EFS Consulting
02/18/2025

TISAX® (Trusted Information Security Assessment Exchange): A Quick Guide

This insight provides a comprehensive overview of TISAX® as the standard for information security in the automotive industry. The advantages, testing process and requirements of the certification are highlighted as well as the latest changes in the Information Security Assessment (ISA) catalogue of the VDA (Verband der Automobilindustrie) and their impact on companies. In addition, it will be explained how TISAX® makes companies more secure – and how EFS Consulting provides targeted support in this regard.

Key Takeaways

  • TISAX® as a standard: TISAX® is an internationally recognized standard for information security management, specifically developed for the automotive industry and based on the ISO 27001 standard 
  • Protection of sensitive data: The aim is to protect confidential information along the supply chain and to create trust through standardized verification procedures.  
  • Relevance for companies: TISAX® is relevant for automotive manufacturers (OEMs), suppliers and IT service providers who exchange or process sensitive information.  
  • Advantages of certification: Companies benefit from increased trust, reduced risks, improved efficiency, and a competitive advantage through a TISAX® label.  
  • Structured process: The certification process includes registration, a self-assessment, external audits, and the issuance of the TISAX® label, adapted to the security requirements of the respective company. 


What is TISAX®? 

TISAX® (Trusted Information Security Assessment Exchange) is an internationally recognized standard for information security management, specifically developed for the automotive industry. The aim is to protect sensitive information within the supply chain, create trust and ensure automotive compliance through a uniform assessment procedure. 

Origin and Goal 

TISAX® was developed by the ENX Association in collaboration with the German Association of the Automotive Industry (VDA) and is based on the ISA (Information Security Assessment) catalogue, which integrates the requirements of ISO 27001. It enables companies to communicate security standards transparently. The increase in efficiency is achieved through standardized test procedures that reduce redundant efforts and promote collaboration along the digital supply chain. 

Who needs TISAX®? 

TISAX® is relevant for all companies operating in the automotive industry that exchange confidential information such as prototype data or production plans. Typical target groups are: 

  • Automotive Manufacturers (OEMs): To protect sensitive data in the supply chain.  
  • Automotive Suppliers: Those who process or share technical and business-critical information.  
  • IT service providers: Those who have direct access to data and systems in the automotive industry.  

In addition, many companies outside the automotive industry rely on TISAX® to improve their information security standards and position themselves as a trusted partner. 

Who is allowed to audit for TISAX®? 

Only accredited testing service providers approved by the ENX Association are allowed to carry out TISAX® certifications. These take the form of assessments ranging from self-disclosures to extensive on-site audits. Among the best-known testing service providers are organizations such as TÜV, Dekra or SGS.

Why TISAX® Certification: Benefits for companies 

A certification can offer numerous advantages: 

  • Build trust: Companies with the TISAX® label signal that they comply with the highest security standards.  
  • Meeting customer expectations: Many OEMs require TISAX® to work together.  
  • Increase efficiency: Uniform test procedures avoid redundant audits and reduce costs.  
  • Improve risk management: The protection needs analysis and risk analysis help to identify vulnerabilities and proactively minimize risks.  
  • Secure market advantage: TISAX® offers companies the opportunity to position themselves as a safe and reliable partner in the industry.  


The steps to TISAX® simplified 

1. Cost and time required for certification 

The path to TISAX® certification requires targeted preparation, the effort of which depends on several factors: 

  • Company size and complexity: Extensive processes and a large TISAX scope increase the effort.  
  • Assessment level: The depth of the assessment is determined by the requirements or the assessment level (e.g. “AL 1”, “AL 2” or “AL 3”).
  • Level of preparation: Companies that have already implemented an information security management system (ISMS) in accordance with ISO 27001 can significantly speed up the process.  

The duration of the entire process – from registration to the issuance of the TISAX® label – is usually three to nine months. The costs also depend on factors such as the chosen testing service provider, the location and the specific requirements.  

2. The TISAX® process at a glance 

A structured process is crucial for successful certification. The steps include: 

  1. TISAX registration: Login via the TISAX platform (ENX portal) and definition of the TISAX scope.  
  2. Self-assessment: Conduct a TISAX® self-assessment to review existing security measures.  
  3. Hire a testing service provider: Selection of an accredited TISAX testing service provider.  
  4. External audit: Conducting an audit, which can take place on-site depending on the assessment level.  
  5. Receipt of the TISAX® label: After successful testing, companies receive the label, which can be viewed online.  

3. Assessment levels and requirements

TISAX® certification is divided into three assessment levels (AL): 

  • AL 1: Self-disclosure without external verification.  
  • AL 2: External audit.  
  • AL 3: Comprehensive audit with in-depth on-site inspections.  

The assessment level to be chosen depends on the selected assessment objectives, which in turn can be derived from the requirements and the need for protection. These requirements are often dictated by customers, such as OEMs. There are twelve assessment objectives: 

  1. Info High: Information with a high need for protection is processed.  
  2. Info Very High: Information with a very high need for protection is processed.  
  3. Confidential: Information with a high need for confidentiality is processed.  
  4. Strictly Confidential: Information with a very high need for confidentiality is processed.  
  5. High Availability: A high availability of the products/services is required.  
  6. Very High Availability: A very high availability of the products/services is required.  
  7. Proto Parts: Components or parts in need of protection are manufactured.  
  8. Proto Vehicles: Vehicles in need of protection are manufactured, stored or made available.  
  9. Test Vehicles: Tests and test drives are carried out with vehicles in need of protection. 
  10. Proto Events: Vehicles, components or parts are used for exhibitions or other events.  
  11. Data: Personal data is processed.  
  12. Special Data: Special categories of personal data are processed.   

4. Stakeholders involved: vendors, testing service providers, and customers

The success of a TISAX® certification is based on the cooperation of several stakeholders: 

  • Providers (vendors): Companies that undergo a TISAX® assessment.
  • Testing service providers: Organizations such as TÜV or Dekra that carry out the assessments.
  • Customers: OEMs and other partners who require certification as a prerequisite for collaboration.  


The importance of TISAX® for the future 

TISAX® has established itself as the standard for information security in the automotive industry. The changes in the ISA catalogue version 6.0 show how dynamic and future-oriented this standard is. Companies that want to survive in an increasingly digitized and networked market benefit from continuous adaptation to new security requirements.  

TISAX® 2024: Changes after ISA version 6.0 

The switch to the ISA catalog version 6.0 on April 1, 2024 was not an April Fool’s joke: The revision of the Information Security Assessment (ISA) catalogue, which was already announced in October 2023, comes with significant changes and updates to the well-known testing standard.  

What changes does ISA 6.0 bring? 

Ransomware attacks are and will remain one of the most lucrative businesses for attackers. With the rising number of such incidents, the resulting risk and the need for preventive measures also increase. As a result, ISA 6.0 focuses on incident and crisis management. An overview of the new controls makes this clear:

Detect attacks 

  • Control 1.6.1: Establishment of a functioning reporting system for security incidents 

Respond to incidents 

  • Control 1.6.2: Fast and coordinated response to security incidents 
  • Control 5.2.8: IT Service Continuity Planning to Ensure Essential Business Processes 
  • Control 1.6.3: Preparedness for crisis situations and appropriate crisis management 

Enable recovery 

  • Control 5.2.9: Implementing a solid backup and restore concept

Increase resilience 

  • Control 1.3.4: Secure management of software on clients 

One language to rule them all – Transition to English as the leading language 

Not only continuity fans, but also multilingual talents can rejoice: the official switch to English as the leading language of the ISA catalog is intended to ensure consistency and global reach. Consequently, the English original can always be consulted if doubts or ambiguities arise in other language versions. This means that separate approval of the various translations by the expert group is no longer necessary. Eight official translations are currently planned, all derived from the English master version.

More requirements – but also more assistance 

The revision does not end with the updated controls: it is expanded with additional guidance and references to international standards such as NIST SP-800-52, BSI IT-Grundschutz and ISO/IEC 27001:2022, as well as a completely revised data protection catalogue to support compliance with the GDPR (General Data Protection Regulation).

What does the changeover now mean for companies? 

As a general rule, since 1 April 2024, ISA 6.0 has been mandatory for all TISAX® assessments commissioned after this date.  

  • TISAX® assessments in accordance with the outdated ISA 5 that were commissioned before the cut-off date may also be completed after the cut-off date. This also applies to assessments of corrections, scope extensions and follow-ups.
  • If an assessment on an ISA 5 basis was requested before 1 April but a switch to ISA 6.0 is desired, this is possible in consultation with the testing service provider.

Assessments that have already been completed remain valid. A new assessment is only necessary when the existing TISAX® label expires.


Support on the way to TISAX® certification 

EFS Consulting offers holistic support on the way to certification. The experienced team analyses your existing information security management system, identifies optimization potential and accompanies you through the entire certification process.

From the definition of the TISAX® scope to the implementation of a self-assessment to the selection and cooperation with accredited testing service providers – EFS Consulting is at your side with expertise and practical support. 

With EFS Consulting at your side, you ensure that your company is optimally prepared for the requirements of TISAX® and benefits from the advantages of certification in the long term. 


Conclusion

TISAX® is an indispensable standard for companies that want to ensure information security in the automotive industry. The constant further development, such as the switch to ISA 6.0, shows the relevance for the future. Contact EFS Consulting today to implement your TISAX® certification efficiently and successfully. 
