February 8, 2023

Last Updated on July 16, 2024

An organization’s specific TISAX requirements are usually driven by an automotive OEM, Tier 1 supplier, or other major customer. These requirements actually start with the TISAX labels your customer is directing your company to earn. The mandated labels dictate the assessment objectives and assessment levels you strive for. Once you’ve chosen an approved auditor, undergone your TISAX audits(s), and been awarded your TISAX labels, you have objective evidence—good for three years—that your security program meets the necessary requirements.

In short, TISAX isn’t “one size fits all.” So how does the program work and how do the objectives, levels, and labels fit together.

To share a comprehensive overview of TISAX and how it works, a recent episode of The Virtual CISO Podcast features Ed Chandler, National Sales Manager at TÜV SÜD America. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

TISAX assessment objectives
Among the most pivotal elements of the TISAX assessment process are the assessment objectives.

TISAX is built around three main assessment objective categories, each of which includes two or more specific objectives for a total of eight assessment objectives. A company must comply with at least one and possibly as many as six of these objectives.

According to the TISAX Participant Handbook, the current TISAX assessment objectives include:

1 Handling of information with high protection needs Info high
2 Handling of information with very high protection needs Info very high
3 Protection of prototype parts and components Proto parts
4 Protection of prototype vehicles Proto vehicles
5 Handling of test vehicles Test vehicles
6 Protection of prototypes during events and film/photo shoots Proto events
7 Data protection (according to Article 28 (“Processor”) of GDPR) Data
8 Data protection with special personal data categories (per GDPR #28) Special data

 

The three assessment objectives are the cybersecurity objectives (#1 and #2), the prototype objectives (#3 through #6), and the data protection objectives (#7 and #8).

According to Ed, most companies that need to meet data protection objectives are service providers, such as HR or marketing companies. Those with prototype requirements are dealing directly with prototype vehicles or parts.

If you have any of the objectives #3 through #8, your “protection needs” objective is likely to be Info very high (#2). Only a subset of suppliers handling relatively less sensitive data can meet the lower Info high (#1) criteria.

 

TISAX assessment levels

The higher the protection needs your customer needs you to meet, the greater their need for assurance that you can keep their data safe. This gives rise to three TISAX assessment levels, which specify the assessment method the audit provider will apply. The higher the assessment level, the greater the level of effort at audit time, and the more accurate (and therefore trustworthy) the audit results.

The three TISAX assessment levels are:

  • Level 1—basically a rigorous self-assessment. Here the auditor will simply check that a self-assessment has been performed, but will not evaluate it. This obviously yields a low trust level and does not meet TISAX requirements per se. But it can be helpful as a starting point for companies looking to mature their security programs.
  • Level 2—a “plausibility check” of a company’s self-assessment for all locations in scope, usually done remotely. Orgs looking to meet assessment objective #1 or #7 can choose Level 2.
  • Level 3—a comprehensive onsite (with caveats) verification of compliance with applicable requirements, similar in scope, effort, and duration to a SOC 2 or ISO 27001 audit. Meeting assessment objectives #2, #3, #4, #5, #6, and/or #8 all require assessment Level 3.

If your business needs to meet multiple TISAX assessment objectives, to accomplish that with one audit you would need to meet the “highest common denominator” assessment level, as Ed puts it. So, if you need to meet objectives #2 and #7, you’ll need a Level 3 audit.

Ed notes that many of the more rigorous TISAX controls have to do with physical security requirements for prototypes.

“They want to ensure that you’re not putting a prototype BMW next to a prototype Volkswagen next to a prototype Mercedes in the same garage,” Ed jokes.

“And your testing techs aren’t taking an undisguised vehicle into town for lunch so that Motor Trend paparazzi can photograph it and post images in their online magazine,” John quips back.

 

What’s next?

To hear this podcast episode with TISAX thought leader Ed Chandler all the way through, click here.

Have you heard about Shared Assessments to reduce vendor due diligence effort and risk? Here’s an overview: Shared Assessments – They’re Not Just Vendor Risk Management