TISAX® Label: All you need to know

TISAX Blog
TISAX Blog

What’s TISAX?

Let’s start with the acronym. TISAX® stands for Trusted Information Security Assessment Exchange. Or as called in the industry ISO 27001 for automotive. In 2017, the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) published its list of criteria regarding information security in the automotive industry.

Which parties are included?

Before the TISAX® certification members of VDA ran their internal assessments and also assessments for their suppliers, partners, and service providers. However, this individual assessment per provider required partners to spend time & money on assessment for each of their clients. Let’s assume that you are a producer from Bayern and you have to pass through AT LEAST 3 different assessments if you provide goods for Daimler, BMW, and VW.

To reduce duplicate efforts for similar assessments for different companies, VDA came up with its list of criteria; TISAX®. Which has a catalog of criteria, audits, processes, and KPIs, therefore, as a result, TISAX® Certification. If a supplier is TISAX® certified, it assures the controlled sharing and security of the data being held.

VDA has chosen a neutral third party, the ENX Association, which accredits auditors, maintains the assessment requirements, monitors the audit quality, and finally keeps audit results. Therefore, in addition to ENX, there are neutral auditing firms such as TÜV, Dekra, PWC, KPMG, Bureau Veritas, Deloitte, etc.

Who needs to be TISAX® certified?

If you are a supplier, service provider, or partner to a VDA member (i.e VW, Daimler, AUDI, BMW, Porsche, Continental, MAGNA, Škoda, etc.), a TISAX® Certification will make sure that you are eligible to continue proving your services, and/or take part in tenders. As more and more companies are getting TISAX® certification, companies without the certification will have difficulties being a part of the supply chain for big automotive producers. That applies to Tier 2 and Tier 3 suppliers as well as other service providers.

What are the major benefits of TISAX®?

First and foremost, TISAX® is there to create a base information security level within the automotive industry. And if we think about patents, prototypes, and R&D efforts, and how many different stakeholders are included; information security is crucial for a smooth and secure supply chain.

Let’s continue with the supply chain, every producer would want to make sure that their supply chains are secure and built with strong links, which means reliable suppliers. TISAX® certifications can provide a comparison ground, as well as a trust basis. This also ensures the suppliers are working towards improving their internal security measures and processes.

As mentioned above, by having a common assessment guideline, duplication efforts are eliminated. Therefore, both suppliers and producers can save significant time and money.

Which levels of certification do I Need?

There are 3 levels of assessment for TISAX® certification:

Level 1: At this level, suppliers should fulfill the Information Security Assessment (ISA) questionnaire and have a certain level of maturity to be approved by the TISAX® Auditor

Level 2: If the supplier wants Level 2 certification, a self-assessment questionnaire will be followed by remote compliance checks by the audit provider

Level 3: Suppliers who work with confidential data have to go through an on-site inspection by the audit provider

Which steps are included in TISAX® Label?

First of all, the company should register on the ENX platform. This is the first step of the TISAX® certification regardless of the certification level. Then the companies should decide which certification level they need and select the auditor. Please keep in mind that by selecting an audit provider, this company is automatically excluded from any TISAX® consultancy service throughout the certification.

Then ISA questionnaire should be completed by the company. Here is quite important to consider having expert help, to carefully identify the basis for the GAP analysis. Then the results are shared with the auditor. Depending on which level, the next steps might vary. However, the essence is that the auditor sends an audit report with the necessary precautions. Those precautions need to be fulfilled before getting the TISAX® Label.

Then the TISAX® Label must be renewed every 3 years. However, the procedure for recertification differs from that for initial certification. In the case of recertification, annual audits must be carried out to ensure that the processes are being executed and comply with the TISAX® requirements.

What are the costs of the TISAX® Label?

There are 4 possible cost items. The registration fee paid to ENX is mandatory and is about 500 € per site. Then a mandatory fee for the audit provider, which depends on your choice and varies between 5,000 and 10,000 € depending on the audit level. There are also operational costs that your employees should spend on preparing for the audit, which can also be significantly reduced with external help.

For pricing, we offer our Workshop for TISAX® for your personal GAP analysis. In addition, the consulting costs can be calculated between 16.000-25.000€.

For instance, we as 360 Digital Transformation help you from the beginning to the end of the certification process. Through GAP analysis, process optimization, framework creation and ISMS creation, tool selection, and support during the audit. We have helped more than 50 companies to achieve their TISAX® Label.

TISAX® ist eine eingetragene Marke der ENX Association. Die 360 Digitale Transformation steht in keiner geschäftlichen Beziehung zur ENX. Mit der Nennung der Marke TISAX® ist keine Aussage des Markeninhabers zur Geeignetheit der hier beworbenen Leistungen verbunden. TISAX® Assessments, zur Erlangung von Labels, werden nur von den auf der Homepage der ENX genannten Prüfdienstleistern durchgeführt.

What are the differences between TISAX® Label and ISO 27001?

TISAX® Label and ISO 27001 are quite similar, as both are standards for ISMS (Information Security Management Systems). The difference between TISAX® certification and ISO 27001 is that TISAX® Label is required by the automotive industry. So if you are a supplier or service provider to the automotive industry, then you may need TISAX® Label. On the other hand, ISO 27001 is a general standard, which means it can be applied in any industry. However, in this blog post, we will not go into detail about the application differences between the two standards.

For companies wishing to obtain both certificates, we recommend starting with TISAX® Label and then proceeding to ISO 27001.

If you want to learn more about the differences between TISAX® and ISO 27001, we recommend reading this blog post.

Two ways we can help you

We are here to help you get your TISAX® Label with less cost and faster. 

Would you like to learn more about TISAX® or do you have any questions?  Then schedule a free-of-charge meeting.

Do you already want to start with your TISAX project? Then book our GAP Analysis so that you have your maturity level and your Roadmap for TISAX® clearly defined.

About the Author

TISAX® Label

Can Adiguzel is the founder of 360 Digital Transformation. He is a TISAX consultant and ISO 27001 Lead Auditor. He has been working in IT project management for more than 11 years. His passion is information security for SMEs and he helps SMEs overcome their information security challenges with a hands-on consulting approach.