February 10, 2023

Last Updated on January 15, 2024

More and more companies in the Americas’ automotive supply chain are hearing about TISAX compliance requirements (Trusted Information Security Assessment Exchange). Originally developed by major European automakers, TISAX is a comprehensive framework for protecting intellectual property, personal data, and other sensitive data across the automotive supply chain.

If your customer is asking for a “TISAX label,” there is likely a compliance audit in your company’s future. How big of a deal is that likely to be?

To brief automotive leaders on TISAX, Ed Chandler, National Sales Manager at TÜV SÜD America, joined a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

Determining TISAX assessment objectives
TISAX is intended to help reduce supply chain risk. So, it is usually an automotive OEM or a Tier 1 supplier that specifies what TISAX labels a supplier needs to obtain, based on that supplier’s risk profile. Each label corresponds to a TISAX assessment objective, such as “Handling of information with very high protection needs” or “Protection of prototype parts and components.”

“A label states that you have been assessed toward that objective,” Ed explains. “It means that you’ve been through the assessment, and the labels are based on the objectives you’ve been audited against.”

What’s critical here is that orgs pursuing a TISAX assessment understand clearly what their customer is asking for, so that they meet the necessary requirements. To go through this extensive process and miss the mark isn’t something you want to contemplate.

“It’s always good to get direct information whenever possible from your customer on what their expectations are,” advises Ed.


Choosing an audit provider

ENX, an association of auto manufacturers, suppliers, and industry associations, administers the TISAX program. This includes establishing a group of authorized TISAX audit providers that offer standardized (hence uniformly trustworthy) assessment results.

Companies seeking a TISAX audit can work with any of these audit partner based on factors like cost, location, and availability.


What a TISAX audit looks like

TISAX audits take place at assessment level 3, which mandates thorough verification of evidence, including interviews, in an in-person, onsite context. Most TISAX assessment objectives require assessment level 3.

“There are three stages to the audit,” describes Ed. “The first is a kickoff meeting, usually held at least a week or two weeks before the audit occurs. This is so you can get to know your auditor and what the expectations are for the audit, so you’re not left in the dark.”

The second stage is the audit itself. According to Ed, a single audit for a specific location would last a week at most, and three days minimum.

The third stage is a closing meeting, which usually takes place within a week or two of the audit depending on findings.


Closing nonconformities

Orgs have nine months from the last day of the audit to close out any nonconformities.


If nonconformities are minor, ENX will issue the audited org temporary labels, which are good through that nine-month period.

In the event of a major nonconformity, the audited org can implement corrective action. Depending on the nonconformity and corrective action plan, a temporary label may be issued. Once the major nonconformity is resolved, ENX will issue “permanent” labels (good for three years).

ENX maintains an online database of labels that other TISAX participants can access. Companies can specify how much information they want to share about their TISAX labels.


What’s next?

Ready to hear this podcast show with Ed Chandler? Click here.

What? Nonconformities are good?: Why You Should Tell Your ISO 27001 or SOC 2 Auditor That You Want as Many Nonconformities as Possible