TISAX Assessment

What is TISAX Assessment?

The TISAX (Trusted Information Security Assessment Exchange) accreditation is a standardised system for evaluating the information security management systems (ISMS) of organisations in the automotive sector.

What is the objective of TISAX Assessment?

The main objective of TISAX is to create a standardized and reliable assessment process for assessing the information security practices of industry stakeholders, including manufacturers, suppliers, and service providers.

The TISAX certification attests to an organisation’s information security management system’s (ISMS) adherence to the established security levels. This enables businesses to communicate with other businesses in the automotive sector about their information security status, which can prevent duplication of assessments and save time and money.

The PQSmitra Team helps organizations implement the requirements and provides TISAX consultancy services to obtain the certification in the simplest and most systematic manner. Initial review, planning, implementation, and documentation are all covered by the system implementation technique. The PQSmitra Team actively assists organisations in achieving successful system deployment and successful certification outcomes. 100% documentation support is offered to expedite the implementation process.

What are the levels of TISAX assessment?

Assessment level 1

Initial visit and helping in company registration on ENX Portal

Assessment level 2

Online check of the self-assessment by the auditor. An on-site audit will be done if prototype is the assessment objective.

Assessment level 3

On-site inspection by the auditor

TISAX Maturity Level

As per the VDA ISA (Information Security Assessments), an organisation’s information security management system (ISMS) can be classified into 6 maturity levels.
These maturity levels define how well equipped your ISMS is against threats.

Hassle-free TISAX Implementation Process with PQSmitra

PQSmitra adopts a result-oriented approach to effective system implementation at the organization. This simple and practical method of system implementation helps organizations enhance business performance and sustainability. PQSmitra offers 100% documentation support to achieve successful certification in addition to enhanced business performance.
The implementation process is described below:

Simple & Practical Methodology

01. Initial visit and helping in company registration on ENX Portal
02. Gap analysis and planning for the documentation
03. Training and hand-holding/support for implementation
04. Completion of the self-assessment & submission
05. Auditor provider – selection and assessment
06. Receiving assessment result & TISAX label

Frequently Asked Questions (FAQ)

  • Increased customer trust
  • Reduced risk of data breaches
  • Improved compliance with industry regulations
  • Increased efficiency and productivity
  • Industry-wide acceptance
  • International reach
  • Alignment with GDPR

The following parameters are considered during a TISAX assessment:

  • Policies and Organizations: The organization makes sure that the proper policies, procedures, and roles are put in place to support effective information security management.
  • Human Resources: This evaluates the organization’s human resources practices, including employee training, awareness, and the establishment of roles and responsibilities related to information security.
  • Physical Security and Business Continuity: It checks the physical security measures that have been implemented to safeguard physical assets and ensure business continuity in the event of disruptions.
  • Identity and Access Management: A review of policies and procedures for managing user identities, access rights, and authentication mechanisms is performed. Additionally, it ensures that unauthorized access to sensitive information is prevented and that user privileges are effectively managed.
  • IT Security/Cyber Security: To mitigate cyber threats, it ensures that appropriate safeguards are in place to protect sensitive information from being accessed, disclosed, or disrupted by unauthorized parties.
  • Supplier Relationships: Through this process, the organization ensures that it has established guidelines for assessing the information security practices of its suppliers, monitoring their compliance, and mitigating any risks they may pose to its data and systems.
  • Compliance: This confirms that the company has put in place the essential safeguards and measures to satisfy compliance standards and reduce legal and regulatory risks related to information security.
  • Prototype Protection: This ensures that the right safeguards are in place to protect prototypes from unauthorised access, theft, or compromise, lowering the risk of intellectual property theft and ensuring confidentiality throughout the development and testing phases.
  • The TISAX label is valid for 3 years with a single three-year review. However, the temporary label is valid for 8 months.
  • The German Association of Automotive Industry (VDA) has published an Information Security Assessment which serves as a criteria catalogue. On completion of this, we get the criteria on the basis of which the ISMS will be assessed.
  • Based on the VDA ISA catalogue, which is a widely accepted set of security requirements for the automotive industry.
  • An independent assessment mechanism, which means that the assessment is conducted by an accredited independent assessor.
  • Flexible assessment framework, which means that it can be tailored to the specific needs of the company being assessed.
  • Scalable assessment framework, which means that it can be used by companies of all sizes.

If you are a company in the automotive industry that is looking for a way to improve your information security posture, then TISAX certification is a valuable option. It can help you to demonstrate your commitment to information security, reduce your risk of data breaches, and gain the trust of your customers.

  • BUREAU VERITAS
  • DNV
  • DQS
  • KPMG
  • PWC
  • TUV NORD
  • TUV SUD

  • 2017: The TISAX assessment framework is published by the VDA.
  • 2018: The first TISAX assessment is conducted.
  • 2019: The TISAX label is launched.
  • 2020: The number of TISAX-certified companies exceeds 1000.
  • 2021: The TISAX assessment framework is updated to reflect the latest security trends.

  • Within TISAX, ENX Association serves as the governing body. In addition to approving audit service providers, it also keeps an eye on the assessment results’ accuracy in execution. TISAX ACAR is a set of standards that ENX Association upholds.
  • The TISAX assessment process costs EUR 405.00 per location in one scope. There is a discount of 10% per location for 5-9 locations within a scope and a discount of 20% per location for 10 or more locations within a scope.
  • The typical TISAX certification validity period is three years. This means that in order to keep the certification status, it must be renewed every three years. It’s crucial to keep in mind, though, that many contracts and agreements could have specific requirements about how frequently certificates must be renewed.
  • No, a company cannot self-assess for TISAX certification. The ENX Association, which oversees the TISAX framework, requires an independent assessment to be carried out by accredited assessors in order for TISAX certification to be obtained. This guarantees the neutrality and objectivity of the evaluation process.
  • The following information needs to be added at the time of registration:
    • Participant Name
    • Participant Main Contact
    • Participant Address

    For the registration of a scope you need to provide the following information:

    • Scope Name
    • Scope Type
    • Assessment Objectives
    • Scope Locations
    • Main Scope Contact
    • (Additional Scope Contacts)

    Invoice Information

  • Yes, small companies can get TISAX certified. It is possible to adapt the TISAX certification process to the organization’s size and complexity because it is designed to be adaptable and scalable. Nevertheless, small businesses may need to invest time and resources into creating an effective information security management system (ISMS) and preparing for the TISAX assessment process.
  • Depending on how serious the non-compliance is, there may be different repercussions for violating TISAX. Occasionally, non-compliance might result in financial loss, damage to one’s reputation, or legal repercussions. Contracts or other business relationships with TISAX-certified partners may also be terminated as a result of non-compliance. In severe cases, non-compliance could lead to sanctions or legal action.
  • Yes, remote assessments can be used to get TISAX certification, doing away with the necessity for on-site visits by the assessor. Remote assessments can be useful and practical for organisations with a wide range of regional activities or in situations where in-person evaluations are neither feasible nor preferred.
