standards as outlined by the General Data Protection Regulation (GDPR) for engagements between car manufacturers and their service providers or suppliers. The initiative was jointly launched by the VDA and the ENX Association in 2017. TISAX was developed with ISO 27001 as its foundation and, in terms of information security specifications, the two are nearly indistinguishable.
TISAX stands for Trusted Information Security Assessment Exchange. The Verband der Automobilindustrie (VDA, the German Association of the Automotive Industry) established TISAX in 2017 together with the ENX Association.
Every company that intends to conduct business with key entities in the German and European car industries should secure TISAX accreditation. This also applies to all automotive companies and service providers that manage confidential data. This confidential data encompasses any details that could lead to the identification of persons or vehicles, such as customer data, employee data, and technical details. Additionally, it includes any information connected to the creation or production of products that rivals could potentially exploit to secure a competitive edge.
Although obtaining TISAX certification is not legally required, in practice, it is essential for collaboration with any original equipment manufacturers (OEMs), as they are unlikely to enter into business without it. Most leading German OEMs mandate that their associates in the car manufacturing and distribution network obtain TISAX certification.
Broadly speaking, the TISAX requirements closely resemble those of ISO 27001, which encompass:
TISAX compliance evaluations are segmented into three distinct assessment levels (AL), corresponding to the sensitivity of the data processed by the supplier. As the sensitivity of the data escalates, so does the intensity of the scrutiny necessary to achieve a TISAX certification.
Assessment Level 1 pertains to suppliers who manage data considered low to moderately sensitive. This initial "basic" or "normal" level involves a partial engagement with the TISAX standards, serving as an introductory phase for suppliers to gauge and enhance their data protection measures. At this stage, organizations conduct a self-assessment via a questionnaire called the Information Security Assessment (ISA).
Assessment Level 2 targets suppliers dealing with highly sensitive information. This "high" or "advanced" level encompasses the full scope of TISAX mandates, aiming for a thorough appraisal of the supplier's data security practices. Although it also uses the ISA questionnaire for self-assessment like Level 1, Level 2 mandates validation of this self-assessment by an independent external auditor.
Assessment Level 3 is designed for suppliers handling extremely sensitive data. This "very high" or "very advanced" level extends beyond the comprehensive TISAX criteria to incorporate extra security measures tailored to highly sensitive data management. Building upon the self-assessment and external review found in the previous levels, Level 3 also demands on-site checks and face-to-face interviews conducted by an auditor.
The TISAX assessment procedure typically involves the following stages:
For an in-depth guide on these steps, consult the TISAX Participant Handbook.
The cost of TISAX certification depends on the size of the company and the extent of the audit needed. Typically, the charge from the audit provider varies from 5,000 to 10,000 euros. In addition, there is a mandatory registration fee of about 500 euros. Companies also incur operational expenses when preparing for the audit, which may include the implementation, enhancement, or adjustment of an Information Security Management System (ISMS).
Evaluations under TISAX, particularly for service providers and suppliers, are conducted by authorized "TISAX test service providers". The ENX Association oversees these service providers and their TISAX compliance services, ensuring that the assessments are carried out effectively, that the results are both high-quality and impartial, and that each assessment complies with the Audit Provider Criteria and Assessment Requirements (TISAX ACAR). This oversight also protects the participants' rights and responsibilities. The process enables a manufacturer to determine whether a supplier's security maturity level meets its own procurement standards.