Are you a supplier or service provider to the automotive industry? In order to remain competitive in the future, you should urgently acquire a so-called TISAX® certification by 2023. This is a recognized certification of your information security standards.
The following FAQ explains who TISAX® matters to, what it costs and how the certification process works. For a more in-depth look, we recommend our article on TISAX®.
TISAX® stands for Trusted Information Security Assessment Exchange and is a brand of the ENX Association. It is an assessment and exchange mechanism for companies in the automotive industry. Since 2017, the TISAX® label has been regarded as the uniform proof of information security for companies in the industry. It is recognized by all automotive original equipment manufacturers (OEMs).
In terms of content, TISAX® is based on the ISO 27001 standard (an international standard for information security) and the associated introduction of an ISMS (Information Security Management System). The TISAX® assessment process is based on a questionnaire from the German Association of the Automotive Industry (VDA), which covers the specific information security requirements of the automotive sector.
TISAX® certification is not yet mandatory. However, many OEMs (Original Equipment Manufacturers) make certification a condition for cooperation. These include, for example, Audi, BMW, Mercedes-Benz, Porsche, VW and their subsidiaries. It can also be observed that Tier 1 and Tier 2* suppliers now make TISAX® certification a condition for their own suppliers.
Whether you need TISAX® certification depends on your existing or potential clients. If an OEM has not yet asked you for it, you can also wait until you are actively approached on the subject of TISAX®. Because of its increasing relevance, however, our information security experts Alex Fürst and Michael Kirsch recommend that you voluntarily and proactively set out on the path to the TISAX® label. That way you are already prepared when the topic lands on your to-do list sooner or later. After all, the certification process often takes many months and involves considerable costs, so it is better to take care of it early.
If you decide to obtain TISAX® certification, you also need to determine which assessment level to aim for. In some cases, your client will tell you whether you need Assessment Level 2 or 3.
*"Tier" means level and refers to the levels of the supplier pyramid, ordered by distance from the OEM.
The costs of TISAX® vary as much as the duration of the process, and many factors play a role. However, certain fixed costs for the auditor, the audit itself and, if necessary, a follow-up audit apply to all companies. On average, costs of 50,000 to 200,000 dollars can be incurred by the time the assessment is completed.
Efficient preparation for the TISAX® assessment can, however, save some of these costs. Unprepared companies otherwise incur additional costs for remediation during the ongoing assessment process.
Are you a small or medium-sized company that would like to obtain TISAX® certification but is put off by the high costs and time involved? Then we are pleased to introduce our solution “NORM X for TISAX®”.
NORM X puts you on the fast track to the TISAX® assessment! Our solution is based on fully automated software and, with effective processes and the guidance of an Information Security Officer (ISB), saves you up to 70% of the time and costs on your way to the TISAX® assessment.
The duration of the assessment can vary greatly and depends on various factors, such as the size of your company and the number of company locations. For an average company size, 2 to 3 days are sufficient for the assessment itself. What may require more time is the preparation for the assessment. The assessment or audit should only be carried out once you actually fulfill the TISAX® requirements from the TISAX® question catalog. Otherwise you will not pass the audit and will not receive a label, and you risk having to undergo a follow-up audit, which in turn incurs additional costs.
Preparation and the audit process together can take 8 to 12 months. An assessment process must not take longer than 9 months from registration, otherwise you will not receive a label. Sufficient preparation for the assessment is therefore crucial!
Level 1 corresponds to a normal protection requirement. At Level 2, your organization's information security is assessed against a high protection requirement, and at Level 3 against a very high protection requirement.
Normal: The potential damage to the organization is limited and manageable.
High: The potential damage to the organization can be significant.
Very High: The potential damage can reach an existentially threatening catastrophic level for the organization.
As you would expect, the assessment method and the associated effort also differ depending on the assessment level.
The Level 1 assessment is carried out as a self-assessment that is not checked by an auditor. It is therefore only used for internal purposes. Its results have only limited significance and do not constitute a valid TISAX® label, which is why most manufacturers require at least Assessment Level 2.
At Assessment Level 2, the self-assessment is verified by an audit provider accredited by the ENX Association. These audits are often conducted by telephone. An on-site audit only takes place if you have the “prototype protection” module assessed or if you expressly request one.
At Assessment Level 3, an audit provider accredited by the ENX Association performs a comprehensive on-site examination of your self-assessment. This takes 2 to 3 days on average.
For a deeper insight, we recommend our article about TISAX®.
As the name suggests, information security refers to the protection of information and of the systems used to process and store it. These systems can be of a technical or non-technical nature.
Information security aims to establish and maintain the security properties of these systems as far as possible. The introduction of an ISMS (Information Security Management System) is particularly helpful here, as it makes it easier for a company to define, achieve and continuously monitor its information security protection goals.
What exactly is the difference between information security, IT security and data protection?
IT security can be understood as one aspect of the broader topic of information security. The term IT security covers the protection of data and information that is stored and processed electronically, i.e. in IT systems, by means of appropriate measures.
While IT security refers to the protection of technical systems, information security covers the protection of all types of information, because information exists not only in technical systems but also in paper archives and in the heads of employees. It also includes securing the company premises.
Information security is thus more comprehensive than IT security and is therefore the term more commonly used.
Data protection is understood as the protection of personal data. This includes, for example, name, address, telephone number and social security number: in principle, all data that can be used to establish a direct link to a person.
In data protection, the focus is not on the content of the data itself but on the right to process it. With the introduction of the GDPR in 2018, legal requirements for the European area were established and significantly tightened. The GDPR governs the legal conditions under which personal data may be collected, processed or used. Its aim is to protect the privacy of every individual by giving them the right to informational self-determination, which is achieved through appropriate measures based on the GDPR.
Like IT security, data protection is a subarea of the broader topic of information security.
ARTIFICIAL INTELLIGENCE (AI)
AI aims to transfer human learning and thinking to computer systems, giving them intelligence in an artificial way. The computer system learns independently and does not have to be reprogrammed for every case. For example, an AI can find answers and solve minor problems on its own.