Advice on Implementing the TISAX Standard
The Trusted Information Security Assessment Exchange, or TISAX for short, is an information security assessment standard specifically tailored to the automotive industry and an associated platform for exchanging certifications.
Manufacturers, suppliers and service providers can register on the TISAX platform and be certified according to the TISAX specifications. TISAX certification (TISAX label) achieves a high level of information security, but also data protection and especially prototype protection, which is why TISAX certification is accepted by the entire automotive industry.
The TISAX label is based on the VDA ISA questionnaire and an assessment of the maturity level of the implemented measures. The questionnaire is based on the international standard ISO 27001, which forms the basis for the introduction of an information security management system (ISMS).
VDA ISA Catalog
TISAX is based on the VDA ISA question catalog with the four areas of information security, third-party integration, data protection and prototype protection.
For each question in the questionnaire, there is an objective that describes the desired result of the requirement to be fulfilled. Requirements themselves are divided into must, should and can requirements:
- Must: a must requirement must be fulfilled
- Should: a should requirement must also be implemented. However, in contrast to a mandatory requirement, it is possible to disregard it in justified individual cases. Justifications must be documented and comprehensible
- Optional: an optional requirement does not necessarily have to be fulfilled
The maturity level must also be specified for each requirement. The VDA ISA catalog specifies a target maturity level for each requirement. If the maturity level achieved is below the specification of the VDA ISA catalog, no TISAX label can be issued.
- Level 0: Incomplete
- Level 1: Performed
- Level 2: Managed
- Level 3: Established
- Level 4: Predictable
- Level 5: Optimising
Most questions have a target maturity level of three. However, individual questions also have a target maturity level of two or four.
During the initial self-assessment, it is advisable to take a critical approach to the individual requirements and cautiously assess their degree of fulfillment.
Assessment Objectives
TISAX consists of one assessment objective "Information with high protection requirements", which represents the minimum. Further assessment objectives are optional and depend on the requirements of the customer, who can specify an assessment objective. Optional modules include the connection of third parties, data protection and the protection of prototypes, which is divided into various sub-items. Optional test objectives with a high protection requirement always require the "Information with a high protection requirement" test objective, while optional test objectives with a very high protection requirement require the "Information with a very high protection requirement" test objective.
Assessment Level
TISAX defines three assessment levels that specify different assessments.
- AL1: Assessment Level 1 consists solely of a self-assessment based on the VDA ISA. This self-assessment is only suitable for internal purposes and can be used to prepare for an external assessment
- AL2: Assessment Level 2 consists of a plausibility check of the evidence and a telephone conference with interviews on the VDA ISA. An on-site assessment is only planned in individual cases. Assessment Level 2 is only suitable for a low protection requirement
- AL3: Assessment Level 3 consists of an in-depth on-site assessment based on the VSA ISA in accordance with the desired TISAX label. Assessment Level 3 is the standard intended for publication
Our Service
We check the maturity level of your ISMS and your IT infrastructure. We then help you to understand and meet the requirements of the VDA ISA catalog.
We also prepare you for the assessment.
TISAX® is a registered trademark of the ENX Association (European Network Exchange Association).