Information security at the highest level: Those who can demonstrate TISAX certification not only enable secure work within the automotive industry but also prove themselves to other companies as a reputable partner.

What is TISAX?

In 2017, the automotive industry launched TISAX, short for Trusted Information Security Assessment Exchange. The goal was to create a common standard for information security. TISAX was developed from ISO 27001. However, while the international standard has been formulated to be independent from any industry, TISAX was introduced specifically to meet the requirements of automotive manufacturers.

TISAX is organized by ENX. The European Network Exchange Association is an association of the European automotive industry that, among many other tasks, also manages the accreditation of TISAX auditors. ENX also maintains a public database that includes every company that has successfully passed a TISAX assessment.

TISAX encompasses many security-relevant areas within a company:

  • IT security
  • Prototype protection
  • Communication with external partners
  • Contingency plans
  • Security checks
  • Archive management
Icon Catalog

The basis of the test is the TISAX questionnaire – also called the VDA-ISA catalog in reference to its publisher, the German Association of the Automotive Industry (Verband der Automobilindustrie). The questionnaire is constantly updated and comprises over 60 questions divided into the categories information security, prototype protection and data protection.

TISAX certification: cost for the assessment

The cost for a TISAX assessment depends on the level of certification you wish to attain and the size of your company. In addition, the costs to be budgeted consist of various factors: First, you will usually need initial consultation so that you can prepare your company for the audit. Then comes the actual audit. Certification service providers charge for required personnel and for the duration of the audit. Since each auditor can set different prices, it is difficult to offer an accurate estimate.

But you should not forget internal costs. Depending on how well your information security management system (ISMS) has been implemented, additional effort may be required here as well. Specialized service providers such as the team at IT-Kompass can help you with the targeted introduction of an effective security system and can even reduce costs in the long term.

TISAX level explained

TISAX recognizes three different assessment levels. The level describes how intensively your company has been audited.

Which TISAX assessment level is right for your company depends on the requirements of your partners. Vehicle manufacturers (OEMs), in particular, expect a certain level from their suppliers.

A TISAX certification is valid for 3 years. After this time, your company will be removed from the ENX database and you will have to conduct another audit. This guarantees that all security measures are also permanently enforced.

TISAX level 1

At the first level, you only have to fill out a questionnaire about your internal security measures. There is no verification of your information at this level. Therefore, the assessment level 1 is only interesting internally and has no significance in dealing with other companies.

TISAX level 2

Here too, an initial self-assessment takes place. However, an external service provider then carries out a plausibility check. This consists of random questions, usually asked by telephone. This allows the auditor to determine if your provided information is plausible.

TISAX level 3

At the highest level, your self-assessment is reviewed on-site. This assessment is extensive and intensive. In addition to file reviews, a walk-through of the premises and interviews with relevant personnel are common.

A TISAX certification is valid for 3 years. After this time, your company will be removed from the ENX database and you will have to conduct another audit. This guarantees that all security measures are also permanently enforced.

Advantages of TISAX

With TISAX, you distinguish yourself to partners as a trustworthy company with effective security management. In the automotive industry, assessment is becoming increasingly important, and companies are increasingly demanding that their partners pass the assessment. The great advantage of the standardized procedure is that companies do not have to undergo a wide variety of multiple checks. The TISAX label is recognized by all industry players.

View from the cockpit of a self-driving automobile with a heads up display

Frequently asked questions about TISAX

Is TISAX necessary for my business?

If you want to be active in the automotive industry, TISAX is most likely a mandatory requirement. Accordingly, the necessity to participate in TISAX results from the requirements of the partner companies. In addition, however, you can also proactively opt for a TISAX audit: In this way, you demonstrate your reliability to external partners and also benefit from a correctly implemented ISMS.

Does TISAX replace ISO 27001?

No, TISAX is based on the ISO standard, but the two standards are not identical. TISAX was deliberately extended to include elements that are of particular interest to the automotive industry. ISO 27001, on the other hand, is universal and internationally recognized. Any company can seek ISO 27001 certification; however, due to the strong similarity, organizations for which TISAX plays a role often choose a combined audit to save time and money. But be aware: While ISO 27001 is valid for three years, just like TISAX, companies must undergo an annual review.

Who can perform the audit?

ENX appoints independent audit providers for each country. These TISAX auditors – officially: TISAX Audit Provider (XAP) – are responsible for checking the implemented ISMS as well as the self-disclosures from the participating companies. These include, for example, classic auditing organizations such as DEKRA or various TÜV groups. A list of audit service providers can be viewed on the ENX homepage.

While only these few organizations are allowed to perform the audit, you can also seek support for preparation from other service providers. IT-Kompass has been active in the field of IT security for many years and can therefore support you with a great deal of experience.

What is the benefit of a TISAX consultation?

Implementing an Information Security Management System (ISMS) is the basis for a successful TISAX audit, but this requires good preparation and planning. To ensure that you do not have to tackle this task alone, you should engage an external service provider to provide you with advice and support. This way, you can be sure to successfully pass the TISAX audit.

Your partner for TISAX: IT-Kompass helps you prepare

A friendly businessman leaning casually against a wall

As IT experts, we also know our way around information security. We support you in integrating an effective ISMS into your company. With our help and expertise, you can prepare your system for the TISAX audit. In addition, we can also provide you with competent assistance on many other IT and security issues. Consult with us today!