Get through the TISAX assessment process and share the assessment result with your partner

Published by

ENX Association
an Association according to the French Law of 1901,
registered under No. w923004198 at the Sous-préfecture of Boulogne-Billancourt, France

Addresses
20 rue Barthélémy Danjou, 92100 Boulogne-Billancourt, France
Bockenheimer Landstraße 97-99, 60325 Frankfurt am Main, Germany

Author

Florian Gleich

Contact

tisax@enx.com
+49 69 9866927-77

Version

Date: 2021-01-06
Version: 2.3
Classification: Public
ENX doc ID: 602

All rights reserved by ENX Association.
ENX, TISAX, and their respective logos are registered trademarks of ENX Association.
Third party trademarks mentioned are the property of their respective owners.

1. Overview

1.1. Purpose

Welcome to TISAX, the Trusted Information Security Assessment Exchange.

One of your partners requested that you prove that your information security management complies with a defined level according to the requirements of the “VDA[1] Information Security Assessment” (ISA). And now you want to know how to fulfil this request.

The purpose of this handbook is to enable you to fulfil your partner’s request — or to have an edge by anticipating it before a partner asks for it.

This handbook describes the steps you need to take in order to pass the TISAX assessment and for sharing your assessment result with your partner.

Establishing and maintaining an information security management system (ISMS) is already a complex task. Proving to your partner that your information security management is up to the job adds even more complexity. This handbook won’t help you manage your information security. However, it aims to make the work of proving your efforts to your partner as easy for you as possible.

1.2. Scope

This handbook applies to all TISAX processes that you may be part of.

It contains all you need to know to go through the TISAX process.

The handbook offers some advice on how to deal with the information security requirements at the core of the assessment. But it does not aim to generally educate you on what you need to do to pass the information security assessment.

1.3. Audience

The main audience of this handbook are companies that need or want to prove a defined level of information security management according to the requirements of the “VDA Information Security Assessment” (ISA).

As soon as you are actively involved in TISAX processes, you will benefit from the information provided in this handbook.

Companies that are requesting their suppliers to prove defined levels of information security management will benefit, too. This handbook allows them to understand what their suppliers are required to do to fulfil their request.

1.4. Structure

We begin with a brief introduction of TISAX, then we immediately move on with instructions on HOW to do things. You will find all you need to go through the process — in the order you need to know it.

The estimated reading time for the document is 75-90 minutes.

1.5. How to use this document

Sooner or later, you will probably want to understand most of what is described in this document. To be properly prepared, we recommend reading the entire handbook.

We structured the handbook along the three main steps of the TISAX process, so you can go to the section you need and read the rest later.

The handbook uses illustrations to help you improve your understanding. The colours in the illustrations often have additional meaning. We therefore recommend reading the document on a computer screen or as a colour hard copy.

We appreciate your feedback. If you think something is missing in this handbook or is not easy to understand, please don’t hesitate to let us know. We and all future readers of this handbook will be thankful for your feedback.

If you have already used a prior version of the TISAX participant handbook, you may find some helpful notes at the end of the document in Section 8, “Document history”.

1.6. Contact us

We’re here to guide you through the TISAX process and to answer any questions you may have.

Send us an email at:

tisax@enx.com

Or call us at:

+49 69 9866927-77

You can reach us during regular business hours in Germany (UTC+01:00).

We all speak English and German. Two colleagues are native speakers of Italian.

1.7. The TISAX participant handbook in other languages and formats

The TISAX participant handbook is available in the following languages and formats:

Language | Version  | Format  | Link                                                                 | Size
---------|----------|---------|----------------------------------------------------------------------|-------
English  | 2.3      | Online  | https://www.enx.com/handbook/tisax-participant-handbook.html         | n/a
         |          | Offline | https://www.enx.com/handbook/tisax-participant-handbook-offline.html | 6.4 MB
         |          | PDF     | https://www.enx.com/handbook/TISAX%20Participant%20Handbook.pdf      | 6.4 MB
German   | 2.3      | Online  | https://www.enx.com/handbook/tisax-teilnehmerhandbuch.html           | n/a
         |          | Offline | https://www.enx.com/handbook/tisax-teilnehmerhandbuch-offline.html   | 6.4 MB
         |          | PDF     | https://www.enx.com/handbook/TISAX-Teilnehmerhandbuch.pdf            | 5.0 MB
French   | 2.3 beta | Online  | https://www.enx.com/handbook/tph-fr.html                             | n/a
         |          | Offline | https://www.enx.com/handbook/tph-fr-offline.html                     | 7.0 MB
         |          | PDF     | https://www.enx.com/handbook/tph-fr.pdf                              | 7.0 MB
Chinese  | 2.3 beta | Online  | https://www.enx.com/handbook/tph-cn.html                             | n/a
         |          | Offline | https://www.enx.com/handbook/tph-cn-offline.html                     | 7.0 MB
         |          | PDF     | https://www.enx.com/handbook/tph-cn.pdf                              | 7.0 MB

Important note:

The English version is the leading version.
All other languages are translations of the English version.
In case of doubt, the English version is authoritative.

1.7.1. About the online format

Each section has a unique ID (format: ID1234).
An ID references a specific section, regardless of the language.
If you want to link to a specific section, you can:

  • right-click on the section title and copy the link, or

  • click the section title and copy the link from the address bar of your browser.

Most figures are available in a larger size than displayed here by default. Click on the figure to open the larger version.

1.7.2. About the offline format

The offline format retains most features of the online format. Most notably, the figures are embedded in the HTML file. You need only one file to use the offline format.

Compared to the online format, the offline format comes without:

  • the larger images

  • the original fonts of the online format
    Your browser’s defaults define the fonts.

1.7.3. About the PDF format

The PDF format is based on the online format. We basically use a browser to save the online format as a PDF.

If you use the PDF format on your computer, you can still click all the references. But if you print the PDF version, you won’t have things like page numbers and you will have to look up the references yourself.

2. Introduction

The following sections introduce the TISAX concept.

If you are in a hurry, you can skip them and start right away at Section 4.3, “Registration preparation”.

2.1. Why TISAX?

Or rather, why are you here?

In order to answer this question, we will start with some thoughts about doing business in general and protecting information in particular.

Imagine your partner. He has confidential information. He wants to share it with his supplier — you. The cooperation between you and your partner creates value. The information your partner shares with you is an important part of this value creation. Therefore, he wants to protect it appropriately. And he wants to be sure that you are handling his information with the same due care.

But how can he be sure that his information is in good hands? He can’t just “believe” you. Your partner needs to see some proof.

Now there are two questions. Who defines what “secure” handling of information means? And next, how do you prove it?

2.2. Who defines what “secure” means?

You and your partner are not the only ones facing these questions for the first time. Almost everyone has to find answers to them and most of the answers will share similarities.

Instead of independently creating a solution for a common problem every time, a standard way of doing it lifts the burden of creating everything from scratch. While defining a standard is a huge effort, it is made only once and those who follow it benefit every time.

There are surely different views of what’s the right thing to do for protecting information. But due to the aforementioned benefits, most companies settle on standards. A standard is the condensed form of all proven and time-tested best practices for a given challenge.

In your case, standards like ISO/IEC 27001 (about information security management systems, or ISMS) and their implementation establish a state-of-the-art way to securely handle confidential information. A standard like this saves you from having to reinvent the wheel every time. More importantly, standards provide a common basis when two companies need to exchange confidential data.

2.3. The automotive way

By nature, industry-independent standards are designed as one-size-fits-all solutions rather than tailored to specific needs of automotive companies.

A long time ago, the automotive industry formed associations that aimed — among other goals — to refine and define standards that suit their more specific needs. The “Verband der Automobilindustrie” (VDA) is one of them. In the working group that deals with information security, several members of the automotive industry came to the conclusion that they have similar needs to tailor existing information security management standards.

Their joint efforts led to a questionnaire that covers the automotive industry’s widely accepted information security requirements. It is called the “VDA Information Security Assessment” (ISA).

With the ISA, we now have an answer to the question “Who defines what ‘secure’ means?” Through the VDA, the automotive industry itself offers this answer to its members.

2.4. How to prove security efficiently?

While some companies use the ISA for internal purposes only, others use it to assess the maturity of the information security management of their suppliers. In some cases, a self-assessment is sufficient for the business relationship. However, in certain cases, companies conduct a complete assessment of their supplier’s information security management (including on-site audits).

Along with generally increasing awareness of the need for information security management and the spreading adoption of the ISA as a tool for information security assessments, more suppliers were facing similar requests from different partners.

Those partners still applied different standards and had varying opinions on how to interpret them. But the suppliers essentially had to prove the same things, just in different ways.

And the more suppliers were asked by their partners to prove their level of information security management, the louder their complaints grew in terms of repeat efforts. Showing auditor after auditor the same information security management measures is simply not efficient.

What can be done to make this more efficient? Wouldn’t it help if the report of any auditor could be reused for different partners?

OEMs and suppliers in the VDA working group that is responsible for maintaining the ISA listened to their suppliers’ complaints. Now they offer an answer to their suppliers as well as to all other companies in the automotive industry to the question “How to prove security?”

The answer is TISAX, short for “Trusted Information Security Assessment Exchange”.

3. The TISAX process

3.1. Overview

The TISAX process usually[2] starts with one of your partners requesting that you prove a defined level of information security management according to the requirements of the “VDA Information Security Assessment” (ISA). To comply with that request, you have to complete the 3-step TISAX process. This section gives you an overview of the steps you need to take.

The 3-step TISAX process consists of the following steps:

Figure 1. TISAX process overview
  1. Registration
    We gather information about your company and what needs to be part of the assessment.

  2. Assessment
    You go through the assessment(s), which are conducted by one of our TISAX audit providers.

  3. Exchange
    You share your assessment result with your partner.

Each step consists of sub-steps. These are outlined in the three sections below and described in detail in their respective sections further down.

Please note:

While we would certainly like to tell you how long it will take you to get your TISAX assessment result, we kindly ask for your understanding that it is not possible for us to forecast this in a reliable way. The overall duration of the TISAX process depends on too many factors. The wide variety of company sizes and assessment objectives plus the respective readiness of an information security management system make this impossible.

However, TISAX defines a maximum duration of nine months for the entire TISAX assessment process.

3.2. Registration

Your first step is the TISAX registration.

The main purpose of the TISAX registration is to gather information about your company. We use an online registration process to help you provide us this information.

It is the prerequisite for all subsequent steps. It is subject to a fee.

During the online registration process:

  • We ask you for contact details and billing information.

  • You have to accept our terms and conditions.

  • You can define the scope of your information security assessment.

For a direct start with this step, please refer to Section 4, “Registration (Step 1)”.

The online registration process is described in detail in Section 4.5, “Online registration process”. But if you want to start right away, please go to enx.com/en-US/TISAX/.

3.3. Assessment

Your second step is going through the information security assessment.

There are four sub-steps:

  1. Assessment preparation
    You have to prepare the assessment. The extent of this depends on the current maturity level of your information security management system. Your preparation has to be based on the ISA catalogue.

  2. Audit provider selection
    Once you are ready for the assessment, you have to choose one of our TISAX audit providers.

  3. Information security assessment(s)
    Your audit provider will conduct the assessment based on an assessment scope that matches your partner’s requirements. The assessment process will consist of the initial audit at a minimum.
    If your company does not pass the assessment right away, the assessment process may require additional steps.

  4. Assessment result
    Once your company passes the assessment, your audit provider will provide you with the official TISAX report. Your assessment result will also receive TISAX labels[3].

For more information about this step, please refer to Section 5, “Assessment (Step 2)”.

3.4. Exchange

Your third and last step is to share your assessment result with your partner. The content of the TISAX report is structured in levels. You can decide up to which level your partner will have access.

Your assessment result is valid for three years. Assuming you are still a supplier of your partner then, you will have to go through the three-step process again[4].

For more information about this step, please refer to Section 6, “Exchange (Step 3)”.


Now that you have a fundamental idea about what the TISAX process is, you will find instructions on how to complete each step in the following sections.

4. Registration (Step 1)

The estimated reading time for the registration section is 30-40 minutes.

4.1. Overview

The TISAX registration is your first step. It is the prerequisite for all subsequent steps.

The following sections will guide you through the registration:

  1. We start with explaining an essential new term.

  2. Then we advise you on what you should do to be prepared for the online registration process.

  3. Next, we guide you through the online registration process.

4.2. You are a TISAX participant

Let us first introduce a new term that is necessary to understand. So far, you have been the “supplier”. You are here to fulfil a requirement of your “customer”. TISAX itself however does not really differentiate between these two roles. For TISAX, everyone who registered is a “participant”. You — as well as your partner — “participate” in the exchange of information security assessment results.

Figure 2. Register to become a TISAX participant

To differentiate the two roles from the beginning, we refer to you, the supplier, as “active participant”. We refer to your partner as “passive participant”. As an “active participant” you get TISAX-assessed and you share your assessment result with other participants. The “passive participant” is the one who requested that you get TISAX-assessed. The “passive participant” receives your assessment result.

Figure 3. Passive participant and active participant

Any company can act in both roles. You might share an assessment result with your partner, while at the same time requesting your own suppliers to get TISAX-assessed.

Figure 4. TISAX participants can be active and passive at the same time

Requesting your own suppliers to get TISAX-assessed may even be especially advisable if your own suppliers are handling your partner’s confidential information as well.

4.3. Registration preparation

In this section, we give you recommendations on how to prepare for the registration. We describe the registration process itself in detail in Section 4.5, “Online registration process”.

Before you start going through our online registration process, we strongly recommend:

  • gathering information in advance

  • and taking some decisions.

4.3.1. The legal foundation

Typically, you need to sign two contracts. The first contract you enter is between you and ENX Association: The “TISAX Participation General Terms and Conditions” (TISAX Participant GTCs). The second contract is between you and one of our TISAX audit providers. For the registration, we will look at the first contract only.

The TISAX Participant GTCs govern our mutual relationship and your relationship with other TISAX participants. They define the rights and duties for all of us. Besides the usual clauses you will find in most contracts, they define the handling of the information exchanged and obtained during the TISAX process in detail. A key objective of these rules is to keep TISAX assessment results confidential. As all TISAX participants are subject to the same rules, you can expect appropriate protection of your TISAX assessment result by your partner (in his role as passive participant).

Quite early in the online registration process, we will ask you to accept the TISAX Participant GTCs. As this is a real contract, we recommend reading the TISAX Participant GTCs before starting the online registration process. One reason is that depending on your role in your company, you may need to obtain a clearance from an in-house or external lawyer.

You can download the “TISAX Participation General Terms and Conditions”[5] on our website at:
enx.com/en-US/TISAX/downloads/

During the online registration process, we will ask you to check two mandatory checkboxes:

  • We accept the TISAX Participation General Terms and Conditions

  • We confirm knowledge of Applicant’s release of Audit Providers’ professional duties of secrecy acc. to Sec. IX.5. and X.3 of the TISAX Participation General Terms and Conditions;

We have the second checkbox because some of our TISAX audit providers are certified public accountants. They have special requirements regarding professional secrecy. You may want to pay special attention to those clauses before checking the box.

If you usually require a non-disclosure agreement (NDA) between you and anyone who handles confidential information, please examine the respective sections of our GTCs. They should address all your concerns.

Concluding the legal section, we ask for your understanding that the system depends on everyone accepting the same rules. We therefore can’t accept any additional general terms and conditions[6].

4.3.2. The TISAX assessment scope

In the second step of the TISAX process, one of our TISAX audit providers will conduct the information security assessment. He needs to know where to start and where to stop. That’s why you need to define an “assessment scope”.

The “assessment scope” describes the scope of the information security assessment. In simple terms, every part of your company that handles your partner’s confidential information is part of the assessment scope. You can consider it a major element of the audit provider’s task description. It dictates what the audit provider needs to assess.

The assessment scope is important for two reasons:

  1. An assessment result will only fulfil your partner’s requirement if the respective assessment scope covers all parts of your company that handle partner information.

  2. A precisely defined assessment scope is an essential prerequisite for meaningful cost calculations by our TISAX audit providers.

Important note:

If your company has an ISO/IEC 27001 certification: The definition of the “TISAX assessment scope” and the scope definition required for the ISO/IEC 27001 certification are similar. The difference is that in TISAX the scope is predefined.

4.3.2.1. Scope description

The scope description defines the assessment scope. For the scope description, you have to choose one of two scope types:

  1. Standard scope

  2. Custom scope

    1. Extended scope

    2. Narrowed scope

4.3.2.2. Standard scope

The standard scope description is the basis for a TISAX assessment. Other TISAX participants only accept assessment results based on the standard scope description.

The standard scope description is predefined and you can’t change it. If you want to use a custom scope description, you can choose to either extend or narrow the scope of your assessment.

A major benefit of having a standard scope is that you don’t have to come up with your own definition.

This is the standard scope description[7]:

The standard scope comprises all processes and involved resources at the sites defined below that are subject to security requirements from partners in the automotive industry. Involved processes and resources include collection of information, storage of information and processing of information.

Examples for involved resources: Work equipment, employees, IT systems including cloud services such as infrastructure/platform/software as a service, physical sites, relevant contractors

Examples for sites: Office sites, development sites, production sites, data centres

We strongly recommend choosing the standard scope. All TISAX participants accept information security assessment results based on the standard scope.

4.3.2.3. Custom scope

The standard scope is what almost all TISAX participants choose. However, in certain and rare circumstances you may need to choose a custom scope.

Figure 5. Scope types: extended scope, standard scope, narrowed scope
  1. Extended scope

    You can extend the scope. An extended scope contains MORE than the standard scope. The audit provider will perform more checks.

    Purpose: An extended scope may be relevant if you want to use your TISAX assessment for internal purposes or outside of the automotive industry.

    TISAX labels and sharing results: An extended scope always includes the standard scope. Therefore, an extended scope will receive TISAX labels[8]. Other TISAX participants will still accept the assessment result.

    Description: While the standard scope has a predefined description, you need to write your own custom scope description if you need an extended scope.

  2. Narrowed scope

    You can narrow the scope. A narrowed scope contains LESS than the standard scope. The audit provider may shorten or skip certain checks.

    Purpose: If you have locations that belong to different assessment scopes and that use services at a particular site (such as a data centre), you may use a narrowed scope for those services. Thus, a TISAX audit provider can easily reuse the assessment result of the service’s narrowed scope.

    Example: You have many locations (possibly part of different scopes) and you have a central IT department at one of those locations. Defining a narrowed scope just for the IT department may make it easier to reuse the respective assessment result in the other scopes.

    TISAX labels and sharing results: Narrowed scopes don’t receive TISAX labels. Your assessment result is recorded in the ENX portal with the date, validity period and whether the overall assessment result is conform or non-conform. You could share such an assessment result. But sharing an assessment result without TISAX labels will look like a “failed” assessment to most recipients. Other TISAX participants generally don’t accept assessment results of narrowed scopes.

    Description: As for the extended scope, you need to write your own custom scope description if you need a narrowed scope.
    Here is an example of a narrowed scope description:
    Physical security, resources and processes of the part of the data centre that are used to fulfil services of Company X[9].

    Important note:

    An assessment with a narrowed scope won’t receive TISAX labels. We therefore generally advise against choosing a narrowed scope — mainly because other participants usually don’t accept assessment results with narrowed scopes. Please consult your partner before choosing a narrowed scope.

4.3.2.4. Scoping

Your next task after defining the scope type is to decide which locations belong to the assessment scope.

If your company is small (one location), this is an easy task. You simply add your location to the assessment scope.

If your company is large, you should consider registering more than one assessment scope.

Having a single scope that contains all your locations has advantages:

  • You have one assessment report, one assessment result, one expiration date.

  • You can benefit from reduced costs for the assessment because a TISAX audit provider only has to assess your central processes, procedures and resources once.

But a single scope may have disadvantages such as:

  • The assessment result is only available once the TISAX audit provider has assessed all locations. This fact may be relevant if you urgently need an assessment result.

  • The assessment result depends on all locations passing the assessment. If just one location fails, you won’t have a positive assessment result.[10]

4.3.2.5. Scope tailoring

The question whether to have just one scope or several scopes is one that only you can answer. But answering the questions in the following diagram may help you decide.

Figure 6. Scope tailoring decision tree
Please note:

Don’t let this decision intimidate you. You can change any scope as long as the audit provider didn’t conclude the assessment.

For example, during your assessment preparation you may find that the scope does not fit — and change it accordingly. Or your audit provider may recommend changing the scope during the earlier stages of the assessment.

Please note: Adding to the scope increases the fee and you won’t get a refund if you remove locations from the scope.

4.3.2.6. Scope locations

Now that you have decided which locations are part of your assessment scope, you can continue gathering some location-specific information.

For each location we ask for information like company name and address. We also ask for some additional information that allows our TISAX audit providers to get a better idea of your company structure. Your answers will be the basis of their effort estimations.

Please prepare yourself to provide the following details for each of your locations (the red asterisk * indicates mandatory information in the online process):

Table 1. Location-specific details

Field: Location Name *
  Options: n/a

Field: D&B D-U-N-S NUMBER
  Options: n/a

Field: Location Type *
  Options:
    Building(s) owned and used exclusively by company
    Building(s) rented by company
    Floor/office rented by company in a shared building
    Office shared with other companies
    Own Datacenter
    Shared Datacenter

Field: Passive Site Protection *
  Options: Yes / No

Field: Industry (several selections possible)
  Options:
    Information Technology
      ❏ IT Services
      ❏ Telecommunication Services
      ❏ Software Development
    Management
      ❏ Consulting
    Media
      ❏ Marketing
      ❏ Agency
      ❏ Printing Services
      ❏ Photography
      ❏ Translation Services
    Research And Development
      ❏ Vehicle Testing
      ❏ Vehicle Simulation
      ❏ Prototype Construction
      ❏ Miniature Car Models
      ❏ Development Services
      ❏ CAx Development Services
    Production
      ❏ Production Services
      ❏ Contract Manufacturing
      ❏ Shop Floor
      ❏ Logistics
    Sales And Aftersales
      ❏ Import, NSC
      ❏ Dealership
      ❏ Financial Services
      ❏ Insurance
      ❏ Claims Settlement
    Other Industry (please enter)

Field: Employees at Location: Overall *
  Options: 0 / 1-10 / 11-100 / 101-1,000 / 1,001-5,000 / More than 5,000

Field: Employees at Location: IT *
  Options: 0 / 1-10 / 11-25 / 26-50 / More than 50

Field: Employees at Location: IT Security *
  Options: 0 / Part Time / 1-5 / 6-25 / More than 25

Field: Employees at Location: Location Security *
  Options: 0 / Part Time / 1-3 / 4-10 / More than 10

Field: Certifications for this Location
  Options: ISO 27001 / Other (please enter) / ISAE 3402 / SOC2

Please note:

Regarding the “Industry”: Select to the best of your knowledge. There is no right or wrong when selecting from the options above. If you can’t find an option that matches your type of business, just enter the appropriate option under “Other”.

For each location you have to specify a “location name”. The purpose of the location name is to make it easier to refer to the location when you assign them to an assessment scope.

We recommend assigning location names based on the following pattern:

Pattern: [Geographical reference]

Example (for the fictitious company “ACME”):

  • Frankfurt
    (for a location in the German city Frankfurt)

4.3.2.7. Scope name

For each scope, you have to specify a “scope name”. The purpose of the scope name is to make it easier to refer to the scope in every TISAX-related communication (e.g. with your TISAX audit provider).

You can specify any name you want. But you shouldn’t assign the same scope name for more than one scope.

When you later want to renew your TISAX assessment, you need to create a new scope (possibly identical to the current scope). We therefore recommend adding the year of the assessment to the scope name.

We recommend assigning scope names based on the following pattern:

Pattern: [Geographical or functional reference] [Year of the assessment]

Examples (for the fictional company “ACME”):

  • 2020
    (without geographical reference if your company has just one location)

  • Frankfurt 2020
    (for a scope with several locations in the German city of Frankfurt)

  • Lower Saxony 2020
    (for a scope with all locations in the German state of Lower Saxony)

  • Germany 2020
    (for a scope with all locations in the country of Germany)

  • EMEA 2020
    (for a scope with all locations in the EMEA region (“Europe, Middle East, Asia”))

  • Prototype development 2020
    (functional reference for a scope with all locations involved in developing prototypes)

4.3.2.8. Contacts

In order to communicate with you, we collect information about contacts at your company.

We ask for at least one contact for your company as TISAX participant in general and one for each assessment scope. You have the option to provide additional contacts.

During your registration preparations, you should decide who at your company will be a contact.

We ask for the following contact details:

Table 2. Contact details

No.  Contact detail               Mandatory?  Example
1.   Salutation                   Yes         Mrs., Mr.
2.   Academic degree                          Dr., Ph.D., other
3.   First name                   Yes         John
4.   Last name                    Yes         Doe
5.   Job title                    Yes         Head of IT
6.   Department                   Yes         Information Technology
7.   Primary phone number         Yes         +49 69 986692777
8.   Secondary phone number
9.   Email address                Yes         john.doe@acme.com
10.  Preferred language           Yes         English (default)
11.  Other languages                          German, French
12.  Personal address identifier              HPC 1234
13.  Street address               Yes         Bockenheimer Landstraße 97-99
14.  Postal code                  Yes         60325
15.  City                         Yes         Frankfurt
16.  State/Province
17.  Country                      Yes         Germany

Important

Important note:

We recommend assigning at least one alternate for each contact. If a contact is temporarily unavailable or leaves the company, someone else can manage your company’s participant data.
If you need to assign a new contact (without any other remaining valid contacts), you have to go through a complex process. Our process ensures that only persons who are legally allowed to speak for the company can approve assigning a new main contact.

4.3.2.9. Publication and sharing

The main purpose of TISAX is to publish your assessment result to other TISAX participants and to share your assessment result with your partner(s).

You can decide about the publication and sharing of your assessment result either during the registration process or at any time later.

If you are going through the TISAX process as a pre-emptive step, you can already decide to publish your assessment result to the community of TISAX participants. Otherwise, there is nothing to prepare for at this stage.

If your partner requested that you go through the TISAX process, you need to share your assessment result sooner or later. You can already share status information with your partner during the registration. Once your assessment result is available, your partner will then automatically have the permission to access it[11].

There are two things you need to share status information:

  1. Your partner’s TISAX Participant ID

    The TISAX Participant ID identifies your partner as a TISAX participant.

    Usually, your partner should provide you with their TISAX Participant ID.

    For your convenience, our registration form provides a drop-down list of Participant IDs for some companies that frequently receive shared assessment results.[12]

    But if your partner is a large OEM, sometimes departments communicate the requirement to get TISAX-assessed while not knowing their own company’s Participant ID. In such cases you can contact us. We can provide you with the Participant ID of your partner.

  2. The required sharing level

    The sharing level defines the depth to which your partner can access your assessment result.

    Either your partner requests a specific sharing level or you decide up to which level you want to grant your partner access to your assessment result.

    For more information on sharing levels, please refer to Section 6.5, “Sharing levels”.

So you may want to make sure you have this information.

Note

Please note:

  • You can always decide to publish your assessment result later.

  • You can always create a sharing permission for your partner later.

Important

Important note:

If you don’t publish your assessment result or don’t share it, no one can see your assessment result.

Important

Important note:

You can’t revoke publication or sharing.

For more information on publishing and sharing your assessment result, please refer to Section 6, “Exchange (Step 3)”.

4.3.3. Assessment objectives

You have to define your assessment objective(s) during the registration process. The assessment objective determines the applicable requirements that your information security management system (ISMS) has to fulfil. The assessment objective is entirely based on the type of data you handle on behalf of your partner.

In the following sections, we describe the assessment objectives and provide advice on how to select the right assessment objective(s).

The use of assessment objectives makes the TISAX-related communication with your partner and our TISAX audit providers easier because they refer to a defined input to the TISAX assessment process.

Note

Please note:

Some partners may request you to get TISAX-assessed with a certain “assessment level” (AL) instead of specifying an assessment objective. For more information on assessment levels, please refer to Section 4.3.3.6, “Protection needs and assessment levels” (sub-section “Additional information”).

4.3.3.1. List of assessment objectives

There are currently eight TISAX assessment objectives. You have to select at least one assessment objective. You may select more than one.

Consider your assessment objective the benchmark for your information security management system. The assessment objective is a key input for the TISAX process. All TISAX audit providers base their assessment strategy mainly on the assessment objective.

The current TISAX assessment objectives are:

Table 3. The current TISAX assessment objectives

No.  Assessment objective                                                  Abbreviation
1.   Information with high protection needs                                Info high
2.   Information with very high protection needs                           Info very high
3.   Protection of prototype parts and components                          Proto parts
4.   Protection of prototype vehicles                                      Proto vehicles
5.   Handling of test vehicles                                             Test vehicles
6.   Protection of prototypes during events and film or photo shootings    Events + Shootings
7.   Data protection                                                       Data
     (according to Article 28 (“Processor”) of the European General Data Protection Regulation (GDPR))
8.   Data protection with special categories of personal data              Special data
     (according to Article 28 (“Processor”) with special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR))

Example: If you are conducting test drives on public roads, then the assessment objective No. 7 “Handling of test vehicles” is one of your assessment objectives.

For some of the following illustrations, we will use a table representation of the eight TISAX assessment objectives. Furthermore, we will shorten the long forms for an easier visual representation.