March 15, 2024

Last Updated on April 12, 2024

Trusted Information Security Assessment Exchange (TISAX) is a widely used cybersecurity and vendor due diligence platform specifically for the automotive industry. More and more automakers and top-tier suppliers are asking supply chain partners to undergo TISAX assessments to enhance and/or validate their cybersecurity and privacy controls.

Recently updated to version ISA 6.0, TISAX offers a range of assessment levels depending on assessment objectives and other factors. But for companies with many locations, the normal TISAX assessment effort can be considerable.

The Simplified Group Assessment (SGA) option streamlines the audit process for organizations with multiple sites in their TISAX scope—but there are several preconditions. This blog post explains the TISAX SGA process so you can decide whether it makes sense for your business.


What is a TISAX Simplified Group Assessment (SGA)?

The SGA option is one of the best reasons to choose TISAX to validate a successful security and compliance program, as it can reduce effort and cost versus a conventional audit process.

The SGA specifically supports TISAX participants that have three or more in-scope locations and a centralized, highly mature information security management system (ISMS—a concept that TISAX derives from its ISO 27001 foundation). The streamlined SGA evaluation approach focuses primarily on the centralized/headquarters cybersecurity controls. From there, it applies less rigor overall to validate that those controls operate effectively at the other locations.

Features of a centralized ISMS include:

  • “Hub-spoke” incident reporting mechanisms
  • Centralized control monitoring and evaluation
  • Centralized compliance

To use an SGA, the central ISMS component of the company’s overall cybersecurity environment must comply with all the TISAX requirements associated with the auditee’s chosen assessment objectives.


What are the key steps in a TISAX group assessment?

The basic process for a TISAX SGA includes:

  • Step 1: Intensive third-party audit focused on the company’s headquarters/ISMS hub.
  • Step 2: Remote or on-site inspections to validate control operation at one or more “sample” locations, depending on the total number of sites in scope.
  • Step 3: Simplified remote or on-site auditing at the remaining sites.

Based on experience, a “sweet spot” for leveraging the SGA approach is 6 to 7 sites minimum. The “Simplified Group Assessment” addendum to the TISAX Participant Handbook recommends 12 sites or more.


What are the TISAX assessment levels in a nutshell?

TISAX offers “three and one-half” assessment levels, one or more of which will come into play in an SGA scenario:

  • AL 1 is a self-evaluation with no independent validation of the results. This is mainly for internal use, especially as a starting point for a third-party audit. AL 1 assessment results are not shared with customers and partners through the TISAX portal.
  • AL 2 is a “plausibility check.” It starts with a self-evaluation per AL 1, but must also include comprehensive documentation, records, and other evidence of control operation. Your auditor will review the submission for credibility.
  • AL 3 is a comprehensive, independent on-site audit comparable to an ISO 27001 or SOC 2 audit.
  • An alternative approach to AL 2, referred to in the latest TISAX Participant Handbook as AL 2.5, replaces the auditor’s plausibility check with a full remote assessment. AL 2.5 is ideal for organizations that can use AL 2 but lack audit experience and are challenged to identify and collect all the data the auditor will want to see.

In practice, many suppliers must pursue an AL 3 audit to reach their TISAX assessment objectives. For example, all the Prototype Protection assessment objectives (safeguarding prototype parts, proper handling of test vehicles, protections during events, photo shoots, etc.) require an AL 3 audit. This is because prototype protections generally involve physical security as well as data security controls, so on-site evaluation is needed.


What are the two SGA location sampling options?

Companies planning a TISAX SGA can choose either of two location sampling options:

  1. A sample-based simplified group assessment (S-SGA). Here, the audit encompasses a representative sample of your locations.
  2. A rotating schedule-based simplified group assessment (R-SGA). Here, all your in-scope locations are evaluated over an agreed timeline, generally the three-year validity period for TISAX labels.

With both these options, the main location is audited intensively (always AL 3). With the S-SGA option, the sample locations also receive strong scrutiny (AL 3 or AL 2). But the non-sample locations are checked less thoroughly than with a non-group assessment (AL 2 or AL 1).

With the R-SGA option, each remote location is checked equally, but the audit period is significantly extended. An advantage of this path is that it spreads the effort of evaluating many locations over a longer period, so the effort at any one time is reduced. This can favorably impact budgets, staffing, and other resources.

Note that the R-SGA option cannot be used with Prototype Protection assessment objectives.

We need different labels for different locations. Can we still get an SGA?

All the locations in scope for an SGA must have the same assessment objectives, as with other TISAX audit formats. You can only register a TISAX audit scope with one set of objectives.

But what if you have 20 manufacturing plants and only 2 of them work with prototypes? Should you undergo an SGA for all 20 locations against the more rigorous prototype assessment objective(s)?

A best-practice approach can be to create two TISAX assessment scopes and undergo two audits:

  1. An SGA against less rigorous objectives (e.g., Confidential, High availability) to cover all the locations that don’t handle prototypes.
  2. A non-group assessment with a smaller scope to get the necessary prototype labels for just the locations that need them.


What are the benefits of a TISAX group assessment?

Advantages of an SGA approach for organizations that meet the stipulations include:

  • Reduced audit cost and effort versus a non-group audit across multiple sites.
  • Potential to reduce staffing requirements with the R-SGA option by spreading the audit effort over a longer period.
  • The external auditor’s “precondition check,” which gives the auditor a picture of the overall information security program before the assessment begins, reduces audit risk and helps ensure success.
  • SGA is an especially attractive option for manufacturers with multiple locations that are ISO 27001 certified.


How can a third-party consultant help with TISAX assessments?

A trusted partner can help ensure a successful TISAX assessment for your organization by:

  • Identifying your ideal TISAX scope through artifact review and interviews.
  • Conducting a TISAX maturity/gap assessment against the relevant controls.
  • Delivering a gap remediation plan that recommends in detail how to move your controls to the target level and reduce risk per your business goals.
  • Advising on your selection of an optimal TISAX-authorized audit provider.
  • Collaborating with, augmenting, or serving as your team to perform identified remediations and validate their effectiveness.
  • Supporting your assessment process, especially AL 3 assessments.


What’s next?

For more guidance on this topic, listen to Episode 134 of The Virtual CISO Podcast with guest Alexander Häußler, Global Product Performance Manager at TÜV SÜD.