TISAX: Certification Requirements & Process Explained!
With TISAX, the German car industry has unified IT security requirements across their supply chain. Any suppliers who want to do business with participating OEMs need to pass TISAX certification. Everything you need to know about TISAX requirements and the certification process.
TISAX Certification
What Is TISAX?
TISAX (Trusted Information Security Assessment Exchange) is an IT security standard created by the German automotive industry. To protect critical data across the supply chain, suppliers and contractors who want to work with participating manufacturers or OEMs need to complete TISAX certification to prove that they effectively safeguard vehicle blueprints, prototypes and specs.
TISAX is based on ISO 27001, an international norm used to certify information security management systems (ISMS). An ISMS is a body of documents that establishes overall security goals as well as individual safeguards. It also designates who is responsible for ensuring that safeguards are implemented and policies are followed, enshrining IT security at every level of the organization.
Beyond the standard requirements of ISO 27001, TISAX adds requirements for data privacy and the confidentiality of proprietary vehicle data.
While German car producers use the TISAX standards, other countries and manufacturers may have their own certification schemes such as TPISR in the US.
Is TISAX Mandatory?
Although TISAX is not technically mandatory, TISAX certification is a must-have for anyone who wants to do business in the car industry and work with participating manufacturers. So in practice, there is no way around completing TISAX certification if you want to win OEM contracts or maintain business relationships.
TISAX Certification: Key Terms & Concepts
To successfully prepare for TISAX certification, it’s important to understand these key terms related to the audit process.
Assessment Objective: Not every TISAX requirement will be relevant to your business. The assessment objective determines which sections of the criteria catalogue you are tested against, such as handling confidential data or safeguarding vehicle prototypes.
Label: Depending on which assessment objective you choose, you will receive the corresponding label once you complete your audit. There are a total of 10 different TISAX labels available, such as Confidential or Proto Vehicles.
Assessment Level: The assessment level determines the audit process and is based on your assessment objective. Level 1 is a self-assessment, which is not used in official audits. Level 2 includes remote interviews and a thorough check of security documents. Level 3 audits are conducted on-site with staff interviews and a walkthrough of relevant areas.
Assessment Scope: The assessment scope determines which areas of your organization are audited. It must include all relevant business processes and information systems. However, you can set multiple different scopes if you plan to complete different assessment objectives at different locations.
Maturity Level: TISAX uses maturity levels on a scale from 0 to 5 to measure whether you have fulfilled an information security objective. For each security objective in the criteria catalogue, you must achieve a maturity level of three or higher.
TISAX Certification Process
TISAX certification takes place in several steps, from registering through the official TISAX portal to completing your audits and receiving the final assessment result. The certification process itself only takes a few months to complete.
The bigger factor, however, is how long it will take to set up your ISMS. TISAX preparation can vary greatly from organization to organization. If you completed similar certifications like ISO 27001 in the past and have an existing ISMS to build upon, it will give you a leg up in getting ready for TISAX.
The step-by-step process to TISAX certification:
Prepare: Research TISAX requirements, set up your ISMS, select an assessment objective
Register: Sign up for TISAX through the official ENX Portal
Select an Audit Provider: Choose an audit provider, schedule a kick-off meeting and audit dates
Stage 1 Audit: Review of your submitted self-assessment and ISMS documents
Stage 2 Audit: Detailed document audit, interviews, on-site walkthrough (depending on assessment level)
Corrective Action: If necessary, submit a corrective action plan to address audit findings
Final Assessment Result: You receive your final assessment report and can share your results through the TISAX exchange platform
Frequently Asked Questions
There is no time limit to the TISAX certification process. Even once you have registered, selected an audit provider and had your kick-off meeting, you can spend as much time as you need to get your ISMS ready. How long this will take depends on the state of your ISMS and whether you’ve completed similar certifications before. Once your audit is complete, you have 9 months to take corrective action before you need to start a new audit instead.
TISAX certification is valid for three years, starting from when you received your initial assessment results. This start date is used even if you need to complete follow-up audits to pass certification, meaning the duration will be shorter in this case. Unlike ISO 27001, TISAX has no annual surveillance audits.
The total cost of TISAX certification consists of the audit itself, any consulting services you use to prepare and, most importantly, the cost of implementing the necessary safeguards. Depending on the scope and complexity of your IT, the total cost of completing TISAX certification can range from $10,000 to $200,000.
TISAX differentiates between four types of findings. If you meet all requirements, or your auditor only makes observations or notes room for improvement, you will receive the assessment result "conform". If your audit reveals minor non-conformities, you can receive a temporary TISAX label if you submit a corrective action plan. Major non-conformities will prevent you from receiving your TISAX label until they are addressed.
TISAX assessment results can be shared by granting other participants access through the TISAX exchange platform. This allows you to either share the label you have received or detailed audit results, down to maturity levels for individual objectives. Information about your TISAX certification may not be shared outside the exchange platform, meaning potential business partners will have to register in order to access it. You can, however, publicly mention your TISAX efforts without going into detail.
As part of their TISAX certification, automotive suppliers need to ensure that an appropriate level of IT security is maintained while collaborating with their own partners and contractors. This requires risk assessments and passing on contractual obligations. To continue their business relationships under these circumstances, Tier 2 and Tier 3 suppliers will increasingly have to demonstrate TISAX compliance as well.
TISAX Requirements
In order to pass TISAX, your business must create and run an information security management system (ISMS) based on the ISO 27001 standard. Additionally, TISAX contains a number of industry-specific requirements targeted at the automotive sector. These focus on protecting proprietary vehicle and parts data during the manufacturing process, press events and other stages of the supply chain.
TISAX requirements consist of:
ISO 27001 requirements
Organizational Controls
People Controls
Physical Controls
Technological Controls
Continuous Improvement
Management Responsibility
TISAX-specific requirements
Data Protection
Prototype Protection
Managing Vehicles and Parts
Confidentiality Agreements
Protection During Public Events
The goal of TISAX is to manage all risks to the integrity, availability and confidentiality of information shared by OEMs with their suppliers. This includes threats such as data breaches and cyber attacks as well as unauthorized access within the organization such as insider threats and employee data theft.
TISAX Assessment Objectives
A detailed list of TISAX requirements is available in the criteria catalogue Information Security Assessment (VDA ISA). Which sections of the catalogue are relevant to your organization depends on the assessment objective you plan to complete. There are a total of 10 objectives to choose from.
Assessment Objective | Requirements | Assessment Level (AL) |
---|---|---|
Confidential | Information Security tab: must, should and high protection needs (if marked C for confidentiality) | Level 2 |
Strictly confidential | Information Security tab: must, should, high and very high protection needs (if marked C for confidentiality) | Level 3 |
High availability | Information Security tab: must, should and high protection needs (if marked A for availability) | Level 2 |
Very high availability | Information Security tab: must, should, high and very high protection needs (if marked A for availability) | Level 3 |
Proto parts | Prototype Protection tab: must and should, chapters 8.1, 8.2 and 8.3 | Level 3 |
Proto vehicles | Prototype Protection tab: must, should and additional requirements, chapters 8.1, 8.2 and 8.3 | Level 3 |
Test vehicles | Prototype Protection tab: must and should, chapters 8.2, 8.3 and 8.4 | Level 2 |
Proto events | Prototype Protection tab: must and should, chapters 8.2, 8.3 and 8.5 | Level 2 |
Data | Information Security tab: must, should and high protection needs (if marked C for confidentiality); Data Protection tab: must requirements | Level 2 |
Special Data | Information Security tab: must, should, high and very high protection needs (if marked C for confidentiality); Data Protection tab: must requirements | Level 3 |
TISAX Maturity Levels
To meet a TISAX requirement, you must achieve a maturity level of 3 or higher for the security objective in question. The maturity model measures how successfully you have implemented requirements on a scale from 0 to 5.
Maturity Level 0, Incomplete: A process does not exist, is not followed or not suitable to achieve the objective.
Maturity Level 1, Performed: A process is followed which is not documented or insufficiently documented, and there is some evidence that it achieves its objective.
Maturity Level 2, Managed: A process achieving its objectives is followed. Process documentation and process implementation evidence are available.
Maturity Level 3, Established: A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used consistently over an extended period.
Maturity Level 4, Predictable: An established process is followed. The effectiveness of the process is continually monitored by collecting key figures. Limit values are defined at which the process is considered to be insufficiently effective and requires adjustment.
Maturity Level 5, Optimizing: A predictable process with continual improvement as a major objective is followed. Improvement is actively advanced by means of dedicated resources.
TISAX IT Security Requirements
To successfully complete their TISAX certification, automotive suppliers and contractors need to defend against all manner of IT threats. TISAX requirements for IT security include malware protection, vulnerability management, network segmentation, encryption, business continuity management and many more.
Businesses need to cover a wide range of security requirements. This means that to achieve TISAX certification, you need the right mix of security solutions, tailored to your organization. The field of information security is far too complex for a single product to address every TISAX requirement. In order to tick every box during your audit, you need a combination of tools.
TISAX Requirements: No Certification Without IGA
One critical step on the road to completing your TISAX certification is centralized Identity Governance & Administration. IGA allows organizations to automate essential governance workflows such as on- and offboarding, access requests and privilege audits. This ensures that only authorized individuals have access to sensitive information, such as proprietary vehicle data.
Several TISAX requirements refer directly to the need for effective access governance under Section 4: Identity and Access Management. Questions your organization must be able to answer to achieve TISAX certification include:
What is the process for creating, updating and removing user accounts?
Are user accounts regularly reviewed?
Are access rights allocated on a least privilege basis?
Are access rights revoked when no longer needed?
From user lifecycle management to role-based access, in-depth reporting and access reviews, IGA gives you the tools you need to pass TISAX certification.
tenfold: TISAX-Compliant Access Governance
Governing user identities and access rights doesn't have to be complicated: With our no-code IGA solution tenfold, you can automate essential governance processes in as little as two weeks.
While legacy IGA solutions require time-consuming manual scripting to set up, tenfold provides out-of-the-box support for the apps you use, allowing us to cut setup time and operational effort by as much as 90%! But don't take our word for it: Book a personal demo or free tenfold trial to see for yourself.