Why Your Organization Needs a TISAX Label?

TISAX stands for Trusted Information Security Assessment Exchange, a platform operated by the ENX Association to register organizations that need to securely exchange data with their customers and partners.

Many organizations have chosen to pursue the TISAX assessment process and/or certification for their information security management systems. This decision may be driven by the need to meet customer expectations for information security or mandates from their senior leadership to safeguard their business assets.

Obtaining a Desired TISAX Label

TISAX labels are based on the results of Information Security Assessment questions. These questions cover various aspects, including information security, prototype vehicles, prototype parts, and special data privacy controls. They also assess the levels of process maturity related to the TISAX controls.

These questions are provided in the Information Security Assessment (ISA) workbook, which is made available by the German Association of the Automotive Industry (www.VDA.de).

ISO/IEC 27001 and TISAX Control Questions

To understand the nature of TISAX control questions given in the VDA ISA workbook, one should review the controls outlined in Annex A of the ISO/IEC 27001:2022 standard. Annex A comprises a comprehensive list of best practice information and cybersecurity controls. These controls are essential for every organization to implement, as they serve to safeguard critical business and information assets. Their purpose is to prevent the loss of confidentiality, integrity, and availability (CIA) of these assets.

The primary objective of Information Security Assessment (ISA) is to gain insights into the potential risks associated with ineffective prevention controls on an organization's business assets, partner/customer information, prototypes, and personal (identifiable) data with stringent protection requirements.

Protecting Our Customers and Their (Design) Information

OEMs often share their intellectual property and proprietary standards with their supplier base to foster collaboration, particularly in areas like prototype design. However, exchanging data and informational assets along the supply chain can lead to potential risks, including data loss, manipulation, or theft of product and trade secrets, if proper protection measures are not in place.

Ensuring confidentiality, maintaining asset integrity, and ensuring data availability when and where needed are fundamental goals of an effective Information Security Management System (ISMS). The ISMS serves as the foundation for obtaining the desired TISAX label. Without a solid ISMS framework, it is unlikely that the implemented TISAX controls will yield the expected results.

OMNEX TISAX and ISO 27001 ISMS Services

Omnex offers TISAX and ISO 27001:2022 awareness training programs for leadership, IS/IT managers, process owners, and ISMS implementors. In addition to TISAX gap assessments and ISMS implementation support, Omnex provides ISO/IEC 27001:2022 ISMS audit services and lead auditor certification.

Aligning your Information Security Management System framework with TISAX Controls

Speakers:

Martin Hettwer, Kumar Sivan

TISAX – An Automotive Industry Cybersecurity Requirement

Speakers:

Martin Hettwer, Laura Flanagan

Trusted Information Security Assessment Exchange (TISAX) - An Automotive Industry Cybersecurity Requirement

Speakers:

Martin Hettwer, Laura Flanagan

Information Security Management: An Industry Priority (ISO 27001)

Speakers:

Jeff Spira, Laura Flanagan

Implementing an Information Security Management System (ISMS) based on TISAX

By

Martin Hettwer

Best Practices for Implementation of TISAX and Information Security Controls

Helping Customers Achieve Improved Cybersecurity and Customer Satisfaction with TISAX

FAQ

TISAX, or Trusted Information Security Assessment Exchange (pronounced "tea-sacks"), is an information and cyber-security standard developed to protect organizational assets and shared data. TISAX controls are based on the international standard ISO/IEC 27001.

TISAX is important because it helps companies demonstrate their commitment to data security and compliance with industry standards, fostering trust and collaboration among partners that share data, proprietary designs and organizational knowledge.

A number of automotive OEMs (Original Equipment Manufacturers) mandate that their suppliers and partners achieve a prescribed TISAX assessment label as a prerequisite for engaging in new business with them. IATF 16949 also requires consideration of information security and contingency plans to ensure supply.

Omnex offers comprehensive services to assist organizations in getting ready for and efficiently managing TISAX assessments. Our experts can guide you through the process and help you implement necessary security measures.

TISAX certification enhances your reputation as a secure and reliable partner, potentially increasing business opportunities. It also demonstrates your organization's commitment to safeguarding sensitive information.

The time required to attain a TISAX label depends on the complexity of your organization and the security measures already in place. Following a formal gap assessment, Omnex will provide a tailored implementation timeline.

The need for and acceptance of TISAX labels (certification) varies by industry, but they are recognized and demanded in sectors where data security and information protection are crucial, particularly in the automotive and aerospace industries, where design responsibilities may be shared. The need for information security as it relates to protection goals such as Confidentiality, Integrity and Availability of data (assets) shall be a major consideration for all organizations, given the risks and the need for robust information and cybersecurity.

Your certificate typically remains valid for three years, contingent on successful surveillance audits and specific requirements from the assessment body.

To obtain TISAX certification, the process generally involves:

  1. Identifying a licensed assessment service provider,
  2. Preparing the Information Security Management System (ISMS),
  3. Understanding the requirements, controls and awareness trainings,
  4. Implementing the ISMS and its controls as described in ISO 27001 and the TISAX ISA,
  5. Registering for and undergoing the TISAX assessment,
  6. Addressing any non-conformities, and maintaining conformance through surveillance audits.

Requirements for becoming a certified TISAX auditor might involve the successful completion of accredited auditor training (offered by Omnex), acquiring practical auditing experience according to ISO 19011, awareness trainings for ISO 27001 (ISMS) and the TISAX ISA, and passing the (lead) auditor certification examination, also offered by Omnex.

TISAX and ISO 27001 share many of the same security controls and thus offer the same benefits: enhanced data security, compliance, risk management, and protection goals (CIA), with improved trust among partners and stakeholders. TISAX controls are a subset of the ISO 27001 Annex A controls. Consider that without the foundation of a robust Information Security Management System (to ISO 27001:2022 Annex A), it is highly unlikely that information security, cyber-security and data protection will be effective for your organization.