TISAX® Assessment

Information security assessment in the automotive industry – TISAX® label | TÜV Rheinland

More Information Security in the Automotive Industry with the TISAX® Label

With TISAX® (Trusted Information Security Assessment Exchange), the VDA (German Association of the Automotive Industry) and the ENX Association have developed a consistent quality standard for increasing information security. TISAX® regulates the assessment criteria, assessment methods and the standard for exchanging assessment information along the entire value chain of an automobile. It therefore applies to all parties involved.

As a common assessment and exchange mechanism under the sponsorship of ENX, TISAX® is considered an anchor of confidence in the automotive industry.

The TISAX® assessment is based on the VDA ISA catalog of requirements with regard to assessment criteria, assessment methods and the standard for the exchange of assessment information. The relevance of the standard and its high quality standards for information security are reflected in the fact that the VDA ISA catalog of requirements forms the basis for key aspects of the internationally recognized ISO/IEC 27001 standard.

Many automotive manufacturers now mandate the TISAX® assessment for service providers and suppliers. The TISAX® assessment must be conducted every three years. It offers additional benefits for suppliers and service providers:

  • Thanks to the international, industry-wide recognition, identical assessments in quick succession can be avoided
  • Significant time and cost savings, as multiple assessments are eliminated
  • High level of information security within the company
  • Establishment of a reliable foundation of trust with business partners
  • Good reputation and high trustworthiness
  • Expansion of existing and new customer relationships and market opportunities in the automotive industry

Benefit from the strengths of a TISAX® assessment and request a quotation.

TISAX® customer groups

One-man businesses (specialists)

Specialists and experts often work for the automotive industry as sole contractors. They can be special designers, researchers, or specialized translation service providers.

When assessing these groups of companies, we focus on the proper regulations and verifications. Often, day-to-day business practices can explain the situation of the company in just a few words. We carefully consider whether the existing documentation is adequate for a small company.

SMEs in the production industry

A motor vehicle always needs physical parts, such as lamps, seats, trim and other components, which are often manufactured by SMEs.

At traditional manufacturing companies, information security is often not an integral part of the corporate culture. The absolute focus on production quality all too easily overshadows information security. With us, you partner with a testing service provider and auditors who come from the industry and understand the industry. Many issues sometimes have to be dealt with peripherally, and clear guidance during the assessment helps to identify key aspects.

Film studios and marketing companies

The creation of attractive marketing materials or appealing commercials or other short films is a key factor in the sales of vehicles. Therefore, film studios and marketing companies are commissioned to properly convey the vehicles and the emotions associated with them even before their actual release.

This industry is characterized by creative processes and creative approaches. These companies are therefore quick to reject rigid standardized regulations, as these are not compatible with their corporate culture. But requirements can also be implemented in creative ways and regulations do not necessarily have to be 100-page documents. As a testing service provider, we know how to adapt to the corporate culture, and we always look at the proper implementation of requirements by considering the individual company being assessed.

Development companies

Before the first part of a new vehicle can be produced, there are always the idea and the first drawings and designs. In development companies, the focus is primarily on the creation of design drawings and the interactive exchange with customers until a new vehicle or its individual parts are perfect.

In these companies particularly, an active exchange with the customers is necessary. A significant amount of data is being transferred in both directions and the requirements for individual pieces of information change over the course of the project. As a testing service provider, we understand the challenges and know that not every single email requires a very high level of protection and not every design drawing is critical for an OEM. Therefore, we can address your individual circumstances.

Cloud service providers

Cloud service providers are becoming increasingly important. Almost every company uses external service providers or cloud providers. This work is not really comparable to that of any of the above-mentioned companies, as their focus is on providing computing capacity and services. In the end, however, it is the customer who decides which data is to be transferred to the cloud.

Cloud service providers therefore have different critical business processes than conventional companies. We use our expertise to support you in mastering the challenges and establishing IT security in your company.

TISAX® – Comprehensive Service: From Preparation to Assessment

Service providers and suppliers in the automotive industry must provide proof at regular intervals that the high demands of their customers with regard to information security are being met. The TISAX® assessment must be conducted at least every three years. To make this process easy for you, we have tailored our service specifically to your needs. Benefit from our universal approach!

TISAX® Informational Meeting

Before your TISAX® assessment is conducted, you probably have a few questions. We will be happy to offer you an initial phone consultation, where one of our experts will answer any questions you may have about the registration, the process and other relevant topics.

TISAX® Gap Analysis

Would you like to get an overview of your current status before your TISAX® assessment? With our TISAX® gap analysis, we simulate a TISAX® assessment to help you assess your chances of successfully completing the assessment. The results of the gap analysis provide you with a basis for deciding how to proceed and how much preparation you will need.

TISAX® Workshops

Do you have questions about scoping, individual protection requirements, options for structuring and planning the assessment, or differences between TISAX® and standards such as ISO 27001? We support you with a customized workshop of up to two days where we provide you with information about the formal aspects around TISAX®.

TISAX® Assessment

Our experts conduct your TISAX® assessment with great care and address your specific requirements. From assessments of individual locations and multi-site assessments with different scopes to assessments of multiple sites all over the world – as an experienced and approved testing institute, we are always at your side to support you.

TISAX® Group Assessments

Do you have more than seven locations and a consistent ISMS for all of them? If so, a group assessment could be the right choice for you. Our qualified experts are at your side from the planning phase to performing the assessment.

TISAX® Consulting

As an alternative to a TISAX® assessment, we also offer a TISAX® consultation. In this consultation, you will work with our experts to develop a TISAX®-compliant information security management system (ISMS). We support you according to your needs – from simple coaching to comprehensive consulting.

Do you have questions or would you like more information?

The TISAX® Assessment Levels

In addition to the general process, TISAX® offers three different assessment levels. Our interactive graphic will give you an overview.

Sections of the interactive graphic: General Assessment Process (Initial Assessment, Corrective Action Assessment, Follow-up Assessment); AL2, AL2.5 and AL3 Assessments (each with Objective, Procedure, Advantages and disadvantages).

General Assessment Process

The initial assessment begins after the assessment requirements have been reviewed and the TISAX® assessment has been assigned. After a kick-off, you complete a self-assessment, which is then submitted to our auditor for a plausibility check.

After successfully passing this plausibility check, the auditor reviews the implementation of the assessment requirements and records any findings.

Our experts will conduct the corrective action assessment if there were findings in the initial assessment. During this step, you can propose remedial measures and time frames, which will be evaluated by our auditor.

If there are findings during the initial assessment, our auditor reviews the proof of your implementation in the follow-up assessment with the help of the implementation description and implementation documents.

If you would like an assessment of another location or want to define a new assessment objective, a scope extension will be performed as an additional assessment.

AL2 Assessments

The TISAX® AL2 assessment focuses on an in-depth plausibility check of your self-assessment and the verifications you provide. Therefore, the standards for a good self-assessment are high, and thoroughly prepared documents and verifications are an important component of a successful AL2 assessment.

  1. Based on the supporting documentation provided by you, the auditor performs a plausibility check and verifies your compliance with the requirements.
  2. After the successful completion, you receive the technical and organizational information to prepare for the remote assessment.
  3. Each site-specific remote assessment is carried out by phone by thoroughly interviewing different departments (four to six hours).

Advantages

  • No travel expenses
  • Fast, efficient completion if well-prepared
  • Fewer resources and less time
  • Reduced assessment costs

Disadvantages

  • No possibility of a later upgrade to a higher TISAX® assessment level
  • Preparation itself is more time-consuming and resource-intensive compared to AL2.5 or AL3
  • Generally, it is necessary to abort the assessment if the plausibility check cannot be completed
  • Exchange on an inter-personal level is more difficult than with AL2.5 or AL3

AL2.5 Assessments

In addition to an initial self-assessment, an in-depth phone assessment is an integral part of this assessment. In contrast to the AL2 assessment, the self-assessment does not necessarily have to be completed successfully, as the auditor will go over the controls in-depth in a phone interview. The interview lasts several days.

The thorough plausibility check and review of controls allow for simple scope extensions. They also allow a later upgrade of your TISAX® assessment to assessment level AL3 if an on-site visit is not possible due to COVID-19.

  1. Plausibility check of your self-assessment and your verifications by our auditor.
  2. After the successful completion, you receive all necessary information to prepare for the remote assessment.
  3. The remote assessment is conducted by phone and will be spread over several days based on your individual needs. During the 16- to 20-hour assessment step, the auditor will interview various departments.
  4. Possibility of an AL2.5 expansion assessment via scope extension.

Advantages

  • Possibility of a later upgrade to a higher TISAX® assessment level
  • Preparation of the assessment is less time-consuming
  • Possibility to provide additional information during the assessment at short notice
  • Reduced travel and accommodation costs
  • In case of deficiencies in the plausibility check, the assessment can still be continued

Disadvantages

  • More time-consuming than AL2 assessment
  • Higher assessment costs compared to AL2 assessment
  • Less exchange on interpersonal or personal level

AL3 Assessments

The AL3 assessment focuses on an on-site interview, an on-site assessment, and a thorough self-assessment. This helps to ensure high quality standards.

  1. Your prepared self-assessment and verifications are checked for plausibility and for compliance with the requirements.
  2. Feedback is provided and, after successful completion, the further course of action is agreed upon.
  3. The auditor spends at least two days at your site for interviews with departments as well as for a review and evaluation of various aspects of the assessment.
  4. On-site inspection of your location to check the physical conditions.

Advantages

  • Less time required for preparing the assessment
  • Easy later upgrade to very high protection requirements or prototypes
  • Possibility to provide additional information during the assessment at short notice
  • No termination of the assessment in case of problems with the plausibility check due to direct inter-personal exchange on site

Disadvantages

  • More time requirements and higher cost due to in-depth and thorough assessment and consultation
  • Travel and accommodation costs

Save time and costs by properly preparing your request for a quotation. Request your TISAX® assessment in a few easy steps with the help of our checklist.

Process of a TISAX® Assessment

We are Your Reliable TISAX® Partner

As an independent partner and one of the first TISAX® assessment providers, we use our expertise to support and advise you in defining your assessment objectives and assessment levels as well as in complying with the high information security requirements in your company.

Since 2017, our IT security and data protection specialists have been working with companies to find the right technical and organizational solutions and help them implement suitable measures that sustainably increase their level of protection.

As an internationally operating company, we are able to involve qualified experts for both consulting and TISAX® assessments, thus providing added value from understanding cultural aspects to optimizing assessment approaches.

FAQ: Frequently Asked Questions about TISAX®

Our experts have compiled some frequently asked questions about TISAX® and the relevant terminology for you.

Where can I find the TISAX® assessment catalog?

The TISAX® assessment catalog is based on the VDA ISA 5.0 assessment catalog. The catalog, which was developed by the VDA and ENX, contains the Information Security workbook, which serves as the basis for the assessment. The current assessment catalog can be found on the VDA and ENX websites.

What are the assessment objectives?

The following assessment objectives are included in the TISAX® assessment catalog:

  • Information with high protection needs
  • Information with very high protection needs
  • Protection of prototype parts and components
  • Protection of prototype vehicles
  • Handling of test vehicles
  • Protection of prototypes during events and film or photo shootings
  • Data protection
  • Data protection with special categories of personal data

What is an assessment location?

The TISAX® location is the physical site that processes the relevant information.

Not every location must have a TISAX® label. It is therefore important to consider in advance for the respective location, where and in which order an assessment is to be conducted. Group assessments are possible for ten or more locations.

What is the standard scope of the assessment?

The TISAX® assessment standard scope always includes entire locations and also the individual assessment objectives. A scope focuses primarily on the business processes of performing services as well as dependent supporting processes and departments.

What are the differences between the TISAX® assessment levels?

The assessment level describes the assessment to be performed, which depends on the selected objectives. There are three assessment levels:

An AL2 assessment focuses on a plausibility check based on the submitted documentation, followed by a remote assessment by phone.

The AL2.5 assessment is similar to the AL2 assessment. After a plausibility check of the self-assessment by an auditor, a remote assessment is performed, which lasts several days. This is also conducted by phone, but is much more thorough. The AL2.5 assessment is particularly useful if a later upgrade to a higher assessment level is desired, but an on-site inspection of individual locations is currently not possible due to COVID-19.

The AL3 assessment also includes a plausibility check of the self-assessment but is continued on-site. The auditor conducts on-site interviews over at least two days and inspects the location.
