TISAX Certification – Requirements, Levels & Costs

Faster, better, and ultra-high-tech: The automotive industry is booming. To guarantee high standards throughout the planning and manufacturing process, manufacturers work very closely with their suppliers, often involving them directly in product development processes. To do so, however, they have to pass on highly sensitive data. But the loss or misuse of this information can lead to potentially grave economic and financial consequences.

For this reason, the German Association of the Automotive Industry (Verband der Automobilindustrie, or VDA for short) has established a standard for information and cyber security that is specifically designed to meet the requirements of the automotive industry. This standard is called TISAX® (which stands for Trusted Information Security Assessment Exchange) and, although it is a German standard, is globally recognized and therefore also applies to foreign suppliers who wish to do business with the German automotive industry.

In this article, we are going to examine what exactly sets TISAX apart from ISO 27001 and which requirements organizations must meet in order to complete their TISAX certification.

TISAX Certification for the Automotive Industry

Before TISAX, car manufacturers were already asking suppliers and other service providers to prove they had a suitable ISMS (Information Security Management System) in place in order to sufficiently protect the data they were being given by these manufacturers. Back then, the information they would receive from suppliers would be assessed on the basis of the Information Security Assessment (ISA) requirements catalog developed by the VDA in cooperation with ENX.

The problem was, however, that manufacturers were forced to conduct assessments for every service provider individually. And suppliers had to allow each manufacturer to assess them separately if they wanted to continue receiving orders. What they needed was a standardized process and transparent approach to exchanging assessment results between organizations.

Industry Standard for Information and Cybersecurity

The introduction of TISAX in 2017 addressed both of these problems. The ENX Association acts as a governance organization within TISAX. Many automobile manufacturers and suppliers in the German automotive industry now expect their business partners to be certified for TISAX.

Caution! While foreign suppliers can get certified for TISAX®, it is not a globally recognized ISO standard. The introduction of TISAX for suppliers and OEMs in the US is still pending. Some manufacturers in the US rely on a security standard called TPISR, short for Third-Party Information Security Requirements.

TISAX® Assessment and Exchange Mechanism

TISAX does more than “just” recommend measures for information security in the automotive industry. Registered participants can exchange assessment results through a specifically developed online platform (TISAX Exchange) and the defined standard ensures that all participants recognize these results.

Sharing your results on the platform communicates, not only to your direct business partners, but also to all participating organizations, that your company complies with TISAX® in terms of information security.

TISAX vs. ISO 27001

The ISA catalog of requirements for TISAX certification is derived from the international industry standard ISO 27001. However, the VDA and ENX Association have expanded the requirements to include additional areas of interest that are specifically relevant to the automotive industry.

These areas include, among others, the integration of partners into the company’s own IT infrastructure, as well as data protection and prototype protection. Other differences between ISO 27001 and TISAX include the defined scope, the assessment process and the qualification of recommended measures.

Learn more about the role of identity and access management in the automotive industry and why it is key to achieving your cybersecurity and compliance goals by reading our overview on Access Management for Automotive Companies.

[Image: There are significant differences between TISAX and ISO 27001. Adobe Stock, (c) chokniti]

TISAX vs. ISO 27001 – Scope

The scope of a cybersecurity standard determines which parts of a company will be assessed during the certification process. While for ISO 27001, companies can largely determine the scope of their assessments themselves, the ENX Association specifies a standard scope for TISAX certification.

The standard scope forms the basis of the TISAX assessment and is accepted by all participants. Under certain circumstances, the scope of the assessment may be adjusted (for instance if the original equipment manufacturer requires an even more thorough inspection).

Companies who wish to be certified with TISAX® must include all employees who come into contact with sensitive information related to the relevant automotive sectors in their assessment.

TISAX vs. ISO 27001 – Assessment Process

Both TISAX and ISO 27001 certification processes start with a self-assessment. The applying company can choose between several levels of certification and both audit processes include multiple steps. The difference is that in the TISAX audit process, all weaknesses identified during the assessment must be resolved in order for the company to receive its TISAX® label or certificate.

TISAX vs. ISO 27001 – Maturity Level

The TISAX® assessment catalog is based on the controls defined in ISO 27001. To successfully qualify for TISAX certification, however, companies must reach a certain “maturity level” regarding the implementation of these controls and the processes behind them. The maturity levels defined in TISAX® range from 0 (incomplete) to 5 (optimizing). You can learn more about these maturity levels in the TISAX participant handbook.

0 – Incomplete

A process is not available, not followed or not suitable for achieving the objective. Maturity level 0 is also covered by ISO 27001.

1 – Performed

An undocumented or incompletely documented process is followed and indicators exist that it achieves its objective. Maturity level 1 is also covered by ISO 27001.

2 – Managed

A process achieving its objectives is followed. Process documentation and process implementation evidence are available. Maturity level 2 is mostly covered by ISO 27001.

3 – Established

A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used sustainably and actively over an extended period. Maturity level 3 is mostly covered by ISO 27001, but needs to be validated in detail.

4 – Predictable

An established process is followed. The effectiveness of the process is continually monitored by tracking key figures (Key Performance Indicators). Limit values are defined at which the process is considered to be insufficiently effective and requires adjustment. Maturity level 4 is not covered by ISO 27001.

5 – Optimizing

A predictable process with continual improvement as a major objective is followed. Improvement is actively advanced by dedicated resources. Maturity level 5 is not covered by ISO 27001.


TISAX® Certification

TISAX certification is conducted on the basis of the VDA Information Security Assessment (VDA ISA) catalog, which is already being used as a common basis for auditing by 2,500 companies across 40 countries and serves to establish clear criteria for information security in the automotive sector. Companies can choose between three different assessment levels.

For the audit, you must hire an independent audit service provider that has been approved by the ENX Association. The ENX Association monitors the quality of the audit as well as of the audit results and ensures compliance with the Audit Provider Criteria and Assessment Requirements (TISAX ACAR).

TISAX Requirements

To get TISAX certified, organizations must meet the requirements set out by the VDA ISA assessment catalog, which consists of three modules: (1) Information security, (2) prototype protection and (3) data protection. Information security is the main module that will be assessed in every case.

The module is assessed based on the requirements of ISO 27001 / ISO 27002 and ISO 27017 (requirements for cloud security). The TISAX questionnaire directly references the ISO standard. The remaining modules are assessed where necessary and depending on the selected level (2 and 3).

The implementation of the requirements as well as the underlying processes are evaluated according to a maturity level model, whereby 3 is the target maturity level. An above-average maturity level in one area does not compensate for a below-average result in another area.

TISAX Questionnaire

The current VDA ISA catalog (version 5.1.0) forms the basis for all new TISAX audits since October 1, 2020. The previous version of the catalog (VDA ISA 4.1.1) is no longer in use, though it remained valid until March 31, 2021.

TISAX Certification – Procedure

  • Registration: A company registers for TISAX and submits their self-assessment based on the VDA ISA questionnaire, including their target certificate level.

  • Select audit provider: The company selects an independent audit provider.

  • Plausibility check/initial check: The audit provider verifies that a self-assessment, including any supporting documents, has been completed.

  • Optimization: Company eliminates the weaknesses that were identified during the initial audit.

  • Assessment: The company undergoes TISAX assessment (Level 2: remote, Level 3: on-site).

  • Optimization: The company eliminates the weaknesses that were identified during the TISAX assessment.

  • Follow-up: The company must prove that all weaknesses identified during the assessment have been eliminated.

  • Exchange: The company publishes the audit results via the TISAX Exchange (voluntary).

The audit provider submits the results of the final assessment to the ENX Association. If there are minor deviations from the criteria, the company is only awarded a provisional TISAX® label, which is valid for a limited time only. Permanent certification will not be granted until the deviations have been corrected. In the case of major deviations, the TISAX certification only becomes valid on the day when the deviation has been corrected and this can be proven.

TISAX Certification – Assessment Levels

The assessment level that is applicable to your company depends on the level of protection required in your particular environment (ranging from low to high to very high). It is up to you to decide which assessment level you want to subject your company to. However, many manufacturers do expect a certain level of certification from their potential suppliers.

Level 1 Assessment – Low

TISAX Level 1 is intended for companies with standard protection requirements. The auditee conducts a self-assessment based on the VDA ISA questionnaire. However, this self-assessment is not audited and does not count as TISAX certification.

Level 2 Assessment – High

TISAX Level 2 is intended for companies with high-level protection needs. The auditee performs a self-assessment based on the VDA ISA catalog. After an opening interview, the audit provider checks the plausibility of this self-assessment and whether all supporting documents have been submitted in full. The actual Level 2 assessment is conducted in the form of a telephone interview. If prototype protection and/or third-party connectivity are also part of the assessment, it is to take place on site.

Level 3 Assessment – Very High

TISAX Level 3 is for companies with very high-level protection requirements. The process is the same as for Level 2 assessments (self-assessment, plausibility and documentation check by the auditor), except that the assessment is always conducted on site. The effectiveness and maturity of the ISMS is verified through interviews on site and by conducting walk-throughs of critical areas and premises.


TISAX Certification – Duration

No more than nine months may pass between the initial check (which takes place after the self-assessment) and the final TISAX compliant audit result. The company must correct any deviations and weaknesses identified during the assessment within this time-frame. If all necessary VDA ISA requirements have been met, the company receives its TISAX® certification. The certification is valid for three years and no annual surveillance audits will be performed in this time.

TISAX Certification – Costs

The costs for TISAX® certification vary from case to case. Expenses every company should expect include the costs of the audit provider and of the audit itself (or of multiple audits if follow-up audits are needed). Many companies therefore choose to invest in developing and expanding their ISMS (Information Security Management System) in advance. As a rule, costs are also incurred for optimization during the ongoing audit process.

[Image: You may have to optimize access controls to get TISAX certified. Adobe Stock, (c) zephyr_p]

How TISAX Certification Reduces Costs

Despite the investments that need to be made to obtain TISAX® certification, the fact that requirements have been standardized means that the expenses have become predictable and can therefore be better managed. Before the industry standard was introduced, companies usually had to undergo several audits by several manufacturers and make investments to meet all of their varying demands. Now, one certification is enough to qualify as a trusted supplier for multiple customers.

Renewing the certification after three years tends to be far less expensive than the original audit, as by that time an appropriate ISMS has usually been implemented and only some minor optimizations, if any, are necessary.

Preparing for TISAX Using Access Management

TISAX certification is primarily about proving that you are managing the sensitive information you have been entrusted with securely. So, you need to ensure this data is sufficiently protected, both against unauthorized internal access and, of course, external access. The fastest way to achieve this is by implementing a professional access management system.

Most companies that have gotten by without using an IAM solution thus far are not entirely aware of the status quo of their permissions. They don’t know for sure who has access to what data, nor who granted them access, when it was granted, or for what purpose.

How Does tenfold Help?

tenfold brings order to this chaos by standardizing and automating processes that were previously carried out manually.

In tenfold, data owners (typically managers or department heads) are responsible for assigning permissions to users. This streamlines the approval process and removes the need to contact IT for every single change. Periodic user access reviews are conducted automatically through a prompt asking data owners to confirm whether permissions they assigned are still in use.

Outdated and incorrect permissions pose a significant security risk for companies that manage permissions manually. tenfold is also able to generate clear and concise reports with just one click, giving you an immediate overview of user permissions in all connected systems and applications.


TISAX Requirements: What Does tenfold Cover?

Implementing access management software alone will, of course, not suffice to carry you through a TISAX audit. Preparing for TISAX certification takes a whole lot more. However, IAM can provide a good foundation for you to build on.

tenfold helps to eliminate security risks associated with manual access management and the use of different, non-centralized systems and applications. Read on to learn which TISAX requirements are covered by tenfold specifically.

Identity and Access Management (VDA ISA Section 4)

The VDA ISA catalog includes a section dedicated entirely to the topic of Identity and Access Management. You can download the complete catalog here. The specifications covered by tenfold are essentially sections 4.1 and 4.2 of the Identity and Access Management module:

VDA ISA – Section 4.1.1

Question: To what extent is the use of identification means managed?

Objective: To check the authorization for both physical access and electronic access, means of identification such as keys, visual IDs or cryptographic tokens are often used. The security features are only reliable if the use of such identification means is handled adequately.

Solution in tenfold: The various operational and controlling instances can be modeled via tenfold’s internal authorization system. Users are registered in tenfold and uniquely identified by their tenfold user account. Electronic access to resources is also controlled and documented exclusively through tenfold.

There is currently no direct function available in tenfold that can be used to control and manage physical access. However, physical access systems can be controlled through an interface and so-called access profiles. If this is done, physical access rights are adjusted automatically when users change departments. For example, to manage physical user access, tenfold can be integrated with PKE’s locking system through its PKE SMS plugin.

VDA ISA – Section 4.1.2

Question: To what extent is the user access to network services, IT systems and IT applications secured?

Objective: Only securely identified (authenticated) users are to gain access to IT systems. For this purpose, the identity of a user is securely determined by suitable procedures.

Solution in tenfold: All employees are recorded in tenfold. By synchronizing with Active Directory, tenfold ensures each employee is assigned only ONE user account in which all of their permissions are managed. The user can therefore be uniquely identified through their tenfold user account. tenfold is also exclusively responsible for controlling and documenting electronic access to resources. It further uses access profiles to ensure only users who have been approved (by a data owner) are given access to IT systems. If such an authorization becomes obsolete (e.g. due to a change of department), the privileges in question are automatically withdrawn.

VDA ISA – Section 4.1.3

Question: To what extent are user accounts and login information securely managed and applied?

Objective: Access to information and IT systems is provided via validated user accounts assigned to a person. It is important to protect login information and to ensure the traceability of transactions and accesses.

Solution in tenfold: Employees are recorded in tenfold. The data set for an employee includes a configurable range of attributes. tenfold is further able to automatically adopt such attributes from other systems, e.g. HR software.

VDA ISA – Section 4.2.1

Question: To what extent are access rights assigned and managed?

Objective: The management of access rights ensures that only authorized users have access to information and IT applications. For this purpose, access rights are assigned to user accounts.

Solution in tenfold: tenfold uses profiles containing permissions for different systems. These profiles can be assigned to users automatically via their organizational unit. Users can request additional rights through tenfold’s self-service portal. These requests must then be checked and either approved or denied by the corresponding data owner as part of an automatic approval workflow.

Standard permissions the user receives through their assigned profile are removed automatically when the user changes departments. You can also set a transition period for this event. The permissions required for the new department are also assigned automatically through the appropriate profiles. Any additional permissions given to the user are reviewed on a regular basis as part of the recertification process and will be removed automatically when necessary.

One of tenfold’s main objectives is to ensure compliance with the Principle of Least Privilege or POLP, which it achieves using a variety of features, including: automatic adjustment of permissions via profiles, provision of permission overview in Microsoft infrastructure, documentation and regular monitoring of access rights, and more.
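The lifecycle described in section 4.2.1 (profile-based assignment by organizational unit, automatic removal of old profile permissions with a transition period on a department change, data-owner approval of self-service requests, periodic recertification and a least-privilege report) can be made concrete with a small simulation. The following Python model is an added example for this article; it is not tenfold's code or any part of its API. The profile catalog, user names, permission strings and dates are constructed sample data, and the "manual" grant source stands in for a permission that was set directly on a system outside the IAM workflow, which is exactly what the least-privilege report is meant to surface.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample profile catalog: one set of standard permissions per org unit.
PROFILES = {
    "Engineering": {"git:read", "git:write", "cad-share:read"},
    "Purchasing": {"erp:orders", "supplier-portal:read"},
}

@dataclass
class Grant:
    permission: str
    source: str                       # "profile", "request" or "manual" (set outside the workflow)
    approved_by: str                  # data owner for requests; "system" for profile grants
    granted_on: date
    expires_on: Optional[date] = None  # set when a grant is retired; None = open-ended

    def active(self, today: date) -> bool:
        return self.expires_on is None or self.expires_on >= today

@dataclass
class User:
    name: str
    org_unit: str
    grants: list = field(default_factory=list)

    def effective(self, today: date) -> set:
        return {g.permission for g in self.grants if g.active(today)}

def provision(user: User, today: date) -> None:
    """Assign the standard permissions of the user's org-unit profile (idempotent)."""
    held = {g.permission for g in user.grants if g.source == "profile" and g.expires_on is None}
    for perm in sorted(PROFILES[user.org_unit] - held):
        user.grants.append(Grant(perm, "profile", "system", today))

def change_department(user: User, new_unit: str, today: date, transition_days: int = 14) -> None:
    """Retire old-profile permissions after a transition period and provision the new profile."""
    retire = PROFILES[user.org_unit] - PROFILES[new_unit]
    for g in user.grants:
        if g.source == "profile" and g.expires_on is None and g.permission in retire:
            g.expires_on = today + timedelta(days=transition_days)
    user.org_unit = new_unit
    provision(user, today)

def request_permission(user: User, permission: str, data_owner: str, approved: bool, today: date) -> bool:
    """Self-service request: a grant is only recorded if the data owner approved it."""
    if approved:
        user.grants.append(Grant(permission, "request", data_owner, today))
    return approved

def recertify(user: User, confirmed: set, today: date) -> None:
    """Periodic review: request grants the data owner did not confirm are revoked."""
    for g in user.grants:
        if g.source == "request" and g.active(today) and g.permission not in confirmed:
            g.expires_on = today - timedelta(days=1)

def access_report(user: User, today: date) -> dict:
    """Overview of what a user holds, what is still in transition, and what nothing explains."""
    profile_now = PROFILES[user.org_unit]
    approved = {g.permission for g in user.grants if g.source == "request" and g.active(today)}
    transitional = {g.permission for g in user.grants
                    if g.source == "profile" and g.expires_on is not None and g.active(today)}
    effective = user.effective(today)
    return {
        "effective": sorted(effective),
        "transitional": sorted(transitional),
        # least-privilege finding: held, but justified neither by the current profile,
        # an approved request, nor a still-running transition period
        "unexplained": sorted(effective - profile_now - approved - transitional),
    }

if __name__ == "__main__":
    start = date(2024, 3, 1)                      # constructed sample date
    alice = User("alice", "Engineering")
    provision(alice, start)
    request_permission(alice, "prototype-share:read", "owner.bob", True, start)
    change_department(alice, "Purchasing", start)
    print(access_report(alice, start))
    later = start + timedelta(days=19)
    alice.grants.append(Grant("hr:payroll", "manual", "unknown", later))  # set outside the workflow
    print(access_report(alice, later))
```

The report deliberately separates "transitional" from "unexplained": permissions from the previous department are expected to linger for the configured transition period and should disappear on their own, whereas anything that neither the current profile nor an approved request accounts for is the kind of outdated or ad-hoc permission an auditor will ask about.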


About the Author: Nele Nikolaisen

Nele Nikolaisen is a content manager at tenfold. She is also a book lover, cineaste and passionate collector of curiosities.