TISAX®: Definition, Costs, Process & TISAX® Label

TISAX Label Requirements: Definition, Costs, Process and the TISAX Label


To do: Get your TISAX® Label

The TISAX® label is currently on the to-do list of many companies operating in the automotive industry. The TISAX® label demonstrates to OEMs (Original Equipment Manufacturers) that a company places a high value on information security. Companies that hold the label prove that they meet the high TISAX® requirements on information security. Manufacturers / OEMs use the TISAX® label, among other things, as a basis for selecting their business partners.

Your company is operating in the automotive industry but you are not yet on the way to getting your TISAX® label? In this article, we inform you about everything you need to know to get the label and conclude by presenting a time- and cost-efficient way that leads you to the TISAX® assessment!

Definition of TISAX®

TISAX® means Trusted Information Security Assessment Exchange. It is a testing and exchange mechanism for companies of the automotive industry. Since 2017, the TISAX® label has been accepted as a standardized proof of the level of information security. It is accepted by all automotive manufacturers / OEMs.

The content of TISAX® is based on the ISO 27001 standard (an international standard for information security) and the corresponding implementation of an ISMS (Information Security Management System). The TISAX® auditing process is based on a questionnaire which was developed by the German Association of the Automotive Industry. It contains the special requirements for information security in the automotive sector.

Overview

TISAX® is a registered trademark of the ENX Association. To obtain the TISAX® label, you must register on the ENX Association portal and undergo the assessment and audit. In the ENX portal you can also find qualified TISAX® auditors. After the assessment, the audit results are then uploaded in the ENX portal. The portal thus serves as a platform and offers all TISAX® participants the opportunity to view and compare their results.

VDA-ISA Questionnaire for TISAX®

The evaluation of the audit results is based on the VDA-ISA questionnaire. VDA stands for the German Association of the Automotive Industry and ISA for Information Security Assessment. The questionnaire was defined by the VDA and is continuously updated.

If you would like to get an overview on the specific TISAX® requirements, you can download the VDA-ISA questionnaire from the VDA website. There you will find the questionnaire available in the latest version. The Excel file contains the various modules that are relevant for the TISAX® assessment.

The questionnaire in the current version 5.1 (September 2022) consists of a total of three modules:

  1. the main module “Information Security”
  2. and the additional modules “Data Protection”
  3. and “Prototype Protection”.

The main module “Information Security” is tested as a mandatory module in every TISAX® assessment. Various references to the ISO 27001 standard can be found here, as the questionnaire is based on it.
The two other modules, on the other hand, are not compulsorily tested. If an OEM or business partner asks you to get a TISAX® label, they will tell you at the same time whether you have to fulfill the additional modules or not. Of course, you can also decide to audit the additional modules voluntarily. This depends on your own information security standards.

In summary: In the automotive industry, the TISAX® label has been considered as a proof of corporate information security standard since 2017. It is accepted by all industry participants and is even demanded by automotive manufacturers (OEMs) and larger suppliers as a condition for cooperation.

You do not want to face the TISAX® challenge alone? We will be pleased to explain to you in a non-binding meeting how we can support you on your way to the TISAX® label .

Who needs the TISAX® label and which OEM requires it?

Many OEMs impose a successful TISAX® assessment as a precondition for (future) cooperation. These include, for example, Audi, BMW, Mercedes-Benz, Porsche, VW or their subsidiaries. However, it can be observed that Tier 1 and Tier 2 suppliers have lately also been imposing the TISAX® label as a requirement on their own suppliers.

Which companies are already TISAX® certified?

In 2021, around 2,500 companies worldwide were already certified – and the trend is rising. More and more suppliers are catching on to the trend and are even proactively seeking a TISAX® label.

Do I mandatorily need a TISAX® certification?

Whether or not you need the TISAX® label depends on your existing or potential contractors. If you have not yet been requested by an OEM to obtain the label, you can also wait until you are actively approached on the topic of TISAX®. Due to its increasing relevance, our information security experts Alex Fürst and Michael Kirsch recommend that you voluntarily or proactively begin to prepare for the TISAX® assessment. This way, you are well prepared if the topic lands on your to-do list sooner or later. Since the certification process takes many months and involves high costs, it is better to address it at an early stage.

If you choose to obtain a TISAX® label, you will also need to determine which assessment level you wish to pursue. In some cases, your contractor or OEM will tell you whether you need Assessment Level 2 or 3.

FAQ: Which assessment levels and TISAX® labels are there?

A distinction is made between assessment levels 1, 2 and 3. As the level increases, so do the requirements for getting certified.

Comparison of the assessment levels

Level 1 covers a normal level of protection. At level 2, your organization is assessed for a high level of protection in terms of information security, and at level 3 a very high level of protection is demanded.

Normal: The potential damage to the organization is limited and manageable.
High: The potential damage to the organization can be significant.
Very High: The potential damage can reach catastrophic levels that threaten the existence of the organization.

As can be expected, the auditing method and the associated effort also differ depending on the assessment level.

The Level 1 Assessment is a self-assessment that is not checked by a qualified auditor. It is therefore usually used for internal purposes. These test results have only limited significance and do not represent a valid TISAX® label. Therefore, most manufacturers require at least Assessment Level 2.

At Assessment Level 2, your self-assessment is reviewed by a qualified auditor. This is usually done via telephone. An on-site audit is only conducted if you request the additional module “Prototype Protection” to be audited or if you explicitly request an on-site audit.

At Assessment Level 3, your self-assessment is reviewed by an auditor in a detailed on-site examination. This takes 2-3 days on average.

What is the TISAX® label and where can it be consulted after the assessment?

After you have successfully completed the assessment, you will receive a label summarizing your audit results. The label, along with information about your assessment, can then be consulted in the ENX portal, i.e. by the OEMs. In return, you can of course also view the TISAX® labels and results of the other participants.

Is an ISO 27001 certification a necessary prerequisite for the TISAX® assessment?

An already established and certified ISMS (Information Security Management System) in accordance with the ISO 27001 standard is not a prerequisite for the TISAX® assessment. For the assessment, you only need to prove that you are working with an Information Security Management System and that the corresponding processes and procedures are implemented in the company. However, an existing ISO 27001 certification will definitely provide you with a good basis for the TISAX® certification process.

Advantages of the TISAX® Label

There are many advantages for TISAX® certified companies:

Procedure and duration of the TISAX® certification process

The duration of the assessment can vary significantly and depends on various factors, such as the size of your company and the number of company sites. For a company of average size, 2 to 3 days on site are sufficient for the assessment procedure itself. What can require more time, however, is the preparation for the assessment. The audit should only be conducted once you are sure that you meet the TISAX® requirements from the VDA-ISA questionnaire. Otherwise, you will not pass the audit and will not receive a TISAX® label. You will then have to undergo a follow-up audit, which in turn incurs additional costs.

The preparation and the audit together can take 8 to 12 months. The assessment process itself may not exceed 9 months, starting with your registration in the portal of the ENX Association. Otherwise you will not receive a TISAX® label. Sufficient preparation for the assessment is therefore crucial!

After registration, you will go through the following steps on your way to get the TISAX® label:

Contact person for assessment and certification

If you wish to have a TISAX® audit conducted, it can only be done by ENX approved auditors with special accreditation for TISAX®. In order to be able to guarantee the high standard of the TISAX® label, the auditors must have sufficient know-how. One example for a possible auditor would be TÜV SÜD. In the ENX portal you can find other suitable auditors and options to contact them.

How long is my TISAX® label valid?

Once you receive your label, it is valid for 3 years. After that, it must be renewed. The costs for renewal are usually lower than for initial certification. In this case, you already have experience and most required processes are already established.

Costs of a TISAX® certification process

The costs for TISAX® vary as much as the duration, since here again many factors are involved. However, certain fixed costs for the auditor, the audit itself and, if necessary, a follow-up audit apply to all companies. On average, expect between $50,000 – $200,000 to complete the assessment.

Efficient preparation for the TISAX® assessment can, however, save some costs. Otherwise, unprepared companies will face costs for optimizations during the ongoing assessment process.

Cost and time efficient way to the assessment

As a small or medium-sized company, you would like to obtain a TISAX® label, but you are deterred by the high costs and time involved? Then we are pleased to present you our solution “NORM X”.

NORM X gets you on the fast track to TISAX® assessment! Our solution is based on an automated software and saves you up to 70% time and costs on your way to the TISAX® Assessment with the help of effective processes and the management of an Information Security Officer (ISO).

TISAX® Audit for groups

It is also possible to perform a TISAX® group audit to provide cost savings to companies with many sites. However, there are a number of requirements that must be met in order to participate in such a group audit.

Summary

The OEMs and larger suppliers of the automotive industry impose the TISAX® label on their suppliers as a prerequisite for (further) cooperation. Although the label is NOT mandatory, it is recommended to proactively prepare for TISAX® certification. This way, you will not unintentionally run into time constraints later on when TISAX® becomes relevant for you, which could put your business partnerships at risk. We help you prepare for the assessment quickly and cost-effectively with our solution “NORM X”.

Would you like to find out more about TISAX® or benefit from our NORM X solution? We will be pleased to explain how we will get you on the fast track to the TISAX® assessment!