Get through the TISAX assessment process and share the assessment result with your partner
Published by
ENX Association
an Association according to the French Law of 1901,
registered under No. w923004198 at the Sous-préfecture of Boulogne-Billancourt, France
Addresses
20 rue Barthélémy Danjou, 92100 Boulogne-Billancourt, France
Bockenheimer Landstraße 97-99, 60325 Frankfurt am Main, Germany
Author
Florian Gleich
Contact
Version
Date: |
2023-08-28 |
Version: |
2.6 |
Classification: |
Public |
ENX doc ID: |
602 |
Copyright notice
All rights reserved by ENX Association.
ENX, TISAX, and their respective logos are registered trademarks of ENX Association.
Third party trademarks mentioned are the property of their respective owners.
1. Overview
1.1. Purpose
Welcome to TISAX, the Trusted Information Security Assessment Exchange.
One of your partners requested that you prove that your information security management complies with a defined level according to the requirements of the “Information Security Assessment” (ISA). And now you want to know how to fulfil this request.
The purpose of this handbook is to enable you to fulfil your partner’s request — or to have an edge by anticipating it before a partner asks for it.
This handbook describes the steps you need to take in order to pass the TISAX assessment and for sharing your assessment result with your partner.
Establishing and maintaining an information security management system (ISMS) is already a complex task. Proving to your partner that your information security management is up to the job adds even more complexity. This handbook won’t help you manage your information security. However, it aims to make the work of proving your efforts to your partner as easy for you as possible.
1.2. Scope
This handbook applies to all TISAX processes that you may be part of.
It contains all you need to know to go through the TISAX process.
The handbook offers some advice on how to deal with the information security requirements at the core of the assessment. But it does not aim to generally educate you on what you need to do to pass the information security assessment.
1.3. Audience
The main audience of this handbook are companies that need or want to prove a defined level of information security management according to the requirements of the “Information Security Assessment” (ISA).
As soon as you are actively involved in TISAX processes, you will benefit from the information provided in this handbook.
Companies that are requesting their suppliers to prove defined levels of information security management will benefit, too. This handbook allows them to understand what their suppliers are required to do to fulfil their request.
1.4. Structure
We begin with a brief introduction of TISAX, then we immediately move on with instructions on HOW to do things. You will find all you need to go through the process — in the order you need to know it.
The estimated reading time for the document is 75-90 minutes.
1.5. How to use this document
Sooner or later, you will probably want to understand most of what is described in this document. To be properly prepared, we recommend reading the entire handbook.
We structured the handbook along the three main steps of the TISAX process, so you can go to the section you need and read the rest later.
The handbook uses illustrations to help you improve your understanding. The colours in the illustrations often have additional meaning. We therefore recommend reading the document on a computer screen or as a colour hard copy.
We appreciate your feedback. If you think something is missing in this handbook or is not easy to understand, please don’t hesitate to let us know. We and all future readers of this handbook will be thankful for your feedback.
If you have already used a prior version of the TISAX participant handbook, you may find some helpful notes at the end of the document in Section 8, “Document history”.
1.6. Contact us
We’re here to guide you through the TISAX process and to answer any questions you may have.
Send us an email at: |
|
Or call us at: |
You can reach us during regular business hours in Germany (UTC+01:00).
We all speak English and
German. One colleague is native speaker of
Italian.
Please take notice of Section 7.13, “Annex: Complaint management”.
1.7. The TISAX participant handbook in other languages and formats
The TISAX participant handbook is available in the following languages and formats:
Language | Version | Format | Link |
---|---|---|---|
|
2.6 |
Online |
https://www.enx.com/handbook/tisax-participant-handbook.html |
Offline |
https://www.enx.com/handbook/tisax-participant-handbook-offline.html |
||
https://www.enx.com/handbook/TISAX%20Participant%20Handbook.pdf |
|||
|
2.6 |
Online |
|
Offline |
https://www.enx.com/handbook/tisax-teilnehmerhandbuch-offline.html |
||
|
2.3 beta |
Online |
|
Offline |
|||
|
2.3 beta |
Online |
|
Offline |
|||
|
2.3 beta |
Online |
|
Offline |
|||
Important
|
Important note: The English version is the leading version. |
1.7.1. About the online format
Each section has a unique ID (format: ID1234).
An ID references a specific section, regardless of the language.
If you want to link to a specific section, you can:
-
right-click on the section title and copy the link, or
-
click the section title and copy the link from the address bar of your browser.
Most figures are available in a larger size than displayed here by default. Click on the figure to open the larger version.
1.7.2. About the offline format
The offline format retains most features of the online format. Most notably, the figures are embedded in the HTML file. You need only one file to use the offline format.
Compared to the online format, the offline format comes without:
-
the larger images
-
the original fonts of the online format
Your browser’s defaults define the fonts.
1.7.3. About the PDF format
The PDF format is based on the online format. We basically use a browser to save the online format as a PDF.
If you use the PDF format on your computer, you can still click all the references. But if you print the PDF version, you won’t have things like page numbers and you will have to look up the references yourself.
2. Introduction
The following sections introduce the TISAX concept.
If you are in a hurry, you can skip them and start right away at Section 4.3, “Registration preparation”.
2.1. Why TISAX?
Or rather, why are you here?
In order to answer this question, we will start with some thoughts about doing business in general and protecting information in particular.
Imagine your partner. He has confidential information. He wants to share it with his supplier — you. The cooperation between you and your partner creates value. The information your partner shares with you is an important part of this value creation. Therefore, he wants to protect it appropriately. And he wants to be sure that you are handling his information with the same due care.
But how can he be sure that his information is in good hands? He can’t just “believe” you. Your partner needs to see some proof.
Now there are two questions. Who defines what “secure” handling of information means? And next, how do you prove it?
2.2. Who defines what "secure" means?
You and your partner are not the only ones facing these questions for the first time. Almost everyone has to find answers to them and most of the answers will share similarities.
Instead of independently creating a solution for a common problem every time, a standard way of doing it removes the burden of creating everything from scratch. While defining a standard is a huge effort, it is made only once and those who follow it benefit every time.
There are surely different views of what’s the right thing to do for protecting information. But due to the aforementioned benefits, most companies settle on standards. A standard is the condensed form of all proven and time-tested best practices for a given challenge.
In your case, standards like ISO/IEC 27001 (about information security management systems, or ISMS) and their implementation establish a state-of-the-art way to securely handle confidential information. A standard like this saves you from having to reinvent the wheel every time. More importantly, standards provide a common basis when two companies need to exchange confidential data.
2.3. The automotive way
By nature, industry-independent standards are designed as one-size-fits-all solutions rather than tailored to specific needs of automotive companies.
A long time ago, the automotive industry formed associations that aimed — among other goals — to refine and define standards that suit their more specific needs. The “Verband der Automobilindustrie” (VDA) is one of them. In the working group that deals with information security, several members of the automotive industry came to the conclusion that they have similar needs to tailor existing information security management standards.
Their joint efforts led to a questionnaire that covers the automotive industry’s widely accepted information security requirements. It is called the “Information Security Assessment” (ISA).
With the ISA, we now have an answer to the question “Who defines what “secure” means?” Through the VDA, the automotive industry itself offers this answer to its members.
2.4. How to prove security efficiently?
While some companies use the ISA for internal purposes only, others use it to assess the maturity of the information security management of their suppliers. In some cases, a self-assessment is sufficient for the business relationship. However, in certain cases, companies conduct a complete assessment of their supplier’s information security management (including on-site audits).
Along with generally increasing awareness of the need for information security management and the spreading adoption of the ISA as a tool for information security assessments, more suppliers were facing similar requests from different partners.
Those partners still applied different standards and had varying opinions on how to interpret them. But the suppliers essentially had to prove the same things, just in different ways.
And the more suppliers were asked by their partners to prove their level of information security management, the louder their complaints grew in terms of repeat efforts. Showing auditor after auditor the same information security management measures is simply not efficient.
What can be done to make this more efficient? Wouldn’t it help if the report of any auditor could be reused for different partners?
OEMs and suppliers in the ENX working group that is responsible for maintaining the ISA listened to their supplier’s complaints. Now they offer an answer to their suppliers as well as to all other companies in the automotive industry to the question “How to prove security?”
The answer is TISAX, short for “Trusted Information Security Assessment Exchange”.
3. The TISAX process
3.1. Overview
The TISAX process usually[1] starts with one of your partners requesting that you prove a defined level of information security management according to the requirements of the “Information Security Assessment” (ISA). To comply with that request, you have to complete the 3-step TISAX process. This section gives you an overview of the steps you need to take.
The 3-step TISAX process consists of the following steps:
-
Registration
We gather information about your company and what needs to be part of the assessment. -
Assessment
You go through the assessment(s), which are conducted by one of our TISAX audit providers. -
Exchange
You share your assessment result with your partner.
Each step consists of sub-steps. These are outlined in the three sections below and described in detail in their respective sections further down.
Note
|
Please note: While we would certainly like to tell you how long it will take you to get your TISAX assessment result, we kindly ask for your understanding that it is not possible for us to forecast this in a reliable way. The overall duration of the TISAX process depends on too many factors. The wide variety of company sizes and assessment objectives plus the respective readiness of an information security management system make this impossible. |
3.2. Registration
Your first step is the TISAX registration.
The main purpose of the TISAX registration is to gather information about your company. We use an online registration process to help you provide us this information.
It is the prerequisite for all subsequent steps. It is subject to a fee.
During the online registration process:
-
We ask you for contact details and billing information.
-
You have to accept our terms and conditions.
-
You can define the scope of your information security assessment.
For a direct start with this step, please refer to Section 4, “Registration (Step 1)”.
The online registration process is described in detail in Section 4.5, “Online registration process”. But if you want to start right away, please go to enx.com/en-US/TISAX/.
3.3. Assessment
Your second step is going through the information security assessment.
There are four sub-steps:
-
Assessment preparation
You have to prepare the assessment. The extent of this depends on the current maturity level of your information security management system. Your preparation has to be based on the ISA catalogue. -
Audit provider selection
You have to choose one of our TISAX audit providers. -
Information security assessment(s)
Your audit provider will conduct the assessment based on an assessment scope that matches your partner’s requirements. The assessment process will consist of the initial audit at a minimum.
If your company does not pass the assessment right away, the assessment process may require additional steps. -
Assessment result
Once your company passes the assessment, your audit provider will provide you with the official TISAX assessment report. Your assessment result will also receive TISAX labels[2].
For more information about this step, please refer to Section 5, “Assessment (Step 2)”.
3.4. Exchange
Your third and last step is to share your assessment result with your partner. The content of the TISAX assessment report is structured in levels. You can decide up to which level your partner will have access.
Your assessment result is valid for three years. Assuming you are still a supplier of your partner then, you will have to go through the three-step process again[3].
For more information about this step, please refer to Section 6, “Exchange (Step 3)”.
Now that you have a fundamental idea about what the TISAX process is, you will find instructions on how to complete each step in the following sections.
4. Registration (Step 1)
The estimated reading time for the registration section is 30-40 minutes.
4.1. Overview
The TISAX registration is your first step. It is the prerequisite for all subsequent steps.
The following sections will guide you through the registration:
-
We start with explaining an essential new term.
-
Then we advise you on what you should do to be prepared for the online registration process.
-
Next, we guide you through the online registration process.
4.2. You are a TISAX participant
Let us first introduce a new term that is necessary to understand. So far, you have been the “supplier”. You are here to fulfil a requirement of your “customer”. TISAX itself however does not really differentiate between these two roles. For TISAX, everyone who registered is a “participant”. You — as well as your partner — “participate” in the exchange of information security assessment results.
To differentiate the two roles from the beginning, we refer to you, the supplier, as “active participant”. We refer to your partner as “passive participant”. As an “active participant” you get TISAX-assessed and you share your assessment result with other participants. The “passive participant” is the one who requested that you get TISAX-assessed. The “passive participant” receives your assessment result.
Any company can act in both roles. You might share an assessment result with your partner, while at the same time requesting your own suppliers to get TISAX-assessed.
Requesting your own suppliers to get TISAX-assessed may even be especially advisable if your own suppliers are handling your partner’s information with protection needs as well.
4.3. Registration preparation
In this section, we give you recommendations on how to prepare for the registration. We describe the registration process itself in detail in Section 4.5, “Online registration process”.
Before you start going through our online registration process, we strongly recommend:
-
gathering information in advance
-
and taking some decisions.
4.3.1. The legal foundation
Typically, you need to sign two contracts. The first contract you enter is between you and ENX Association: The “TISAX Participation General Terms and Conditions” (TISAX Participant GTCs). The second contract is between you and one of our TISAX audit providers. For the registration, we will look at the first contract only.
The TISAX Participant GTCs govern our mutual relationship and your relationship with other TISAX participants. They define the rights and duties for all of us. Besides the usual clauses you will find in most contracts, they define the handling of the information exchanged and obtained during the TISAX process in detail. A key objective of these rules is to keep TISAX assessment results confidential. As all TISAX participants are subject to the same rules, you can expect appropriate protection of your TISAX assessment result by your partner (in his role as passive participant).
Quite early in the online registration process, we will ask you to accept the TISAX Participant GTCs. As this is a real contract, we recommend reading the TISAX Participant GTCs before starting the online registration process. One reason is that depending on your role in your company, you may need to obtain a clearance from an in-house or external lawyer.
You can download the “TISAX Participation General Terms and Conditions”[4] on our website at:
enx.com/en-US/TISAX/downloads/
Direct PDF download:
enx.com/tisaxgtcen.pdf
enx.com/tisaxgtcde.pdf
During the online registration process, we will ask you to check two mandatory checkboxes:
-
❏ We accept the TISAX Participation General Terms and Conditions
-
❏ We confirm knowledge of Applicant’s release of Audit Providers’ professional duties of secrecy acc. to Sec. IX.5. and X.3 of the TISAX Participation General Terms and Conditions;
We have the second checkbox because some of our TISAX audit providers are certified public accountants. They have special requirements regarding professional secrecy. Usually, the special requirements regarding professional secrecy prohibit the certified public accountants among our audit providers from sharing information with us. Particularly, this would cancel the control options we need for our governance role. Therefore, we need this release. You may want to pay special attention to those clauses before checking the box.
If you usually require a non-disclosure agreement (NDA) between you and anyone who handles confidential information, please examine the respective sections of our GTCs. They should address all your concerns. Moreover, you usually don’t have to provide us any confidential information at all.
Concluding the legal section, we ask for your understanding that the system depends on everyone accepting the same rules. We therefore can’t accept any additional general terms and conditions[5].
4.3.2. The TISAX assessment scope
In the second step of the TISAX process, one of our TISAX audit providers will conduct the information security assessment. He needs to know where to start and where to stop. That’s why you need to define an “assessment scope”.
The “assessment scope” describes the scope of the information security assessment. In simple terms, every part of your company that handles your partner’s confidential information is part of the assessment scope. You can consider it a major element of the audit provider’s task description. It dictates what the audit provider needs to assess.
The assessment scope is important for two reasons:
-
An assessment result will only fulfil your partner’s requirement if the respective assessment scope covers all parts of your company that handle partner information.
-
A precisely defined assessment scope is an essential prerequisite for meaningful cost calculations by our TISAX audit providers.
Important
|
Important note: ISO/IEC 27001 vs. TISAX First, we have to differentiate two types of scopes: For the ISO/IEC 27001 certification, you define the scope of your ISMS (in the “scope statement”). You are completely free to define the scope of your ISMS. However, the scope of the assessment (also known as “audit scope”) must be identical with the scope of your ISMS. For TISAX, you also have to define your ISMS. But the scope of the assessment can be different. For the ISO/IEC 27001 certification, you can freely shape the scope of the assessment through the way you define the scope of your ISMS. In contrast, for TISAX, the scope of the assessment is predefined. The scope of the assessment can be smaller than the scope of your ISMS. But it must be within the scope of your ISMS. |
4.3.2.1. Scope description
The scope description defines the assessment scope. For the scope description, you have to choose one of two scope types:
-
Standard scope
-
Custom scope
-
Custom extended scope
-
Full custom scope
-
We discuss the standard scope in the following section. The standard scope is the right choice for well over 99% of all participants. Therefore, we only discuss the custom scopes in Section 7.8, “Annex: Custom scopes”.
4.3.2.2. Standard scope
The standard scope description is the basis for a TISAX assessment. Other TISAX participants only accept assessment results based on the standard scope description.
The standard scope description is predefined and you can’t change it.
A major benefit of having a standard scope is that you don’t have to come up with your own definition.
This is the standard scope description (version 2.0):
The TISAX scope defines the scope of the assessment. The assessment includes all processes, procedures and resources under responsibility of the assessed organization that are relevant to the security of the protection objects and their protection goals as defined in the listed assessment objectives at the listed locations. The assessment is conducted at least in the highest assessment level listed in any of the listed assessment objectives. All assessment criteria listed in the listed assessment objectives are subject to the assessment.
We strongly recommend choosing the standard scope. All TISAX participants accept information security assessment results based on the standard scope.
4.3.2.3. Scoping
Your next task after defining the scope type is to decide which locations belong to the assessment scope.
If your company is small (one location), this is an easy task. You simply add your location to the assessment scope.
If your company is large, you can consider registering more than one assessment scope.
Having a single scope that contains all your locations has advantages:
-
You have one assessment report, one assessment result, one expiration date.
-
You can benefit from reduced costs for the assessment because a TISAX audit provider only has to assess your central processes, procedures and resources once.
But a single scope may have disadvantages such as:
-
All locations must have the same assessment objectives.
-
The assessment result is only available once the TISAX audit provider has assessed all locations. This fact may be relevant if you urgently need an assessment result.
-
The assessment result depends on all locations passing the assessment. If just one location fails, you won’t have a positive assessment result. A workaround for this is to: a) remove the location from the scope, b) solve the issues, c) add the location afterwards with a scope extension assessment.
4.3.2.4. Scope tailoring
The question whether to have just one scope or several scopes is one that only you can answer. But answering the questions in the following diagram may help you decide.
Note
|
Please note: Don’t let this decision intimidate you. You can change any scope as long as the audit provider didn’t conclude the assessment. For example, during your assessment preparation you may find that the scope does not fit — and change it accordingly. Or your audit provider may recommend changing the scope during the earlier stages of the assessment. Additional notes:
|
4.3.2.5. Scope locations
Now that you have decided which locations are part of your assessment scope, you can continue gathering some location-specific information.
For each location we ask for information like company name and address. We also ask for some additional information that allows our TISAX audit providers to get a better idea of your company structure. Your answers will be the basis of their effort estimations.
Please prepare yourself to provide the following details for each of your locations (the red asterisk * indicates mandatory information in the online process):
Field | Options |
---|---|
Location Name * |
n/a |
n/a |
|
Location Type * |
Building(s) owned and used exclusively by company |
Passive Site Protection * |
Yes |
Industry |
Information Technology
Management
Media
Research And Development
Production
Sales And Aftersales
Other Industry |
Employees at Location: Overall * |
0 |
Employees at Location: IT * |
0 |
Employees at Location: IT Security * |
0 |
Employees at Location: Location Security * |
0 |
Certifications for this Location |
ISO 27001 |
Note
|
Please note: Regarding the “Industry”: Select to the best of your knowledge. There is no right or wrong when selecting from the options above. If you can’t find an option that matches your type of business, just enter the appropriate option under “Other”. |
For each location you have to specify a “location name”. The purpose of the location name is to make it easier to refer to the location when you assign them to an assessment scope.
We recommend assigning location names based on the following pattern:
Pattern: |
[Geographical reference] |
Example: |
for the fictitious company “ACME”
|
4.3.2.6. Scope name
For each scope, you have to specify a “scope name”. The main purpose of the scope name is to make it easy for you to identify a scope in the overview list of scopes in the ENX portal. You should assign a name that is helpful to the reader and your colleagues. For external communication, you should use the Scope ID.
You can specify any name you want. But you shouldn’t assign the same scope name for more than one scope.
When you later want to renew your TISAX assessment, you need to create a new scope (possibly identical to the current scope). We therefore recommend adding the year of the assessment to the scope name.
We recommend assigning scope names based on the following pattern:
Pattern: |
[Geographical or functional reference] [Year of the assessment] |
Examples: |
for the fictional company “ACME”
|
4.3.2.7. Contacts
In order to communicate with you, we collect information about contacts at your company.
We ask for at least one contact for your company as TISAX participant in general and one for each assessment scope. You have the option to provide additional contacts.
During your registration preparations, you should decide who at your company will be a contact.
We ask for the following contact details:
Contact detail | Mandatory? | Example | |
---|---|---|---|
1. |
Salutation |
Yes |
Mrs., Mr. |
2. |
Academic degree |
Dr., Ph.D., other |
|
3. |
First name |
Yes |
John |
4. |
Last name |
Yes |
Doe |
5. |
Job title |
Yes |
Head of IT |
6. |
Department |
Yes |
Information Technology |
7. |
Primary phone number |
Yes |
+49 69 986692777 |
8. |
Secondary phone number |
||
9. |
Email address |
Yes |
|
10. |
Preferred language |
Yes |
English (default) |
11. |
Other languages |
German, French |
|
12. |
Personal address identifier |
HPC 1234 |
|
13. |
Street address |
Yes |
Bockenheimer Landstraße 97-99 |
14. |
Postal code |
Yes |
60325 |
15. |
City |
Yes |
Frankfurt |
16. |
State/Province |
||
17. |
Country |
Yes |
Germany |
Important
|
Important note: |
4.3.2.8. Publication and sharing
The main purpose of TISAX is to publish your assessment result to other TISAX participants and to share your assessment result with your partner(s).
You can decide about the publication and sharing of your assessment result either during the registration process or at any time later.
If you are going through the TISAX process as a pre-emptive step, you can already decide to publish your assessment result to the community of TISAX participants. Otherwise, there is nothing to prepare for at this stage.
If your partner requested that you to go through the TISAX process, you need to share your assessment result sooner or later. You can already share status information with your partner during the registration. Once your assessment result is available, your partner will then automatically have the permission to access it[6].
There are two things you need to share status information:
-
Your partner’s TISAX Participant ID
The TISAX Participant ID identifies your partner as a TISAX participant.
Usually, your partner should provide you his TISAX Participant ID.
For your convenience, our registration form provides a drop-down list of Participant IDs for some companies that frequently receive shared assessment results.[7]
-
The required sharing level
The sharing level defines the depth to which your partner can access your assessment result.
Either your partner requests a specific sharing level or you decide up to which level you want to grant your partner access to your assessment result.
For more information on sharing levels, please refer to Section 6.5, “Sharing levels”.
So you may want to make sure you have this information.
Note
|
Please note:
|
Important
|
Important note: If you don’t publish your assessment result or don’t share it, no one can see your assessment result. |
Important
|
Important note: You can’t revoke publication or sharing. For details, please refer to Section 6.4, “Permanence of exchanged results”. |
Note
|
Please note: It may sound odd, but you can in fact share your “assessment result” even if haven’t started the assessment process yet. At this early stage, you are just sharing the “assessment status”. The participant with whom you share your “assessment result” will see where you are in the assessment process. Some TISAX participants have to issue a special release if you have to show TISAX labels, but haven’t finished the assessment process yet. In such a case, your partner may need to see your “assessment status” in his account for the ENX portal. For more information on the assessment status, please refer to Section 7.6, “Annex: Assessment status”. |
For more information on publishing and sharing your assessment result, please refer to Section 6, “Exchange (Step 3)”.
4.3.3. Assessment objectives
You have to define your assessment objective(s) during the registration process. The assessment objective determines the applicable requirements that your information security management system (ISMS) has to fulfil. The assessment objective is entirely based on the type of data you handle on behalf of your partner.
In the following sections, we describe the assessment objectives and provide advice on how to select the right assessment objective(s).
The use of assessment objectives makes the TISAX-related communication with your partner and our TISAX audit providers easier because they refer to a defined input to the TISAX assessment process.
Note
|
Please note: Some partners may request you to get TISAX-assessed with a certain “assessment level” (AL) instead of specifying an assessment objective. For more information on assessment levels, please refer to Section 4.3.3.5, “Protection needs and assessment levels” (sub-section “Additional information”). |
4.3.3.1. List of assessment objectives
There are currently ten TISAX assessment objectives. You have to select at least one assessment objective. You may select more than one.
Consider your assessment objective the benchmark for your information security management system. The assessment objective is a key input for the TISAX process. All TISAX audit providers base their assessment strategy mainly on the assessment objective.
The current TISAX assessment objectives are:
No. | Name | Description |
---|---|---|
1. |
Info high |
Handling of information with high protection needs |
2. |
Info very high |
Handling of information with very high protection needs |
3. |
High availability |
Handling of information with high protection needs in the context of availability (high availability of information) |
4. |
Very high availability |
Handling of information with very high protection needs in the context of availability (very high availability of information) |
5. |
Proto parts |
Protection of Prototype Parts and Components |
6. |
Proto vehicles |
Protection of Prototype Vehicles |
7. |
Test vehicles |
Handling of Test Vehicles |
8. |
Proto events |
Protection of Prototypes during Events and Film or Photo Shoots |
9. |
Data |
Data protection according to Article 28 (“Processor”) of the European General Data Protection Regulation (GDPR) |
10. |
Special data |
Data protection with special categories of personal data According to Article 28 (“Processor”) with special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR) |
Example: If you are conducting test drives on public roads, then the assessment objective No. 7 “Test vehicles” is one of your assessment objectives.
Important
|
Important note: Within TISAX, the “assessment objective” is generally the process input. However, some partners may request you to get TISAX-assessed with a certain “assessment level” (AL). For more information on the relationship between protection needs and assessment levels, please refer to Section 4.3.3.5, “Protection needs and assessment levels”. |
4.3.3.2. Assessment objectives and ISA
The ISA contains three criteria catalogues (information security, prototype protection, data protection). Each criteria catalogue is composed of so-called “control questions” and associated requirements.
Each assessment objective defines:
-
the applicable ISA criteria catalogue(s)
-
the control questions you have to answer
-
the requirements you have to fulfil
For some assessment objectives only a subset of the control questions and requirements are applicable.
For further background information on the TISAX assessment objectives and the applicable control questions and requirements, please refer to Section 5.2.2, “Understand the ISA document”.
4.3.3.3. Assessment objectives and TISAX labels
Your partner may speak of “TISAX labels”. “Assessment objectives” and “TISAX labels” are almost the same. The difference is that you start into the assessment process with the “assessment objectives” and if you pass the assessment you receive the corresponding “TISAX labels”.
Example: Your partner requires you to get the TISAX label “Info high”. Then you select “Info high” as your assessment objective.
The figure below shows you the input and output of the TISAX process:
For more information on TISAX labels, please refer to Section 5.4.14, “TISAX labels”.
4.3.3.4. Assessment objective selection
Ideally, your partner tells you precisely which assessment objectives you have to achieve.
You have to select the assessment objective based on your own judgement if:
-
you want to get TISAX-assessed before a partner asks for it, or
-
your partner does not tell you which assessment objective to achieve.
Important
|
Important note: At this point, we strongly recommend considering your other partners. Are there existing partners that have the same or higher requirements? Do you expect future partners to have higher requirements? You may want to consider selecting assessment objectives with higher protection needs. Doing so prevents issues when other partners have higher requirements. |
If you have to select the assessment objective based on your own judgement, you may find it helpful to consider the following aspects:
No. | Assessment objective | Information |
---|---|---|
1. |
Info high |
You may derive the protection needs (high, very high) from the document classification of your partner. |
2. |
Info very high |
|
3. |
High availability |
For all companies whose customers' ability to produce or deliver depends on the availability of the companies' products or services, and where a failure would cause considerable damage to customers within a short period of time. |
4. |
Very high availability |
For all companies whose customers' ability to produce and deliver depends on the short-term availability of the companies' products and services, and where a failure would cause significantly high damage to customers within a very short period of time. |
5. |
Proto parts |
For all companies that manufacture, store or use customer-provided components or parts classified as requiring protection at their own locations. |
6. |
Proto vehicles |
For all companies that manufacture, store or use customer-provided vehicles classified as requiring protection at their own locations. |
7. |
Test vehicles |
For all companies that conduct tests and test drives (e.g. test drives on public roads or test tracks) with customer-provided vehicles classified as requiring protection. |
8. |
Proto events |
For all companies that conduct presentations or events (e.g. market research, events, marketing events) and film and photo shootings with customer-provided vehicles, components or parts classified as requiring protection. |
9. |
Data |
If you handle personal data as a processor according to Article 28 of the GDPR, you probably have to select “Data”. |
10. |
Special data |
If you handle special categories of personal data (like health or religion) as a processor according to Article 28 of the GDPR, then you probably have to select “Special data”. |
Further explanations:
-
If you have precise requirements from your partner, you usually don’t need to discuss your assessment objectives with your partner. However, if you don’t have precise requirements from your partner, we strongly recommend consulting your partner before initiating the assessment process.
-
The ISA describes the implementation difference between “high” and “very high” protection needs (if there is any) for each requirement.
For more information on this, please refer to Figure 11, “Screenshot: Main elements of the questions in the ISA criteria catalogue “Information Security””.
4.3.3.5. Protection needs and assessment levels
Your partner has various types of information, of which some may deserve a higher level of protection than others. The ISA accommodates this by differentiating three “protection needs”: normal, high and very high. Your partner classifies his information and usually assigns protection needs.
The higher the protection needs, the more your partner is interested in making sure that it is safe to let you handle their information. Therefore, TISAX differentiates three “assessment levels” (AL). The assessment level defines which assessment method the audit provider has to apply. A higher assessment level increases the effort that goes into the assessment. This results in greater care and accuracy in the assessment.
The table below shows you the assessment levels that apply to the TISAX assessment objectives:
No. | TISAX assessment objective | Assessment level (AL) |
---|---|---|
1. |
Info high |
AL 2 |
2. |
Info very high |
AL 3 |
3. |
High availability |
AL 2 |
4. |
Very high availability |
AL 3 |
5. |
Proto parts |
AL 3 |
6. |
Proto vehicles |
AL 3 |
7. |
Test vehicles |
AL 3 |
8. |
Proto events |
AL 3 |
9. |
Data |
AL 2 |
10. |
Special data |
AL 3 |
Assessment level 1 (AL 1):
Assessments in assessment level 1 are mainly for internal purposes in the true sense of a self-assessment.
For an assessment in assessment level 1, an auditor checks for the existence of a completed self-assessment. He does not assess the content of the self-assessment. He does not require further evidence.
Results of assessments in assessment level 1 have a low trust level and are thus not used in TISAX. But it is of course possible that your partner may request such a self-assessment outside of TISAX.
Assessment level 2 (AL 2):
For an assessment in assessment level 2, the audit provider does a plausibility check on your self-assessment (for all locations within the assessment scope). He supports this by checking evidence[8] and conducting an interview with the person in charge information security.
The audit provider does the interview generally via web conference. At your request, he can conduct the interview in person.
If you have evidence you don’t want to send to the audit provider, you can request an on-site inspection. In this way, the audit provider can still check your “for your eyes only” evidence.
Note
|
Please note: There is an alternate method to conduct an assessment in assessment level 2. Instead of the plausibility check, the audit provider conducts a full remote assessment. This method is sometimes referred to as “assessment level 2.5”. Compared to an assessment in assessment level 2, the auditor verifies whether your ISMS fulfils the applicable requirements. Yet in contrast to an assessment in assessment level 3, the auditor does not conduct the on-site activities outlined in the section about assessment level 3 below. Formally, such an assessment will be evaluated as an assessment in AL 2. The advantage of AL 2.5 is that the approach is methodically compatible with AL 3. It is therefore possible to upgrade to a fully-fledged assessment in AL 3 with a manageable effort at a later point in time. For the upgrade, the auditor only has to conduct the on-site activities outlined in the section about AL 3 below. We recommend assessments in assessment level 2.5 in these cases:
For more information on upgrading the assessment level, please refer to Section 7.10, “Annex: Scope extension assessment”. This alternative is optional and not required to fulfil the AL 2 requirements. The difference between AL 2 and AL 2,5 won’t be visible for partners with whom you share your assessment result. |
Assessment level 3 (AL 3):
For an assessment in assessment level 3, the audit provider does a comprehensive verification of your company’s compliance with the applicable requirements. The auditor uses your self-assessment and submitted documentation to prepare the assessment. But in contrast to assessment level 2, the auditor will verify everything. He will:
-
examine documents and evidence
-
conduct planned interviews with process owners.
-
observe local conditions
-
observe the execution of processes
-
conduct unplanned interviews with process participants
Note
|
Please note: The following text refers to several concepts that will be explained only later in this document. With AL 3, the audit provider must come to your location(s). If, for some reason, this is temporarily not possible at all or would require unreasonable efforts, your audit provider can use the video-supported remote assessment method to conduct the on-site activities of the assessment. Your audit provider has to record this in the TISAX assessment report as a minor non-conformity. As soon as your audit provider can come to your location(s), he must conduct a follow-up assessment that includes all previously impossible on-site activities. Furthermore, you have to schedule the follow-up assessment even if you haven’t yet completed the other corrective actions. Compared to waiting for your audit provider’s availability for on-site activities, this approach allows you to already share temporary TISAX labels with your partner. |
Assessment levels and assessment methods
The following table provides a simplified overview of the audit methods associated with each assessment level:
Assessment method | Assessment level 1 (AL 1) |
Assessment level 2 (AL 2) |
Assessment level 3 (AL 3) |
---|---|---|---|
Self-assessment |
Yes |
Yes |
Yes |
Evidence |
No |
Plausibility check |
Thorough verification |
Interviews |
No |
Via web conference[9] |
In person, on site |
On-site inspection |
No |
At your request |
Yes |
Additional information:
-
Difference between AL 2 and AL 3
Methodologically, the two approaches differ significantly. For assessments in assessment level 2, the auditor won’t verify anything. He will only check the plausibility. Therefore, the audit provider can’t use the results of an assessment in assessment level 2 as a basis for an upgrade to assessment level 3. The efforts for an upgrade to assessment level 3 are essentially the same as for a new initial assessment. -
Plausibility check vs. verification
Oversimplified, a plausibility check is checking for whether something exists and looks right. In contrast, a verification means really checking that something is what it claims to be. -
Information classification and protection needs
The mapping of information classification (such as confidential or secret) to protection needs can be different for various partners. Therefore, as much as we would like to, we can’t provide you a simple table where the information classification of your partner exactly maps to a protection need. -
Just knowing an assessment level is not enough
Some partners may request you to get TISAX-assessed with a certain assessment level. Please understand that just knowing the assessment level is not sufficient to start the TISAX process. An assessment level only makes sense in combination with an ISA criteria catalogue and a corresponding protection need. Usually, partners request you to achieve a TISAX label (criteria catalogue plus protection need). However, as protection needs map 1:1 to assessment levels, it is sufficient if you know the criteria catalogue(s) plus the assessment level. -
Assessment level hierarchy
Higher assessment levels always include lower assessment levels. For example, if your assessment is based on assessment level 3, it will automatically fulfil all requests for assessment level 2. -
Our recommendation regarding assessment levels
If you have to select an assessment objective (and thus implicitly a corresponding assessment level) based on your own judgement, we recommend selecting assessment objectives that imply an assessment level 3. The efforts for TISAX assessments in assessment level 3 are not generally higher than those in assessment level 2.
Suppliers that have several partners often select assessment objectives that imply an assessment level 3. In this way, they are prepared for all future requests and don’t have to bother with different assessment levels. -
Further commercial considerations
Regarding assessment levels, the total cost of a TISAX assessment consists of the sum of your internal efforts and the cost of the assessment. While the cost of an assessment in assessment level 2 is lower, your internal efforts may be higher. This is due to the fact that an assessment in assessment level 2 usually requires a more comprehensive self-assessment and a better internal documentation. For assessments in assessment level 3, demonstrating how you do things and showing a basic documentation is often sufficient evidence for the auditor. But without an on-site inspection, the auditor will request precise documentation. Therefore, choosing assessment level 3 over assessment level 2 is not uncommon. But it is a choice made by smaller rather than larger companies.
4.3.3.6. Assessment objectives and your own suppliers
TISAX does not necessarily require you to subject all of your own suppliers to the same requirements. If your assessment objective is “Information security with very high protection needs”, this does NOT automatically mean that your own suppliers have to achieve the same assessment objective. It does not even mean they need to have TISAX labels at all.
But you still have to check for all of your suppliers whether using their services increases risks or introduces new risks.
Two very simplified examples:
-
You have a policy that regular email can’t be used for data with very high protection needs. Therefore, your email provider does not need to achieve the TISAX label with very high protection needs.
You could come to a similar conclusion if you send only encrypted emails and the email provider can’t see any of the data with very high protection needs. -
You dispose of printed data with very high protection needs in the shredder. In such a case, of course, the waste disposal service provider does not have to meet the same requirements as you.
However, the risk assessment may show that your supplier also has to meet the requirements for very high protection needs. In this case, TISAX labels are an option to prove this to you accordingly.
4.3.4. Fee
We raise a fee. Our price list informs you about applicable fees, possible discounts and our payment terms.
You can download the price list on our website at:
enx.com/en-US/TISAX/downloads/
Direct PDF download:
enx.com/pricelist.pdf
There are some invoice-related aspects you should consider during your registration preparations:
-
Invoice address selection
By default, we will send the invoice to the address you provided as your participant location. But you have the option of providing a different address for receiving the invoice.ImportantImportant note:
Please make sure that the invoice address is correct. Accounting laws require that the address on our invoice exactly matches your company’s (invoice) address. For compliance reasons, we can’t change an invoice address once we issued the invoice.
-
Order reference
If you need to see a specific purchase order number or something similar on our invoice, then you have the option to provide us an order reference. -
VAT number
All our charges are subject to German value added tax (VAT) if applicable.
We need this number for processing payments from the EU. It is mandatory to provide a VAT number, if your invoice address is in one of the following countries:
Austria, Belgium, Bulgaria, Croatia, Cyprus (Greek part), Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, United Kingdom -
Supplier management
ImportantImportant note:
Please understand that due to the mutuality between all TISAX participants, we can’t accept any additional terms (such as general purchasing terms, codes of conduct).
Additional information about our invoicing process:
-
We can’t accept individual purchasing terms.
-
We accept:
-
money transfers into the bank account specified on the invoice
-
credit card payments (during the registration process via our payment service provider “Stripe”)
-
-
Our invoice will contain the following references to your registration:
-
The name and email address of your main participant contact
-
The assessment scope name
You can find an example invoice in the appendix in Section 7.1, “Annex: Example invoice”.
-
-
We provide most facts you would typically require for processing our invoice directly on it. These and even more facts are available in our document “Information for Members and Business Partners”. Send us an email and we send you a current version.
Note
|
Please note: We are aware that sometimes a company’s internal payment approval process is rather lengthy. Therefore, your immediate next step in the TISAX process does not depend on us receiving the payment. But please be aware that you can’t share your assessment result if we haven’t received your payment. |
Important
|
Important note: We — ENX Association — invoice the fee. It is only a part of the total cost of a TISAX assessment. Your TISAX audit provider invoices the costs for the assessment(s). For more information on audit provider-related costs, you may want to refer to Section 5.3.4, “Evaluating offers”. |
Important
|
Important note: The fee is due regardless whether you:
Therefore, the invoice may arrive before you’ve started the initial assessment. |
4.4. ENX portal
The next section will describe the online registration process where you enter all the data you gathered as advised in the previous section. Before you start the online registration process, please let us briefly explain the purpose and benefits of the ENX portal.
The ENX portal allows us to maintain a database of all TISAX participants and it plays an important role throughout the entire TISAX process. During the TISAX registration you enter your data which the TISAX audit providers can then use (if you agree) to calculate their offers and to plan the assessment procedures. Once you go through the TISAX assessment process, you will use the exchange platform on the ENX portal to share your assessment result with your partner.
The portal’s name is “ENX portal” instead of “TISAX portal”, because we also use the portal to manage other business activities (like the ENX network).
4.5. Online registration process
If you prepared according to our advice above (Section 4.3, “Registration preparation”), you are ready to start the online registration process.
4.5.1. Time required
How long it will take you depends heavily on the number of scopes and locations you register. For your first registration as a participant with one scope with one location, you should expect a minimum time of 20 minutes.
We recommend completing the registration in a single session, because currently you can’t easily catch up some steps later. Should you still need to pause, we will contact you to request any missing data.
4.5.2. Start here
Please start your registration on our website at:
enx.com/en-us/Account/Login/Register?returnUrl=%2FTISAX%2Ftisax-initial-registration%2F
Basically, all you need to do is follow the on-screen instructions. Nevertheless, we briefly describe the process below.
4.5.3. Portal account
Your first step is to create an account for yourself in the ENX portal. You need the portal account to be able to manage your company’s “participant data”.
Note
|
Please note: Should the ENX portal claim that your email address is already in use, please contact us. This message may indicate that for some reason you are already stored in our system. |
Note
|
Please note: As described, portal accounts are not necessarily “participant contacts” or “scope contacts” (see below) with an active role in the assessment process. Vice versa, a “participant contact” or “scope contact” doesn’t automatically include the same rights to manage the participant data as with a portal account. This means, colleagues named as “participant contact” or “scope contact” can’t automatically access the participant data in the ENX portal. If you want to assign the right to manage the participant data to a contact who you already created in the ENX portal (regardless whether you assigned him a role), you need to invite the contact. For more information, please refer to last note in Section 4.5.5, “Participant contact”. |
4.5.4. Participant registration
Your second step is to register your company as a TISAX participant. The “TISAX participant” is the company that exchanges assessment results with other participants.
4.5.5. Participant contact
This is the person that is generally responsible for all information security assessment topics of your company. This can be either you or someone else in your company.
The main participant contact is usually all we need. Should you prefer to have all communication sent by us and our TISAX audit providers in the context of this registration also to other persons as well, please add additional participant contacts.
Important
|
Important note: |
Note
|
Please note: You can always add or remove contacts at a later point in time (even after completing the online registration process and even once you completed assessments). |
Note
|
Please note: You can’t use group email addresses for participant contacts (like “info@acme.com” or “IT@acme.com”). This is in line with the ISA requirements regarding user logins. |
Note
|
Please note: You can choose if each contact should have access to your company’s participant data. Either:
To create a new contact: Sign in > MY TISAX > ADMINISTRATORS > Create new TISAX Administrator To invite a contact: Sign in > MY TISAX > ADMINISTRATORS > Go to the end of the table row of the contact and click the button with the down arrow > Edit TISAX Administrator > Go to the section “ENX PORTAL ACCESS” > Set “INVITE THIS CONTACT" to “Yes” > Click “Save Contact” |
4.5.6. General Terms and Conditions
Your third step is to accept the “TISAX Participation General Terms and Conditions”.
You may want to refer back to the explanatory notes in Section 4.3.1, “The legal foundation”.
4.5.7. Assessment scope registration
Your fourth step is to register the assessment scope of your information security assessment.
We ask you to:
-
assign an assessment scope name.
The main purpose of the scope name is to make it easy for you to identify a scope in the overview list of scopes in the ENX portal.
You may want to refer back to the explanatory notes in Section 4.3.2.6, “Scope name” -
choose an assessment scope type.
(Standard, Custom)
You may want to refer back to the explanatory notes in Section 4.3.2, “The TISAX assessment scope”. -
specify the main scope contact.
This is the person who is generally responsible for the assessment of a particular scope. This can be either you or someone else in your company.
The main scope contact is usually all we need. Should you prefer to have all communication sent by us in the context of this particular scope also to other persons, you can add additional participant contacts. -
select your assessment objective(s).
You may want to refer back to the explanatory notes in Section 4.3.3, “Assessment objectives”. -
add assessment scope location(s).
We request that you specify all locations that are part of the assessment scope.
You may want to refer back to the explanatory notes in Section 4.3.2, “The TISAX assessment scope”.NotePlease note:
Once you created a new location, you can’t edit it. For minor changes (change of company name, typos in street name, postal code, city, etc.), please contact us. We will do the editing for you.
ImportantImportant note:
This note is only relevant if you are renewing your TISAX labels.
Please reuse the existing location records that you created and used during the registration of your previous scope. Don’t create a new location record with the same address.
The reason for this: Some TISAX participants process the assessment results of their partners automatically. They synchronise their own system with the ENX portal. Even tiny differences may block the successful synchronisation. Besides that, you don’t clutter your participant data with unnecessary duplicates. -
select publication and sharing levels (optional).
You can already decide to publish your assessment result to other TISAX participants and to share your assessment result with your partner(s). Typically, you would be allowing us to at least show that your company is a participant and that you successfully passed the TISAX process.
You can safely skip this step during your initial registration. You can always define access to your assessment result later.
You may want to refer back to the explanatory notes in Section 4.3.2.8, “Publication and sharing”.ImportantImportant note:
You can’t revoke any publication or sharing permissions.
For details, please refer to Section 6.4, “Permanence of exchanged results”. -
specify who receives the invoice.
We request that you specify who will receive our invoice(s).
You may want to refer back to the explanatory notes in Section 4.3.4, “Fee”.
Note
|
Please note: You can’t do much wrong here. If you later find out that you should have registered a slightly different scope (you forgot a location, you have another assessment objective, etc.), the audit provider can nevertheless conduct the assessment. Example: The auditor determines that the scope must contain an additional location that you originally didn’t add to the scope. The auditor will proceed and afterwards updates your assessment scope in the ENX portal while uploading your assessment result. |
Note
|
Please note: Every assessment scope goes through a lifecycle. At this stage, your assessment scope either has the status “Incomplete”, “Awaiting your order” or “Awaiting ENX approval”. For more information on the status of an assessment scope, please refer to Section 7.5.1, “Overview: Assessment scope status”. |
Note
|
Please note: For large corporations with many locations, TISAX offers the simplified group assessment. You can consider this option if: For a simplified group assessment the initial effort is higher. However, this pays off the more locations you have. For more information on the “simplified group assessment”, please refer to the document “TISAX Simplified Group Assessment”. You can download the document “TISAX Simplified Group Assessment” on our website at: Direct PDF download: |
Note
|
Please note: Once we have registered your assessment scope, you can’t change it yourself. If you can credibly assure us that you have NOT yet sent your “TISAX scope excerpt” to our audit providers, please contact us. We can change it for you. If you already sent your “TISAX scope excerpt” to (one of) our audit providers, you just create the new location(s) in the ENX portal (if applicable) and discuss any changes with your audit provider. Your audit provider will conduct the assessment based on the changes and update the scope information in the ENX portal. |
Note
|
Please note: It is not possible for you to delete an assessment scope in the ENX portal. If you created an assessment scope by mistake, please contact us. We will delete it for you. |
4.5.8. Confirmation email
Once you completed all of the mandatory steps above, we will check your application. We will then send you a confirmation email.
This email has two important elements:
-
A contact list of all TISAX audit providers
You must choose one of our TISAX audit providers to conduct an assessment of your assessment scope. You can use the contacts to request offers.
For more information on audit provider selection, please refer to Section 5.3, “Audit provider selection”. -
The “TISAX Scope Excerpt” as an attached PDF file
It contains:
-
The information that we stored in our database
-
Your Participant ID
Please refer to Section 4.5.8.1, “Participant ID” below. -
Your Scope ID(s)
Please refer to Section 4.5.8.2, “Scope ID” below.
-
For an example of our confirmation email, please refer to Section 7.2, “Annex: Example confirmation email”.
For an example of the “TISAX Scope Excerpt”, please refer to Section 7.3, “Annex: Example TISAX Scope Excerpt”.
You will receive our confirmation email usually within three business days.
If you don’t hear from us within seven business days, please verify that a) you provided all information and b) the assessment scope status is “Awaiting ENX approval”. We will start processing your registration only when everything is complete. If you think everything is complete but we haven’t contacted you, please contact us.
We send our confirmation email to the main participant contact.
Note
|
Please note: Every assessment scope goes through a life cycle. At this stage, your assessment scope has the status “Awaiting ENX approval”. For more information on the status of an assessment scope, please refer to Section 7.5.5, “Assessment scope status “Awaiting your payment””. |
The next two sub-sections provide detailed information about the purpose of your Participant ID and the Scope ID.
4.5.8.1. Participant ID
The Participant ID: