TISAX® Label: All you need to know

What is TISAX®?

Let’s start with the acronym. TISAX® stands for Trusted Information Security Assessment Exchange, or, as it is called in the industry, ISO 27001 for automotive. In 2017, the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) published its list of criteria regarding information security in the automotive industry.


Which parties are included in TISAX® Label?

Before the TISAX® Certification, members of VDA ran their own internal assessments as well as assessments of their suppliers, partners, and service providers. However, this individual assessment per provider required partners to spend time & money on an assessment for each of their clients. Suppose you are a producer from Bayern: you have to pass through AT LEAST 3 different assessments if you provide goods for Daimler, BMW, and VW.

To reduce the duplicated effort of similar assessments for different companies, VDA came up with its own list of criteria: TISAX®. It comprises a catalog of criteria, audits, processes, and KPIs, and the result is the TISAX® Certification. If a supplier is TISAX® certified, this assures the controlled sharing and security of the data being held.

VDA has chosen a neutral third party, the ENX Association, which accredits auditors, maintains the assessment requirements, monitors the audit quality, and finally keeps the audit results. In addition to ENX, there are therefore neutral auditing firms such as TÜV, Dekra, PWC, KPMG, Bureau Veritas, Deloitte, etc.


Who needs to have TISAX® Label?

Suppose you are a supplier, service provider, or partner to a VDA member (e.g. VW, Daimler, AUDI, BMW, Porsche, Continental, MAGNA, Škoda, etc.). In that case, a TISAX® Certification will make sure that you are eligible to continue providing your services and/or take part in tenders. As more and more companies are getting TISAX® certification, companies without the certification will have difficulties being a part of the supply chain for big automotive producers. That applies to Tier 2 and Tier 3 suppliers as well as other service providers.

What are the major benefits of the TISAX® Label?

First and foremost, TISAX® is there to create a baseline level of information security within the automotive industry. If we think about patents, prototypes, R&D efforts, and how many different stakeholders are involved, information security is crucial for a smooth and secure supply chain.

Let’s continue with the supply chain. Every producer wants to make sure that its supply chain is secure and built with strong links, which means reliable suppliers. TISAX® Certifications can provide a basis for comparison and for trust. This also ensures that suppliers are working towards improving their internal security measures and processes.

As mentioned above, having a common assessment guideline eliminates duplicated efforts. Therefore, both suppliers and producers can save significant time and money.

Which levels of TISAX® Label are needed?

There are 3 levels of assessment of TISAX® Certification:

Level 1: At this level, suppliers should complete the Information Security Assessment (ISA) questionnaire and have a certain level of maturity to be approved by the TISAX® Auditor.

Level 2: If the supplier wants Level 2 certification, a self-assessment questionnaire will be followed by remote compliance checks by the audit provider.

Level 3: Suppliers who work with confidential data have to go through an on-site inspection by the audit provider.

Which steps are included in TISAX® Label?

First of all, the company should register on the ENX platform. This is the first step of the TISAX® Certification regardless of the certification level. Then the company should decide which certification level it needs and select the auditor. Please keep in mind that, once selected as the audit provider, that company is automatically excluded from any TISAX® consultancy service throughout the certification.

Then the ISA questionnaire should be completed by the company. Here it is quite important to consider getting expert help, to carefully identify the basis for the GAP analysis. Then the results are shared with the auditor. Depending on the level, the next steps might vary. However, the essence is that the auditor sends an audit report with necessary precautions. Those precautions need to be fulfilled before getting the TISAX® certificate.

The TISAX® Certification then needs to be renewed every 3 years. However, the procedure for recertification is different than the first certification. The recertification requires annual audits to be performed to ensure that processes are being executed and are in compliance with TISAX® requirements.

What are the benefits of digitalized and automated TISAX® Processes?

First things first, if you have already optimized and digitalized your processes, your company will have the advantage of historical data tracking, monitoring, and decision-based execution. If these main concepts of digitalization are applied to TISAX® processes, the basic requirements, such as Information Security Management Systems (ISMS), document classifications, audit and training planning, etc., will be mostly fulfilled.

In addition to that, having automated TISAX® processes will also help you manage your KPI dashboards, maintain your annual internal audits, and provide necessary information for your TISAX® recertification. At the end of the day, you will save significant time and costs by avoiding renewed audits and the risk of losing your certificate.

A Sample KPI Dashboard via E-Flow

Do only German companies need TISAX® Label?

NO! TISAX® is an international certification. It is a requirement of major German automakers such as VW and Daimler Benz for all Tier 1 (direct) suppliers. TISAX® Certification is required in turn by these Tier 1 suppliers from their own suppliers (Tier 2) and so on down the chain regardless of their geographical location.

What are the costs of the TISAX® Label?

There are 4 possible cost positions. The registration fee that’s paid to ENX is mandatory and is around 500€. Then another mandatory fee, for the audit provider, depends on your choice and varies based on the audit level from 3.000 to 15.000 €. There are also operational costs, as your employees should spend time on audit preparation, which can be significantly reduced by external help. For example, we as 360 Digital Transformation can help you from the beginning till the end of the certification, through GAP analysis, process optimization, preparation of the framework, tool choices, and accompanying you during the audit. We offer our TISAX® Workshop (for the German version click here) for your personal GAP analysis. We have helped more than 30 companies to get their TISAX® Certification.

Do you want to run a free-of-charge Self-Assessment?

We have prepared a free-of-charge Self-Assessment to estimate your readiness level for your TISAX® Certification. Here is the step-by-step guide!

What are the differences between TISAX® Label and ISO 27001?

TISAX® Certification and ISO 27001 are quite similar, as they both are standards for ISMS (Information Security Management Systems). The difference between TISAX® Certification and ISO 27001 is that TISAX® Certification is demanded by the automotive industry. So if you are a supplier or service provider for the automotive industry, then you might need TISAX® Certification. On the other hand, ISO 27001 is a general standard, meaning it can be applied to any industry. In this blog post, however, we won’t go into detail on the application differences between the two standards.

For the companies that want to get both certificates, we suggest starting with TISAX® Certification and then proceeding with ISO 27001.

If you want to learn more about the differences between TISAX® and ISO 27001, we suggest reading this blog post.

Want to learn more about TISAX®?

Please feel free to visit our TISAX® page (for the German version click here) and contact us if you need help.

We have also organized a free-of-charge webinar, to show you how we can optimize, digitalize and automate your TISAX® processes, shorten your certification time, and make sure that your processes run smoothly. You can watch the replay of the Webinar available via this link. * For the time being only available in German.

TISAX® is a registered trademark of the ENX Association (European Network Exchange Association).

Can Adiguzel is the founder of 360 Digital Transformation and host of The Digital Mittelstand podcast. He has been working in Digital Transformation projects for more than 8 years. He is passionate about Digital Transformation for the Mittelstand and helps Mittelstand companies overcome their Digital Transformation challenges by optimizing, digitalizing, and automating processes.