Help on the subject of TISAX®

The Trusted Information Security Assessment EXchange, TISAX® for short, is a standard for information security defined by the automotive industry.

The member companies of the German Association of the Automotive Industry (VDA) have created a catalog derived from the international industry standard ISO 27001, which has been adapted to the specific requirements of the automotive industry.

TISAX® is operated by the legally independent organization ENX Association based in France, which accredits the assessment service providers and monitors the quality of implementation and the assessment results.

Since 2017, any company that works for customers in the automotive industry can be required to submit a TISAX® approval in accordance with VDA-ISA. Suppliers in the industry need them in order to continue to receive orders. And in order to avoid the threat of delisting, certification must take place as quickly as possible and be guaranteed.
Secure the decisive competitive advantage and join us on the path to your TISAX® approval. At OPTIQUM, we help you to reach your goal without any detours.

The VDA-ISA questionnaire uses the measures from ISO 27001. These are formulated as questions and must be rated by the company with a maturity level of 1 to 5. The actual evaluation of the result is carried out mathematically, always checking against the average target maturity level of 3. But beware: A high degree of maturity of one measure cannot compensate for the low maturity level of another measure.

First, a scope and gap analysis is carried out to map the status quo of your company. By comparing this with the catalog of requirements, it becomes clear which measures need to be implemented. On this basis, a specific procedure can now be developed to achieve the desired level of maturity for the certification audit. Once all measures to be taken have been completed and successfully implemented, approval and certification follow.

TheTISAX® label distinguishes between three assessment levels:

Assessment level 1
Normal protection requirements
The lowest level: The AL1 is a pure self-disclosure and is hardly used in common practice. They are primarily used for internal purposes, have little informative value and are not used in TISAX®. The AL1 is identical to the VDA-ISA questionnaire with the difference that the results are shared simultaneously via the TISAX® platform.

Assessment level 2
High protection requirements
In addition to its own assessment of the level of security, the AL2 undergoes a plausibility check by means of a telephone interview with an external testing service provider. An on-site visit can take place in addition to this telephone call, for example at:

• Ambiguities and deviations
• Test objective “prototype protection” (independent of the protection requirement)
• ATTENTION! The test objective “Connection of third parties” (regardless of protection requirements) is no longer included in the new version of the VDA-ISA catalog 5.0 (valid from 01.10.2020)

Further information on the VDA-ISA catalog 5.0, all changes and the associated impact on TISAX® can be found →
here
.

Assessment level 3
Very high protection requirements
With the AL3, a direct plausibility check of your self-assessment is always carried out on site by an accredited auditor.

This standard for information security affects ALL processes and procedures in your company. Third parties such as your suppliers and service providers as well as natural disasters or server failures must also be taken into account.
TISAX® is therefore a topic for the management and all departments of your company.

Yes, because:

• Instead of customer-specific audits, only a regular audit now needs to be carried out. This certification has created a standard that is recognized by all VDA members – making you as an entrepreneur independent in customer acquisition.
• You fulfill your customers’ requirements – and get the order faster.
• You get security and predictability and a significantly reduced risk in the company.
• The central platform for the exchange of assessment information can save time and money through mutual recognition in the TISAX® network.
• Your customer-specific data is protected against unauthorized access.
• You secure the competitive advantage of the reputation of your company and your brand.
• It protects your innovations and intellectual property as well as your know-how and your investment in products.

After successful completion, the certificate is valid for 3 years. There are no annual monitoring audits.

From the start of the initial inspection, you have nine months to implement deviations from the inspection according to the catalog. The testing process must be completed within these 9 months.

TISAX® is an inspection and exchange mechanism. If the test is successful, you do not receive a “certificate”, as is the case with ISO standards, but a label. We have compiled detailed information on this here.

A TISAX® assessment service provider accredited by ENX carries out the assessment as an external auditor. He is commissioned separately and independently of you. It should be noted that, as things currently stand, there are hardly any available dates for a certification audit until the end of the year. Act quickly and secure your TISAX® label.