TISAX® requirements: How can companies meet them?

To enhance data protection in this sector, the Trusted Information Security Assessment Exchange (TISAX®) was created specifically to meet the unique needs of the automotive industry.

What is TISAX®? 

TISAX® (Trusted Information Security Assessment Exchange) serves as a certification specifically for the automotive sector, allowing suppliers and service providers to demonstrate how they protect the data.

TISAX® is based on the ISO 27001 security standard, which sets out the requirements for establishing an information security management system (ISMS). An ISMS is a system which outlines the roles and responsibilities concerning information security within an organization. Additionally, TISAX® enhances ISO 27001 by incorporating extra requirements focused on data protection and the security of prototypes.

---

Compliance Aspekte is a software tool and consulting service for TISAX® implementation. Our tool supports TISAX® VDA ISA 6.0 and other standards (ISO/SAE 21434, TISAX®, ASPICE®, KGAS, ISO 27001, ISO 9001, BSI IT-Grundschutz, B3S, GDPR and other regulations).   

The AI copilot in Compliance Aspekte can answer compliance questions, guide through the system and regulations, suggest a tailored list of tasks, and analyze and search through the document.

---

Is TISAX® mandatory? 

TISAX® is not mandatory for all companies in the automotive industry, but it is highly recommended and often required by major automotive manufacturers when working with suppliers and service providers. Essentially, having a TISAX® certification can be a requirement for doing business with many manufacturers, as it assures them that a supplier meets specific information security standards. 

Important terms to know to prepare for the TISAX® certification successfully 

When talking about TISAX®, several key terms are vital to understanding the certification process. Here’s an overview of these terms: 

TISAX® Test Objectives: 

• TISAX® test objectives allow for customization based on specific needs, as not all TISAX® requirements apply universally to every supplier. Companies can select from 10 distinct test objectives, each addressing a different segment of the overall requirements catalog, such as prototype protection. This flexibility enables suppliers to tailor the assessment to their specific operational areas. 

TISAX® Label: 

• After passing the audit based on the chosen test objective, companies receive a specific TISAX® label. For example, achieving the test objective for protecting prototype components results in earning the Proto Parts label. This label is a recognized indicator of compliance with the corresponding security and protection standards under TISAX®. 

TISAX® Levels: 

• The assessment level (AL) determines the rigor and method of compliance verification. There are different levels designated for various test objectives. Level 1 involves a self-assessment and is not typically featured in formal audits. Level 2 includes an external auditor reviewing the self-assessment and conducting remote interviews. Level 3, the most stringent, involves on-site assessments. 

The main steps of the TISAX® certification process 

To obtain TISAX® certification, a company should follow several key steps: 

• Step 1. Registration with ENX Association: The process begins with registering on the ENX platform, which manages TISAX® assessments. Once registered, companies receive the TISAX® questionnaire that outlines all the necessary requirements for certification. 
• Step 2. Self-assessment: Companies then conduct a self-assessment to evaluate if they meet the criteria specified in the questionnaire. This step is crucial for identifying compliance gaps. 
• Step 3. Selection of an accredited auditor: After the self-assessment, the next step is to choose an accredited audit service provider. This provider will conduct a thorough review of the company’s information security practices. 
• Step 4. Conducting the audit: The audit can be performed either on-site or remotely, depending on the level of certification being sought. This evaluation assesses the company’s adherence to the stated security measures. 
• Step 5. Audit report and issuance of TISAX® label: The entire process can take between six months to a year. Following the audit, the service provider will produce a report detailing their findings. If the company fulfills all the required standards, they are awarded a TISAX® label, validating their information security status. 

TISAX® assessment levels and protection needs 

TISAX® establishes three assessment levels alongside three protection tiers: normal, high, and very high. 

• TISAX® Level 1 – Normal protection: This level is not typically used within TISAX® but can serve internal purposes similar to a self-assessment. Here, an auditor verifies the existence of a self-assessment without reviewing its content. Additionally, your business partner might request this type of self-evaluation outside the official TISAX® framework. 
• TISAX® Level 2 – High protection: At this level, an audit organization uses your self-assessment as a foundation for the evaluation. This process includes reviewing documents and conducting a telephone interview to assess compliance. 
• TISAX® Level 3 – Very high protection: This highest level involves an independent audit firm conducting a thorough assessment. This includes reviewing documentation as well as performing an onsite audit to ensure all criteria are met. 

These structured levels allow organizations to choose the appropriate depth of assessment based on their specific needs for protection and compliance. 

Requirements for certification according to TISAX® 

TISAX® certification requirements are similar to the ISO 27001 standards. Companies seeking this certification need to demonstrate that they have a well-established and effective information security management system (ISMS) in line with ISO 27001 principles.  

The criteria for TISAX® certification are listed in the VDA ISA catalog, which includes specific control questions and basic requirements. The detailed requirements and whether the audit will be done remotely or in person vary depending on the chosen test objective or TISAX® label. It’s crucial that the actions taken meet at least the minimum maturity level. Therefore, organizations need to show that they have reached a maturity level of 3 or above in every area. 

TISAX® Label	Requirements	Assessment Level
Confidential	Criteria catalog information security: should, must, and high protection requirement (if marked with C)	Level 2
Strictly Confidential	Information security criteria catalog: should, must, high, and very high protection needs (if marked with C)	Level 3
High Availability	Criteria catalog information security: should, must, and high protection requirement (if marked with A)	Level 2
Very High Availability	Information security criteria catalog: should, must, high, and very high protection needs (if marked with A)	Level 3
Proto Parts	Catalog of criteria for prototype protection: should and must from Sections 8.1, 8.2, and 8.3	Level 3
Proto Vehicles	Catalog of criteria for prototype protection: should, must, and additional requirements from 8.1, 8.2, and 8.3	Level 3
Test Vehicles	Catalog of criteria for prototype protection: should and must from Sections 8.2, 8.3, and 8.4	Level 3
Proto Events	Catalog of criteria for prototype protection: should and must from Sections 8.2, 8.3, and 8.5	Level 3
Data	Criteria catalog information security: should, must, and high protection needs (if marked with C) Plus criteria catalog data protection	Level 2
Special Data	Information security criteria catalog: should, must, high, and very high protection needs (if marked with C) Plus data protection criteria catalog	Level 3

Fulfillment of TISAX® requirements 

During the assessment process for TISAX® certification, companies are required to demonstrate that they have an effective Information Security Management System (ISMS). The specific requirements for proof depend on the test objective, the associated protection needs, and the assessment level.  

Evidence is typically provided through a self-assessment using the VDA-ISA questionnaire, submission of relevant documentation and evidence, and, if needed, through interviews and on-site inspections conducted by the chosen audit service provider.  

Setting ISMS with Compliance Aspekte 

Implementing an Information Security Management System is crucial for simplifying the TISAX compliance process. 

Compliance Aspekte is an integrated compliance management system that provides ISMS and DPMS within a single compliance and risk platform. 

The main benefits of our ISMS tool include: 

• A single platform for multiple compliance standards with quick migration to their new versions. 
• Special template concepts for the Education, Energy and Automotive sectors. 
• Compliance as a service: compliance software and expert consulting. 
• Time-saving with compliance Azure AI GPT-based bot Helga. 
• Ready-to-use Compliance Kits. 
• Customizable functionality and pricing. 
• Automated compliance routines.

What happens if a company doesn’t meet TISAX® requirements? 

During a TISAX® assessment, the auditor checks if your ISMS tool matches the required standards. If it does, you meet TISAX® requirements. However, if it doesn’t, the auditor may find either minor or major issues. If there are only minor issues, the auditor might issue a temporary TISAX® label. This temporary label is valid until you fix all the minor issues. 

If the auditor finds major issues, you won’t get the TISAX® label until you resolve these problems. You’ll need to come up with a plan to fix the issues and show this plan to the auditor. If the auditor agrees with your plan, you should then successfully implement it. After this, the auditor may reassess the situation. If improvements are sufficient, they might downgrade the issue from a “major deviation” to a “minor deviation” and issue a temporary TISAX® label. Until these issues are resolved, your company might face restrictions on doing business within the automotive sector. 

Top challenges you may face while implementing the TISAX® requirements 

When implementing TISAX® requirements, organizations may encounter several significant challenges that can impact the success of their ISMS development projects. Here is an outline of the top challenges you might face: 

Resource allocation and organization: 

• Ensuring sufficient resources: One of the primary challenges is securing and maintaining the necessary resources over the long term. This includes financial, human, and technological resources required to develop and sustain an ISMS that meets TISAX® standards. 
• Involvement of key personnel: Successfully implementing TISAX® requirements demands involvement from all relevant stakeholders across various departments within the company. Ensuring that everyone responsible for the processes is engaged and understands their roles is crucial. 

Structured project management: 

• Effective coordination: Managing the participation of various internal teams and making timely decisions are critical. A TISAX® project needs to be meticulously organized and well-communicated within the organization to ensure smooth execution. 
• Decision making: Strategic decision-making at the right times is essential to navigate through the complexities of implementing an ISMS according to requirements for TISAX®. 

Continuity and ongoing management: 

• Sustaining efforts: Building an ISMS is not a one-time task but a continuous endeavor. Organizations must integrate the ISMS into their daily operations and keep it active and effective at all times. 
• Long-term commitment: It is important not to treat TISAX® as a checkbox that can be ticked off post-audit. The organization must commit to maintaining and improving the ISMS continuously, addressing new security challenges as they arise. 

Addressing these challenges effectively is key to establishing a robust ISMS that not only meets the TISAX® requirements but also strengthens the overall security posture of the organization. 

Top tips for successfully meeting TISAX® requirements 

Here are some expert tips that will help you meet the requirements for TISAX® without any issues: 

Tip 1: Focus on project management 

• Preparation and Maintenance: Effective project management is crucial not only in preparing for a TISAX® audit but also for maintaining TISAX® standards during regular business operations. 
• Systematic Approach: Organize and structure your Information Security Management System (ISMS) methodically. This involves detailed planning of how the ISMS is set up and managed over time. 

Tip 2: Consider resource allocation 

• Broad involvement: To meet TISAX® requirements, it’s important to involve multiple stakeholders from different departments within your company. These parties should be brought in early and their roles should be clearly defined and sustained throughout the project. 
• Long-term commitment: Remember, a TISAX® ISMS is not just a short-term project or solely an IT concern. It requires ongoing commitment and should be integrated into the company’s long-term strategic plans. 

Tip 3: Prioritize documentation 

• Thorough record-keeping: Documentation is key in proving compliance during a TISAX® audit. Maintain clear and comprehensive records of all information security policies, procedures, and changes. 
• Accessible information: Ensure that documentation is easily accessible and regularly updated. This helps in streamlining the audit process and supports the continuous management of your ISMS. 

Tip 4: Enhance employee awareness and training 

• Regular training programs: Conduct regular training sessions for employees to enhance their awareness of security practices and the importance of data protection. 
• Engagement and feedback: Encourage employee engagement by inviting feedback on the ISMS and incorporating suggestions into security practices. This fosters a culture of security within the organization. 

What are the main benefits of compliance with TISAX® requirements? 

TISAX® certification offers several advantages for companies in the automotive industry. Here are some of the key benefits: 

• Enhanced trust and credibility: TISAX® certification demonstrates to partners, clients, and stakeholders that a company adheres to stringent information security standards. This boosts the company’s credibility and can significantly increase trust, facilitating smoother business relationships. 
• Improved market access: Many automotive manufacturers require their suppliers to be TISAX® certified. Thus, obtaining this certification can open up numerous opportunities for businesses and allow companies to participate in markets where TISAX® is a prerequisite. 

• Streamlined compliance processes: TISAX® aligns with international standards such as ISO 27001, simplifying the compliance process. Companies that are TISAX® certified are recognized as meeting high security and data protection standards, reducing the need for multiple audits and assessments by different OEMs (Original Equipment Manufacturers). 
• Enhanced security posture: Through the rigorous assessment and ongoing monitoring required for TISAX® certification, companies enhance their security measures. This proactive approach helps prevent security breaches and data theft, safeguarding sensitive and proprietary information. 

• Competitive advantage: TISAX® certification can serve as a competitive edge in the automotive supply chain. It indicates that a company is committed to maintaining high standards of information security, distinguishing it from competitors who are not certified. 
• Cost efficiency: While the initial investment in TISAX® certification might be substantial, it can lead to long-term cost savings by preventing security incidents that are expensive to mitigate. Additionally, the streamlined compliance and reduced need for multiple audits can further reduce costs over time. 

Conclusion 

In conclusion, meeting TISAX® requirements is a strategic necessity for companies in the automotive supply chain aiming to ensure robust information security management.  

For those seeking to streamline this process, Compliance Aspekte offers a comprehensive solution. As an ISMS & DPMS tool in one platform tailored to support TISAX® VDA ISA 6.0, Compliance Aspekte combines AI technology, including a smart Azure GPT-based compliance assistant, with audit consulting services. This integrated tool not only simplifies compliance with TISAX® requirements but also supports multiple automotive standards, making it an invaluable asset for any organization looking to enhance its compliance efforts efficiently. 

If you’re ready to take your company’s information security to the next level, consider exploring how Compliance Aspekte can facilitate your journey towards TISAX® certification. Explore our website or contact our team to learn more and get started today.