What is TISAX?
Let’s start with the acronym. TISAX stands for Trusted Information Security Assessment Exchange. In the industry, it is also called ISO 27001 for automotive. In 2017, the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) published its list of criteria regarding information security in the automotive industry.
Which parties are included in TISAX Certification?
Before TISAX Certification, VDA members ran their own internal assessments as well as assessments of their suppliers, partners, and service providers. However, these individual assessments required partners to spend time and money on a separate assessment for each of their clients. Let’s assume you are a producer from Bayern: you have to pass AT LEAST 3 different assessments if you provide goods for Daimler, BMW, and VW.
To reduce duplicate effort on similar assessments for different companies, VDA came up with its own list of criteria: TISAX. It comprises a catalog of criteria, audits, processes, and KPIs, and the result is TISAX Certification. If a supplier is TISAX certified, it assures the controlled sharing and security of the data being held.
VDA has chosen a neutral third party, the ENX Association, which accredits auditors, maintains the assessment requirements, monitors the audit quality, and finally keeps audit results. In addition to ENX, there are neutral auditing firms such as TÜV, Dekra, PwC, KPMG, Bureau Veritas, Deloitte, etc.
Who needs to be TISAX certified?
If you are a supplier, service provider, or partner to a VDA member (e.g. VW, Daimler, AUDI, BMW, Porsche, Continental, MAGNA, Škoda, etc.), a TISAX Certification will make sure that you are eligible to continue providing your services and/or take part in tenders. As more and more companies get TISAX certification, companies without it will have difficulty remaining part of the supply chain for big automotive producers. That applies to Tier 2 and Tier 3 suppliers as well as other service providers.
What are the major benefits of TISAX Certification?
First and foremost, TISAX is there to create a baseline level of information security within the automotive industry. If we think about patents, prototypes, and R&D efforts, and how many different stakeholders are involved, information security is crucial for a smooth and secure supply chain.
Let’s continue with the supply chain. Every producer wants to make sure that their supply chain is secure and built with strong links, which means reliable suppliers. TISAX Certifications can provide a basis for comparison as well as a basis for trust. They also ensure that suppliers are working towards improving their internal security measures and processes.
As mentioned above, having a common assessment guideline eliminates duplicated efforts. Therefore, both suppliers and producers can save significant time and money.
Which levels of TISAX Certification are needed?
There are 3 levels of assessment of TISAX Certification:
Level 1: At this level, suppliers should complete the Information Security Assessment (ISA) questionnaire and have a certain level of maturity to be approved by the TISAX Auditor.
Level 2: If the supplier wants Level 2 certification, a self-assessment questionnaire will be followed by remote compliance checks by the audit provider.
Level 3: Suppliers who work with confidential data have to go through an on-site inspection by the audit provider.
Which steps are included in TISAX Certification?
First of all, the company should register on the ENX platform. This is the first step of the TISAX Certification regardless of the certification level. Then the company should decide which certification level it needs and select the auditor. Please keep in mind that once you select an audit provider, that company is automatically excluded from providing any TISAX consultancy service throughout the certification.
Then the ISA questionnaire should be completed by the company. Here it is quite important to consider getting expert help to carefully identify the basis for the gap analysis. The results are then shared with the auditor. Depending on the level, the next steps might vary. However, the essence is that the auditor sends an audit report with necessary precautions. Those precautions need to be fulfilled before getting the TISAX certificate.
TISAX Certifications then need to be renewed every 3 years. However, the procedure for recertification is different from that of the first certification. Recertification requires annual audits to be performed to ensure that processes are being executed and are in compliance with TISAX requirements.
What are the benefits of digitalized and automated TISAX Processes?
First things first, if you have already optimized and digitalized your processes, your company will have the advantage of historical data tracking, monitoring, and decision-based execution. If these main concepts of digitalization are applied to TISAX processes, basic requirements such as Information Security Management Systems (ISMS), document classification, and audit and training planning will be mostly fulfilled.
In addition to that, having automated TISAX processes will also help you manage your KPI dashboards, maintain your annual internal audits, and provide necessary information for your TISAX recertification. At the end of the day, you will save significant time and costs by avoiding renewed audits and the risk of losing your certificate.
Do only German companies need TISAX Certification?
NO! TISAX is an international certification. It is a requirement of major German automakers such as VW and Daimler Benz for all Tier 1 (direct) suppliers. These Tier 1 suppliers in turn require TISAX Certification from their own suppliers (Tier 2), and so on down the chain, regardless of geographical location.
What are the costs of TISAX Certification?
There are 4 possible cost positions. The registration fee paid to ENX is mandatory and is around 500€. The fee for the audit provider is also mandatory; it depends on your choice and varies with the audit level from 3.000 to 15.000 €. There are also operational costs, as your employees have to spend time on audit preparation; these can be significantly reduced with external help. For example, we as 360 Digital Transformation can help you from the beginning to the end of the certification, with gap analysis, process optimization, preparation of the framework, tool choices, and accompanying you during the audit. We offer our TISAX Workshop (for the German version click here) for your personal gap analysis. We have helped more than 30 companies to get their TISAX Certification.
Do you want to run a free of charge Self-Assessment?
We have prepared a free-of-charge Self-Assessment to estimate your readiness level for your TISAX Certification. Here is the step-by-step guide! * For the time being only available in German.
What are the differences between TISAX Certification and ISO 27001?
TISAX Certification and ISO 27001 are quite similar, as they both are standards for ISMS (Information Security Management Systems). The difference between TISAX Certification and ISO 27001 is that TISAX Certification is demanded by the automotive industry. So if you are a supplier or service provider for the automotive industry, then you might need TISAX Certification. On the other hand, ISO 27001 is a general standard, meaning it can be applied to any industry. In this blog post, however, we won’t go into detail on the application differences between the two standards.
For companies that want to get both certificates, we suggest starting with TISAX Certification and then proceeding with ISO 27001.
Want to learn more about TISAX Certification?
We have also organized a free-of-charge webinar, to show you how we can optimize, digitalize and automate your TISAX processes, shorten your certification time, and make sure that your processes run smoothly. You can watch the replay of the Webinar available via this link. * For the time being only available in German.
Can Adiguzel is the founder of 360 Digital Transformation and host of The Digital Mittelstand podcast. He has been working on Digital Transformation projects for more than 8 years. He is passionate about Digital Transformation for Mittelstand and helps Mittelstand companies overcome their Digital Transformation challenges by optimizing and automating processes.