TISAX®: 10 facts

What benefits does TISAX (Trusted Information Security Assessment Exchange) offer you?

1. What is TISAX®?

TISAX® stands for Trusted Information Security Assessment Exchange. This is a testing and exchange mechanism established by the VDA (German Association of the Automotive Industry) in cooperation with ENX (European Network Exchange Association) at the beginning of 2017. A specially developed online platform is used for the cross-company exchange of test results in information security in the automotive sector. By releasing the results on the platform, companies can notify their direct business partners or all participating companies that their information security is TISAX® compliant.

2. How important is TISAX® for suppliers?

Suppliers and service providers in the automotive sector often process extremely sensitive information from their clients and are therefore required to provide regular evidence that they meet information security requirements. Until now, the audit was usually carried out by the manufacturers themselves on the basis of the Information Security Assessment (ISA) requirements catalog. This often resulted in numerous companies having to undergo the same audit several times - for each client. With TISAX®, this additional effort can be reduced, because by releasing the results on the platform, companies can signal that their information security is TISAX®-compliant. For suppliers, a TISAX® label represents the entry ticket into the automotive industry and is obligatory for cooperation with OEMs.

3. What are the benefits of TISAX®?

  • TISAX® provides a uniform information security level in the automotive industry.
  • TISAX® counts as a recognized standard in the automotive industry.
  • Unnecessary double and multiple checks are eliminated.
  • The assessment for TISAX® certification is only required every three years. Thus, time and costs are saved.

However, introducing such a system requires the full support of management. An external network of competent partners is available for advice and support. Consulting is separate from certification and must be carried out by separate organizations.

4. What are the assessment levels?

TISAX® distinguishes three assessment levels (protection needs). These levels differ in testing procedures and intensity. The basis of the TISAX assessments is the VDA-ISA requirements catalog:

  • Level 1: Self-assessment without plausibility check, usually only for internal purposes. These test results have only a low significance and are not used in TISAX®.
  • Level 2: Plausibility check of the self-assessment by a testing service provider (usually by telephone).
  • Level 3: Plausibility check of the self-assessment by a testing service provider (intensive and comprehensive on-site testing).

5. How long does the TISAX® implementation take?

This depends on several factors:

  • Complexity of the company (production, service, national, international, etc.)
  • Size of the company (number of employees, number of sites)
  • Maturity of the information security management system (ISMS)

On average, this takes approx. 6-9 months, but can take longer on a case-by-case basis (e.g., international sites).

With TISAX®, not only do you continue to be a valuable partner and supplier for OEMs, but at the same time you secure and optimize your systems and processes in terms of information security. With TISAX® you go safely through the automotive world!

Bastian Härzer, Managing Director, Syngenity GmbH https://www.bayern-innovativ.de/seite/clusterpartner-im-fokus-syngenity


6. How long does it take for a company to be certified?

The TISAX® audit process must be completed within nine months from registration, otherwise the process starts all over again. If all criteria are met or only minor deviations are apparent, the test report is submitted to ENX. Once this has been accepted, a (temporary) TISAX® label is handed over. In the case of major deviations, the label is only valid from the day on which the deviations have been rectified. These must be resolved within 8 months at the latest.

7. What are TISAX® labels?

The labels summarize the test result and are hierarchically linked. The labels can only be viewed in the ENX portal for Approved OEMs. They are valid for three years.

8. Should one strive for TISAX® certification even without a customer request?

In principle, certification according to TISAX® is always recommendable for suppliers. On the one hand, it reduces the internal audit effort should an OEM require evidence, and on the other hand, your internal organization is so advanced in terms of information security that other standards, e.g. ISO 27001, can also be implemented for other industries without any problems.

9. What changes does the new VDA ISA catalog include?

The new version of the ISA requirements catalog has an even clearer structure and reduces the effort for companies and auditors. In addition, adjustments have been made to the "Information Security" module and redundancies have been eliminated. Version 5.0 of the VDA ISA question catalog has been available since July 2020. It has been mandatory for all new TISAX® assessments since October 1, 2020.

10. Who is the contact for a TISAX® audit?

Only ENX-approved testing service providers with special accreditation for TISAX® and extensive industry expertise, such as TÜV SÜD, are the contact for a TISAX® audit in order to ensure a high, consistent product level and broad recognition of the standard. Accredited testing service providers and those currently undergoing accreditation can be viewed via the platform.



