February 7, 2023

Last Updated on January 15, 2024

There has been a surge in interest in TISAX (for Trusted Information Security Assessment Exchange) across the Americas’ automotive supply chain in recent months.

What is TISAX, where did it come from, why does it exist and who may need to comply with it?

To share a business-level dive into TISAX, a recent episode of The Virtual CISO Podcast featured Ed Chandler, National Sales Manager at TÜV SÜD America with host John Verry, Pivot Point Security CISO and Managing Partner.

What’s making TISAX so hot?

TISAX has been around since 2017, so why all the fuss now?

“The reason why we’re starting to see a significant impact today is that over time TISAX has slowly been brought out into the Americas,” Ed relates. “The initial rollout was in Europe, and after the last three or four years of talking about it, [the major German automakers] finally set the line in the sand stating that organizations do need to follow it.”

Europe’s automotive industry is well ahead of other geographies with TISAX adoption, but that’s bound to change as orgs fall into line to keep their customers. Some of the biggest European automotive suppliers, in particular Bosch and ZF, are now “flowing down” TISAX compliance requirements to their suppliers as well.


What is TISAX?

Automotive OEMs, notably the largest German automakers (BMW, Daimler and Volkswagen), jointly developed TISAX to help protect intellectual property, prototype vehicles and parts, and personal data subject to GDPR and other privacy regulations across their global supply chains. As an agreed standard for automotive cybersecurity, TISAX provides consistent, objective “proof” that suppliers can safeguard their partners’ critical data. This is a major advantage for vendor due diligence across the entire supply chain compared with each OEM maintaining its own standard.


Like the SOC 2 cybersecurity framework, and in contrast to ISO 27001, TISAX is a third-party attestation but does not provide a certification. There is also a voluntary self-attestation process for companies that want to align with TISAX but are still maturing their cybersecurity programs.

TISAX objectives, levels, and labels

Typically at the behest of a major customer, orgs can align with one or more of three TISAX assessment objectives (information security, data privacy, and prototypes). Within each of these are various assessment options. TISAX also has three assessment levels, from Level 1 (self-attestation) to Level 3 (comparable to a full-on cybersecurity audit such as SOC 2 or ISO 27001).

Once an org has undergone its TISAX assessment(s) against the required assessment objective(s) and achieved successful results, it is awarded the corresponding TISAX label(s). A label confirms your assessment results, and states that your security program meets those specific TISAX requirements.


What’s next?

To listen to this podcast episode with Ed Chandler, click here.

Here’s how third-party risk impacts your overall attack surface: Factoring Third-Party Risk into Attack Surface Management

How to Effectively Use a Vendor’s SOC 2 Report in Your VRM Program