Trusted Information Security Assessment Exchange (TISAX)

TISAX Certification: Ensuring Information Security Excellence

The implementation of the Trusted Information Security Assessment Exchange (TISAX) has become increasingly important for automotive suppliers. It started with VDA (the German Automakers union)and the German OEMs a few years ago, but has now moved to North America and other parts of the world with major manufacturers, such as PACCAR and Stellantis, requiring TISAX assessments to ensure strong information security practices across their supply chains.

PACCAR, for example, mandates that suppliers obtain a TISAX (AL3) label, particularly for those whose operations directly impact production continuity. Alternatively, an ISO 27001 certificate covering the relevant products and services may also be accepted. These cybersecurity requirements are being phased in with PACCAR directly communicating specific deadlines to its suppliers (Paccar Inc.).

Meanwhile, Stellantis is currently working on consolidating its requirements and plans to release unified Customer Specific Requirements (CSRs) in early 2025. Suppliers are encouraged to proactively align with TISAX standards in anticipation of these new expectations (IATF Global Oversight).

Given these industry developments, it is critical for suppliers to begin the TISAX assessment process as soon as possible to meet OEM expectations. For organizations seeking guidance on achieving TISAX certification, Omnex offers specialized support to help navigate these essential requirements.

Why Your Organization Needs a TISAX Label?

TISAX stands for Trusted Information Security Assessment Exchange, a platform operated by the ENX Association to register organizations with the need to securely exchange data with its customers and partners. Several OEMs are already establishing TISAX certification as a basic requirement for their suppliers to qualify for RFQs. In other words, no TISAX means you don’t qualify to quote on new business opportunities.

On the other hand, many organizations have chosen to pursue the TISAX assessment process and/or certification for their information security management systems. This decision may be driven by the need to meet customer expectations for information security or mandates from their senior leadership to safeguard their business assets.

Obtaining a Desired TISAX label?

TISAX labels are based on the results of Information Security Assessment questions. OEM’s based on an assessment of the risk posed by the Supplier will establish an Assessment Level that has to be met, usually AL2 or AL3. These questions cover various aspects, including information security, prototype vehicles, prototype parts, and special data privacy controls. They also assess the levels of process maturity related to the TISAX controls.

These questions are provided in the Information Security Assessment (ISA) workbook, which is made available by the ENX Association.

ISO/IEC 27001 and TISAX Control Questions

To understand the nature of TISAX control questions given in the VDA ISA workbook, one should review the controls outlined in Annex A of the ISO/IEC 27001:2022 standard. Annex A comprises a comprehensive list of best practice information and cybersecurity controls. These controls are essential for every organization to implement, as they serve to safeguard critical business and information assets. Their purpose is to prevent the loss of confidentiality, integrity, and availability (CIA) of these assets.

The primary objective of Information Security Assessment (ISA) is to gain insights into the potential risks associated with ineffective prevention controls on an organization's business assets, partner/customer information, prototypes, and personal (identifiable) data with stringent protection requirements.

Protecting Our Customers and Their (Design) Information

OEMs often share their intellectual property and proprietary standards with their supplier base to foster collaboration, particularly in areas like prototype design. However, exchanging data and informational assets along the supply chain can lead to potential risks, including data loss, manipulation, or theft of product and trade secrets, if proper protection measures are not in place.

Ensuring confidentiality, maintaining asset integrity, and ensuring data availability when and where needed are fundamental goals of an effective Information Security Management System (ISMS). The ISMS serves as the foundation for obtaining the desired TISAX label. Without a solid ISMS framework, it is unlikely that the implemented TISAX controls will yield the expected results.

OMNEX TISAX and ISO 27001 ISMS Services

Omnex offers TISAX Requirements Training and ISO 27001:2022 awareness training programs for leadership, IS/IT managers, process owners, and ISMS implementors. In addition to TISAX gap assessments and ISMS implementation support, Omnex provides ISO/IEC 27001:2022 ISMS audit services and lead auditor certification.

Training icon Training

Training iconConsulting Quote

webinar icon Webinars

Aligning your Information Security Management System framework with TISAX Controls

Speakers:

Martin Hettwer, Kumar Sivan

Watch Webinar
TISAX – An Automotive Industry Cybersecurity Requirement

Speakers:

Martin Hettwer, Laura Flanagan

Watch Webinar
Trusted Information Security Assessment Exchange (TISAX) - An Automotive Industry Cybersecurity Requirement

Speakers:

Martin Hettwer, Laura Flanagan

Watch Webinar
Information Security Management: An Industry Priority (ISO 27001)

Speakers:

Jeff Spira, Laura Flanagan

Watch Webinar

Whitepaper icon Whitepapers

Implementing an Information Security Management System (ISMS) based on TISAX

By

Martin Hettwer

click here

Case Stydy icon Case Studies

Best Practices for Implementation of TISAX and Information Security Controls
click here
Helping Customers Achieve Improved Cybersecurity and Customer Satisfaction with TISAX
click here
Newsletter featuring cybersecurity training calendar edition

FAQ

TISAX or Trusted Information Security Assessment Exchange (pronounced tea-sacks). Is an information and cyber-security assessment model developed to protect organizational assets and shared data. TISAX controls are based on the international standard ISO/IEC 27001.

TISAX is important because it helps companies demonstrate their commitment to data security and compliance with industry standards, fostering trust and collaboration among partners who share data, proprietary designs and organizational knowledge.

A number automotive OEMs (Original Equipment Manufacturers) mandate that their suppliers and partners achieve a prescribed TISAX assessment label as a prerequisite for engaging in new business with them. IATF 16949 also requires consideration of information security and contingency plans to ensure supply.

Omnex offers comprehensive services to assist organizations in getting ready for and efficiently managing TISAX assessments. Our experts can guide you through the process and help you implement necessary security measures.

TISAX certification demonstrates your commitment to establishing secure guardrails around your information network potentially increasing business opportunities. It also demonstrates your organizations commitment to safeguarding sensitive information.

The duration required to attain TISAX label relies on the level of maturity of your Information Security Management System and the existing security measures in effect. Following a formal gap assessment Omnex will provide a tailored implementation timeline.

The need for and acceptance of TISAX labels (certification) varies by industry, but it is generally recognized and demanded in sectors where data security and information protection are crucial, particularly in the automotive or aerospace industry where design responsibilities may be shared. The need for information security as it related to protection goals such as; Confidentiality, Integrity and Availability of data (assets) shall be a major consideration for all organizations given the risks and need for robust information and cybersecurity.

Your certificate typically remains valid for three years, contingent on and specific requirements from the assessment body.

TISAX does not require surveillance audits on a yearly basis. It does recommend reassessments of the ISA as the system evolves or major changes are made.

To obtain TISAX certification, the process generally involves:

  1. Identifying a licensed assessment service provider (3rd party Registrar)
  2. Information Security Management System (ISMS) prepartion
  3. Understanding the requirements, controls and awareness trainings
  4. Implement the ISMS and its controls descibed in ISO 27001 and TISAX ISA
  5. Register and undergo the TISAX assessment,
  6. Address any non-conformities, and continually improve through periodic reassessments of the ISA.

Requirements for becoming a certified TISAX auditor might involve the successful completion of accredited auditor (Omnex) training, acquiring practical auditing experience to ISO 19011, awareness trainings for ISO 27001 (ISMS) and TISAX ISA, and passing the (lead) auditor certification examination also offered by Omnex.

Actually, TISAX and ISO 27001 share many of the same security controls and thus offer benefits related to enhanced data security, compliance, risk management, and protection goals (CIA) with improved trust with partners and stakeholders. TISAX controls are a subset of ISO 27001 Annex A controls. Consider that without the foundation of a robust Information Security Management System (to ISO 27001.2022 Annex A), it is highly unlikely that Information, cyber-security and data protection will be effective for your organization.