In the modern age, cars aren’t just cars anymore – they’re also sophisticated computers, entertainment units, and sometimes more.
Auto manufacturers are increasingly handling sensitive and confidential data (not just personal information, but R&D, prototype data, and so on), and that means so are their various software vendors. That’s why some of these manufacturers got together to create a framework and certification to help ensure the industry here in Europe met or exceeded minimum security standards.
That framework is TISAX, and if you’re reading this article then you might need it. So, what is TISAX, and how do you get certified? Let’s take a look.
Read more about data in the automotive sector: “The automotive sector is changing: Can you keep up?”
Everything you need to know about TISAX
What does TISAX stand for?
Trusted Information Security Assessment Exchange.
What is TISAX compliance?
TISAX is a security standard devised by the German Association of the Automotive Industry (VDA) in 2017 to ensure a base level of information and cyber security in the European auto industry. It is administered by the ENX Association, and while it isn’t officially recognised as an international standard, many foreign software partners do choose to get TISAX certified as well.
TISAX was originally based on ISO/IEC 27001, which presents a framework for protecting information through the use of an information security management system (ISMS). However, TISAX goes beyond this standard by adding guidance for data and prototype protection, among other areas. The scope, assessment and recommended measures are also different.
You’ll see a number of assessment criteria within TISAX that have been pulled from ISO 27002 and 27017, too.
How is TISAX structured?
TISAX starts with a self-assessment, which is usually followed up by an outside auditor, either online or in person depending on your individual scope. To qualify for TISAX certification, your business will need to show that it has the required information security maturity across a variety of factors related to your business and the data it will handle on behalf of your auto partner.
Or, in short, you’re going to be given a checklist and it will help you identify your maturity score in key areas. Then someone will check that score.
But not all TISAX assessments are alike
This is because each registrant chooses which assessment objectives are most relevant to their business, based on the types of data they will be handling and specific requirements from the auto company. You will then be asked a series of questions related to those objectives. In this way, you won’t have to answer all of the questions as some of them may fall outside of your scope (more on scope below).
So what are the objectives? Well, there are eight of them in total, and each maps to one of three categories, called ‘criteria catalogs’. Those are:
- Information security
- Prototype protection
- Data protection
And the objectives are:
You’ll also need to determine your assessment level, which will be low, high or very high (aka AL 1, 2 or 3). Your assessment level helps determine whether you can get away with just a self-assessment, or whether you’ll need an auditor to check your evidence, interview your people, or even complete an on-site assessment.
Is TISAX mandatory?
TISAX is not a legal requirement. But, whether you consider it ‘mandatory’ or not is up to your definition of the word.
OK, so it’s not law, but it’s increasingly considered best practice in the European and global auto industries. As such, it’s getting more and more unlikely that you will be able to work with car manufacturers on any project that requires the handling of their data if you don’t have TISAX certification. If they say they want it, you’ll need to get it.
Who triggers a TISAX assessment?
Generally, companies will be asked to get their TISAX certification from a partner company. Typically this will be the car manufacturer itself, but TISAX isn’t just for partners of auto manufacturers.
You may need your own partners to get certified, too. If someone handles your data, and you’re handling a marque’s data, you will probably need to ask your own vendors to seek out TISAX certification to ensure they have the ISMS required to keep all of that information safe.
Of course, if you know you’re going to be approaching the auto industry in future you could look to get certified in advance. You don’t actually ‘need’ a trigger. Plus, even if no one asks you, it’s still a great process to go through to ensure your company is achieving industry best practice when it comes to cyber security.
How do you get TISAX certified?
How to get a TISAX assessment
The TISAX assessment process generally follows these steps:
- Registration: You’ll start by creating an ENX Portal account and following the online registration steps at this website.
- Define scope: Then you’ll need a good understanding of what type of certification you’re going to require, how many locations you require it for, and more. We’ll talk more about scope below.
- Self assessment: TISAX isn’t something to fail and do again. Before you approach any auditors you will need to conduct a thorough self-assessment to find out whether your ISMS matches your expected maturity level.
- Self optimizations: Found something amiss? This step ensures that you attend to all of the problems or red flags found during your self-assessment before hiring an auditor. If you can’t do this part yourself, consider bringing on board a security specialist with TISAX experience.
- Audit: You get to choose which company audits yours. Depending on your scope, this may be a thorough in-person process, or more of a plausibility check done over the internet.
- Additional optimizations: Should anything more be found amiss, the auditor will direct you on what new changes you must make before proceeding. You will have just nine months to complete any optimizations and request a follow-up assessment.
- Exchange: After passing, you can share your new credentials with your auto partner. Additionally, you can choose to publish your results on the TISAX Exchange.
For a much more detailed explanation of these steps, read through the TISAX Participant Handbook.
Duration and cost of TISAX
Duration: As mentioned just before, no more than nine months can pass between the initial audit (which comes after your self-assessment) and the final audit result. All optimizations and corrections must be made within this timeframe.
Validity: TISAX certifications are valid for three years under the same scope. If your scope changes (e.g. you weren’t handling prototype data but now you are), you will need to go through the TISAX process again. This is one reason that it often pays to get a higher level of certification than required, so that you ‘future-proof’ your business.
Cost: The cost of TISAX depends fully on your scope. You can expect to pay a fee to register, and to pay an additional fee to the independent auditing company (or multiple fees, if multiple audits are to take place). Your budget will also need to leave room for optimizations and improvements, and any third-party vendors who will help you make those changes.
What does a TISAX self-assessment look like?
- Determine your scope: Your partner will help you understand what data your company will be handling.
- Select your assessment objectives: It’s up to you to choose which assessment objectives you will be assessing yourself against, unless your partner has given you specific requirements. Remember, you might want to think about getting assessed at a higher level to give yourself room to grow in future.
- Determine protection needs: Each objective has its own data protection needs, and understanding these needs tells you your assessment level.
- Download the ISA document: The ISA self-assessment checklist is a spreadsheet containing all of the different items you will need to check against, broken up into the three criteria catalogs described earlier. You’ll go through it slowly, fill in all the fields, and make a list of the items that you might fail on.
- Optimize your business: Now you should be able to work towards the requirements not currently in place within your business, so when an auditor comes calling you’ll pass first try.
Getting your audit scope right
Not every company will need a thorough, level-three assessment, although you may be requested to get one regardless (or choose to get one yourself for future-proofing).
It’s very common for companies to get their scope wrong. This could lead to the business failing because it was not audited at a high enough level for the type of data in question. Or, it could lead to the opposite – being over-audited, where you fail on things that just weren’t relevant to your partnership (and could have been skipped as a result).
Some companies find that their data protection requirements are also so light that they are asked to conduct only the self-assessment, with no audit required. This helps them better secure their business, but doesn’t count as a TISAX certification.
Got multiple locations? You’ll need to take that into account
If your organization has multiple business locations, you have to define whether they will all be included in your audit, or just some of them. Who will be handling the data?
If you include all locations but one fails, the entire business will fail. So this isn’t a decision to take lightly. You’ll be making a choice between using a single scope that includes all locations at once (for cost efficiency), or adopting a single scope per location (more costly, but less risk of failing across the entire business).
Want to learn more? Go to the handbook and find section “4.3.2.3. Scoping”.
How dig8ital can help you get TISAX certified
If you’re looking at all of this and thinking it’s a whole lot, you’re worried your business won’t pass the certification, or perhaps you’ve failed in the past – we can help.
At dig8ital, we know TISAX inside and out and can assist you in a number of different ways. First, we can walk you through preparing for TISAX, understanding your objectives and assessment level, auditing your system, and working out the gap between where you are now and where you need to be in order to pass.
From there, we’ll work with you to fully optimize your system in line with your business goals. Our experts can embed themselves in your company, get to know your teams, and figure out what areas we can improve, what steps we need to take to get to where we’re going, and how we develop those new services in a cost-effective manner.
To learn more about how we can help your unique business, contact us now for a FREE maturity consultation.