TISAX® - How Information Security Empowers the Automotive Industry
June 8, 2023
10 min
TISAX® - this term is often used when talking about information security management systems (ISMS). It is a special standard in information security - and we take a look at what TISAX® is all about.
In this article, you will learn:
- what exactly TISAX® is and who developed it,
- for which companies the so-called TISAX® label is particularly suitable,
- what benefits TISAX® certification brings with it.
In addition, we will show you the special features, benefits, and requirements of TISAX® and explain the associated process.
What is TISAX®?
TISAX® is considered the standard for information security management systems (ISMS) in the German automotive industry.
Information security management systems consist of a set of guidelines and processes that have the task of protecting sensitive information. This includes, for example, customer data or accounting data, but also trade secrets or designs for new products.
You can think of an ISMS as a watchdog for company information. It's a system that helps you identify potential security risks and take action to prevent them.
There are various standards for setting up such an ISMS. These standards are intended to help establish the same level of protection in all information security management systems. In addition, by certifying these standards, companies signal that the data of customers and business partners is in particularly safe hands with them.
TISAX® - strong ISMS standard for information security in the automotive industry
Corporate information security - a foundation of trust
TISAX® is an assessment and exchange mechanism for corporate information security. The requirements are significantly influenced by ISO 27001, the globally recognized standard for information security management systems.
However, TISAX® extends the catalog of requirements to include areas in information security that are particularly important for the automotive industry. For example, the topic of prototype protection (e.g., the protection of new car models, so-called "prototypes") has an important status.
This is also the reason why automotive manufacturers and their subsidiaries generally expect a TISAX® label from their suppliers and service providers.
By the industry, for the industry
The TISAX® standard for information security management systems was developed in 2017 by the German Association of the Automotive Industry (VDA) and is managed by the European umbrella organization of the automotive industry, the ENX Association.
Thanks to the overarching organization that specifies uniform standards, customers no longer have to request proof and certificates from their suppliers themselves, as they used to, and check them if necessary. Thus, TISAX® not only simplifies cooperation, but also contributes to a business relationship characterized by transparency.
Today, TISAX® is a very important standard for information security in the automotive industry. A company that receives the TISAX® label after a successful audit process demonstrates that its audited ISMS meets a clearly outlined set of requirements.
This is why automotive companies want to obtain the TISAX® label
TISAX® is a door opener for contractors in the automotive industry. Customers or clients (usually automotive manufacturers) often specify desired information security requirements that a supplier must meet. In the automotive industry, these clients are also called "original equipment manufacturers" (OEMs), meaning vehicle manufacturers.
Depending on the level of protection required for the OEM's information, suppliers must meet different requirements.
In particular, prototypes are strictly protected by the industry: These test models depict planned products of automotive manufacturers, which are subject to the utmost secrecy during the development and testing phase.
The reason for the high level of confidentiality is that companies do not want competitors to be able to tap into information about the development status of the product range.
A TISAX® label can also significantly strengthen the perception of information security internally and externally: It is not only a particularly demanding and secure standard that is specifically geared to the requirements of the automotive industry, but also signals to business partners that data on prototypes and developments is handled with the utmost care by the audited company.
This is how the assessment process works - in 3 steps
1. Setting up an information security system
Before a company can receive a TISAX® label, it must set up an information security system - because that is what the TISAX® label assesses. This setup usually takes a lot of time and effort - because an ISMS needs to be well thought out in order to meet TISAX®'s rigorous standards. Fortunately, for companies that want to get the TISAX® label especially quickly, there is an option to automate their ISMS.
SECJUR's Digital Compliance Office (DCO) saves companies hundreds of hours of work in establishing a TISAX®-compliant ISMS.
2. Preparation for the audit
Using a questionnaire provided by the VDA, the company should first check internally what the status of information security is.
If necessary, the weaknesses of the existing ISMS are remedied. The more structured this process is, the better. Support from external specialists can be helpful or even indispensable for this, depending on the size of the company and the quality of its ISMS. Automated ISMS solutions help to speed up the process and set up the ISMS in compliance with TISAX® right from the start.
3. Select assessment level and request an audit
In the next step, the company that wants to obtain the TISAX® label registers with the ENX Association. The company specifies the scope and selects an auditor.
Basically, three important areas of information security can be examined in this process:
- Information security (this area is always audited by the auditor)
- Data protection (audited on request)
- Prototype protection (audited on request)
Which of the three areas a company wants to see audited by TISAX® usually depends on the requirements of its clients. Depending on the data they pass on to the company to be audited, these clients request lower or higher levels of protection for their information.
These levels of protection exist
The TISAX® assessment process distinguishes between three different levels of protection (assessment levels).
Assessment Level 1 is limited to the pure self-assessment of the company and plays no role in obtaining the TISAX® label.
Assessment Level 2 stands for "handling information with a high need for protection". Here, the auditor reviews the submitted documents and conducts an audit interview, for example via video interview.
Important: Prototype protection does not fall within the scope of this level. If "very high protection requirements" are involved, the more stringent assessment level 3 applies.
Assessment Level 3:
At this level, all three areas mentioned, including prototype protection, are checked. In addition, the auditor verifies the submitted information on site at the company. The appointed auditor is independent and accredited by ENX.
The company completes the questionnaire on its own and sends it to the auditor with the complete ISMS documentation and evidence. After the audit, corrections may be necessary in the event of deviations.
A major deviation is when a mandatory requirement of the audit scope is not met - the company must demonstrably rectify this circumstance, otherwise it will not receive the TISAX® label. In the case of a minor deviation, a requirement is partially not fulfilled. The company then receives a provisional label. However, it is required to close security gaps promptly. The audit must be completed after nine months at the latest. The results are then submitted to ENX and the TISAX® label is issued.
TISAX®: These are the advantages for companies
Obtaining the TISAX® label can not only significantly strengthen information security in a company, but also brings other benefits:
1. Information security awareness:
In the course of the TISAX® process, companies have to deal intensively with the topic of information security and establish an ISMS with well-structured processes, which experience has shown leads to a higher level of understanding and day-to-day attention to the topic. After all, most companies want their employees to handle data carefully.
2. Simplification of processes:
The TISAX® label is valid for three years, which has saved manufacturers and suppliers several supplier audits per year since its introduction. It also enables transparency and simplifies processes, as companies that have registered with ENX for the TISAX® portal can view the results of all other participating companies.
3. Transparency for stakeholders:
With the TISAX® label, a company shows that its ISMS meets strict requirements. This means that current and future business partners can be confident that their data is protected as well as possible.
How much does TISAX® cost?
The cost of a TISAX® label usually depends on the size of the company, the complexity of the ISMS, and the assessment level, i.e., the scope of the audit. On average, the costs amount to several thousand euros.
The decision for TISAX® - what does my company need to prepare?
An existing ISMS is a basic requirement for obtaining the TISAX® label. If you as a company have not yet established an information security system, you must address this step first.
Faster to TISAX® with SECJUR's ISMS solution!
At SECJUR, we know what matters when it comes to TISAX®-compliant information security management systems.
With SECJUR's Digital Compliance Office, you can quickly, flexibly and effectively build an automated ISMS that can lead you directly to the TISAX® label!
The DCO combines all relevant guidelines and activities and saves you hundreds of hours of work through clarity and intelligent, automated processes.
SECJUR stands for a world where companies are always compliant, but never have to think about compliance. With the Digital Compliance Office, companies automate time-consuming work steps and achieve compliance standards such as GDPR, ISO 27001 or TISAX® up to 50% faster.
Compliance, completed.
Automate and streamline your compliance processes with our Digital Compliance Office