What is TISAX?
Are you in the automotive industry and want to learn more about TISAX, become TISAX certified or maintain TISAX compliance? Explore our guide on everything TISAX.
Introduction to TISAX
TISAX (Trusted Information Security Assessment Exchange) is an essential standard for ensuring robust information security practices within the automotive industry supply chain. Developed by the German Association of the Automotive Industry (VDA), TISAX adapts the internationally recognized ISO/IEC 27001 standard to address the unique cybersecurity challenges that automotive suppliers and manufacturers face.
The need for TISAX
In today's interconnected automotive ecosystem, safeguarding sensitive data, such as intellectual property, design plans, and customer information, is paramount. A single data breach can have severe consequences, including financial losses, reputational damage, and legal implications. TISAX provides a standardized framework to mitigate these risks and foster trust among stakeholders in the global automotive supply chain.
What is TISAX?
TISAX is a set of requirements and assessment procedures tailored to the automotive industry. It originated from the common need to protect sensitive data and manage complex supply chain relationships involving numerous partners. The ENX Association, established by the VDA, administers the TISAX protocol, ensuring it remains up-to-date with the latest security practices and technologies.
TISAX assessment process
- Assessment scope: The scope of the TISAX assessment is defined during the registration process. Companies specify which parts of their business will be evaluated, considering the sensitivity of the information handled, potential risks, and the level of integration with automotive manufacturers (see below for more information).
- Assessment objectives:
- Standardize information security assessments across the automotive industry supply chain.
- Enhance overall protection against cybersecurity threats targeting sensitive data.
- Support the integrity and trustworthiness of the automotive supply chain.
- Streamline the assessment process, reducing redundant audits and fostering efficient collaboration.
- Importance of ISMS and relation to ISO 27001: TISAX requires the implementation of an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard. The ISMS provides a systematic approach to managing information security risks, ensuring that policies, processes, and controls are continuously monitored, reviewed, and improved.
- Initial assessment: The initial TISAX assessment is conducted at one of three levels, depending on the sensitivity of the information handled:
- Level 1: Self-Assessment (for companies handling less sensitive data)
- Level 2: Document Review and Remote Audit (for moderately sensitive information)
- Level 3: On-Site Audit (for highly sensitive or classified information)
- Corrective action plan: If the assessment identifies areas of non-compliance, the company must develop and implement a corrective action plan to address the identified vulnerabilities and implement the necessary security measures. This plan is crucial for achieving and maintaining TISAX compliance.
TISAX compliance requirements
TISAX compliance is based on the VDA Information Security Assessment (ISA) catalogue, which outlines the necessary security measures and controls. Key requirements include:
- Information security management: Establishing and maintaining a comprehensive management system to oversee all aspects of information security, including policy development, risk management, and continuous improvement.
- Access control: Implementing strict controls and protocols to ensure that only authorized personnel can access sensitive automotive data, based on the principles of least privilege and need-to-know.
- Data protection: Safeguarding personal and operational data against unauthorized access, theft, or leakage, with a particular focus on protecting vehicle user data and proprietary automotive technology.
- Third-party management: Ensuring that all third parties involved in the supply chain, such as suppliers, contractors, and service providers, adhere to the same security standards when handling or accessing sensitive information.
- Incident management: Developing and implementing clear and effective processes for detecting, responding to, and mitigating information security incidents, minimizing their impact and preventing future occurrences.
Planning for TISAX compliance
Achieving TISAX compliance requires strategic planning and a comprehensive approach to align security practices with the standard's requirements. Key planning activities include:
- Risk assessment: Conduct a comprehensive risk assessment to identify potential vulnerabilities within the organization's information security systems, focusing on areas critical to the automotive industry.
- Resource allocation: Determine and allocate the necessary resources, including budget, personnel, and technology, to support the TISAX compliance efforts effectively.
- Timeline development: Establish a realistic timeline for achieving compliance, with clearly defined milestones such as completion of initial risk assessments, policy development, employee training, and the final assessment.
- Stakeholder engagement: Engage with all relevant stakeholders, including IT, legal, compliance, and executive teams, to gain their support, involvement, and alignment throughout the compliance process.
- Compliance framework setup: Based on the risk assessment and TISAX requirements, develop a compliance framework that outlines the policies, controls, and procedures necessary for meeting the standard's criteria.
Implementing TISAX compliance
Successful implementation of TISAX compliance involves a systematic approach and ongoing efforts to integrate security measures into the organization's operations. Key implementation steps include:
- Develop detailed security policies: Create specific security policies that address each requirement of the TISAX standard, ensuring clarity and accessibility for all relevant personnel.
- Systematic deployment of security measures: Roll out comprehensive security measures designed to protect both physical and digital assets, such as securing network infrastructures, implementing strong data encryption protocols, and ensuring physical security at all locations.
- Comprehensive training programs: Conduct thorough training sessions for all employees, focusing on the importance of information security, the specific practices required by TISAX, and their individual responsibilities within these frameworks.
- Regular monitoring and review: Establish a routine for regularly monitoring compliance with TISAX standards, including periodic reviews and audits of security practices and the effectiveness of the implemented measures.
- Feedback and continuous improvement: Implement a feedback mechanism to gather insights from audits and reviews and use this feedback to drive continuous improvements to security policies and practices, ensuring they remain effective against evolving threats.
TISAX assessment objectives and assessment levels
TISAX offers 12 assessment objectives that companies can select from based on the specific information security requirements they need to meet. These assessment objectives serve as benchmarks for an organization's Information Security Management System (ISMS) and determine the applicable criteria catalogues from the VDA Information Security Assessment (ISA).
List of TISAX assessment objectives
| No. | Name | Description |
|---|---|---|
| 1 | Info high | Handling of information with high protection needs |
| 2 | Info very high | Handling of information with very high protection needs |
| 3 | Confidential | Handling of information with high protection needs in the context of confidentiality (access to confidential information) |
| 4 | Strictly confidential | Handling of information with very high protection needs in the context of confidentiality (access to strictly confidential information) |
| 5 | High availability | Handling of information with high protection needs in the context of availability (high availability of information) |
| 6 | Very high availability | Handling of information with very high protection needs in the context of availability (very high availability of information) |
| 7 | Proto parts | Protection of prototype parts and components |
| 8 | Proto vehicles | Protection of prototype vehicles |
| 9 | Test vehicles | Handling of test vehicles |
| 10 | Proto events | Protection of prototypes during events and film or photo shoots |
| 11 | Data | Data protection according to Article 28 ("Processor") of the European General Data Protection Regulation (GDPR) |
| 12 | Special data | Data protection according to Article 28 ("Processor") of the European General Data Protection Regulation (GDPR) with special categories of personal data as specified in Article 9 of the GDPR |
Note: The "Info high" and "Info very high" objectives can only be selected until March 31, 2024. From April 1, 2024, these will be replaced by "Confidential" and "Strictly confidential," respectively.
Selecting assessment objectives
Companies should select assessment objectives based on their specific information security requirements and the sensitivity of the information they handle. If partners provide precise requirements, companies should follow those guidelines. However, if no specific requirements are provided, companies should consider factors such as the potential impact of unauthorized disclosure, the availability needs of their products or services, and their involvement in handling prototypes or test vehicles.
It is recommended to consult with partners before initiating the TISAX assessment process if there are no precise requirements provided.
Assessment objectives and assessment levels
Each TISAX assessment objective maps to a specific assessment level (AL), which determines the rigor and depth of the assessment process. There are three assessment levels:
- Assessment Level 1 (AL 1): Self-assessment, primarily for internal purposes.
- Assessment Level 2 (AL 2): Document review, remote audit, and plausibility check of the self-assessment.
- Assessment Level 3 (AL 3): Comprehensive verification, including on-site audits, interviews, and thorough examination of evidence.
The higher the assessment level, the more rigorous the assessment process becomes, providing a higher level of assurance and trust in the company's information security practices.
| No. | TISAX assessment objective | Assessment level (AL) |
|---|---|---|
| 1 | Info high | AL 2 |
| 2 | Info very high | AL 3 |
| 3 | Confidential | AL 2 |
| 4 | Strictly confidential | AL 3 |
| 5 | High availability | AL 2 |
| 6 | Very high availability | AL 3 |
| 7 | Proto parts | AL 3 |
| 8 | Proto vehicles | AL 3 |
| 9 | Test vehicles | AL 3 |
| 10 | Proto events | AL 3 |
| 11 | Data | AL 2 |
| 12 | Special data | AL 3 |
It is recommended to select assessment objectives that imply an assessment level 3 (AL 3) if there are no specific requirements from partners. This approach ensures that companies are prepared for future requests and do not have to undergo multiple assessments at different levels.
Assessment objectives and suppliers
TISAX does not necessarily require companies to subject their own suppliers to the same assessment objectives or levels. However, organizations must still assess the risks associated with their suppliers and determine if they need to meet specific TISAX requirements based on the nature of the information or services they provide.
By understanding the TISAX assessment objectives and their corresponding assessment levels, companies can ensure that they select the appropriate benchmark for their ISMS and undergo the necessary assessment process to demonstrate compliance with the required security standards within the automotive industry supply chain.
The TISAX exchange
One of the core components of TISAX is the secure platform managed by the ENX Association, which facilitates the exchange of assessment results among trusted partners within the automotive industry. This exchange mechanism streamlines the compliance process and minimizes redundant assessments, fostering efficient collaboration across the supply chain.
How the TISAX exchange works
- Central repository: The TISAX exchange acts as a central repository for storing and sharing assessment results. Participating companies can upload their TISAX assessment reports to the platform, making them accessible to authorized partners.
- Partner access: Automotive manufacturers and suppliers can access the exchange platform to retrieve assessment reports from their partners, suppliers, or service providers. This access is strictly controlled and limited to authorized personnel within each organization.
- Validity period: TISAX assessment reports have a defined validity period, typically ranging from 12 to 36 months, depending on the assessment level and the company's risk profile. After this period, companies must undergo a new assessment to maintain their compliance status.
- Assessment sharing: By sharing TISAX assessment reports through the exchange platform, companies can avoid redundant assessments from multiple partners, reducing the administrative burden and costs associated with repeated audits.
- Trust and transparency: The TISAX exchange promotes trust and transparency among participants by providing a secure and centralized platform for sharing assessment results. This transparency enables partners to verify each other's compliance status and make informed decisions regarding data sharing and collaboration.
Benefits of the TISAX exchange
- Streamlined assessments: Sharing assessment results through the exchange eliminates the need for companies to undergo multiple, redundant assessments from different partners, saving time and resources.
- Enhanced collaboration: The exchange facilitates secure and efficient collaboration among automotive manufacturers, suppliers, and service providers by enabling the sharing of compliance information within a trusted network.
- Reduced costs: By avoiding redundant assessments, companies can significantly reduce the costs associated with undergoing multiple audits and maintaining compliance with various partners.
- Increased trust: The transparency and standardization provided by the TISAX exchange foster trust among participants, as they can verify their partners' compliance status and security posture.
- Scalability: The exchange platform is designed to support the growing number of participants in the automotive supply chain, ensuring scalability and efficient information sharing as the industry evolves.
Participation in the TISAX exchange
To participate in the TISAX exchange, companies must first achieve TISAX compliance by undergoing the appropriate assessment level based on their risk profile and the sensitivity of the information they handle. Upon successful assessment, they can register with the ENX Association and gain access to the exchange platform.
By leveraging the TISAX exchange, automotive suppliers can streamline their compliance efforts, enhance collaboration with trusted partners, and contribute to the overall security and integrity of the global automotive supply chain.
Benefits of TISAX compliance
Achieving TISAX compliance offers numerous benefits for automotive suppliers, enhancing their operational, strategic, and competitive standing within the industry. Key advantages include:
- Enhanced data security: Implementing the stringent security controls required by TISAX ensures that all forms of sensitive information, from personal data to intellectual property, are protected against unauthorized access and cyber threats, preventing costly data breaches.
- Improved business opportunities: TISAX compliance is often a prerequisite for doing business with major automotive manufacturers, especially in Europe. By meeting these standards, suppliers can expand their business opportunities and become eligible to participate in projects that require certified levels of data protection.
- Streamlined audits: With TISAX, suppliers undergo a standardized assessment process, reducing the frequency and complexity of audits from multiple manufacturers. This standardization minimizes the administrative burden associated with multiple, disparate security assessments.
- Trust and reputation: Compliance with TISAX enhances a company's reputation within the automotive industry, signaling a commitment to high standards of information security and instilling greater confidence among partners, clients, and stakeholders.
- Regulatory alignment: TISAX compliance helps organizations align with broader data protection regulations, such as the General Data Protection Regulation (GDPR), ensuring they meet both industry-specific and international legal requirements regarding data protection and privacy.
- Cost efficiency: Implementing TISAX can lead to cost savings over time by preempting security breaches that could result in significant financial losses. Additionally, the efficiencies gained from streamlined audit processes and enhanced data management practices can reduce operational costs.