Tisax Technical Guide Dekra


TISAX®
Trusted Information Security Assessment Exchange

TECHNICAL GUIDE
TISAX® Assessment
DEKRA On the safe side.
In today’s digitized business environment, information security has become an increasingly critical prerequisite for manufacturers, suppliers and service providers cooperating across the automotive value chain. The Trusted Information Security Assessment Exchange (TISAX®) provides members a standardized information security status to be shared among partners working throughout the automotive industry.

Contents
1. TISAX® overview and benefits
2. Roles of participation
3. TISAX® scopes of assessment
4. Established VDA ISA requirements
5. Registered TISAX® subscriber
6. ISO 27001 vs. TISAX®
7. Defined TISAX® protection and assessment levels
8. Test marks and labels
9. Assessment objectives for TISAX® prototype protection

1. TISAX® overview and benefits

Goals
TISAX® has been developed specifically for the automotive industry and aims to ensure the recognized integrity of your information security system. The TISAX® platform provides members standardized assessment of their information security status to be shared with partners working throughout the value chain. Your achieved protection class is conveniently registered on a dedicated digital platform and provided to selected members requesting your TISAX® status. Partners in the TISAX® assessment include:

• The ENX association
• An authorized audit provider
• A participant company applying for certification

Technical Guide TISAX® 2


TISAX® certification is valid for a period of three years. Registered partners share confidential information and need to be absolutely sure that others are continuously handling information according to established TISAX® standards. Based on assessment results, the information security status of each registered participant is available on the online platform. No TISAX® member has automatic access to the assessment results and the status of others. Selected partners with which information is shared are determined by each TISAX® participant on a case-by-case basis.

[Figure: interaction between the ENX Association, the audit provider and the participant during the assessment process: registration, contract, assessment]

TISAX®, VDA and ENX
Established in early 2017, the TISAX® testing and exchange mechanism was founded on the German Association of the Automotive Industry (VDA) catalog of ISA (Information Security Assessment) requirements.

Founded in 2000, the ENX Association is a legally independent union of companies and national associations including Audi, BMW, Bosch, Continental, Daimler, DGA, Ford, Magna, PSA Peugeot Citroën, Renault, Volkswagen, ANFAC (Spain), GALIA (France), SMMT (UK) and VDA (Germany), which supervises the performance of certified service providers, operates central ENX network services and supports providers with efficient solutions.

At its core, TISAX® aims to establish standardized labeling based on criteria common within the automotive industry. TISAX® has been developed to provide a community environment in which the performance and security of IT and IS systems can be shared.



TISAX® Assessment Flow Chart

Phases of TISAX® certification
1. Registration on the TISAX® platform
2. Selection of an audit provider
3. Preliminary verification of label/scope assessment, information protection class, and simplified group assessment (if possible)
4. Execution and signing of the contract
5. Self-assessment (Assessment Level 1)
6. Off-site audit (review of Assessment Level 1 according to documentation and label/scope confirmation or Assessment Level 2)
7. On-site audit (Assessment Level 3)
8. Label validation
9. Audit information shared with exclusive TISAX® partners designated by the audited member company

[Flow chart: Registration, Choice of AP, KOM, OM, Self-assessment, AL2, AL3 (optional), Temporary label, Label (validity: 3 years); initial assessment, non-conformities, corrective action plan, follow-up assessment, 9 months]

KOM = Kick-off-meeting, OM = Opening meeting, AL = Assessment level, AP = Audit Provider


Benefits of TISAX® certification
In addition to the added value of your recognized information security status, TISAX® certification provides you the following advantages:

• Complete control over who can access your assessment results
• TISAX® assessment every three years, eliminating time and money spent on multiple checks
• Increased credibility with a certified information security system
• Cross-company recognition among TISAX® members
• Strong strategies for effective risk management
• Transparency through harmonized VDA ISA catalog
• Sharper focus on customer needs and expectations
• Internationally recognized listing on the TISAX® online platform

2. Roles of participation

[Figure: roles of participation. The passive participant requests assessment from the active participant; the active participant gets TISAX®-assessed and shares the result with the passive participant.]

Member organizations participating in the exchange model may adopt either a passive or an active role according to each particular circumstance:

Passive participant (e.g. OEM, automotive manufacturer): Calls for another company such as a supplier to undergo assessment and requests access to the assessment results.



Active participant (e.g. supplier): Either orders assessment or is called on by an OEM or customer to undergo assessment. The active participant then provides selected partners access to the assessment results.

The three steps of participation:

1. Registration
Your selected TISAX® provider gathers information about your company and determines the scope of your assessment.

2. Assessment
Assessment(s) is conducted by an approved TISAX® audit provider.

3. Exchange
Assessment results and certification(s) are exclusively shared with designated partners.

Step 1
Clients can register on the TISAX® platform and are required to follow a specific process to obtain a “participant number”. During the online TISAX® registration process candidates must:

• Provide contact details and billing information
• Accept TISAX® terms and conditions
• Define the scope of the information security assessment

The audit scope is based on the VDA ISA catalog. Audit duration is calculated according to the determined scope and cannot be precalculated based solely on the structure of the organization.



[Figure: Extended Scope, Standard Scope, Narrowed Scope]

Step 2
Assessment is broken into four sub-steps:

• Assessment preparation: The extent of preparation depends on the current maturity level of the information security management system and must be based on VDA ISA catalog requirements.
• Audit provider selection: Participants choose their preferred partner from the list of approved TISAX® audit providers.
• Information security assessment(s): The audit provider conducts assessment based on a scope determined by the requirements of the requesting partner. Each assessment process consists of at least an initial audit, with additional actions necessary for those who do not immediately pass.
• Assessment result sharing: Upon the completion of a successful audit, the report and results are shared at the approval of the active participant.

Step 3
Results are entered on the TISAX® platform to be exclusively shared with designated partners on a case-by-case basis. The content of your TISAX® report is structured in levels and only you are authorized to decide the level at which your partner will have access. TISAX® and ENX publication of the results and assessment label on the TISAX® digital platform make your certification official.



3. TISAX® scopes of assessment

Scopes of assessment available to you:

• Standard Scope: Applied in the majority of cases, the standard scope is pre-defined to include all resources and processes used in collecting, storing, and managing digital information.
• Customized Extended Scope: Tailored to meet your needs beyond standard scope perimeters.
• Customized Narrowed Scope: Tailored to meet only specific needs in a reduction of the standard scope (no label can be issued).

TISAX® certification culminates with an achieved assessment label symbolizing the assessment result. There are four different label categories that can be required by various partners. Defined at the beginning of the process, assessment objectives are audited and assigned the appropriate assessment level status upon successful completion of the audit. Degrees of “high” or “very high” define the achieved protection level in each category.

TISAX® assessment scope and duration are determined on a case-by-case basis according to the list of criteria to be met, defined protection objectives, ISMS complexity, and the number of affected locations.

VDA ISA criteria catalog | Protection Level (PL) | Assessment objective | TISAX® Assessment Level
Information security | high | Information with high protection level | AL 2
Information security | very high | Information with very high protection level | AL 3
Prototype protection | | Handling of prototypes with high protection level (for further information please see chapter 9) | AL 3
Data protection | high | Data protection according to §11 BDSG (“Auftragsdatenverarbeitung”) | AL 2
Data protection | very high | Data protection with special categories of personal data, data protection according to German §11 BDSG (“Auftragsdatenverarbeitung”), special categories according to German §3 section (9) BDSG (“Besondere Arten”) | AL 3



4. Established VDA ISA requirements

VDA ISA assessment includes a generic questionnaire on information security and three additional specific topic modules:

• Prototype protection: Originally covered by VDA PTS, the module has been revised to follow the same structure as the main catalog.
• Connections to third parties: The module describes the specific requirements suppliers and service providers should consider when renting space meant to host on-premise partner network connections.
• Data protection: This module is applied to service providers mandated to process information according to Article 28 of the European General Data Protection Regulation (GDPR).

5. Registered TISAX® subscriber

Access to TISAX® is available to registered subscribers via the online TISAX® portal. Registration is the prerequisite to choosing an approved TISAX® auditor from the list of authorized service providers. A single organization may register several locations and have a group assessment carried out if needed. After assessment based on VDA ISA requirements, active participants can provide information to be shared with their designated TISAX® partners.

TISAX® uses the VDA ISA questionnaire created by the German Automotive Industry Association (VDA) which is based on essential aspects of the internationally recognized ISO/IEC 27001 standard regulating information security management systems (ISMS).

ENX monitors adherence to TISAX® procedure which includes specific requirements for ENX TISAX® audit service providers to safeguard the quality of implementation and assessment results. ENX therefore executes contracts with all authorized audit service providers and registered participants. TISAX® standardization and quality control ensures your certification is recognized among TISAX® members throughout the automotive industry value chain.

6. ISO 27001 vs. TISAX®

TISAX® assessment is based on the VDA Information Security Assessment (VDA ISA) test catalogue, which in turn is based on ISO/IEC 27001 or ISO/IEC 27002 requirements extended to include automobile-specific requirements such as prototype protection, or the integration of third parties or data protection.

A company that has successfully passed the TISAX® procedure is not automatically certified according to ISO 27001. ISO 27001 certification must be carried out separately.

See the table below for the main differences:

 | ISO 27001:2013 | TISAX®
Audit frequency | Annually | Every three years
Proof | Certificate | Electronic label (only available in the ENX database)
International recognition | Yes | Only in the automotive industry at this time
Dealing with deviations | Major deviations must be closed before the certificate is issued | All major and minor deviations must be closed before the label is issued



7. Defined TISAX® protection and assessment levels

As the operator of the TISAX® program, the ENX Association has clearly defined protection and assessment levels. TISAX® differentiates between two protection levels which define the appropriate security for the type of information being reviewed. Levels of security range from:

• High: Potential damage would be substantial, of a mid-term nature and not limited to a single entity.
• Very high: Potential damage would be threatening to the continued existence of the business, of a long-term nature and not limited to a single company.

TISAX® also differentiates among three assessment levels (AL) which define assessment depth and method for the three categories of information:

• Information with normal protection level: Assessment Level 1: Self-assessment. Assessment Level 1 results are not normally referenced in TISAX®, but may be requested for general use.
• Information with high protection level: Assessment Level 2: Audit conducted by an independent approved service provider using the self-assessment as a basis together with various documents and a telephone interview (on-site inspection may be required).
• Information with very high protection level: Assessment Level 3: Audit conducted by an independent approved service provider on the basis of documentation and an on-site inspection.

[Figure: TISAX®: two protection levels, three assessment levels]

8. Test marks and labels

Appropriate labeling corresponding to the protection and assessment classification levels is a prerequisite for the proper handling of information. In addition to the creator, both recipients and processors of information must know, understand, and apply the associated classification level requirements during handling. Labeling is particularly critical when transmitting confidential and strictly confidential information across company boundaries.

In addition to uniform information classification and corresponding document labeling, the Information Security Working Group also demands uniform labeling for IT applications. When opening digital information such as an e-mail or an attached file, a color clue can provide an important indicating feature to visually signal the classification level of the digital information. A clear reference such as a colored bar can support universal understanding of the classification level regardless of language-specific differences.



9. Assessment objectives for TISAX® prototype protection

Assessment objective | Information
Protection of prototype parts and components | Applies to companies that manufacture, store or provide vehicles or components classified as vulnerable on their own premises.
Protection of prototype vehicles | Applies to companies that manufacture, store or use customer-provided vehicles classified as requiring protection at their own premises.
Handling of test vehicles and components | Applies to companies that conduct tests and test drives with customer-provided vehicles classified as requiring protection.
Protection of prototypes during events and film or photo shootings | Applies to companies that conduct presentations or events and film and photo shootings with customer-provided vehicles, components or parts classified as requiring protection.



About DEKRA

Since our founding over 90 years ago, DEKRA has been providing services to ensure
the highest of safety standards. With passion, expertise and 45,000 employees
worldwide, we think ahead to address the safety challenges of the future. We promote
safe human interaction with technology and the environment and strive to meet today’s
security demands with regard to digitalization. On the road, at work and at home – our
skilled DEKRA experts work to increase safety across all key areas of life.

Would you like more information? Contact us!



Do you require a TISAX® assessment for your company?
Contact our experts now!


© 2022 DEKRA. All rights reserved. All trademarks are the property of DEKRA
