Your company has decided to get a TISAX Certification, or perhaps you are required to become TISAX certified. In both cases, welcome to the club! TISAX is an extremely deep topic, so if you are new to TISAX, I would definitely recommend starting with this Blog Post.
In this post, after covering some basics, we will focus on performing a TISAX Self-Assessment. This blog post is therefore aimed at companies that are further along in their TISAX Certification process, for instance companies that have already decided to proceed with the TISAX Certification.
What does a typical TISAX Roadmap look like?
This is a very frequently asked question, so we want to start with the TISAX Roadmap. After deciding to get your TISAX Certification, you should start by registering on the ENX TISAX Portal.
The registration fee is about 400€ (as of August 2021). After the registration, you will receive your Scope-ID. Congratulations, you have successfully completed the first step towards your TISAX Certification. 👏
After this step, you need to choose the audit provider, i.e. the auditor. However, we strongly suggest completing your preparation before fixing your audit date. Why? If you are not yet sure how fit you are for your audit and you book the date anyway, two things happen. Firstly, you put yourself under time pressure. Secondly, you risk a bumpy audit because the preparation was cut short. Therefore: preparation first!
You can choose your auditor from the list of approved audit providers. Examples are DEKRA, TÜV and KPMG. You can get offers from different auditors and then decide which one suits you best. After your decision, the audit provider will ask you to define an audit date and a kick-off meeting. We suggest leaving enough time between the kick-off meeting and the audit.
How do you prepare for your TISAX Certification?
You need to do your homework before choosing the audit date. The preparation time depends on your company's ISMS readiness level. We suggest taking enough time for preparation and avoiding a rush into the audit. Let's dive into the preparation steps.
A gap analysis is like an X-ray for a doctor. It determines the maturity level of your company and shows in which areas your company needs to improve to get the TISAX Certification. A gap analysis typically covers:
- Physical Security Questionnaire
- ISMS Structure
- Technical Security
This blog post focuses on the TISAX Self-Assessment, so we will only cover this aspect of the gap analysis. The result of the gap analysis is affected by your ISMS structure, document management system, documentation policies, security policies, network plan, etc.
TISAX requires a certain structure and clearly defined policies, so it is crucial to have them in place. If that is not possible yet, performing a TISAX Self-Assessment helps you to see in which areas your company needs more preparation, and which requirements are a must-have.
What are the components of TISAX Self-Assessment?
The TISAX Self-Assessment is based on the VDA ISA catalogue (Information Security Assessment) published by the VDA (Verband der Automobilindustrie, the German Association of the Automotive Industry). The catalogue consists of control questions in three sections: Information Security, Prototype Protection, and Data Protection. However, please keep in mind that not all three sections apply to every TISAX assessment objective (label); which sections are relevant depends on the objectives you have selected.
The completed self-assessment is also submitted to the auditor as audit documentation, so it is crucial to fill it in thoroughly. We suggest completing it twice: once before the project kick-off, and then a second time built on the first version, so that the final version can be handed over without additional effort.
Firstly, you need to start with the cover page. Here you provide basic information about your company. For instance your Scope-ID* and DUNS number**.
* You receive your SCOPE-ID, once you have registered in the ENX Platform.
**You receive your DUNS number via this link.
Maturity Level and Definitions
After that, we can move on to the individual sections. Each section contains a number of control questions, and you answer each one according to your company's maturity level. Therefore, you need to know what is meant by maturity level.
The maturity levels are explained in the maturity level definitions of the catalogue. According to the VDA there are six maturity levels, from 0 to 5:
- 0 – Incomplete
- 1 – Performed
- 2 – Managed
- 3 – Established
- 4 – Predictable
- 5 – Optimizing
It is also wise to read these definitions before moving on to answering the questions, so that you understand the logic behind the VDA catalogue.
In each section, there are multiple questions to determine your maturity level. There are different categories under the Information Security section. As a result of your assessment, you will be graded under those categories:
- Information Security Policies and Organisation
- Human Resources
- Physical Security and Business Continuity
- Identity and Access Management
- IT Security/Cyber Security
- Supplier Relationships
- Prototype Protection (comes from the Prototype Protection section)
How do I define my maturity level during TISAX Self-Assessment?
Firstly, to determine your maturity levels, you need to pay attention to the "must" and "should" requirements of each control question. "Must" requirements are mandatory; "should" requirements are expected as well, and any deviation from them has to be justified. If you want to improve your maturity level, these requirements need to be in place. Needless to say, your maturity levels depend on the extent to which you have fulfilled them.
As there are many control questions with multiple requirements each, it is wise to set aside enough time for the assessment. It is worth investing time in understanding the criteria to have a smooth audit later on. Therefore we strongly suggest performing the self-assessment at the beginning of the project.
Finally, you will need to fill in the reference documentation (column G). This column can be filled by providing the link to the reference documentation in your ISMS system. Alternatively, you can type in the name of the documented file in the related control question.
Here you can download the latest version of the VDA Catalogue which was released on April 21st, 2021.
What are the success criteria of TISAX Self-Assessment?
Firstly, the average of all maturity levels should be at least 3, the target level. However, that alone does not guarantee your label. Secondly, no control question may be graded 0 or 1. In other words, a maturity level of "Incomplete" or "Performed" on any control is a no-go for TISAX.
Therefore it is crucial to run a TISAX Self-Assessment before you define your audit date. You will not only see where your improvement potential lies, you can also put a plan in place to make sure that you are ready for your audit.
Finally, the TISAX Self-Assessment provides a good benchmark in case your company prioritizes one of the above-mentioned categories. Needless to say, you can always improve.
Do I have to run TISAX Self-Assessment in Excel?
It depends. If you are at the very beginning of your TISAX Certification journey, the complex Excel file can be confusing. Therefore, we have prepared an online alternative for you*. You can easily run the self-assessment and see where you stand in your TISAX journey. You will also receive a report stating in which categories you need improvement.
However, if you are already advanced in your TISAX journey, you have to complete the detailed questionnaire and submit it as audit documentation. This can still be tedious for most companies. If you do not feel comfortable with the TISAX Self-Assessment, you can always get an expert on board.
*For the time being it’s only available in German. If you require the English version, please contact us.
What are the costs of TISAX Self-Assessment?
But first: what does the TISAX certification itself cost? We thought we would give you a rough idea of the overall certification costs before talking about the costs of the TISAX Self-Assessment. Here is a cost breakdown that you can use:
- ENX Registration approximately 400€ (as of August 2021)
- ISMS tooling (for your Information Security Management System) between 0€* and 3.000€ per year
- Auditor fees starting from 5.000€ (depending on the audit provider)
- TISAX Consultancy (getting an expert team on board for a smooth audit) starting from 12.000€
- TISAX Process Management Tool starting from 7.000€ per year for 5 users – this is suggested after certification
*There are free tools available like Nextcloud.
The prices given above are approximations of what we have experienced from the market. Each cost can vary depending on the number of locations, existing infrastructure, your TISAX maturity level (i.e. the result of your TISAX Self-Assessment).
By the way, running a TISAX Self-Assessment is always free of charge. As mentioned above, you can do it yourself in Excel or via our online platform: E-Flow.
Preparing for your TISAX audit is a tedious, time-consuming process that requires hard work. However, the benefits of the TISAX certification outweigh the effort. Therefore, getting an expert on board right from the beginning is wise.
Alternatively, you can book a workshop with us to define your TISAX Roadmap. Do you have any other questions? Please contact us!
Can Adiguzel is the founder of 360 Digital Transformation and host of The Digital Mittelstand podcast. He has been working on Digital Transformation projects for more than 8 years. He is passionate about Digital Transformation for the Mittelstand and helps Mittelstand companies overcome their Digital Transformation challenges by optimizing and automating processes.