Information Security as Critical Success Factor

In the era of digitisation, information security increasingly represents a decisive factor in remaining competitive. This applies in particular to the automotive industry – here companies exchange huge amounts of sensitive data on a daily basis, data that needs to be protected against theft, loss or manipulation. Information security used to be considered the individual concern of each particular company, but this should change in future through the common assessment and exchange mechanism TISAX® (Trusted Information Security Assessment Exchange).

What is TISAX®?

TISAX® is a programme for assessing the information security systems of companies in the automotive sector. It targets data protection and integrity as well as availability, both in the automotive manufacturing process and during vehicle operation. Behind TISAX® stands an Information Security Management System (ISMS) similar to that defined by the International Standard ISO 27001. Based on this standard, the German Association of the Automotive Industry (VDA) developed a set of catalogues of requirements (ISA) for the specific needs of the automotive industry.

The effectiveness of an ISMS can be demonstrated by successfully passing an independent assessment by an authorized partner, for example TÜV NORD. If the assessment is passed, ENX*, the organisation which administers and manages the TISAX® programme, issues a TISAX® label on its online platform.

This label is recognised by all VDA members and vehicle manufacturers such as Audi, BMW, Mercedes Benz and Volkswagen, thus making it easier to participate in future tenders. Participants in the TISAX® programme – there are active and passive ones – exchange information on the status of information security using the online portal. Besides allowing participants to contact each other, the exchange of assessment data via the portal generates confidence and trust within the entire supply chain. Registration on the TISAX® portal is essential for those wishing to participate.

Two Certification Pathways

There are two roles within the exchange model, which each participating company can assume, according to its needs:

1. Passive participant (e.g. OEM, automotive manufacturer): calls for another company (e.g. a supplier) to undergo an assessment and requests access to the assessment results.

2. Active participant (e.g. supplier): a company is either called by another company (e.g. OEM or customer) to undergo an assessment, or undertakes to have an assessment done on their own initiative. After completion, the active participant makes it possible for selected companies (e.g. OEMs) to gain access to the TISAX® portal by registering as a participant.

This is a prerequisite for entrusting an accredited audit provider with the task of carrying out an assessment.

Three Assessment Levels

The ENX Association, as the operator of the TISAX® programme, has clearly defined the level and scope of an assessment. TISAX® differentiates between three different “protection levels” (normal, high, and very high), defining the needed level of protection of the information in question. Furthermore, TISAX® differentiates three “assessment levels” defining the depth of assessment and the assessment method:

1. Information with normal protection level: Assessment level 1 in the form of self-assessment. Results of assessments with assessment level 1 are normally not used in TISAX® but may be requested outside the scheme.

2. Information with high protection level: Assessment level 2 through an audit organisation, using the self-assessment as a basis, as well as various documents and a telephone interview (if required, on-site inspection).

3. Information with very high protection level: Assessment level 3 carried out by an independent audit provider based on documentation and an on-site audit.

The scope and the duration of the TISAX® assessment are in each case essentially determined by the list of criteria to be dealt with, the objectives of the protection, the complexity of the ISMS and the number of sites involved.

TISAX® Assessments with TÜV NORD

TÜV NORD is your preferred partner when it comes to demonstrating the quality of your Information Security Management System (ISMS), and we have been accredited for ISMS auditing and certification by the official German accreditation body (DAkkS) for many years. Specifically for the automotive sector, TÜV NORD is approved as a TISAX® Assessment Provider (TISAX® AP) by the ENX Association, with authority to perform assessments throughout the world.

*Notice: TÜV NORD CERT GmbH is authorized by ENX to offer TISAX® assessment services. The Intellectual Property associated with the TISAX® program and the related trademarks are held by ENX.

Roadmap to TISAX® Certification

  1. Online registration on the TISAX® platform
  2. Selection and appointment of an accredited audit provider, e.g. TÜV NORD CERT
  3. Performance of the assessment, using documentation or on-site audits
  4. Exchange of information on the results of the audit with other selected TISAX® participants, based on explicit authorization by the audited company.

We look forward to your enquiry

TÜV NORD Singapore
20 Bendemeer Road #04-06 BS Bendemeer Centre
Singapore 339914

Tel.: +65 6904 6700
singapore@tuv-nord.com