How to perform a Self-Assessment for TISAX®?


Your company has now decided to get a TISAX® certification. Maybe you are required to be TISAX® certified. In both cases, welcome to the club! TISAX® is an extremely deep topic, so if you are new to TISAX®, I would definitely recommend starting with this blog post.

In this post, after covering some basics, we will focus on performing a Self-Assessment for TISAX®. This blog post is therefore aimed at companies that are further along in their TISAX® certification process, for instance companies that have already decided to proceed with the certification.

What does a typical Roadmap for TISAX® look like?

This is a very frequently asked question, so we want to start with the roadmap for TISAX®. After deciding to get your TISAX® certification, you should start by registering on the ENX TISAX® portal.

The registration fee is about 400€ (as of August 2021). After the registration, you will receive your SCOPE ID. Congratulations, you have successfully completed the first step towards your TISAX® certification. 👏

[Figure: TISAX® Certification Stages]

After this step, you need to choose the auditing company, i.e. the auditor. However, we strongly suggest completing your preparation before deciding on your audit date. Why is that? If you are not sure how fit you are for your audit, you are doing two things. Firstly, you are putting time pressure on your own shoulders. Secondly, you are risking a smooth audit by skipping the preparation. Therefore, preparation first!

You can choose your auditor from the list of approved audit providers. Examples of those companies are DEKRA, TÜV, KPMG, etc. You can get offers from different auditors and then decide which one suits you best. After your decision, the audit company will ask you to define an audit date and a kick-off meeting. We suggest leaving enough time between the kick-off meeting and the audit.

How do you prepare for your TISAX® Certification?

You need to do your homework before choosing the audit date. The preparation time depends on your company's ISMS readiness level. We suggest taking enough time for preparation and avoiding rushing into the audit. Let's dive into the preparation steps.

A GAP analysis is like an X-ray for doctors. It determines the maturity level of your company and shows in which areas your company needs to improve to get the TISAX® certification. A GAP analysis consists of the following parts:

  • Physical Security Questionnaire
  • ISMS Structure
  • Technical Security
  • Self-Assessment

This blog post gives you detailed information about the Self-Assessment for TISAX®, so we will only cover this aspect of the GAP analysis. The result of the GAP analysis is affected by your ISMS structure, document management system, documentation policies, security policies, network plan, etc.

TISAX® requires a certain structure and clearly defined policies, so it's crucial to have them in place. If that's not possible yet, performing a Self-Assessment for TISAX® helps you see in which areas your company needs more preparation, and which requirements are must-haves.

What are the components of Self-Assessment for TISAX®?

The TISAX® Self-Assessment is a catalog from the VDA (Verband der Automobilindustrie, the German Association of the Automotive Industry). The catalog contains questions about Information Security, Prototype Protection, and Data Protection. However, please keep in mind that not all three sections apply to every TISAX® assessment level.

The self-assessment is also submitted as audit documentation, so it's crucial to complete it thoroughly. We suggest doing it twice: once before the project kick-off, and then again building on that first version, so that the final self-assessment can be handed over without any additional effort.

Cover Page

Firstly, you need to start with the cover page. Here you provide basic information about your company, for instance your Scope-ID* and DUNS number**.

* You receive your SCOPE-ID once you have registered on the ENX platform.

**You receive your DUNS number via this link.

Maturity Level and Definitions

After that, we can explain how to proceed with the sections. Each section has different questions, which you need to answer according to your company's maturity level. Therefore, you need to know what is meant by maturity level.

The maturity levels are defined in the catalog. According to the VDA there are six maturity levels, from 0 to 5:

  • 0 – Incomplete
  • 1 – Performed
  • 2 – Managed
  • 3 – Established
  • 4 – Predictable
  • 5 – Optimizing

It's also wise to read the definitions before moving on to answering the questions, so that you have a profound understanding of the logic of the VDA catalog.

Information Security

In each section, there are multiple questions to determine your maturity level. The Information Security section is split into several categories, and as a result of your assessment you will be graded in each of them:

  • Information Security Policies and Organisation
  • Human Resources
  • Physical Security and Business Continuity
  • Identity and Access Management
  • IT Security/Cyber Security
  • Supplier Relationships
  • Compliance
  • Prototype Protection (comes from the Prototype Protection section)

How do I define my maturity level during Self-Assessment for TISAX®?

Firstly, to define your maturity levels, you need to pay attention to the "must" and "should" requirements of the control questions. If you want to improve your maturity level, those requirements need to be in place. Needless to say, your maturity levels depend on the extent to which you have fulfilled these requirements.

As there are many control questions with multiple requirements each, it's wise to set aside some time for the assessment. It is worth investing in understanding the criteria to have a smooth audit later. Therefore we strongly suggest performing the self-assessment at the beginning of the project.

Finally, you will need to fill in the reference documentation (column G). This column can be filled by providing the link to the reference documentation in your ISMS system. Alternatively, you can type in the name of the document file next to the related control question. Here you can download the latest version of the VDA catalog, which was released on April 21st, 2021.

What are the success criteria of Self-Assessment for TISAX®?

Firstly, the average of all maturity levels should be a minimum of 3. However, that alone doesn't guarantee your certificate. Secondly, you shouldn't have any grades of 0 or 1: having Incomplete or Performed as a maturity level is a no-go for TISAX®.

Therefore it's crucial to run a Self-Assessment for TISAX® before you define your audit date. You will not only see where your improvement potential lies, you can also make a backup plan to ensure that you are ready for your audit.

Finally, Self-Assessment for TISAX® provides a good benchmark in case your company prioritizes one of the categories mentioned above. Needless to say, you can always improve.
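To make the two success criteria above concrete, here is an added example (not from this post, the VDA or ENX) that scores a constructed set of control-question ratings, grouped by the Information Security categories listed earlier. The ratings are invented, and the check only implements the two rules stated in this post, not the full ISA result calculation.

```python
"""Pre-check a TISAX self-assessment against the two criteria stated in the post:
average maturity level >= 3, and no control rated 0 (Incomplete) or 1 (Performed)."""

LEVELS = ["Incomplete", "Performed", "Managed", "Established", "Predictable", "Optimizing"]
TARGET_AVERAGE = 3.0          # minimum average maturity level stated in the post
BLOCKING_LEVELS = {0, 1}      # these levels are a no-go regardless of the average

# Constructed sample: one maturity level per control question, grouped by category.
SAMPLE_RATINGS = {
    "Information Security Policies and Organisation": [3, 4, 3, 3],
    "Human Resources": [3, 3],
    "Physical Security and Business Continuity": [2, 3, 3],
    "Identity and Access Management": [4, 3, 1],   # one control still at "Performed"
    "IT Security/Cyber Security": [3, 3, 4, 4, 3],
    "Supplier Relationships": [3, 2],
    "Compliance": [3, 3],
}


def evaluate_self_assessment(ratings):
    """Return the overall average, blocking controls, per-category averages and
    the weakest categories, plus a readiness verdict under the post's two rules."""
    all_levels = [lvl for lvls in ratings.values() for lvl in lvls]
    if not all_levels:
        raise ValueError("no control questions rated")
    for lvl in all_levels:
        if lvl not in range(len(LEVELS)):
            raise ValueError(f"maturity level {lvl} is outside 0..5")

    average = sum(all_levels) / len(all_levels)
    # Controls rated 0 or 1, reported as (category, 1-based question index, level name).
    blockers = [(cat, i + 1, LEVELS[lvl])
                for cat, lvls in ratings.items()
                for i, lvl in enumerate(lvls) if lvl in BLOCKING_LEVELS]
    per_category = {cat: sum(lvls) / len(lvls) for cat, lvls in ratings.items()}
    # Categories with the lowest average first: where to focus preparation effort.
    focus_areas = sorted(per_category, key=per_category.get)[:3]

    return {
        "average": round(average, 2),
        "meets_average": average >= TARGET_AVERAGE,
        "blockers": blockers,
        "ready": average >= TARGET_AVERAGE and not blockers,
        "per_category": per_category,
        "focus_areas": focus_areas,
    }


if __name__ == "__main__":
    for key, value in evaluate_self_assessment(SAMPLE_RATINGS).items():
        print(f"{key}: {value}")
```

In the sample the average is exactly 3.0, yet the single control rated "Performed" still makes the company not ready, which is the point of the second rule.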

What are the costs of TISAX® Label?

Here is a cost breakdown that you can use:

  • ENX Registration approximately 405€ (as of August 2023)
  • ISMS (Information Security Management System) depending on the tool in use
  • Auditor Fees start from 5.000€ (depending on the Auditing Company)
  • Consultancy for TISAX® (getting an expert team on board for a smooth audit) starting from approx. 20.000€

The prices given above are approximations based on what we have experienced in the market. Each cost can vary depending on the number of locations, the existing infrastructure, and your TISAX® maturity level (i.e. the result of your TISAX® Self-Assessment).

Wrapping Up

Preparing for your TISAX® audit is a tedious, time-consuming process that requires hard work. However, the benefits of the TISAX® certification outweigh the effort. Therefore, getting an expert on board right from the beginning is wise. Alternatively, you can book a workshop with us to define your roadmap for TISAX®. Do you have any other questions? Please contact us!

TISAX® is a registered trademark of the ENX Association. 360 Digitale Transformation has no business relationship with ENX. Mentioning the TISAX® trademark does not imply any statement by the trademark owner about the suitability of the services advertised here. TISAX® assessments for obtaining labels are carried out only by the audit providers listed on the ENX homepage.


About the Author


Can Adiguzel is the founder of 360 Digital Transformation. He is a TISAX consultant and ISO 27001 Lead Auditor. He has been working in IT project management for more than 11 years. His passion is information security for SMEs and he helps SMEs overcome their information security challenges with a hands-on consulting approach.