TISAX® process: step by step explanation


TISAX® is of fundamental importance for companies in the automotive industry that work with sensitive data
The TISAX® standard is relevant for manufacturers (Original Equipment Manufacturers – OEMs) for internal purposes, as well as for their supply chain and for service providers in the industry.

But what exactly is the TISAX® process about? How is the process structured and what purpose does the standard serve?

TISAX Process in four steps

Step 1: Initiation of the process

The TISAX® process usually starts with one of your business partners – e.g. an OEM such as Audi or VW – asking you to obtain the TISAX® label in order to demonstrate a specific level of information security in your organisation. Alternatively, you can start the process voluntarily or proactively if you fear that you will be requested to get TISAX® certified in the future anyway or to significantly increase your competitive chances.

If your suppliers also handle your partners’ sensitive information, it may even make sense for you to ask your own suppliers to undergo a TISAX® assessment. 

Step 2: Registration

To initiate the TISAX® process, you must complete the online registration in the ENX Association portal. Registration is subject to a fee. By registering, you agree to the ENX General Terms and Conditions of Participation. The price list and conditions of participation can be accessed online:

During the registration process, you will be requested to provide information about your company, such as

  • contact details,
  • the intended TISAX® assessment objectives,
  • the scope of the assessment.

Your partner will probably specify which assessment objectives your company has to achieve. The assessment level (level 1, 2 or 3) is then determined based on the assessment objectives. The higher the protection requirement of the information, the higher the assessment level. A higher assessment level also increases the effort required for the audit, as greater care and accuracy are required in the audit (see step 5).

Step 3: Preparing the Assessment

The extent of preparation for the TISAX® assessment depends on the current maturity level of your information security management system (ISMS) and the assessment level. To check whether your ISMS already meets the audit standard, you can complete the self-assessment questionnaire based on the criteria catalogue of the German Association of the Automotive Industry (VDA). Depending on your audit objectives, only the first catalogue on information security or also the additional ones on prototype protection and/or data protection are relevant for you:

  1. Catalogue on Information Security
  2. Catalogue on Prototype Protection
  3. Catalogue on Data Protection

The current VDA ISA criteria catalogue can be downloaded via ENX Website:

Before you attend the assessment, you should make sure that your ISMS is performing at its best. According to ENX, you are definitely ready for a TISAX® assessment if your result (“target maturity level”) is (almost) “3.0”. Otherwise, you should undertake further preparation.

Our experts will support you in preparing for TISAX®.

If you wish, we can not only support you with the preparation, but also take over the communication with the certification body/auditor until the audit is successfully completed.

Step 4: Selecting an auditor

As soon as you are ready for the audit, you can choose an auditor. The auditor must be authorised by the ENX Association and should not have previously provided consultancy services to your company. All authorised auditors carry out the audits according to the same criteria and identical test methods. In theory, you therefore have a free choice and can obtain various offers before making a final decision.

Step 5: TISAX® Audit

Assessment Level 1

The assessments differ depending on the assessment level. The audit for Assessment Level 1 checks whether you have submitted a completed self-assessment questionnaire. However, the auditor does not check the content and does not require any further evidence of the information you have provided. The results therefore only have a low confidence level and limited significance.

Assessment Level 2

During the Assessment Level 2 audit, a plausibility check is carried out based on your self-assessment. Evidence for the information you have provided is checked and an interview is conducted with the person responsible for information security. This usually takes place as a web conference, but can also take place on site on request.
As only plausibility is checked at Assessment Level 2, but nothing is verified, the test results cannot be used as the basis for an upgrade to Assessment Level 3. The effort required for an upgrade to Assessment Level 3 is almost the same as for a completely new audit.

Assessment Level 3

The highest assessment level includes a comprehensive review and verification of your compliance with the current TISAX® requirements. The auditor will

  • review the documents and evidence you have submitted.
  • conduct planned and unplanned interviews with the process owners.
  • observe the implementation of the processes on site and check the local conditions.

The Audit Process

The audit process consists of at least an initial audit. If your company does not pass the audit immediately, further steps are required. If deviations are identified in the initial audit, an action plan is drawn up to eliminate them. Once your company has implemented the measures, the follow-up audit takes place. In theory, you can carry out as many follow-up audits and action plan updates as you need.

Once you have passed the assessment, you will receive the TISAX® Assessment Report from the assessment service provider.

Step 6: Obtaining the audit results

With the official TISAX® assessment report, you receive the TISAX® label in addition to your assessment result. The label summarises your assessment results and certifies that your information security management system fulfils the defined assessment requirements.

Your assessment result is valid for three years, with the validity period beginning at the end of the assessment process – even before the TISAX® assessment report is issued.

Step 7: Exchanging Audit Results

Once you have received your audit results and sent them to the ENX exchange platform, you can share them with your partner. The transmission usually takes place 5-10 working days after passing the assessment. Your TISAX® assessment report is organised into several levels, and you can decide which level your partner should have access to.

Overall duration of the process

It is not possible to give a reliable indication of the duration of the process. The total duration of the TISAX® process depends on a variety of factors, such as the size of the organisation, the number of sites to be assessed, the assessment objectives, the status of your current information security management system, etc.