Elon Musk has called Tesla’s Model S “a very sophisticated computer on wheels.” With cars becoming more electronic device than mechanical machine, automakers are starting to act like software companies. A prime example of that shift is automakers’ effort to secure the vast amounts of personal and confidential data now flowing through their systems.
The need to standardize how automakers and their suppliers handle that data led the German automotive industry, through the German Association of the Automotive Industry (VDA) and the ENX Association, to create TISAX (Trusted Information Security Assessment Exchange) in 2017. The standard has since emerged as the key framework for assessing information security across the automotive supply chain.
In this guide, we’ll walk you step-by-step through what you need to know to achieve and maintain TISAX certification. Our goal is to provide actionable insights and practical tips to help your organization understand the requirements and navigate the process of obtaining the TISAX label.
What is TISAX certification?
TISAX is a standardized assessment and exchange framework designed specifically for the automotive industry. It is based on the VDA Information Security Assessment (ISA) questionnaire, which in turn largely follows the international ISO/IEC 27001 standard.
The TISAX framework enables auto manufacturers and their suppliers to assess and demonstrate their adherence to strict data protection and information security requirements. By achieving a TISAX label, a company can share one standardized assessment of its information security status to establish trust with partners, customers, and regulators throughout the automotive industry.
The ENX Association operates the TISAX program, and defines the levels and scope of assessments.
Benefits of using the TISAX standard
Registered companies can use the ENX TISAX platform to:
- Ensure their suppliers and service providers meet key information security requirements
- Save time and money by avoiding repeated audits of the same corporate information security controls. The assessed company decides whether to share its results, and with whom.
- Increase security awareness among employees
- Lay the groundwork for an integrated information security management system (ISMS) and possible further certification according to ISO 27001.
Key requirements for the TISAX label
To achieve and maintain TISAX compliance, organizations must meet several key requirements. These include:
- Information security: Organizations must implement an Information Security Management System (ISMS). They must demonstrate that the system can reliably identify and manage risks, establish security policies and procedures, and conduct regular audits.
- Prototype protection: Organizations must ensure protection of prototype vehicles, parts and components.
- Data Protection: Organizations must ensure the confidentiality, integrity, and availability of sensitive data by implementing appropriate technical and organizational measures. This includes secure storage, access controls, encryption, and employee training.
The TISAX participant handbook contains a thorough overview of the entire TISAX label process.
Who needs TISAX certification and how much does it cost?
The TISAX label is in practice required by most German OEMs from suppliers and service providers that handle their sensitive information, and it is increasingly expected of manufacturers, suppliers and service providers across the global automotive supply chain. Working with most original equipment manufacturers (OEMs) now effectively depends on it.
The cost of TISAX depends on company size and assessment scope. The fee for the audit provider generally runs between 5,000 and 10,000 euros, and the mandatory registration fee is approximately 500 euros. On top of that, budget for the operational cost of preparing for the assessment and of implementing or configuring an ISMS.
The TISAX certification process
Technically, a successful TISAX assessment results in a label, not a certificate (unlike ISO 27001). Organizations that wish to obtain the TISAX label follow three main steps:
- Registration: You register your organization as a participant on the ENX platform and define the scope and assessment level you need.
- Assessment: You complete a self-assessment against the VDA ISA and, once ready, undergo an assessment conducted by an approved TISAX audit provider.
- Exchange: You share your assessment result with your partners via the ENX platform.
TISAX control categories
The VDA recommends starting with a self-assessment. The “Information security assessment (ISA)” questionnaire lists key security topics (also known as controls) to assess. The ISA helps you build a comprehensive overview of your own information security status on topics such as:
- Information security policies and organization
- Human Resources
- Physical security and business continuity
- Identity and access management
- IT security/cyber security
- Supplier relationships
- Prototype protection
You rate your target achievement for each control on a maturity level from 0 to 5. Below is a sample spider chart from the ISA that shows how the rating works for each security topic and maturity level.
Image source: VDA Information Security Assessment
Overview of the TISAX maturity levels
Organizations must reach maturity level 3 on the assessed controls in order to receive the label. You are encouraged to self-assess your maturity level first to see whether you are ready for a TISAX assessment. If you are not yet at level 3, you can close the gaps your self-assessment reveals before seeking the label.
The ISA describes the TISAX maturity levels as follows:
| Maturity level | In one word | Description |
|---|---|---|
| 0 | Incomplete | A process is not available, not followed or not suitable for achieving the objective. |
| 1 | Performed | An undocumented or incompletely documented process is followed and indicators exist that it achieves its objective. |
| 2 | Managed | A process achieving its objectives is followed. Process documentation and process implementation evidence are available. |
| 3 | Established | A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used sustainably and actively over an extended period. |
| 4 | Predictable | An established process is followed. The effectiveness of the process is continually monitored by collecting key figures (key performance indicators). Limit values are defined at which the process is considered to be insufficiently effective and requires adjustment. |
| 5 | Optimizing | A predictable process with continual improvement as a major objective is followed. Improvement is actively advanced by dedicated resources. |
Source: TISAX Participant Handbook, Table 11. Informal description of the maturity levels
How is TISAX certification different from other cybersecurity certifications?
The TISAX label saves time and money because organizations can share assessment results with partners and suppliers via the ENX portal, the online platform run by the ENX Association. Organizations therefore don’t have to assess each new partner themselves; they can request the partner’s shared result on the platform.
TISAX is tailored to the automotive industry’s information security requirements and takes a risk-based approach: the assessed organization must show that its ISMS, its handling of partner data and, where in scope, its protection of prototypes are suited to the protection needs of the information it processes. Note that TISAX assesses the organization and its sites, not the vehicle itself; product-level security of vehicle hardware, software and communication protocols is covered by other standards and regulations.
The assessment criteria are the VDA ISA catalogue, so organizations must establish and maintain an information security management system and demonstrate its maturity against that catalogue, alongside any other industry-wide standards and regulations that apply to them.
Key differences between ISO 27001 and TISAX
TISAX is often compared with ISO 27001, and with good reason. Both are information security standards, and they have many similarities: the information security part of the VDA ISA maps largely onto the security controls in Annex A of ISO 27001.
| | TISAX | ISO 27001 |
|---|---|---|
| Regulatory scope | VDA, which is mainly German | International |
| Industry focus | Automotive | All industries |
| Data protected | Manufacturer data throughout the supply chain | Company data or data entrusted to the company |
| Requirements | 6 maturity levels (0-5); label awarded when level 3 is reached | Management system requirements must be met and every Annex A control (114 in the 2013 edition, 93 in the 2022 edition) addressed in the Statement of Applicability |
| Application perimeter | Entire site, no exclusions | Allows a precise perimeter to be defined |
| Method of evaluation | Assessment-based | Audit-based |
| Proof | Electronic label (only available on the ENX platform) | Certificate |
| Audit frequency | Label valid for 3 years, then reassessment | Certificate valid for 3 years, with yearly surveillance audits |
Best practices for achieving and maintaining TISAX compliance
To increase your chances of achieving and maintaining TISAX compliance, consider the following best practices:
- Conduct regular risk assessments: Identify potential risks and vulnerabilities within your organization’s information security landscape. Implement controls to mitigate these risks and regularly review and update your risk assessment.
- Establish an information security culture: Foster a culture of information security throughout your organization. Provide training and awareness programs to employees to ensure they understand their roles and responsibilities in maintaining data security.
- Implement strong access controls: Restrict access to sensitive data to authorized personnel only. Implement multi-factor authentication, strong password policies, and role-based access controls to minimize the risk of unauthorized access.
- Engage an approved TISAX audit provider: Work closely with an audit provider approved by ENX that has experience with TISAX assessments. They can provide valuable guidance, identify areas for improvement, and ensure a smooth assessment process.
How IS Decisions supports TISAX certification
Achieving and maintaining the TISAX label is crucial for organizations in the automotive industry to safeguard sensitive data and maintain trust with stakeholders. By understanding the requirements, implementing best practices, and onboarding the right solutions, your organization can navigate the process to successfully obtain the TISAX label.
For more information about how IS Decisions’ software solutions UserLock and FileAudit support the highest levels of compliance with TISAX’s Identity and Access Management and IT Security controls, read our TISAX compliance checklist.