OPTIQUM has the answers - contact us, simply and without obligation at +49 221 82 95 91 0.
What is TISAX®?
The Trusted Information Security Assessment EXchange, or simply TISAX®, is a standard for information security defined by the automotive industry.
Why was TISAX® introduced?
The member companies of the German Association of the Automotive Industry (Verband der Automobilindustrie e.V.) (VDA) have compiled a catalogue which, based on the international industry standard ISO 27001, has been adapted to the specific requirements of the automotive industry.
Who operates TISAX®?
TISAX® is operated by the legally independent organisation ENX Association, based in France, which accredits testing service providers and monitors the quality of implementation and assessment results.
Why do you need TISAX®?
Since 2017, any company working for customers in the automotive industry can be required to submit a TISAX® approval according to VDA-ISA. Suppliers in the industry need it in order to continue to receive orders. And in order to avoid the being placed on business hold or not being considered for further projects, certification should be considered asap to maintain the partnership with the customer.
Having a TISAX label can either support you keeping or getting a competitive advantage . We at OPTIQUM help you to reach your goal.
What and how is evaluated?
The VDA-ISA questionnaire utilizes the measures from ISO 27001. These are formulated as questions and must be evaluated by the company with a maturity level of 1 to 5. The actual evaluation of the result takes place mathematically, whereby here always against the middle target maturity level of 3 is examined. NOTE: A high degree of maturity of one measure cannot compensate the low degree of maturity of another measure.
What is the basic procedure?
First, a Scope and GAP analysis is done to show the status quo of your company. The results of the comparison with the catalogue of requirements reveal which measures need to be implemented. On this basis, a specific procedure can now be developed to achieve the desired level of maturity for the certification audit. Once all measures to be implemented have been completed and successfully realized, release and certificate follow.
What are the assessment levels?
TheTISAX® label distinguishes between three assessment levels:
Assessment level 1
Normal need for protection
The lowest level: AL1 is purely a self-report and is hardly used in common practice. It is primarily used for internal purposes, has little informative value and is not used in TISAX®. The AL1 is identical to the VDA-ISA questionnaire with the difference that the results are shared simultaneously via the TISAX® platform.
Assessment level 2
High level of protection
In addition to the company's own assessment of the level of security, the AL2 involves a plausibility check by means of a telephone interview conducted by an external testing service provider.
An on-site visit can take place in addition to this telephone call, something in the case of:
Ambiguities and deviations
Test objective "prototype protection" (independent of the protection requirement)
ATTENTION! The test objective "Connection of third parties" (independent of the protection requirement) is omitted in the new version of the VDA-ISA catalog 5.0 (valid from 01.10.2020) or the VDA-ISA catalog in the new version 5.1.
for more information on the VDA-ISA catalog 5.x , all changes and the associated impact on TISAX®, click → here.
Assessment level 3
Very high protection requirement
At AL3, there is always a direct plausibility check of your self-assessment on site by an accredited auditor.
Who does TISAX® affect?
This standard for information security concerns ALL processes and procedures in your company. Third parties such as your suppliers and service providers must also be taken into account, as must natural disasters or server failures.
For this reason TISAX® is a topic for the management and all departments of your company.
Does TISAX® also bring me benefits?
• Instead of customer-specific audits, now only a regular audit has to be performed. With this certification, a standard has been created that is recognised
by all VDA members - making you as an entrepreneur independent in customer acquisition.
• You meet the requirements of your customers - and get your contract faster.
• You receive security and predictability and a significantly reduced risk in the company.
• The central platform for the exchange of test information can save time and money by mutually recognizing each other in the TISAX® network.
• Your customer-specific data is protected against unauthorized access.
• You secure the competitive benefit of the reputation of your company and your brand.
• It protects your innovations and intellectual property as well as your know-how and investment in products.
How long is the period of validity?
After successful completion, the certificate is valid for 3 years. There are no annual monitoring audits.
Which temporal factors are given?
With the start of the initial inspection, you have nine months to implement discrepancies from the inspection according to the catalogue. The inspection process must be completed within these 9 months.
Who issues the certificate?
A TISAX® testing service provider accredited by ENX is the external auditor for the certification audit. He is commissioned separately and independently of your company. It should be noted that according to the current status (05.09.2019) there are hardly any available dates for a certification audit until the end of the year.
Act quickly and secure your certificate.
We will be happy to help you competently and purposefully.
TISAX® is a registered trademark of the ENX Association.