Trusted Information Security Assessment Exchange (TISAX)

What is TISAX?

Trusted Information Security Assessment Exchange (TISAX) is a vendor due diligence standard used in the automotive industry to verify that third-party suppliers’ cybersecurity programs provide adequate protection for the information the automotive supplier shares. In short, if you are doing business with a German automotive company or a key supplier to the German automotive industry, you are likely to be asked to undergo a TISAX assessment.

What are TISAX Assessment Objectives (AO), and how do they impact my assessment?

TISAX defines eight potential AOs, of which one or more will apply to your organization. You must know which AO(s) are required before moving forward.

  • AO1 & AO2 apply to shared information with high or very high protection needs, and one or the other will apply to most assessments. These AOs outline ~41 information security objectives and ~200 security requirements that need to be achieved. The information security objectives and requirements are derived from and cross-referenced to ISO 27001.
  • AO3 through AO6 apply to different use cases of automotive prototypes (parts, vehicles, test vehicles, and events). These AOs outline ~22 security objectives and ~100 security requirements that need to be achieved. All these AOs automatically bring AO1 into the scope of the assessment.
  • AO7 & AO8 apply to Personal Information (PI) shared with your organization that requires protection per GDPR Article 28 Processor requirements, or that falls under the special categories of data specified in GDPR Article 9. These AOs outline four privacy objectives and ~30 privacy requirements that need to be achieved. Although there are only four privacy objectives, these AOs are intended to validate that you have a verifiable GDPR-compliant privacy program. Both AO7 & AO8 automatically bring AO2 into the assessment.

| No | Assessment Objective | Abbreviation |
|----|----------------------|--------------|
| 1 | Handling of information with high protection needs | Info high |
| 2 | Handling of information with very high protection needs | Info very high |
| 3 | Protection of prototype parts and components | Proto parts |
| 4 | Protection of prototype vehicles | Proto vehicles |
| 5 | Handling of test vehicles | Test vehicles |
| 6 | Protection of prototypes during events and film or photo shoots | Proto events |
| 7 | Data protection: according to Article 28 (“Processor”) of the European General Data Protection Regulation (GDPR) | Data |
| 8 | Data protection with special categories of personal data: according to Article 28 (“Processor”) with special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR) | Special data |

What are TISAX Assessment Levels (AL), and how do they impact my organization?

  • AL1: An AL1 is a self-assessment. For AL1, an auditor only validates the existence of a completed self-assessment. They do not assess the self-assessment content or require further evidence. Results of assessments in assessment level 1 have a low trust level and are thus not formally used in TISAX. However, your client may request such a self-assessment.
  • AL2: An AL2 is a third-party plausibility check on your self-assessment performed by a certified TISAX auditor. The auditor will look for evidence of assertions and interview the person in charge of information security. The review is usually performed off-site. It is possible to shift an AL2 to a full remote assessment, sometimes called an AL2.5. However, you will still only receive an AL2 attestation.
  • AL3: An AL3 is a comprehensive third-party verification of your company’s compliance with the applicable requirements. The auditor uses your self-assessment and submitted documentation to prepare the assessment. But in contrast to assessment level 2, the auditor will verify everything. The review is performed on-site.

What role does PPS play in the TISAX process?

PPS acts in a consultative role in preparing your organization for completing a TISAX Assessment. The process generally includes the following:

  • Identifying the TISAX scope through artifact review and interviews
  • Conducting a TISAX maturity assessment against the AO-relevant controls
  • Delivering a Gap Remediation plan which details recommended actions to move your controls to the target level and to reduce risk to an acceptable level (may or may not be the same recommendation/maturity level)
  • Support selecting the optimal TISAX-authorized audit provider
  • Collaborative execution of required remediations
  • Validation of the effectiveness of all remediation activities
  • Support during your AL3 assessment

Where can I find additional information on TISAX?

The ENX Association administers TISAX.
https://www.enx.com/en-US/TISAX/

What if we are already ISO 27001 certified?

The good news is that the controls relating to information protection are directly mapped to ISO 27001. Clients that are already ISO 27001 certified will need to gap-assess their current ISO 27001 controls against the prescriptive elements of TISAX to see if and where any fine-tuning of their ISMS is necessary.