TISAX in the Automotive Industry: Requirements and Best Practices

Meeba Gracy


Jan 29, 2025
TISAX

TISAX® – Trusted Information Security Assessment eXchange

TISAX was established in 2017 through a partnership between the German Association of the Automotive Industry (VDA) and the European Network Exchange (ENX). 

It was designed as a standardized framework for information security assessments, ensuring suppliers and manufacturers across the automotive sector uphold strict data protection requirements. 

Over time, TISAX has gained prominence beyond Europe, with Original Equipment Manufacturers (OEMs) including these assessments in contractual obligations and supplier performance reviews. 

Completing a TISAX assessment earns an official label, which is shared with other registered participants on a dedicated exchange platform. 

What are the best practices and standards to know if you are in a hurry to get certified? Let’s dive in…

TL;DR
What is TISAX: TISAX is a standardized framework introduced by the VDA and ENX. It helps ensure automotive organizations maintain high data protection and information security throughout their operations.
Who Needs TISAX: Automotive manufacturers, suppliers, and related service providers often find TISAX essential, especially if it’s a contractual requirement from OEMs. 
Key Requirements: Aligning an ISMS with ISO 27001 principles, completing self-assessments, meeting defined security levels, and collaborating with an accredited audit provider are critical steps toward achieving TISAX certification.

TISAX – A Quick Breakdown

TISAX stands for Trusted Information Security Assessment Exchange. It was introduced as a European cybersecurity framework to safeguard data throughout the automotive production process, particularly within the German market. 

A car manufacturer, for instance, might require suppliers to obtain TISAX certification to ensure the security of confidential information such as design details and production plans. 

Likewise, IT service providers working alongside automotive firms often undergo TISAX assessments to confirm their commitment to sound information security practices.

TISAX Requirements You Need to Know

TISAX requirements define the essential measures for safeguarding data in the automotive industry. They outline clear standards for information security management, ensuring that manufacturers and suppliers meet consistently high levels of protection. Below is an overview of key points to remember when preparing for TISAX.

Information Security

One of the essential areas required for certification is information security. This part of the framework is drawn directly from ISO 27001 and its Annex A, covering the following key areas:

  • Governance and oversight: Establish rules and structures to safeguard sensitive information and designate specific roles dedicated to security management.
  • Workforce data protection: Secure all employee-related records, including details on recruitment, payroll activities, and performance assessments.
  • Physical safeguards and operational resilience: Protect facilities, equipment, and assets while developing strategies to maintain operations when disruptions occur.
  • Access control mechanisms: Manage entry to systems and data by assigning users only the required permissions.
  • Technical defenses against threats: Shield digital infrastructure from malware, unauthorized intrusions, and other forms of cyberattacks.
  • Partnership security protocols: Ensure suppliers and associated organizations follow robust security measures.
  • Regulatory and contractual compliance: Adhere to all relevant security mandates from partners or regulations, maintaining thorough documentation and readiness for audits.

Prototype management

Prototype management applies to organizations that handle, produce, or store sensitive customer-supplied components, parts, or vehicles. This process covers physical and organizational measures required to protect prototypes, including additional safeguards when conducting road tests. 

Completing an evaluation in this area automatically confers the TISAX “Protection of prototype parts and components” label.

Also, the physical security and perimeter safety requirements for prototypes are not mandatory for all participants. Still, facilities equipped for secure handling can include the objective of “Protection of prototype vehicles” in their assessment. 

Some businesses also follow extra guidelines for presenting prototypes at events or using them during film and photo sessions, whether in public or restricted areas; these considerations become part of the overall TISAX assessment.

Data protection

If you process personal data as a processor under Article 28 of the GDPR, you’ll likely need to choose “Data protection.” 

If you’re dealing with more sensitive personal data, like health information or religious beliefs, you must select “Data protection for special categories of personal data” instead. 

Selecting the proper data protection objective ensures you meet the specific GDPR requirements that apply to the data you’re handling. 


Best Practices for Achieving TISAX Certification

The best practices for achieving TISAX certification involve preparing for the self-assessment, signing the required agreements, scoping the assessment by location, understanding the assessment levels, and optimizing your controls before the audit. 

Let’s take a look at the 5 best practices in detail:

Be ready for the self-assessment

If you’re preparing for a TISAX assessment, ensuring that your Information Security Management System (ISMS) is in excellent shape is crucial. 

One way to verify whether your ISMS meets the required maturity level is by performing a self-assessment based on the “Information Security Assessment” (ISA). 

Issued by the VDA, the ISA is widely recognized across the automotive sector as the benchmark for evaluating information security practices.

Sign two contracts

Before you proceed with TISAX, you typically enter into two separate agreements. The first is with the ENX Association, known as the “TISAX Participation General Terms and Conditions” (TISAX Participant GTCs). The second is with one of the authorized TISAX audit providers. When registering, you only need to address the first agreement.

These GTCs set out the obligations and rights for everyone involved in TISAX, including how information is handled during the process. A crucial aspect of these rules is safeguarding assessment outcomes. 

Because the same conditions bind all TISAX participants, you can rely on your assessment results being appropriately protected when they are shared.

Scoping

Scoping is an important part of the assessment process. After choosing your scope type, you must identify which locations are part of the assessment. If your business runs from one site, you simply include that facility in the scope. 

However, you may opt for multiple assessment scopes if your organization is larger. There’s an advantage to grouping every location under a single scope: you end up with one assessment report, one result, and one expiration date. 

This approach can also help lower audit costs, since the TISAX audit provider only needs to evaluate central processes, procedures, and resources once.

Understand the assessment levels

  1. Assessment Level 1 (AL 1)
    You only need to complete a self-assessment. You are not required to provide additional evidence, conduct interviews, or host on-site inspections.
  2. Assessment Level 2 (AL 2)
    A self-assessment is still required, but the audit provider will perform plausibility checks on your evidence. Interviews are conducted remotely (for instance, via web conference). On-site inspections are not mandatory but can be arranged upon request.
  3. Assessment Level 3 (AL 3)
    Alongside the self-assessment, the audit provider will thoroughly verify your evidence. Interviews happen face-to-face, and on-site inspections form a mandatory part of the process.

Attempt self-optimization

It is important to address any issues or red flags during your self-assessment before bringing in an auditor. 

This step is all about fine-tuning and making sure everything is in order. If you’re unsure how to tackle these problems, it might be helpful to get a security expert who has experience with TISAX to assist you. 

How Sprinto Helps Automotive Companies with TISAX Compliance

Sprinto supports automotive organizations in achieving TISAX compliance. If you have already worked on an ISO 27001 assessment, you’re a step ahead, since many of those efforts align closely with the TISAX requirements for information security. If ISO 27001 or TISAX is new territory for you, Sprinto can streamline both processes.

This next-generation GRC platform enables a fully compliant ISMS without interrupting core activities. It features a robust control library, automated mapping, pre-built policies, training modules, integrated risk assessments, and automated evidence collection to simplify your compliance journey. 

The dashboard offers a clear view of your current status, highlighting areas that need additional attention.

Sprinto also provides immediate support for ISO 27001, laying a strong groundwork for TISAX compliance.

Get on a call with us to know more.

FAQs

Is TISAX mandatory?

TISAX is not required by law. However, many companies consider it essential if their partners or clients request it as part of doing business.

Who triggers a TISAX assessment?

A partner—often the car manufacturer—will usually request TISAX certification. This also applies to other organizations working within the automotive supply chain.

How is TISAX structured?

Participants begin with a self-assessment, typically followed by an external audit that may be performed remotely or on-site. To achieve certification, a company must demonstrate sufficient information security maturity in areas relevant to the automotive partner’s requirements.

Meeba Gracy
Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.
