TISAX, which aims to provide a standardized approach to information security across the automotive industry, has certain requirements organizations need to comply with.
In this post, we cover what TISAX is, who it applies to, its different assessment levels, and the label requirements for BISR (Level 1), ISMS (Level 2), and AISMS (Level 3).
As we mentioned in a recent blog, TISAX stands for Trusted Information Security Assessment eXchange. It’s a cybersecurity framework designed to provide a standardized approach to information security assessments for the automotive industry.
A TISAX assessment evaluates the organization's information security management system (ISMS) and then assigns one of three TISAX assessment levels based on the level of sensitivity of the information it handles. We’ll get more into that in a bit.
TISAX is mandatory for vendors working with the German automotive industry who process, store, or otherwise handle sensitive information, regardless of their size or location. This sensitive information includes any data that can be used to identify individuals or vehicles, such as customer data, employee data, and technical specifications. It also covers any data related to product development or manufacturing processes that could be used by competitors to gain an advantage in the market.
In short, TISAX applies to all organizations that do business with most major players in the German automotive industry, like suppliers of parts and components for cars, as well as providers of IT services and software.
TISAX assessments are divided into three levels, based on the level of sensitivity of the information being handled by the supplier. The higher the data sensitivity, the more rigorous the assessment required to obtain a TISAX label. The levels that correspond to such data sensitivity are:
Level 1 is for suppliers who handle information that is deemed to have low or moderate sensitivity. This “basic” or “normal” level assessment covers a subset of the TISAX requirements and is intended to provide a starting point for suppliers to assess and improve their information security. This level only requires the organization to complete a self-assessment based on a questionnaire known as the Information Security Assessment (ISA).
Level 2 is for suppliers who handle information that is deemed to have high sensitivity. This “high” or “advanced” level assessment covers all the TISAX requirements and is intended to provide a comprehensive evaluation of the supplier's information security. Like Level 1, Level 2 is based on the company’s self-assessment using the ISA questionnaire, but in a Level 2 assessment an external auditor verifies that self-assessment.
Level 3 is for suppliers who handle information that is deemed to have very high sensitivity. This “very high” or “very advanced” level assessment covers all the TISAX requirements and includes additional security controls and requirements specific to the handling of such information. In addition to the self-assessment and external auditor verification included in Levels 1 and 2, Level 3 also requires an auditor to carry out on-site inspections and in-person interviews.
The TISAX label is awarded to suppliers who have successfully completed a TISAX assessment. It indicates that a company meets the information security requirements of the German automotive industry and is considered a trusted partner.
The label is divided into three levels, which correspond to the assessment levels:
The TISAX label is valid for three years. After this, it must be renewed through a new assessment. In order to receive a TISAX label, organizations must complete the four main groups of the assessment:
For the rest of this post, we’ll dive a bit deeper into the information security topic, which is quite similar to the ISO 27001 standard. In fact, TISAX’s seven chapters on Information Security match 69 controls from Annex A of ISO 27001. Let’s take a look at those now.
The assessment looks at the policies and procedures in place for information security, like the roles and responsibilities of staff and risk management. It reviews how the organization handles incidents and breaches, reporting procedures, and the measures in place for investigation and mitigation.
This area of the assessment focuses on the security awareness and training provided to staff, the processes in place for recruiting and screening staff, measures for ongoing security training and awareness, and how the organization manages access to sensitive information, including background checks and access controls for team members.
This looks at the measures in place to protect physical assets, such as buildings and equipment, including access controls, surveillance systems, and emergency response plans. It also looks at the measures in place to ensure business continuity in case of an incident or disaster, including backup and recovery procedures, disaster recovery plans, and the redundancy of critical systems.
This area refers to the policies and procedures in place for managing user access to systems and data, including the authentication and authorization processes for user accounts, password policies, and other access controls.
This focuses on the measures in place to protect information systems and data from cyber threats, including the policies and procedures in place for IT security. This can include vulnerability management, network security, incident response, encryption, access controls, and data backups.
The assessment looks at how the organization manages relationships with suppliers and ensures the security of the supply chain, including the security of transportation, storage, and communication of information between suppliers. It also reviews the policies and procedures in place for managing supplier relationships, such as supplier selection, contracts, and monitoring.
The compliance area of assessment focuses on the measures in place to ensure compliance with legal and regulatory requirements, including data protection, export controls, intellectual property rights, risk assessment, compliance monitoring, and reporting.
Strike Graph now supports the TISAX framework so that you can better manage your automotive ISMS. And the good news is, if you’ve already worked on your ISO 27001 assessment, you’re ahead of the curve! That’s because the work you did for the ISO 27001 standard lines up with the TISAX’s seven chapters on information security. And, if you haven’t started ISO 27001 or TISAX, we can help you efficiently achieve one or both.