TISAX Certification: All-in-One Guide to the Automotive Compliance Standard

To protect proprietary vehicle data, suppliers that want to work with German car manufacturers must demonstrate their information security by completing a TISAX assessment, commonly referred to as TISAX certification. In this article, you will learn everything you need to know about the TISAX compliance standard, from the requirements placed on suppliers and service providers to the certification timeline, procedure and costs.

What Is TISAX?

TISAX, short for Trusted Information Security Assessment Exchange, is an information security assessment and exchange scheme developed by the German Association of the Automotive Industry (VDA) and operated by the ENX Association. Suppliers and service providers need to be TISAX certified in order to work with German car manufacturers. Because TISAX is a unified compliance platform, businesses only need one assessment result to work with many different companies in the automotive sector.

TISAX is based on the ISO 27001 security standard and requires organizations to implement an information security management system (ISMS). In essence, an ISMS is a set of policies and guidelines that define security requirements and who is responsible for implementing them. However, in addition to the normal demands of ISO 27001, TISAX includes additional requirements for protecting vehicle information and prototypes.


While German car producers use the TISAX standards, other countries and manufacturers may have their own certification schemes such as TPISR in the US.

Is TISAX Mandatory?

TISAX is not required by law, but it is a contractual obligation for anyone who wants to work with car manufacturers that participate in the scheme. In other words, there is no way around TISAX for companies that want to win OEM contracts or maintain their existing business relationships.

Does TISAX Apply to Tier 2 Suppliers?

Whether suppliers on deeper levels of the supply chain, such as Tier 2 and Tier 3 suppliers, need to comply with TISAX depends on whether they process sensitive data. As part of their own TISAX assessment, Tier 1 suppliers do need to prove that their business partners maintain an adequate level of information security.

To meet this requirement, TISAX-certified suppliers need to conduct risk assessments for their own business partners and pass contractual obligations on to their subcontractors. As a result, Tier 2 and Tier 3 suppliers are now often expected to comply with TISAX.

What Is the Difference Between TISAX and ISO 27001?

TISAX is based on ISO 27001 and draws most of its requirements from the widely known security standard. However, there are a few important differences: In addition to the information security demands of ISO 27001, TISAX includes additional sections for prototype protection and data protection (privacy). While ISO 27001 can be flexibly scoped based on an organization’s needs, TISAX uses a predefined assessment scope.

Differences between TISAX vs. ISO 27001:

  • Additional chapter on prototype protection

  • Additional chapter on data protection

  • Pre-defined scope for audits

  • Maturity model for assessments (target maturity level of 3)

  • No annual surveillance audits


TISAX Levels, Labels and Assessment Objectives

In order to successfully prepare for your TISAX certification, there are a few important terms you need to familiarize yourself with.

  • TISAX assessment objective: Not every TISAX requirement is relevant for every supplier (for example, rules for press events or vehicle prototypes). To account for the different roles service providers play in the supply chain, companies can choose among 10 different assessment objectives, each of which comes with its own combination of requirements.

  • TISAX label: When a supplier completes an assessment objective, they receive the corresponding TISAX label. Labels are proof that you have passed an audit. For example, if you complete the high availability assessment objective, you receive the high availability TISAX label.

  • TISAX level: The assessment level indicates whether an organization has completed a self-assessment (level 1), a remote audit (level 2) or an on-site audit (level 3). Most TISAX labels require a level 3 (on-site) audit; only a few can be obtained through a remote audit. A self-assessment needs to be submitted ahead of your official audit, but is not considered proof of compliance by itself.

TISAX Certification

A successful TISAX audit allows automotive suppliers to prove that they meet the requirements outlined in the VDA Information Security Assessment catalogue (VDA ISA, version 6.0 at the time of writing). In order to achieve TISAX certification, however, companies must first choose their assessment objective(s), implement the necessary safeguards, prepare all relevant documents and self-assessments and finally book an independent audit provider to conduct the assessment.

Once an organization has completed the audit process, they can use the TISAX exchange platform to share their result with participating manufacturers in order to show that they are TISAX-compliant. You will learn more about the audit process and the exact security requirements below.

TISAX Certification: Step-by-Step Explanation

There are many steps on the road to TISAX certification and it’s important to be aware of where you are in this journey. Here is an outline of the road towards TISAX:

  • Preparation: The company begins its journey by reading up on TISAX, choosing appropriate compliance targets and preparing the necessary documents.

  • Registration: A company registers for TISAX and submits their self-assessment based on the VDA ISA questionnaire, including their chosen assessment objective.

  • Select audit provider: The company selects an independent audit provider.

  • Initial document check: The audit provider verifies that the self-assessment has been completed and all necessary documents have been submitted.

  • Optimization: The company remediates flaws that were identified during the document audit.

  • Assessment: The audit provider conducts their TISAX assessment (Level 2: remote, Level 3: on site).

  • Optimization: The company addresses any remaining issues that came up during the audit.

  • Follow-up audit: The company must prove that all weaknesses identified during the assessment have been resolved.

  • Exchange: The company shares their audit results with their business partners through the TISAX platform.

TISAX Certification: Downloadable Checklist

To help you prepare and track your TISAX certification, we have prepared a TISAX checklist with all major steps on the road to your successful audit, as well as frequently asked questions about TISAX. The TISAX checklist is available as a free download.


TISAX Certification: How Long Does It Take?

The biggest variable in how long it takes to achieve TISAX compliance is how much time a company needs to implement the required safeguards. For organizations that are already certified under ISO 27001, most of the groundwork is already in place. However, if TISAX is your first information security audit, it may take considerably longer to cover every necessary topic.

After the initial document audit, the final TISAX assessment must be completed within 9 months. Both the official audit and any follow-up fixes must be finished in this timeframe. If a company passes TISAX certification, it remains valid for three years. Unlike ISO 27001, there are no yearly surveillance audits.

TISAX Certification: How Much Does It Cost?

The total costs of TISAX certification include the fees charged by the ENX Association, the fees of the audit provider, the cost of implementing the required controls, as well as fees for any compliance experts you may want to consult. The ENX participation fee, around 400€ per assessment according to the ENX price list, is generally the smallest part of your TISAX budget; the audit provider’s fees come on top of it and depend on your scope and assessment level.

If your company has no information security management system in place or if your ISMS needs significant updates, it can cost around 20,000€ to 50,000€ to make the necessary changes, especially if you want to speed up the process by bringing in specialized compliance consultants. On the other hand, if your organization has already been certified under ISO 27001 or has implemented a comparable framework such as the NIST CSF, it will take less work to meet the additional requirements of TISAX, making the process much cheaper.

TISAX Requirements

The exact requirements for the different TISAX assessment objectives/labels are documented in the official Information Security Assessment catalogue (VDA ISA). Companies need to identify relevant requirements and ensure that their own controls meet the minimum maturity level. In order to pass a TISAX audit, an organization needs to achieve a maturity level of 3 or higher in every required control.

Maturity Level 3 (Established): “A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used sustainably and actively over an extended period.”

Assessment objectives, the VDA ISA requirements they cover and the assessment level (AL) at which they are audited:

  • Confidential: Information Security tab, must, should and high protection needs (requirements marked C for confidentiality). Assessment level 2.

  • Strictly confidential: Information Security tab, must, should, high and very high protection needs (requirements marked C for confidentiality). Assessment level 3.

  • High availability: Information Security tab, must, should and high protection needs (requirements marked A for availability). Assessment level 2.

  • Very high availability: Information Security tab, must, should, high and very high protection needs (requirements marked A for availability). Assessment level 3.

  • Proto parts: Prototype Protection tab, must and should requirements of chapters 8.1, 8.2 and 8.3. Assessment level 3.

  • Proto vehicles: Prototype Protection tab, must, should and additional requirements of chapters 8.1, 8.2 and 8.3. Assessment level 3.

  • Test vehicles: Prototype Protection tab, must and should requirements of chapters 8.2, 8.3 and 8.4. Assessment level 3.

  • Proto events: Prototype Protection tab, must and should requirements of chapters 8.2, 8.3 and 8.5. Assessment level 3.

  • Data: Information Security tab, must, should and high protection needs (requirements marked C for confidentiality); Data Protection tab, must requirements. Assessment level 2.

  • Special Data: Information Security tab, must, should, high and very high protection needs (requirements marked C for confidentiality); Data Protection tab, must requirements. Assessment level 3.

TISAX Requirements: Protecting Sensitive Data

TISAX certification is designed to ensure that car manufacturers can safely share proprietary information and be certain that suppliers and subcontractors are protecting data from unauthorized access. There are many different security controls that organizations need to implement in order to achieve TISAX compliance. But the central question remains the same: Who has access to mission-critical data?

To prevent technical specs, vehicle data and manufacturing details from falling into the wrong hands, suppliers need to safeguard against outside attacks as well as insider threats such as employee data theft. And they need to be able to prove that access to sensitive data was restricted at all times.

This is exactly why automotive companies need identity and access management. IAM solutions make it easy to implement access management best practices like the principle of least privilege. Users receive the permissions intended for their role through automated lifecycle management. Additional access can be requested and approved through a self-service platform. Meanwhile, automatic deprovisioning and regular access reviews ensure that only appropriate access is retained over time.


TISAX Requirements: Effective Access Management

In order to establish an information security management system (ISMS) that satisfies the requirements for TISAX, organizations need to address a wide range of topics, from risk assessments to malware protection and even the physical security of IT systems. Restricting access to sensitive data and safely managing IT accounts are key requirements of TISAX.

This makes identity and access management a must-have for any organization that wants to comply with TISAX. Without an automated system to manage hundreds of accounts and thousands of permissions across various IT systems, it is simply not feasible to enforce appropriate safeguards, let alone document who has access to sensitive data.

tenfold helps you get started on the path towards TISAX compliance! Our IAM solution covers all relevant requirements in the automotive security standard. See our breakdown below for an overview of how it works. You can find the exact language in sections 4.1 and 4.2 of the information security chapter.

VDA ISA – Section 4.1.1

Control question: To what extent is the use of identification means (keycards, tokens, etc.) managed?

Solution in tenfold: Centralizing your user and permission management through tenfold makes it easy to provide each user with the right resources. By integrating helpdesk systems, security management systems like PKE or associating physical identification means with Active Directory groups, organizations can also manage physical assets like keycards.

VDA ISA – Section 4.1.2

Control question: To what extent is the user access to IT services and IT systems secured?

Solution in tenfold: tenfold‘s automated permission management ensures that each user can only access resources intended for them at any given time. A central platform for user lifecycles and permission reporting makes it easy to enforce appropriate access. For applications that come with multi-factor authentication, tenfold can be used to enforce MFA through authentication policies. Regular access reviews guarantee that outdated permissions are swiftly removed.

VDA ISA – Section 4.1.3

Control question: To what extent are user accounts and login information securely managed and applied?

Solution in tenfold: tenfold automatically assigns new IT users the permissions defined for their role in the organization. When assigning login information, tenfold follows the settings of the target system (such as password policies). Our self-service platform allows end users to reset their own passwords. All changes and requests are fully documented to ensure a complete audit trail.

VDA ISA – Section 4.2.1

Control question: To what extent are access rights assigned and managed?

Solution in tenfold: tenfold makes it easy to manage access rights in accordance with the principle of least privilege, as TISAX demands. Thanks to role-based access control, tenfold automatically assigns each user the right permissions for their location, department and function. When a user’s role changes, tenfold adjusts and revokes privileges automatically.

Users who need additional permissions for new tasks and projects can request them through a self-service platform. Requests are forwarded to data owners within the department, who can approve or deny access without the need to involve IT. Data owners are also regularly prompted to review privileges through user access reviews, which ensure long-term compliance.
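To make the lifecycle described in sections 4.1.3 and 4.2.1 concrete, here is an added illustration in Python. It is not tenfold’s code and not taken from the VDA ISA; the role rules, permission names, users and dates are all constructed for the example. It shows the three mechanisms the text relies on: deriving a user’s target permissions from role attributes (location, department, function), automatically granting and revoking on a role change, and expiring an ad-hoc self-service grant at its review date, with every change written to an audit trail that can answer the auditor’s question of who holds a given permission.

```python
"""Role-based access control (RBAC) reconciliation with an audit trail.

Constructed illustration, not tenfold's code. Effective permissions are
derived from role attributes; a role change produces the grants and revokes
needed to reach the new target state; self-service exceptions carry an
approver and an expiry that an access review enforces.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical role model: (attribute, value) -> permissions granted by it.
ROLE_RULES = {
    ("location", "Graz"):      {"fs:graz-share:read", "vpn:graz"},
    ("location", "Wolfsburg"): {"fs:wob-share:read", "vpn:wob"},
    ("department", "R&D"):     {"plm:read", "fs:cad-vault:read"},
    ("department", "Sales"):   {"crm:read"},
    ("function", "engineer"):  {"plm:write"},
    ("function", "manager"):   {"plm:approve", "hr:team-view"},
}


@dataclass
class User:
    name: str
    location: str
    department: str
    function: str
    # permission -> (approver, review date) for grants outside the role model
    exceptions: dict = field(default_factory=dict)
    current: set = field(default_factory=set)   # what the account holds now


def target_permissions(user):
    """Least-privilege target: union of the rules matching the user's attributes
    plus any still-valid approved exceptions."""
    attrs = [("location", user.location), ("department", user.department),
             ("function", user.function)]
    target = set()
    for key in attrs:
        target |= ROLE_RULES.get(key, set())
    return target | set(user.exceptions)


def reconcile(user, audit, today):
    """Move user.current to the target state and log every grant and revoke."""
    target = target_permissions(user)
    grants = sorted(target - user.current)
    revokes = sorted(user.current - target)
    for p in grants:
        audit.append((today.isoformat(), user.name, "GRANT", p))
    for p in revokes:
        audit.append((today.isoformat(), user.name, "REVOKE", p))
    user.current = set(target)
    return grants, revokes


def change_role(user, audit, today, **changes):
    """Role change (e.g. new department): permissions follow automatically."""
    for attr, value in changes.items():
        setattr(user, attr, value)
    audit.append((today.isoformat(), user.name, "ROLE", repr(changes)))
    return reconcile(user, audit, today)


def approve_exception(user, audit, today, permission, approver, days):
    """Data owner approves a self-service request for a limited time."""
    user.exceptions[permission] = (approver, today + timedelta(days=days))
    audit.append((today.isoformat(), user.name, "APPROVE",
                  f"{permission} by {approver}"))
    return reconcile(user, audit, today)


def access_review(user, audit, today):
    """Remove exceptions whose review date has passed; returns what expired."""
    expired = [p for p, (_, until) in user.exceptions.items() if until < today]
    for p in expired:
        del user.exceptions[p]
        audit.append((today.isoformat(), user.name, "EXPIRE", p))
    reconcile(user, audit, today)
    return expired


def who_has(users, permission):
    """The auditor's question: who holds this permission right now?"""
    return sorted(u.name for u in users if permission in u.current)


def demo():
    """Walk one user through onboarding, an approved exception, a role change
    and an access review. Returns the objects so the outcome can be checked."""
    audit = []
    day0 = date(2024, 1, 1)
    alice = User("alice", "Graz", "R&D", "engineer")
    bob = User("bob", "Wolfsburg", "Sales", "manager")
    for u in (alice, bob):
        reconcile(u, audit, day0)                      # onboarding
    # Alice requests write access to the CAD vault; owner "dana" approves 30 days.
    approve_exception(alice, audit, day0, "fs:cad-vault:write", "dana", 30)
    # Alice moves to Sales as a manager: R&D and engineer rights must go.
    grants, revokes = change_role(alice, audit, day0 + timedelta(days=10),
                                  department="Sales", function="manager")
    # A review 40 days after approval removes the expired exception.
    expired = access_review(alice, audit, day0 + timedelta(days=40))
    return alice, bob, audit, grants, revokes, expired


if __name__ == "__main__":
    alice, bob, audit, grants, revokes, expired = demo()
    for entry in audit:
        print(*entry)
    print("plm:approve held by:", who_has([alice, bob], "plm:approve"))
```

The point of the `reconcile` step is that revocation is not a separate task someone has to remember: the account is always driven to the state the role model and the approved exceptions define, and the audit list is the evidence an assessor can ask for.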

tenfold: TISAX Compliance Made Easy

From cyberattacks to compliance needs, identity & access management has become a must-have for organizations of all sizes. The only problem? Conventional IAM solutions are built for large enterprises, which makes them too unwieldy to use effectively in mid-market companies. The need to script integrations and workflows from scratch often leads to multi-year setup phases.

But there is an easier path to secure, efficient and compliant access management: tenfold‘s no-code IAM platform can be set up in a matter of weeks thanks to its suite of prebuilt plugins. Connecting tenfold to other applications is straightforward: you activate the plugin and adjust a few settings through the GUI, with no scripting or custom code required.

tenfold allows you to achieve TISAX-compliant access management in record time. Sign up for a free trial and see for yourself.


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.