Information security continues to gain importance within the automotive industry. However, information security plays a central role not only with regard to vehicles, but also with regard to development and manufacturing processes and in the exchange of information and data.
German OEMs in particular now require a mandatory assessment of the information security management system (ISMS) according to TISAX (Trusted Information Security Assessment Exchange) as a prerequisite for cooperation.
The basis for this is the VDA-ISA question catalog developed by the VDA, which is based on key aspects and criteria of the internationally recognized ISO/IEC 27001 standard. This is supplemented by special criteria catalogs, particularly for prototype protection.
Good reasons for TISAX® certification
The renewal of existing supplier relationships is facilitated.
By implementing TISAX® requirements, you can protect your own company assets against unauthorized access.
A TISAX® assessment is a uniform standard that is recognized by all partner companies.
In the case of German automotive groups (especially VW Group and BMW), a TISAX certification is often a condition for (further) cooperation.
Optimal preparation for ISO/IEC 27001 certification.
What does a TISAX® assessment consist of?
TISAX® is based on the VDA-ISA questionnaire, which was developed by the Information Security Working Group of the German Association of the Automotive Industry (VDA). The catalog is based on the international standard ISO/IEC 27001.
The TISAX requirements catalog consists of several modules. Central to this is the main module of information security (either high protection requirement or very high protection requirement). In addition, depending on customer requirements, the additional modules data protection and prototype protection are also possible.
How does certification work?
Any company can proactively get certified without being asked to do so by a customer. However, it is often the contracting process of a customer that requires TISAX certification. The purchasing department of the customer (often the OEM) determines whether TISAX certification is required and which test modules are relevant.
Depending on the modules required by the customer and the protection requirement (high or very high), the TISAX assessment is performed either remotely (AL2, Assessment Level 2) or on-site (AL3, Assessment Level 3).
A Level 3 TISAX assessment (on-site testing) is required if working with information with very high protection needs or the add-on module for prototype protection is part of the TISAX assessment.
The procedure of TISAX certification.
Anyone who wants to be certified must be registered with the governance organization ENX. ENX, as the coordinating body, manages the registration and the test results. The test results are only available to approved partners, such as the company's own customers. ENX does not store any details of the tests, only the result.
Basically, a TISAX certification follows the following procedure:
- Registration with ENX
- Selection of the test service provider
- Filling out a self-disclosure form
- Audit by the auditor, for level 2 by remote procedure, for Level 3 by an on-site audit.
- Closing and re-testing any gaps that may have been uncovered
- Completion of the audit and transmission of the results to the ENX
How to prepare for TISAX certification?
If there is a request for certification, or it is evident in the tender documents, it must be determined which modules and which level are relevant for certification. Optimally, this should be coordinated with the OEM or customer making the request, even if this sometimes proves to be not so easy. It is also advisable to distinguish between development and production sites when clarifying this.
After clarifying the requirements, the next step should be to determine the current status and maturity level of the ISMS (information security management system). For this purpose, it is recommended to complete the self-disclosure with process, document and implementation references and to evaluate them. At a minimum, the following questions should be clarified and written down for each audit point:
This allows open points (gaps) to be identified and then incorporated into a project plan.
Frequently asked questions and answers
What is the difference between a major deviation and a minor deviation?
During testing, deviations are evaluated according to criticality. A main deviation here means that a mandatory requirement according to the VDA-ISA catalog is not met. A side deviation indicates that a requirement has only been partially fulfilled. In the follow-up to an assessment, both major deviations and minor deviations must be corrected.
However, without a major non-conformance, a temporary TISAX label can usually be issued for a few months, so that the audited site can already be considered certified, even though not all minor deviations have been fully closed.
What is a temporary TISAX label?
During a TISAX assessment, deviations are categorized as either a major deviation or a minor deviation.
Without a major deviation, a temporary TISAX label can usually be granted for a few months, so that the audited site can already be considered TISAX-certified, even though not all of the minor deviations have been fully closed. This represents a major advantage, as in practice clients already fully recognize temporary labels.
How can I obtain the VDA-ISA criteria catalog?
What is the cost of TISAX certification?
External costs arise from the registration with ENX (approx. 500€ per year), the testing service provider (from approx. 4,000€, depending on the test modules and travel costs for an on-site audit) as well as the consulting activities incurred in preparation for the TISAX audit.
How does a TISAX certification consultation work?
Our experienced TISAX auditors can guide you through every step, giving you the best possible preparation for the TISAX assessment:
Determine your requirements.
In a discussion with your management, we determine the requirements for a TISAX certification.
Performing a TISAX gap analysis.
Based on your requirements, we perform an internal assessment to determine potential gaps. For this purpose, you will receive a detailed report of the deviations found with specific recommendations for action.
Develop a TISAX roadmap and implementation strategy.
Together, we develop an efficient roadmap to close the discrepancies found.
In every process phase and also during the further implementation, we are your partner and advisor on all matters relating to your strategic information security. In doing so, you will also benefit from our comprehensive TISAX template package.
Certified and experienced
Qualifications and standards
A Trusted Partner
In-depth requirements analysis, consulting and training in all matters related to TISAX®
Years of experience in the implementation of TISAX® and ISO/IEC 27001 projects with both stock market-oriented international corporations and regionally active SMEs
Large TISAX template package
Solution-oriented and pragmatic
Have we sparked your interest?
Just give us a call or write us a message!