February 6, 2023

Last Updated on January 15, 2024

Automotive OEMs, especially the largest German automakers and their top suppliers, created the Trusted Information Security Assessment Exchange (TISAX) to help protect intellectual property, prototypes, and personal data subject to GDPR and other privacy regulations across their supply chains. The point of TISAX is to provide consistent, objective “proof” that suppliers can safeguard their partners’ critical data. In use for vendor risk management since 2017, TISAX is now increasingly important not just in Europe but worldwide—especially in North America.

Ed Chandler, National Sales Manager at TÜV SÜD America, shares everything you most need to know about TISAX.

Join us as we discuss:

  • Why TISAX is suddenly such a hot topic for North American automotive suppliers
  • How the TISAX attestation process works and different ways your org can leverage TISAX to make it easier for partners to do business with you
  • The relationship between TISAX and other major global security and compliance frameworks like ISO 27001 and GDPR

Why Is TISAX Suddenly So Hot?

TISAX is emerging worldwide now for several reasons.

“The reason why we’re starting to see a significant impact today is that over time TISAX has slowly been brought out into the Americas,” Ed relates. “The initial rollout was in Europe, and after the last three or four years of talking about it, [the major German automakers] finally set the line in the sand stating that organizations [in the supply chain] do need to follow it.”

The European automotive supply chain is currently far ahead of other geographies with TISAX adoption.

Another reason TISAX is ascending is that several of the largest European automotive suppliers, notably Bosch and ZF, have not only embraced TISAX themselves, but also are “flowing down” TISAX requirements to their own suppliers.

TISAX is an Attestation, Not a Certification

While some cybersecurity frameworks, notably ISO 27001, include a formal certification process, others (e.g. SOC 2) take the form of a third-party attestation. TISAX is in the latter category—it’s an attestation made by an approved third-party auditor. There’s also a voluntary self-attestation option for orgs that want to participate in the TISAX ecosystem but have less mature security programs.

TISAX Assessment Objectives

TISAX is not a one-size-fits-all process. Its scope can be adjusted (usually per the mandates of OEMs and Tier 1 suppliers) using assessment objectives.

TISAX has three main objectives, each of which has sub-objectives. First is the information security objective, which is relevant to most orgs. Within the security objective there are two options: high protection needs and very high protection needs.

There are also objectives for protecting prototypes (parts and/or vehicles), and for protecting data subject to GDPR and other privacy laws. Most companies that need to include the data protection objective are service providers, such as HR or marketing firms.

TISAX Assessment Levels

TISAX assessment levels (1, 2, and 3) determine the rigor of the attestation process.

Level 1 is a self-attestation that a company has completed a TISAX internal security assessment (ISA).

“You’ll never find that you’ll have an OEM requirement that requests a Level 1 assessment,” Ed explains. “Level 1 is really for organizations that find TISAX to be helpful as a cybersecurity standard for themselves, and something that they can put forward as that first step into the realm of cybersecurity.”

Level 2 is referred to as a validity check. Here, an approved independent auditor comes in to validate what an org has done within its ISA. But it’s not a traditional audit—more like a spot-check on specific areas in line with the ISA documentation.

“When you get to assessment Level 3, that’s what you think of as more like your traditional cybersecurity assessment,” clarifies Ed. “That’s going to be more in-depth, there’s more time associated with it, there’s more documentation that’s going to be reviewed, etc.”

TISAX levels also relate to the assessment objectives. For example, a “very high” security objective always implies a Level 3 audit, whereas a “high” security objective goes with a Level 2 audit. Likewise, suppliers that need to meet a Prototype and/or Data Protection assessment objective can look forward to a Level 3 assessment as well.

TISAX Alignment with ISO 27001 and ISO 27701

TISAX is derived from the ISO 27001 cybersecurity standard, which means that ISO 27001 certified or aligned businesses have a big leg up on meeting the TISAX requirements.

Likewise, alignment with the ISO 27701 data privacy standard should mean a “relatively light lift” to reach the TISAX Data Protection objective requirements, which reflect GDPR requirements.

In fact, the TISAX ISA guidelines include mappings to ISO 27001 and ISO 27701 requirements, which demonstrates how close the respective controls are.

“It’s a lighter lift for an organization because they’ve taken into account a number of these factors already,” Ed confirms.

TISAX Labels

Once you’ve undergone your TISAX assessment(s) against your assessment objective(s) and achieved successful results, your organization is awarded the corresponding TISAX label(s). Basically, a label summarizes your assessment results, and serves as a statement that your security program meets a specific set of requirements.

For example, if a partner requires you to get the TISAX label “Handling of information with very high protection needs,” you’d then select that as your assessment objective. Following a successful audit, you’d receive the label, which you can share with partners and other stakeholders.

“Your label is good for three years after the last day of that audit,” adds Ed. “We don’t have those surveillance audits [like with ISO 27001].”

But as Ed emphasizes, “It’s always good to get direct information whenever possible from your customer on what their expectations are. Because it would be painful to go through the process at [the wrong security level] or not realize they expected prototypes or privacy [labels].”

What’s next?

Listen to the full-length, TISAX-filled episode with Ed Chandler here.