Technical Guide TISAX® - Trusted Information Security Assessment Exchange

In today's digitized business environment, information security has become an increasingly critical prerequisite for manufacturers, suppliers and service providers cooperating across the automotive value chain. The Trusted Information Security Assessment Exchange (TISAX®) provides members a standardized information security status to be shared among partners working throughout the automotive industry.

Contents
1. TISAX® overview and benefits
2. Roles of participation
3. TISAX® scopes of assessment
4. Established VDA ISA requirements
5. Registered TISAX® subscriber
6. ISO 27001 vs. TISAX®
7. Defined TISAX® protection and assessment levels
8. Test marks and labels
9. Assessment objectives for TISAX® prototype protection

Page 1 / 8

1. TISAX® overview and benefits

Goals
TISAX® has been developed specifically for the automotive industry and aims to ensure the recognized integrity of your information security system. The TISAX® platform provides members a standardized assessment of their information security status to be shared with partners working throughout the value chain. Your achieved protection class is conveniently registered on a dedicated digital platform and provided to selected members requesting your TISAX® status.

Partners in the TISAX® assessment include:
• The ENX association
• An authorized audit provider
• A participant company applying for certification

TISAX® certification is valid for a period of three years.

At its core, TISAX® aims to establish standardized labeling based on criteria common within the automotive industry. TISAX® has been developed to provide a community environment in which the performance and security of IT and IS systems can be shared.

[Figure: Interaction during the assessment process. The ENX Association, the Audit Provider and the Participant are linked by registration, contract, audit provider selection and assessment.]

Registered partners share confidential information and need to be absolutely sure that others are continuously handling information according to established TISAX® standards. Based on assessment results, the information security status of each registered participant is available on the online platform. No TISAX® member has automatic access to the assessment results and the status of others. Selected partners with which information is shared are determined by each TISAX® participant on a case-by-case basis.

Phases of TISAX® certification
1. Registration on the TISAX® platform
2. Selection of an audit provider
3. Preliminary verification of label/scope assessment, information protection class, and simplified group assessment (if possible)
4. Execution and signing of the contract
5. Self-assessment (Assessment Level 1)
6. Off-site audit (review of Assessment Level 1 according to documentation and label/scope confirmation or Assessment Level 2), optional
7. On-site audit (Assessment Level 3)
8. Label validation
9. Audit information shared with exclusive TISAX® partners designated by the audited member company

TISAX®, VDA and ENX
Established in early 2017, the TISAX® testing and exchange mechanism was founded on the German Association of the Automotive Industry (VDA) catalog of ISA (Information Security Assessment) requirements.

Founded in 2000, the ENX Association is a legally independent union of companies and national associations including Audi, BMW, Bosch, Continental, Daimler, DGA, Ford, Magna, PSA Peugeot Citroën, Renault, Volkswagen, ANFAC (Spain), GALIA (France), SMMT (UK) and VDA (Germany). It supervises the performance of certified service providers, operates central ENX network services and supports providers with efficient solutions.

[Figure: TISAX Assessment Flow Chart. Registration, choice of AP, KOM, self-assessment (AL 2), OM, initial assessment (AL 3), non-conformities with corrective action plan, temporary label, follow-up assessment within 9 months, label (validity: 3 years). KOM = Kick-off meeting, OM = Opening meeting, AL = Assessment level, AP = Audit Provider.]

Benefits of TISAX® certification
In addition to the added value of your recognized information security status, TISAX® certification provides you the following advantages:
• Increased credibility with a certified information security system
• Cross-company recognition among TISAX® members
• Strong strategies for effective risk management
• Transparency through the harmonized VDA ISA catalog
• Sharper focus on customer needs and expectations
• Internationally recognized listing on the TISAX® online platform
• Complete control over who can access your assessment results
• TISAX® assessment every three years, eliminating time and money spent on multiple checks

2. Roles of participation

Member organizations participating in the exchange model may adopt either a passive or an active role according to each particular circumstance:

Passive participant (e.g. OEM, automotive manufacturer): Calls for another company such as a supplier to undergo assessment and requests access to the assessment results.

Active participant (e.g. supplier): Either orders assessment or is called on by an OEM or customer to undergo assessment. The active participant then provides selected partners access to the assessment results.

The three steps of participation:
1. Registration: Your selected TISAX® provider gathers information about your company and determines the scope of your assessment.
2. Assessment: Assessment(s) are conducted by an accredited TISAX® audit provider.
3. Exchange: Assessment results and certification(s) are exclusively shared with designated partners.

[Figure: Roles of participation. (1) The passive participant requests assessment from the active participant; (2) the active participant gets TISAX®-assessed; (3) the active participant shares the result with the passive participant.]

STEP 1
Clients can register on the TISAX® platform and are required to follow a specific process to obtain a "participant number". During the online TISAX® registration process candidates must:
• Provide contact details and billing information
• Accept TISAX® terms and conditions
• Define the scope of the information security assessment

TISAX® assessment scope and duration
The audit scope is based on the VDA ISA catalog. Audit duration is calculated according to the determined scope and cannot be pre-calculated based solely on the structure of the organization.

STEP 2
Assessment is broken into four sub-steps:
• Assessment preparation: The extent of preparation depends on the current maturity level of the information security management system and must be based on VDA ISA catalog requirements.
• Audit provider selection: Participants choose their preferred partner from the list of accredited TISAX® audit providers.
• Information security assessment(s): The audit provider conducts the assessment based on a scope determined by the requirements of the requesting partner. Each assessment process consists of at least an initial audit, with additional actions necessary for those who do not immediately pass.
• Assessment result sharing: Upon the completion of a successful audit, the report and results are shared at the approval of the active participant.

STEP 3
Results are entered on the TISAX® platform to be exclusively shared with designated partners on a case-by-case basis. The content of your TISAX® report is structured in levels and only you are authorized to decide the level at which your partner will have access. Publication of the results and assessment label by TISAX® and ENX on the TISAX® digital platform makes your certification official.

3. TISAX® scopes of assessment

Scopes of assessment available to you:
• Standard Scope: Applied in the majority of cases, the standard scope is pre-defined to include all resources and processes used in collecting, storing, and managing digital information.
• Customized Extended Scope: Tailored to meet your needs beyond standard scope perimeters.
• Customized Narrowed Scope: Tailored to meet only specific needs in a reduction of the standard scope (no label can be issued).

[Figure: Nested scopes of assessment: Extended Scope, Standard Scope, Narrowed Scope.]

VDA ISA criteria catalog | Protection Level (PL) | Assessment objective | TISAX® Assessment Level
Information security | high | Information with high protection level | AL 2
Information security | very high | Information with very high protection level | AL 3
Prototype protection | | Handling of prototypes with high protection level (for further information please see chapter 10) | AL 3
Data protection | high | Data protection according to German §11 BDSG ("Auftragsdatenverarbeitung") | AL 2
Data protection | very high | Data protection with special categories of personal data, data protection according to German §11 BDSG ("Auftragsdatenverarbeitung"), special categories according to German §3 section (9) BDSG ("Besondere Arten") | AL 3

TISAX® certification culminates with an achieved assessment label symbolizing the assessment result. There are four different label categories that can be required by various partners. Defined at the beginning of the process, assessment objectives are audited and assigned the appropriate assessment level status upon successful completion of the audit. Degrees of "high" or "very high" define the achieved protection level in each category.

5. Registered TISAX® subscriber

Access to TISAX® is available to registered subscribers via the online TISAX® portal. Registration is the prerequisite to choosing an accredited TISAX® auditor from the list of authorized service providers. A single organization may register several locations and have a group assessment carried out if needed. After assessment based on VDA ISA requirements, active participants can provide information to be