TISAX® - Information security in the automotive sector
In an extremely innovative environment dependent upon multiple players to succeed, secure exchange of information is essential to safeguard confidential information such as prototypes, protect brand reputations and build customer loyalty.
With a long and complex supply chain, the automotive industry demands an “ecosystemic” information security approach. In our digital age, information security needs span beyond automotive suppliers to marketing companies and other parties involved. The primary need is to protect:
- projects or design information, prototypes or secret plans of investment,
- big data and process data, linked to the new concepts of digitalization, the development of autonomous cars,
- interconnections within the supply chain network,
- and the personal data of customers
TISAX (Trusted Information Security Assessment eXchange) is a maturity-based information security assessment approach targeted to the automotive industry’s needs. Primarily applicable to 1st and 2nd tier suppliers, but extendable to more complex supply chains, assessment is a requirement from certain OEMs.
TISAX is a global information security standard for the automotive industry. Assurance providers, such as DNV, are accredited by the ENX Consortium. The goal of the scheme is to:
- establish a common level of security for the automotive industry
- ensure common recognition of assessments to reduce costs, efforts and complexity for manufacturers and suppliers
- ensure the comparability and quality of the assessments
- exchange best practices and lessons learned
- let each participant decide to whom results will be revealed and degree of detail
TISAX combines the former Information Security Rules (ISA) of the German Verband der Automobilindustrie (VDA) with ISO/IEC 27001’s Appendix A (Technical Controls) as well as some Privacy requirements.
Beyond being a ticket-to-trade requirement from certain manufacturers, TISAX assessments contribute to building supply chain trust. Participating suppliers can benefit by:
- Being recognized by Automotive Manufacturers;
- Preventing information security breaches and cyber-attacks;
- Gaining customer trust;
- Identifying and addressing risk;
- Getting recognition for due information security processes;
- Sharing assessment results through the ENX exchange.
TISAX® vs ISO/IEC 27001
While both cover information security TISAX builds on key elements in the information security management system standard ISO/IEC 27001. However, it focusses in on the elements specifically relevant to the context of the automotive industry.
The main differences are:
|Management system standard||Covers information security processes and parts relevant to partners in the automotive industry|
|On/off approach||Maturity level approach|
|Scope defined before certification||Scope is fixed|
|Company-based risk analysis||VDA-ISA working group-based risk analysis|
|Certification body issues certificate||TISAX issues label and exchange registration|
|Periodic audit and recertification after 3 years||3-year validity, no periodic audits|
How to become assessed?
Companies entering the program must register with ENX as a participant.
The process is set up in stages:
Get to know the TISAX requirements.
Register on the TISAX portal, select your auditing body, and prepare for the audit. This includes a self-assessment to measure your compliance and readiness.
How the audit is executed depends upon whether you qualify for a remote (Level 2) or physical (Level 3) audit. The audit itself consists of interviews, a document review, clarification of possible findings and next steps.
- Corrective action plan and follow-up
Prepare a corrective action plan (CAP) to close any findings (gaps) which is submitted to the audit provider. The CAP is assessed through a follow up (or more, if necessary) and completes TISAX report.
- Exchange of results
The audit provider uploads TISAX report to the platform. Audited company decides with whom the results should be shared. ENX issues the TISAX labels to the audited company.
How can DNV help?
As an assessor accredited by ENX, DNV can provide assessments to TISAX globally, through our network of local offices and auditors.
ENX maintains the audit provider criteria and assessment requirements (TISAX ACAR). It approves audit providers and monitors the quality of implementation as well as the assessment results. ENX is supported by the TISAX Committee, consisting of representatives of manufacturers, suppliers and associations.