What is TISAX: Here’s what you need to know about TISAX certification
Looking to understand the TISAX label and why TISAX certification is a key standard for the automotive sector? Read this guide.
Updated August 2, 2024

When Tesla’s Model S came out in 2015, Elon Musk called it “a very sophisticated computer on wheels.” With cars increasingly more electronic device than machine, car makers are starting to act like software companies. We see a prime example of that shift in auto makers’ efforts to secure the vast amounts of personal and confidential data now flowing through their systems.
The need to regulate how auto makers handle data spurred a group of European auto manufacturers to gather in 2017 to create TISAX (Trusted Information Security Assessment Exchange). The standard has emerged as a key framework for ensuring the integrity of information security systems in the automotive industry. In April 2024, the standard got an update that strengthens controls to combat ransomware and APT resilience, and further emphasizes the information technology (IT) and operational technology (OT) convergence.
In this guide, we’ll walk you step-by-step through what you need to know to achieve and maintain TISAX certification. Our goal is to provide actionable insights and practical tips to help your organization understand the requirements and navigate the process of obtaining the TISAX label.
TISAX certification is a standardized assessment and certification framework specifically designed for the automotive industry. The standard is based on the German Association of the Automotive Industry (VDA) catalogue of Information Security Assessment (ISA) questionnaire, which in turn largely follows the international ISO/IEC 27001 standard.
The framework that makes up the TISAX label enables auto manufacturers to assess and demonstrate their adherence to strict data protection and information security requirements. By achieving TISAX compliance, companies can share a standardized assessment of their information security status to establish trust with their partners, customers, and regulatory bodies throughout the automotive industry.
The ENX Association operates the TISAX program, and defines the levels and scope of assessments.
Registered companies can use the ENX TISAX platform to:
Ensure their suppliers and service providers meet key information security requirements
Save time and money by avoiding repeated audits of corporate information security; the audited company decides whether to share its results, and with whom
Increase security awareness among employees
Lay the groundwork for an integrated information security management system (ISMS) and possible further certification according to ISO 27001
To achieve and maintain TISAX compliance, organizations must meet several key TISAX certification requirements. These include:
Information Security: Organizations must implement an Information Security Management System (ISMS). They must demonstrate that the system can reliably identify and manage risks, establish security policies and procedures, and support regular audits.
Prototype protection: Organizations must ensure protection of prototype vehicles, parts and components.
Data Protection: Organizations must ensure the confidentiality, integrity, and availability of sensitive data by implementing appropriate technical and organizational measures. This includes secure storage, access controls, encryption, and employee training.
The TISAX participant handbook contains a thorough overview of the entire TISAX label process.
The TISAX label is mandatory for any company looking to do business with the German automotive industry. The label increasingly applies to manufacturers, suppliers and service providers across the global automotive supply chain that handle sensitive data.
In practice, TISAX is now essential to work with any original equipment manufacturers (OEMs).
Andre Froneman, OT solutions specialist at Datacentrix in South Africa, sees first-hand the reality of TISAX's global reach.
"I'm located in what you might call the Detroit of South Africa, a manufacturing hub for Mercedes Benz, Volkswagen, Ford, and Isuzu, as well as auto parts manufacturers that are part of German automakers' supply chain.
The challenge we see with TISAX compliance is getting the visibility needed across their OT and IT networks to complete self-assessments, and evaluating where the TISAX auditors will want to see security, specifically for their environment."
The cost of TISAX depends on company size and scope. The fee for the audit provider generally runs between 5,000 and 10,000 euros. The mandatory registration fee is approximately 500 euros. On top of that, you should budget for the operational cost of preparing for the audit, as well as implementing or configuring an ISMS.
TISAX certification is valid for three years.
Technically, compliance with the TISAX standard results in a label, not a certificate (unlike the ISO 27001 standard). Organizations that wish to obtain the TISAX label follow three main steps:
Registration: You register your organization as a participant on the ENX platform
Assessment: You go through self-assessments and, later on, an assessment conducted by a TISAX audit provider.
Exchange: You share your assessment result with your partner via the ENX platform.
For TISAX compliance, the VDA recommends starting with a self-assessment. The “Information security assessment (ISA)” questionnaire lists key security topics (also known as controls) to assess. The ISA helps you build a comprehensive overview of your own information security status on topics such as:
Information security policies and organization
Human Resources
Physical security and business continuity
Identity and access management
IT security/cyber security
Supplier relationships
Compliance
Prototype protection
You rate your target achievement for each control on a scale from level 0 to 5. Below is a sample spider chart from the ISA that shows how the ranking works for each security topic and maturity level.
Image source: VDA Information Security Assessment
The ISA ranks TISAX "maturity levels" in terms of the overall quality of your information security management system.
Organizations must reach TISAX level 3 to receive the label. You are encouraged to self-assess your maturity level first to see whether you are ready for a TISAX assessment. If you are not quite at level 3, you can address the gaps in your results before seeking the label.
The ISA describes the TISAX maturity levels as follows:
| Maturity level | In one word | Description |
|---|---|---|
| 0 | Incomplete | A process is not available, not followed or not suitable for achieving the objective. |
| 1 | Performed | An undocumented or incompletely documented process is followed and indicators exist that it achieves its objective. |
| 2 | Managed | A process achieving its objectives is followed. Process documentation and process implementation evidence are available. |
| 3 | Established | A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used sustainably and actively over an extended period. |
| 4 | Predictable | An established process is followed. The effectiveness of the process is continually monitored by collecting key figures (Key Performance Indicators). Limit values are defined at which the process is considered to be insufficiently effective and requires adjustment. |
| 5 | Optimizing | A predictable process with continual improvement as a major objective is followed. Improvement is actively advanced by dedicated resources. |
Source: TISAX Participant Handbook, Table 11. Informal description of the maturity levels
The TISAX label saves time and money since organizations can easily share assessment results with partners and suppliers via the TISAX Exchange, or ENX, an online platform. This means organizations don’t have to conduct assessments for each new partner; they can just look them up on the platform.
TISAX focuses on the automotive industry’s cybersecurity requirements, taking a risk-based approach that comprehensively evaluates and verifies the entire vehicle system (hardware, software, and communication protocols).
The certification also mandates the VDA standard, which is a set of requirements for automotive components and system security. This requires organizations to put in place and maintain a cybersecurity management system as well as demonstrate compliance with other industry-wide standards and regulations.
TISAX is often compared with ISO 27001, and with good reason. Both are information security standards with many similarities: the security controls in Annex A of ISO 27001 make up roughly 90% of the common part of the TISAX controls.
| | TISAX | ISO 27001 |
|---|---|---|
| Regulatory scope | VDA, which is mainly German | International |
| Industry focus | Automotive | All industries |
| Data protected | Manufacturer data throughout the supply chain | Company data or data entrusted to the company |
| Requirements | There are 6 levels (0-5); the label is received after completion of level 3 | Each of the 114 controls as well as Annex A must be addressed to receive certification |
| Application perimeter | Entire site, no exclusions | Allows a precise perimeter to be defined |
| Method of evaluation | Assessment-based | Audit-based |
| Proof | Electronic label (only available on the ENX platform) | Certificate |
| Audit frequency | Every 3 years | Yearly |
Source: IS Decisions
To increase your chances of achieving and maintaining TISAX compliance, consider the following best practices:
Conduct regular risk assessments: Identify potential risks and vulnerabilities within your organization’s information security landscape. Implement controls to mitigate these risks and regularly review and update your risk assessment.
Establish an information security culture: Foster a culture of information security throughout your organization. Provide cybersecurity and TISAX training and awareness programs to employees to ensure they understand their roles and responsibilities in maintaining data security.
Implement strong access controls: Restrict access to sensitive data to authorized personnel only. Implement multi-factor authentication (MFA), strong password policies, and role-based access controls to minimize the risk of unauthorized access.
Engage with accredited TISAX auditors: Work closely with accredited auditors who have experience in TISAX compliance. They can provide valuable guidance, identify areas for improvement, and ensure a smooth certification process.
Achieving and maintaining the TISAX label is crucial for organizations in the automotive industry to safeguard sensitive data and maintain trust with stakeholders. By understanding the requirements, implementing best practices, and onboarding the right solutions, your organization can navigate the process to successfully become TISAX certified and obtain the TISAX label.
For more information about how IS Decisions’ software solutions UserLock and FileAudit support the highest levels of compliance with TISAX’s Identity and Access Management and IT Security controls, read our TISAX compliance checklist.