How to perform a TISAX® Self-Assessment?

Your company has now decided to get a TISAX® Certification. Maybe you are required to be TISAX® certificated. In both cases, welcome to the club! TISAX® is an extremely deep topic, therefore if you are new to TISAX®, I would definitely recommend starting with this Blog Post.

In this post, after covering some basics, we will focus on performing a TISAX Self-Assessment. Hence, this blog post aims at companies, which are more advanced in their TISAX Certification processes. For instance, companies that already decided to proceed with the TISAX Certification.

What does a typical TISAX® Roadmap look like?

This is a very often asked question, therefore we want to start with the TISAX® Roadmap. After deciding to get your TISAX® Certification, you should start with registration to ENX TISAX® Portal.

The registration fee is about 400€ (as of August 2021). After the registration, you will receive your SCOPE ID. Thus, our congrats, you have successfully completed the first step towards your TISAX® Certification. 👏

After this step, you need to choose the Auditing company, hence the Auditor. However, we strongly suggest completing your preparation before deciding on your audit date. Why is that? If you are not sure about how fit you are for your audit, then you are doing two things. Firstly, you are putting time pressure on your shoulders. Secondly, you are risking a smooth audit by skipping the preparation. Therefore, preparation first!

You can choose your auditor from the given list of companies. Examples of those companies are; DEKRA, TÜV, KPMG, etc. You can get offers from different auditors. Then decide which one suits you best. After your decision, the auditor company will ask you to define an Audit Date and a Kick-off meeting. We suggest having enough time between the audit and the kick-off meeting.

How do you prepare for your TISAX® Certification?

You need to prepare your homework, before choosing the audit date. The preparation time depends on your company’s ISMS readiness level. We suggest taking enough time for preparation. Hence, avoid rushing into the audit. Let’s dive into the preparation steps.

A GAP Analysis is like an X-Ray for doctors. It defines the maturity level of your company. It also shows in which areas your company needs to improve to get the TISAX® Certification. Here is what a GAP Analysis looks like:

• Physical Security Questionnaire
• ISMS Structure
• Technical Security
• Self-Assessment

This blog post will give you detailed information about TISAX® Self-Assessment. Therefore we will only cover this aspect of the GAP Analysis. The result of the GAP Analysis will be affected by your ISMS structure, document management system, documentation policies, security policies, network plan, etc.

TISAX® requires a certain structure and clearly defined policies. Therefore it’s crucial to have them in place. If that’s not possible yet, performing a TISAX® Self-Assessment helps you to see in which areas your company needs more preparation. As well as which requirements are a must-have.

What are the components of TISAX® Self-Assessment?

TISAX® Self-Assessment is a catalog from VDA (Verband der Automobilindustrie – German Association of Automotive Industry). The catalog contains questions about Information Security, Prototype Protection, and Data Protection. However, please keep in mind that not all three sections are valid for all TISAX® Certification levels.

The self-assessment will also be provided as audit documentation. Therefore, it’s crucial to execute thoroughly. We suggest taking it twice, before the project kick-off, and then building from there. Hence the final version of the self-assessment can be provided without any additional effort.

Cover Page

Firstly, you need to start with the cover page. Here you provide basic information about your company. For instance your Scope-ID* and DUNS number**.

* You receive your SCOPE-ID, once you have registered in the ENX Platform.

**You receive your DUNS number via this link.

Maturity Level and Definitions

After that, we can start explaining how to proceed with sections. Each section has different questions. You need to answer those questions as per your company’s maturity level. Therefore, you need to know what’s meant by maturity level.

The maturity level is explained in the maturity levels of the catalog. There are six maturity levels according to VDA from 0 to 5:

• Incomplete
• Performed
• Managed
• Established
• Predictable
• Optimizing

It’s also wise to read the definitions before moving on to answering the questions. Thus you can have a profound understanding of the logic of the VDA Catalogue.

Information Security

In each section, there are multiple questions to determine your maturity level. There are different categories under the Information Security section. As a result of your assessment, you will be graded under the categories:

• Information Security Policies and Organisation
• Human Resources
• Physical Security and Business Continuity
• Identity and Access Management
• IT Security/Cyber Security
• Supplier Relationships
• Compliance
• Prototype Protection (comes from the Prototype Protection section)

How do I define my maturity level during TISAX® Self-Assessment?

Firstly, to define your maturity levels, you need to pay attention to the must and should requirements of the control questions. In case you want to improve your maturity level, those requirements need to be in place. Needless to say, your maturity levels depend on to what extent you have these requirements fulfilled.

As there are many control questions with multiple requirements each, it’s wise to spare some time for the assessment. It is worth investing in understanding the criteria to have a smooth audit in the future. Therefore we strongly suggest performing the self-assessment at the beginning of the project.

Finally, you will need to fill in the reference documentation (column G). This column can be filled by providing the link to the reference documentation in your ISMS system. Alternatively, you can type in the name of the documented file in the related control question. Here you can download the latest version of the VDA Catalogue which was released on April 21st, 2021.

What are the success criteria for TISAX® Self-Assessment?

Firstly, the average of all maturity levels should be a minimum of 3. However, that alone doesn’t guarantee your certificate. Secondly, you shouldn’t have any 0 or 1 grades. Thus, having Incomplete or Performed as a maturity level is a no-go for TISAX®.

Therefore it’s crucial to run a TISAX® Self-Assessment before you define your audit date. You will not only see where are your improvement potential. You can also have a backup plan to make sure that you are ready for your audit.

Finally, TISAX® Self-Assessment provides a good benchmark in case your company prioritizes one of the categories mentioned above. Needless to say, you can always improve.

Do I have to run TISAX® Self-Assessment in Excel?

It depends. If you are at the very beginning of your TISAX® Certification journey, it might be confusing the use the complicated excel file. Therefore, we have prepared an online alternative for you. You can easily run the self-assessment and see where you are in your TISAX® journey. You will also receive a report stating which categories you need improvement in. Here is the guide to help you with your online Self-Assessment.

However, if you are already advanced in your TISAX® journey, you have to fulfill the detailed questionnaire and provide it as audit documentation. This, however, can still be tedious for most companies. If you don’t feel comfortable with TISAX® Self-Assessment, you can always get an expert on board.

*For the time being it’s only available in German. If you require the English version, please contact us.

What are the costs of TISAX® Self-Assessment?

But hey, what are the costs of TISAX® certification before? We thought of giving you a rough idea of the certification before talking about TISAX® Self-Assessment’s costs. Here is a cost breakdown that you can use:

• ENX Registration approximately 400€ (as of August 2021)
• ISMS (Information Security Management System) between 0* – 3000€ per year
• Auditor Fees start from 5.000€ (depending on the Auditing Company)
• TISAX® Consultancy (getting an expert team on board for a smooth audit) starting from approx. 12.000€
• TISAX® Process Management Tool starting from 7.000€ per year for 5 users – this is suggested after you receive your TISAX® Label

*There are free tools available like Nextcloud.

The prices given above are approximations of what we have experienced in the market. Each cost can vary depending on the number of locations, existing infrastructure, and your TISAX® maturity level (i.e. the result of your TISAX® Self-Assessment).

By the way, running a TISAX® Self-Assessment is always free of charge. As mentioned above, you can do it yourself in Excel or via our online platform: E-Flow.

Wrapping Up

Preparing for your TISAX® Audit is a tedious, time-consuming process. It also needs hard work. However, the benefits of the TISAX® certification outweigh the efforts. Therefore, getting an expert on board even from the beginning is wise. Alternatively, you can book a workshop with us to define your TISAX® Roadmap. Do you have any other questions? Please contact us!

TISAX® ist eine eingetragene Marke der ENX Association. Die 360 Digitale Transformation steht in keiner geschäftlichen Beziehung zur ENX. Mit der Nennung der Marke TISAX® ist keine Aussage des Markeninhabers zur Geeignetheit der hier beworbenen Leistungen verbunden. TISAX® Assessments, zur Erlangung von Labels, werden nur von den auf der Homepage der ENX genannten Prüfdienstleistern durchgeführt.

Can Adiguzel is the founder of 360 Digital Transformation and host of The Digital Mittelstand podcast. He is in Digital Transformation projects for more than 8 years. He is passionate about Digital Transformation for Mittelstand and helps Mittelstand to overcome their Digital Transformation challenges by optimizing, digitalizing, and automating processes.