Get through the TISAX assessment process and share the assessment result with your partner

Published by

ENX Association
an Association according to the French Law of 1901,
registered under No. w923004198 at the Sous-préfecture of Boulogne-Billancourt, France

Addresses
20 rue Barthélémy Danjou, 92100 Boulogne-Billancourt, France
Bockenheimer Landstraße 97-99, 60325 Frankfurt am Main, Germany

Author

Florian Gleich

Contact

Version

Date:

2024-04-08

Version:

2.7.2

Classification:

Public

ENX doc ID:

602

All rights reserved by ENX Association.
ENX, TISAX, and their respective logos are registered trademarks of ENX Association.
Third party trademarks mentioned are the property of their respective owners.

1. Overview

1.1. Purpose

Welcome to TISAX, the Trusted Information Security Assessment Exchange.

One of your partners requested that you prove that your information security management complies with a defined level according to the requirements of the “Information Security Assessment” (ISA). And now you want to know how to fulfil this request.

The purpose of this handbook is to enable you to fulfil your partner’s request — or to have an edge by anticipating it before a partner asks for it.

This handbook describes the steps you need to take in order to pass the TISAX assessment and for sharing your assessment result with your partner.

Establishing and maintaining an information security management system (ISMS) is already a complex task. Proving to your partner that your information security management is up to the job adds even more complexity. This handbook won’t help you manage your information security. However, it aims to make the work of proving your efforts to your partner as easy for you as possible.

1.2. Scope

This handbook applies to all TISAX processes that you may be part of.

It contains all you need to know to go through the TISAX process.

The handbook offers some advice on how to deal with the information security requirements at the core of the assessment. But it does not aim to generally educate you on what you need to do to pass the information security assessment.

1.3. Audience

The main audience of this handbook are companies that need or want to prove a defined level of information security management according to the requirements of the “Information Security Assessment” (ISA).

As soon as you are actively involved in TISAX processes, you will benefit from the information provided in this handbook.

Companies that are requesting their suppliers to prove defined levels of information security management will benefit, too. This handbook allows them to understand what their suppliers are required to do to fulfil their request.

1.4. Structure

We begin with a brief introduction of TISAX, then we immediately move on with instructions on HOW to do things. You will find all you need to go through the process — in the order you need to know it.

The estimated reading time for the document is 75-90 minutes.

1.5. How to use this document

Sooner or later, you will probably want to understand most of what is described in this document. To be properly prepared, we recommend reading the entire handbook.

We structured the handbook along the three main steps of the TISAX process, so you can go to the section you need and read the rest later.

The handbook uses illustrations to help you improve your understanding. The colours in the illustrations often have additional meaning. We therefore recommend reading the document on a computer screen or as a colour hard copy.

We appreciate your feedback. If you think something is missing in this handbook or is not easy to understand, please don’t hesitate to let us know. We and all future readers of this handbook will be thankful for your feedback.

If you have already used a prior version of the TISAX participant handbook, you may find some helpful notes at the end of the document in Section 8, “Document history”.

1.6. Contact us

We’re here to guide you through the TISAX process and to answer any questions you may have.

Send us an email at:

tisax@enx.com

Or call us at:

+49 69 9866927-77

You can reach us during regular business hours in Germany (UTC+01:00).

We all speak Icon of the flag of the United Kingdom English and Icon of the flag of Germany German. One colleague is native speaker of Icon of the flag of Italy Italian.

1.7. The TISAX participant handbook in other languages and formats

The TISAX participant handbook is available in the following languages and formats:

Language Version Format Link

Icon of the flag of the United Kingdom English

2.7.2

Online

https://www.enx.com/handbook/tisax-participant-handbook.html

Offline

https://www.enx.com/handbook/tisax-participant-handbook-offline.html

PDF

https://www.enx.com/handbook/TISAX%20Participant%20Handbook.pdf

Icon of the flag of Germany German

2.7.2

Online

https://www.enx.com/handbook/tisax-teilnehmerhandbuch.html

Offline

https://www.enx.com/handbook/tisax-teilnehmerhandbuch-offline.html

PDF

https://www.enx.com/handbook/TISAX-Teilnehmerhandbuch.pdf

Icon of the flag of France French

2.7

Online

https://www.enx.com/handbook/tph-fr.html

Offline

https://www.enx.com/handbook/tph-fr-offline.html

PDF

https://www.enx.com/handbook/tph-fr.pdf

Icon of the flag of China Chinese

2.7

Online

https://www.enx.com/handbook/tph-cn.html

Offline

https://www.enx.com/handbook/tph-cn-offline.html

PDF

https://www.enx.com/handbook/tph-cn.pdf

Icon of the flag of Spain Spanish

2.7

Online

https://www.enx.com/handbook/tph-es.html

Offline

https://www.enx.com/handbook/tph-es-offline.html

PDF

https://www.enx.com/handbook/tph-es.pdf

Icon of the flag of Japan Japanese

2.7

Online

https://www.enx.com/handbook/tph-jp.html

Offline

https://www.enx.com/handbook/tph-jp-offline.html

PDF

https://www.enx.com/handbook/tph-jp.pdf

Icon of the flag of Brazil Brazilian Portuguese

2.7

Online

https://www.enx.com/handbook/tph-pt.html

Offline

https://www.enx.com/handbook/tph-pt-offline.html

PDF

https://www.enx.com/handbook/tph-pt.pdf

Icon of the flag of Italy Italian

2.7.1

Online

https://www.enx.com/handbook/tph-it.html

Offline

https://www.enx.com/handbook/tph-it-offline.html

PDF

https://www.enx.com/handbook/tph-it.pdf

Icon of the flag of South Korea Korean

2.7

Online

https://www.enx.com/handbook/tph-kr.html

Offline

https://www.enx.com/handbook/tph-kr-offline.html

PDF

https://www.enx.com/handbook/tph-kr.pdf

Icon of the flag of Czech Republic Czech

2.7.1

Online

https://www.enx.com/handbook/tph-cz.html

Offline

https://www.enx.com/handbook/tph-cz-offline.html

PDF

https://www.enx.com/handbook/tph-cz.pdf

Icon of the flag of Poland Polish

2.7.1

Online

https://www.enx.com/handbook/tph-pl.html

Offline

https://www.enx.com/handbook/tph-pl-offline.html

PDF

https://www.enx.com/handbook/tph-pl.pdf

Important

Important note:

The English version is the leading version.
All other languages are translations of the English version.
In case of doubt, the English version is authoritative.

1.7.1. About the online format

Each section has a unique ID (format: ID1234).
An ID references a specific section, regardless of the language.

If you want to link to a specific section, you can:

  • right-click on the section title and copy the link, or

  • click the section title and copy the link from the address bar of your browser.

Most figures are available in a larger size than displayed here by default. Click on the figure to open the larger version.

1.7.2. About the offline format

The offline format retains most features of the online format. Most notably, the figures are embedded in the HTML file. You need only one file to use the offline format.

Compared to the online format, the offline format comes without:

  • the larger images

  • the original fonts of the online format
    Your browser’s defaults define the fonts.

1.7.3. About the PDF format

If you use the PDF format on your computer, you can still click all the references. But if you print the PDF version, you won’t have things like page numbers and you will have to look up the references yourself.

2. Introduction

The following sections introduce the TISAX concept.

If you are in a hurry, you can skip them and start right away at Section 4.3, “Registration preparation”.

2.1. Why TISAX?

Or rather, why are you here?

In order to answer this question, we will start with some thoughts about doing business in general and protecting information in particular.

Imagine your partner. He has confidential information. He wants to share it with his supplier — you. The cooperation between you and your partner creates value. The information your partner shares with you is an important part of this value creation. Therefore, he wants to protect it appropriately. And he wants to be sure that you are handling his information with the same due care.

But how can he be sure that his information is in good hands? He can’t just “believe” you. Your partner needs to see some proof.

Now there are two questions. Who defines what “secure” handling of information means? And next, how do you prove it?

2.2. Who defines what "secure" means?

You and your partner are not the only ones facing these questions for the first time. Almost everyone has to find answers to them and most of the answers will share similarities.

Instead of independently creating a solution for a common problem every time, a standard way of doing it removes the burden of creating everything from scratch. While defining a standard is a huge effort, it is made only once and those who follow it benefit every time.

There are surely different views of what’s the right thing to do for protecting information. But due to the aforementioned benefits, most companies settle on standards. A standard is the condensed form of all proven and time-tested best practices for a given challenge.

In your case, standards like ISO/IEC 27001 (about information security management systems, or ISMS) and their implementation establish a state-of-the-art way to securely handle confidential information. A standard like this saves you from having to reinvent the wheel every time. More importantly, standards provide a common basis when two companies need to exchange confidential data.

2.3. The automotive way

By nature, industry-independent standards are designed as one-size-fits-all solutions rather than tailored to specific needs of automotive companies.

A long time ago, the automotive industry formed associations that aimed — among other goals — to refine and define standards that suit their more specific needs. The “Verband der Automobilindustrie” (VDA) is one of them. In the working group that deals with information security, several members of the automotive industry came to the conclusion that they have similar needs to tailor existing information security management standards.

Their joint efforts led to a questionnaire that covers the automotive industry’s widely accepted information security requirements. It is called the “Information Security Assessment” (ISA).

With the ISA, we now have an answer to the question “Who defines what “secure” means?” Through the VDA, the automotive industry itself offers this answer to its members.

2.4. How to prove security efficiently?

While some companies use the ISA for internal purposes only, others use it to assess the maturity of the information security management of their suppliers. In some cases, a self-assessment is sufficient for the business relationship. However, in certain cases, companies conduct a complete assessment of their supplier’s information security management (including on-site audits).

Along with generally increasing awareness of the need for information security management and the spreading adoption of the ISA as a tool for information security assessments, more suppliers were facing similar requests from different partners.

Those partners still applied different standards and had varying opinions on how to interpret them. But the suppliers essentially had to prove the same things, just in different ways.

And the more suppliers were asked by their partners to prove their level of information security management, the louder their complaints grew in terms of repeat efforts. Showing auditor after auditor the same information security management measures is simply not efficient.

What can be done to make this more efficient? Wouldn’t it help if the report of any auditor could be reused for different partners?

OEMs and suppliers in the ENX working group that is responsible for maintaining the ISA listened to their supplier’s complaints. Now they offer an answer to their suppliers as well as to all other companies in the automotive industry to the question “How to prove security?”

The answer is TISAX, short for “Trusted Information Security Assessment Exchange”.

3. The TISAX process

3.1. Overview

The TISAX process usually[1] starts with one of your partners requesting that you prove a defined level of information security management according to the requirements of the “Information Security Assessment” (ISA). To comply with that request, you have to complete the 3-step TISAX process. This section gives you an overview of the steps you need to take.

The 3-step TISAX process consists of the following steps:

TISAX process overview
Figure 1. TISAX process overview
  1. Registration
    We gather information about your company and what needs to be part of the assessment.

  2. Assessment
    You go through the assessment(s), which are conducted by one of our TISAX audit providers.

  3. Exchange
    You share your assessment result with your partner.

Each step consists of sub-steps. These are outlined in the three sections below and described in detail in their respective sections further down.

Note

Please note:

While we would certainly like to tell you how long it will take you to get your TISAX assessment result, we kindly ask for your understanding that it is not possible for us to forecast this in a reliable way. The overall duration of the TISAX process depends on too many factors. The wide variety of company sizes and assessment objectives plus the respective readiness of an information security management system make this impossible.

3.2. Registration

Your first step is the TISAX registration.

The main purpose of the TISAX registration is to gather information about your company. We use an online registration process to help you provide us this information.

It is the prerequisite for all subsequent steps. It is subject to a fee.

During the online registration process:

  • We ask you for contact details and billing information.

  • You have to accept our terms and conditions.

  • You can define the scope of your information security assessment.

For a direct start with this step, please refer to Section 4, “Registration (Step 1)”.

The online registration process is described in detail in Section 4.5, “Online registration process”. But if you want to start right away, please go to Icon of the flag of the United Kingdom enx.com/en-US/TISAX/.

3.3. Assessment

Your second step is going through the information security assessment.

There are four sub-steps:

  1. Assessment preparation
    You have to prepare the assessment. The extent of this depends on the current maturity level of your information security management system. Your preparation has to be based on the ISA catalogue.

  2. Audit provider selection
    You have to choose one of our TISAX audit providers.

  3. Information security assessment(s)
    Your audit provider will conduct the assessment based on an assessment scope that matches your partner’s requirements. The assessment process will consist of the initial audit at a minimum.
    If your company does not pass the assessment right away, the assessment process may require additional steps.

  4. Assessment result
    Once your company passes the assessment, your audit provider will provide you with the official TISAX assessment report. Your assessment result will also receive TISAX labels[2].

For more information about this step, please refer to Section 5, “Assessment (Step 2)”.

3.4. Exchange

Your third and last step is to share your assessment result with your partner. The content of the TISAX assessment report is structured in levels. You can decide up to which level your partner will have access.

Your assessment result is valid for three years. Assuming you are still a supplier of your partner then, you will have to go through the three-step process again[3].

For more information about this step, please refer to Section 6, “Exchange (Step 3)”.


Now that you have a fundamental idea about what the TISAX process is, you will find instructions on how to complete each step in the following sections.

4. Registration (Step 1)

The estimated reading time for the registration section is 30-40 minutes.

4.1. Overview

The TISAX registration is your first step. It is the prerequisite for all subsequent steps.

The following sections will guide you through the registration:

  1. We start with explaining an essential new term.

  2. Then we advise you on what you should do to be prepared for the online registration process.

  3. Next, we guide you through the online registration process.

4.2. You are a TISAX participant

Let us first introduce a new term that is necessary to understand. So far, you have been the “supplier”. You are here to fulfil a requirement of your “customer”. TISAX itself however does not really differentiate between these two roles. For TISAX, everyone who registered is a “participant”. You — as well as your partner — “participate” in the exchange of information security assessment results.

Register to become a TISAX participant
Figure 2. Register to become a TISAX participant

To differentiate the two roles from the beginning, we refer to you, the supplier, as “active participant”. We refer to your partner as “passive participant”. As an “active participant” you get TISAX-assessed and you share your assessment result with other participants. The “passive participant” is the one who requested that you get TISAX-assessed. The “passive participant” receives your assessment result.

Passive participant and active participant
Figure 3. Passive participant and active participant

Any company can act in both roles. You might share an assessment result with your partner, while at the same time requesting your own suppliers to get TISAX-assessed.

TISAX participants can be active and passive at the same time
Figure 4. TISAX participants can be active and passive at the same time

Requesting your own suppliers to get TISAX-assessed may even be especially advisable if your own suppliers are handling your partner’s information with protection needs as well.

4.3. Registration preparation

In this section, we give you recommendations on how to prepare for the registration. We describe the registration process itself in detail in Section 4.5, “Online registration process”.

Before you start going through our online registration process, we strongly recommend:

  • gathering information in advance

  • and taking some decisions.

4.3.1. The legal foundation

Typically, you need to sign two contracts. The first contract you enter is between you and ENX Association: The “TISAX Participation General Terms and Conditions” (TISAX Participant GTCs). The second contract is between you and one of our TISAX audit providers. For the registration, we will look at the first contract only.

The TISAX Participant GTCs govern our mutual relationship and your relationship with other TISAX participants. They define the rights and duties for all of us. Besides the usual clauses you will find in most contracts, they define the handling of the information exchanged and obtained during the TISAX process in detail. A key objective of these rules is to keep TISAX assessment results confidential. As all TISAX participants are subject to the same rules, you can expect appropriate protection of your TISAX assessment result by your partner (in his role as passive participant).

Quite early in the online registration process, we will ask you to accept the TISAX Participant GTCs. As this is a real contract, we recommend reading the TISAX Participant GTCs before starting the online registration process. One reason is that depending on your role in your company, you may need to obtain a clearance from an in-house or external lawyer.

You can download the “TISAX Participation General Terms and Conditions”[4] on our website at:
Icon of the flag of the United Kingdom enx.com/en-US/TISAX/downloads/

During the online registration process, we will ask you to check two mandatory checkboxes:

  • We accept the TISAX Participation General Terms and Conditions

  • We confirm knowledge of Applicant’s release of Audit Providers’ professional duties of secrecy acc. to Sec. IX.5. and X.3 of the TISAX Participation General Terms and Conditions;

We have the second checkbox because some of our TISAX audit providers are certified public accountants. They have special requirements regarding professional secrecy. Usually, the special requirements regarding professional secrecy prohibit the certified public accountants among our audit providers from sharing information with us. Particularly, this would cancel the control options we need for our governance role. Therefore, we need this release. You may want to pay special attention to those clauses before checking the box.

If you usually require a non-disclosure agreement (NDA) between you and anyone who handles confidential information, please examine the respective sections of our GTCs. They should address all your concerns. Moreover, you usually don’t have to provide us any confidential information at all.

Concluding the legal section, we ask for your understanding that the system depends on everyone accepting the same rules. We therefore can’t accept any additional general terms and conditions[5].

4.3.2. The TISAX assessment scope

In the second step of the TISAX process, one of our TISAX audit providers will conduct the information security assessment. He needs to know where to start and where to stop. That’s why you need to define an “assessment scope”.

The “assessment scope” describes the scope of the information security assessment. In simple terms, every part of your company that handles your partner’s confidential information is part of the assessment scope. You can consider it a major element of the audit provider’s task description. It dictates what the audit provider needs to assess.

The assessment scope is important for two reasons:

  1. An assessment result will only fulfil your partner’s requirement if the respective assessment scope covers all parts of your company that handle partner information.

  2. A precisely defined assessment scope is an essential prerequisite for meaningful cost calculations by our TISAX audit providers.

Important

Important note:

ISO/IEC 27001 vs. TISAX

First, we have to differentiate two types of scopes:
1) the scope of your information security management system (ISMS) and
2) the scope of the assessment.
These two are not necessarily identical.

For the ISO/IEC 27001 certification, you define the scope of your ISMS (in the “scope statement”). You are completely free to define the scope of your ISMS. However, the scope of the assessment (also known as “audit scope”) must be identical with the scope of your ISMS.

For TISAX, you also have to define your ISMS. But the scope of the assessment can be different.

For the ISO/IEC 27001 certification, you can freely shape the scope of the assessment through the way you define the scope of your ISMS.

In contrast, for TISAX, the scope of the assessment is predefined. The scope of the assessment can be smaller than the scope of your ISMS. But it must be within the scope of your ISMS.

4.3.2.1. Scope description

The scope description defines the assessment scope. For the scope description, you have to choose one of two scope types:

  1. Standard scope

  2. Custom scope

    1. Custom extended scope

    2. Full custom scope

We discuss the standard scope in the following section. The standard scope is the right choice for well over 99% of all participants. Therefore, we only discuss the custom scopes in Section 7.8, “Annex: Custom scopes”.

4.3.2.2. Standard scope

The standard scope description is the basis for a TISAX assessment. Other TISAX participants only accept assessment results based on the standard scope description.

The standard scope description is predefined and you can’t change it.

A major benefit of having a standard scope is that you don’t have to come up with your own definition.

This is the standard scope description (version 2.0):

The TISAX scope defines the scope of the assessment. The assessment includes all processes, procedures and resources under responsibility of the assessed organization that are relevant to the security of the protection objects and their protection goals as defined in the listed assessment objectives at the listed locations.
The assessment is conducted at least in the highest assessment level listed in any of the listed assessment objectives. All assessment criteria listed in the listed assessment objectives are subject to the assessment.

We strongly recommend choosing the standard scope. All TISAX participants accept information security assessment results based on the standard scope.

4.3.2.3. Scoping

Your next task after defining the scope type is to decide which locations belong to the assessment scope.

If your company is small (one location), this is an easy task. You simply add your location to the assessment scope.

If your company is large, you can consider registering more than one assessment scope.

Having a single scope that contains all your locations has advantages:

  • You have one assessment report, one assessment result, one expiration date.

  • You can benefit from reduced costs for the assessment because a TISAX audit provider only has to assess your central processes, procedures and resources once.

But a single scope may have disadvantages such as:

  • All locations must have the same assessment objectives.

  • The assessment result is only available once the TISAX audit provider has assessed all locations. This fact may be relevant if you urgently need an assessment result.

  • The assessment result depends on all locations passing the assessment. If just one location fails, you won’t have a positive assessment result. A workaround for this is to: a) remove the location from the scope, b) solve the issues, c) add the location afterwards with a scope extension assessment.

4.3.2.4. Scope tailoring

The question whether to have just one scope or several scopes is one that only you can answer. But answering the questions in the following diagram may help you decide.

Scope tailoring decision tree
Figure 5. Scope tailoring decision tree
Note

Please note:

Don’t let this decision intimidate you. You can change any scope as long as the audit provider didn’t conclude the assessment.

For example, during your assessment preparation you may find that the scope does not fit — and change it accordingly. Or your audit provider may recommend changing the scope during the earlier stages of the assessment.

Additional notes:

  • Technically, you can’t change the assessment scope that you defined during the online registration process in the ENX portal. But the audit provider can update your assessment scope when he uploads your assessment result to the ENX portal.

  • Adding to the scope increases the fee and you won’t get a refund if you remove locations from the scope. Since the audit providers use the original scope as a basis for their cost calculation, you should also expect changes.

4.3.2.5. Scope locations

Now that you have decided which locations are part of your assessment scope, you can continue gathering some location-specific information.

For each location we ask for information like company name and address. We also ask for some additional information that allows our TISAX audit providers to get a better idea of your company structure. Your answers will be the basis of their effort estimations.

Please prepare yourself to provide the following details for each of your locations (the red asterisk * indicates mandatory information in the online process):

Table 1. Location-specific details
Field Options

Location Name *

n/a

D&B D-U-N-S NUMBER

n/a

Location Type *

Building(s) owned and used exclusively by company
Building(s) rented by company
Floor/office rented by company in a shared building
Office shared with other companies
Own Datacenter
Shared Datacenter

Passive Site Protection *

Yes
No

Industry
(Several selections possible)

Information Technology

  • ❏ IT Services

  • ❏ Telecommunication Services

  • ❏ Software Development

Management

  • ❏ Consulting

Media

  • ❏ Marketing

  • ❏ Agency

  • ❏ Printing Services

  • ❏ Photography

  • ❏ Translation Services

Research And Development

  • ❏ Vehicle Testing

  • ❏ Vehicle Simulation

  • ❏ Prototype Construction

  • ❏ Miniature Car Models

  • ❏ Development Services

  • ❏ CAx Development Services

Production

  • ❏ Production Services

  • ❏ Contract Manufacturing

  • ❏ Shop Floor

  • ❏ Logistics

Sales And Aftersales

  • ❏ Import, NSC

  • ❏ Dealership

  • ❏ Financial Services

  • ❏ Insurance

  • ❏ Claims Settlement

Other Industry
(please enter)

Employees at Location: Overall *

0
1-10
11-100
101-1.000
1.001-5.000
More than 5.000

Employees at Location: IT *

0
1-10
11-25
26-50
More than 50

Employees at Location: IT Security *

0
Part Time
1-5
6-25
More than 25

Employees at Location: Location Security *

0
Part Time
1-3
4-10
More than 10

Certifications for this Location

ISO 27001
Other (please enter)
ISAE 3402
SOC2

Note

Please note:

Regarding the “Industry”: Select to the best of your knowledge. There is no right or wrong when selecting from the options above. If you can’t find an option that matches your type of business, just enter the appropriate option under “Other”.

For each location you have to specify a “location name”. The purpose of the location name is to make it easier to refer to the location when you assign them to an assessment scope.

We recommend assigning location names based on the following pattern:

Pattern:

[Geographical reference]

Example:

for the fictitious company “ACME”

  • Frankfurt
    (for a location in the German city Frankfurt)

4.3.2.6. Scope name

For each scope, you have to specify a “scope name”. The main purpose of the scope name is to make it easy for you to identify a scope in the overview list of scopes in the ENX portal. You should assign a name that is helpful to the reader and your colleagues. For external communication, you should use the Scope ID.

You can specify any name you want. But you shouldn’t assign the same scope name for more than one scope.

When you later want to renew your TISAX assessment, you need to create a new scope (possibly identical to the current scope). We therefore recommend adding the year of the assessment to the scope name.

We recommend assigning scope names based on the following pattern:

Pattern:

[Geographical or functional reference] [Year of the assessment]

Examples:

for the fictional company “ACME”

  • 2024
    (without geographical reference if your company has just one location)

  • Frankfurt 2024
    (for a scope with several locations in the German city of Frankfurt)

  • Lower Saxony 2024
    (for a scope with all locations in the German state of Lower Saxony)

  • Germany 2024
    (for a scope with all locations in the country of Germany)

  • EMEA 2024
    (for a scope with all locations in the EMEA region (“Europe, Middle East, Africa”))

  • Prototype development 2024
    (functional reference for a scope with all locations involved in developing prototypes)

4.3.2.7. Contacts

In order to communicate with you, we collect information about contacts at your company.

We ask for at least one contact for your company as TISAX participant in general and one for each assessment scope. You have the option to provide additional contacts.

During your registration preparations, you should decide who at your company will be a contact.

We ask for the following contact details:

Table 2. Contact details
Contact detail Mandatory? Example

1.

Salutatiosn

Yes

Mrs., Mr.

2.

Academic degree

Dr., Ph.D., other

3.

First name

Yes

John

4.

Last name

Yes

Doe

5.

Job title

Yes

Head of IT

6.

Department

Yes

Information Technology

7.

Primary phone number

Yes

+49 69 986692777

8.

Secondary phone number

9.

Email address

Yes

john.doe@acme.com

10.

Preferred language

Yes

English (default)

11.

Other languages

German, French

12.

Personal address identifier

HPC 1234

13.

Street address

Yes

Bockenheimer Landstraße 97-99

14.

Postal code

Yes

60325

15.

City

Yes

Frankfurt

16.

State/Province

17.

Country

Yes

Germany

Important

Important note:
 
We recommend assigning at least one alternate for each contact. If a contact is temporarily unavailable or leaves the company, someone else can manage your company’s participant data.
If you need to assign a new contact (without any other remaining valid contacts), you have to go through a complex process. Our process ensures that only persons who can prove that they are entitled to legally represent the company can approve assigning a new main contact.

4.3.2.8. Publication and sharing

The main purpose of TISAX is to publish your assessment result to other TISAX participants and to share your assessment result with your partner(s).

You can decide about the publication and sharing of your assessment result either during the registration process or at any time later.

If you are going through the TISAX process as a pre-emptive step, you can already decide to publish your assessment result to the community of TISAX participants. Otherwise, there is nothing to prepare for at this stage.

If your partner requested that you to go through the TISAX process, you need to share your assessment result sooner or later. You can already share status information with your partner during the registration. Once your assessment result is available, your partner will then automatically have the permission to access it[6].

There are two things you need to share status information:

  1. Your partner’s TISAX Participant ID

    The TISAX Participant ID identifies your partner as a TISAX participant.

    Usually, your partner should provide you his TISAX Participant ID.

    For your convenience, our registration form provides a drop-down list of Participant IDs for some companies that frequently receive shared assessment results.[7]

  2. The required sharing level

    The sharing level defines the depth to which your partner can access your assessment result.

    Either your partner requests a specific sharing level or you decide up to which level you want to grant your partner access to your assessment result.

    For more information on sharing levels, please refer to Section 6.5, “Sharing levels”.

So you may want to make sure you have this information.

Note

Please note:

  • You can always decide to publish your assessment result later.

  • You can always create a sharing permission for your partner later.

Important

Important note:

If you don’t publish your assessment result or don’t share it, no one can see your assessment result.

Important

Important note:

You can’t revoke publication or sharing.

Note

Please note:

It may sound odd, but you can in fact share your “assessment result” even if haven’t started the assessment process yet. At this early stage, you are just sharing the “assessment status”. The participant with whom you share your “assessment result” will see where you are in the assessment process.

Some TISAX participants have to issue a special release if you have to show TISAX labels, but haven’t finished the assessment process yet. In such a case, your partner may need to see your “assessment status” in his account for the ENX portal.

For more information on the assessment status, please refer to Section 7.6, “Annex: Assessment status.

For more information on publishing and sharing your assessment result, please refer to Section 6, “Exchange (Step 3)”.

4.3.3. Assessment objectives

You have to define your assessment objective(s) during the registration process. The assessment objective determines the applicable requirements that your information security management system (ISMS) has to fulfil. The assessment objective is entirely based on the type of data you handle on behalf of your partner.

In the following sections, we describe the assessment objectives and provide advice on how to select the right assessment objective(s).

The use of assessment objectives makes the TISAX-related communication with your partner and our TISAX audit providers easier because they refer to a defined input to the TISAX assessment process.

Note

Please note:

Some partners may request you to get TISAX-assessed with a certain “assessment level” (AL) instead of specifying an assessment objective.

For more information on assessment levels, please refer to Section 4.3.3.5, “Protection needs and assessment levels” (sub-section “Additional information”).

4.3.3.1. List of assessment objectives

There are currently twelve TISAX assessment objectives. You have to select at least one assessment objective. You may select more than one.

Consider your assessment objective the benchmark for your information security management system. The assessment objective is a key input for the TISAX process. All TISAX audit providers base their assessment strategy mainly on the assessment objective.

The current TISAX assessment objectives are:

Table 3. The current TISAX assessment objectives
No. Name Description

1.

 Info high

Handling of information with high protection needs

2.

 Info very high

Handling of information with very high protection needs

3.

 Confidential

Handling of information with high protection needs in the context of confidentiality (access to confidential information)

4.

 Strictly confidential

Handling of information with very high protection needs in the context of confidentiality (access to strictly confidential information)

5.

 High availability

Handling of information with high protection needs in the context of availability (high availability of information)

6.

 Very high availability

Handling of information with very high protection needs in the context of availability (very high availability of information)

7.

 Proto parts

Protection of Prototype Parts and Components

8.

 Proto vehicles

Protection of Prototype Vehicles

9.

 Test vehicles

Handling of Test Vehicles

10.

 Proto events

Protection of Prototypes during Events and Film or Photo Shoots

11.

 Data

Data protection according to Article 28 (“Processor”) of the European General Data Protection Regulation (GDPR)

12.

 Special data

Data protection according to Article 28 (“Processor”) of the European General Data Protection Regulation (GDPR) with special categories of personal data as specified in Article 9 of the GDPR

Example: If you are conducting test drives on public roads, then the assessment objective “Test vehicles” is one of your assessment objectives.

Note

Please note:

You can select the assessment objectives “Info high” and “Info very high” only until 31 March 2024.

You can select the assessment objectives “Confidential” and “Strictly confidential” from 1 April 2024.

For more information about this transition, please refer to the following news article on our website:
CHANGES TO TISAX LABELS ACCOMPANYING ISA 6 RELEASE
enx.com/en-US/news/Changes-to-TISAX-Labels-ISA-six-Release/

Important

Important note:

Within TISAX, the “assessment objective” is generally the process input. However, some partners may request you to get TISAX-assessed with a certain “assessment level” (AL).

For more information on the relationship between protection needs and assessment levels, please refer to Section 4.3.3.5, “Protection needs and assessment levels”.

4.3.3.2. Assessment objectives and ISA

The ISA contains three criteria catalogues (information security, prototype protection, data protection). Each criteria catalogue is composed of so-called “control questions” and associated requirements.

Each assessment objective defines:

  • the applicable ISA criteria catalogue(s)

  • the control questions you have to answer

  • the requirements you have to fulfil

For some assessment objectives only a subset of the control questions and requirements are applicable.

For further background information on the TISAX assessment objectives and the applicable control questions and requirements, please refer to Section 5.2.2, “Understand the ISA document”.

4.3.3.3. Assessment objectives and TISAX labels

Your partner may speak of “TISAX labels”. “Assessment objectives” and “TISAX labels” are almost the same. The difference is that you start into the assessment process with the “assessment objectives” and if you pass the assessment you receive the corresponding “TISAX labels”.

Example: Your partner requires you to get the TISAX label “Info high”. Then you select “Info high” as your assessment objective.

The figure below shows you the input and output of the TISAX process:

Assessment objectives and TISAX labels
Figure 6. Assessment objectives and TISAX labels

For more information on TISAX labels, please refer to Section 5.4.14, “TISAX labels”.

4.3.3.4. Assessment objective selection

Ideally, your partner tells you precisely which assessment objectives you have to achieve.

You have to select the assessment objective based on your own judgement if:

  1. you want to get TISAX-assessed before a partner asks for it, or

  2. your partner does not tell you which assessment objective to achieve.

Important

Important note:

At this point, we strongly recommend considering your other partners. Are there existing partners that have the same or higher requirements? Do you expect future partners to have higher requirements?

You may want to consider selecting assessment objectives with higher protection needs. Doing so prevents issues when other partners have higher requirements.

If you have to select the assessment objective based on your own judgement, you may find it helpful to consider the following aspects:

Table 4. Advice for selecting an assessment objective
No. Assessment objective Information

1.

 Info high

You may derive the protection needs (high, very high) from the document classification of your partner.

2.

 Info very high

3.

 Confidential

For all companies that receive and process information that has high protection needs in the context of confidentiality or is typically classified as confidential according to the company’s own classification scheme (e.g. VDA white paper “Harmonization of classification levels”).
You should select this TISAX label especially if unauthorized disclosure of the information could potentially cause considerable damage (e.g. reputational damage, criminal consequences, or monetary damage).

4.

 Strictly confidential

For all companies that receive and process information that has very high protection needs in the context of confidentiality or is typically classified as strictly confidential or secret according to the company’s own classification scheme (e.g. VDA white paper “Harmonization of classification levels”).
You should select this TISAX label especially if the unauthorized disclosure of the information could potentially cause existentially threatening or catastrophic damage (e.g. severe reputational damage, severe criminal consequences, or very high monetary damage).

5.

 High availability

For all companies whose customers' ability to produce or deliver depends on the availability of the companies' products or services, and where a failure would cause considerable damage to customers within a short period of time.
Example: Just-in-time suppliers of production material

6.

 Very high availability

For all companies whose customers' ability to produce and deliver depends on the short-term availability of the companies' products and services, and where a failure would cause significantly high damage to customers within a very short period of time.
Example: Just-in-time suppliers where a failure can result in a comprehensive production standstill with a very long restart time within a short period of time.

7.

 Proto parts

For all companies that manufacture, store or use customer-provided components or parts classified as requiring protection at their own locations.

Requirements for physical security and for security considering the surrounding area, organisational requirements and specific requirements for handling prototypes are part of the assessment.

8.

 Proto vehicles

For all companies that manufacture, store or use customer-provided vehicles classified as requiring protection at their own locations.

Requirements for physical security and for security considering the surrounding area (including the existence of protected garages and workshop areas), organisational requirements and specific requirements for handling prototypes are part of the assessment.

After a successful assessment, you automatically receive the TISAX label “Protection of prototype parts and components”.

9.

 Test vehicles

For all companies that conduct tests and test drives (e.g. test drives on public roads or test tracks) with customer-provided vehicles classified as requiring protection.

Organisational requirements, specific requirements for handling prototypes incl. camouflage and handling of vehicles during test drives in public and on test tracks are part of the assessment.

Requirements for physical security and for security considering the surrounding area are not necessarily part of the assessment. If your locations are equipped accordingly, we recommend also selecting the assessment objective “Protection of prototype vehicles”.

10.

 Proto events

For all companies that conduct presentations or events (e.g. market research, events, marketing events) and film and photo shootings with customer-provided vehicles, components or parts classified as requiring protection.

Organisational requirements and specific requirements for handling prototypes incl. requirements for presentations, events and film and photo shootings in protected rooms and in public are part of the assessment.

Requirements for physical security and for security considering the surrounding area are not necessarily part of the assessment. If your locations are equipped accordingly, we recommend also selecting the assessment objective “Protection of prototype vehicles”.

11.

 Data

If you handle personal data as a processor according to Article 28 of the GDPR, you probably have to select “Data”.

12.

 Special data

If you handle special categories of personal data (like health or religion) as a processor according to Article 28 of the GDPR, then you probably have to select “Special data”.

Further explanations:

  • If you have precise requirements from your partner, you usually don’t need to discuss your assessment objectives with your partner. However, if you don’t have precise requirements from your partner, we strongly recommend consulting your partner before initiating the assessment process.

  • The ISA describes the implementation difference between “high” and “very high” protection needs (if there is any) for each requirement.
    For more information on this, please refer to Figure 11, “Screenshot: Main elements of the questions in the ISA criteria catalogue “Information Security””.

4.3.3.5. Protection needs and assessment levels

Your partner has various types of information, of which some may deserve a higher level of protection than others. The ISA accommodates this by differentiating three “protection needs”: normal, high and very high. Your partner classifies his information and usually assigns protection needs.

The higher the protection needs, the more your partner is interested in making sure that it is safe to let you handle their information. Therefore, TISAX differentiates three “assessment levels” (AL). The assessment level defines which assessment method the audit provider has to apply. A higher assessment level increases the effort that goes into the assessment. This results in greater care and accuracy in the assessment.

The table below shows you the assessment levels that apply to the TISAX assessment objectives:

Table 5. Mapping of the TISAX assessment objectives to assessment levels
No. TISAX assessment objective Assessment level (AL)

1.

 Info high

AL 2

2.

 Info very high

AL 3

3.

 Confidential

AL 2

4.

 Strictly confidential

AL 3

5.

 High availability

AL 2

6.

 Very high availability

AL 3

7.

 Proto parts

AL 3

8.

 Proto vehicles

AL 3

9.

 Test vehicles

AL 3

10.

 Proto events

AL 3

11.

 Data

AL 2

12.

 Special data

AL 3


Assessment level 1 (AL 1):

Assessments in assessment level 1 are mainly for internal purposes in the true sense of a self-assessment.

For an assessment in assessment level 1, an auditor checks for the existence of a completed self-assessment. He does not assess the content of the self-assessment. He does not require further evidence.

Results of assessments in assessment level 1 have a low trust level and are thus not used in TISAX. But it is of course possible that your partner may request such a self-assessment outside of TISAX.


Assessment level 2 (AL 2):

For an assessment in assessment level 2, the audit provider does a plausibility check on your self-assessment (for all locations within the assessment scope). He supports this by checking evidence[8] and conducting an interview with the person in charge information security.

The audit provider does the interview generally via web conference. At your request, he can conduct the interview in person.

If you have evidence you don’t want to send to the audit provider, you can request an on-site inspection. In this way, the audit provider can still check your “for your eyes only” evidence.

Note

Please note:

There is an alternate method to conduct an assessment in assessment level 2. Instead of the plausibility check, the audit provider conducts a full remote assessment. This method is sometimes referred to as “assessment level 2.5”.

Compared to an assessment in assessment level 2, the auditor verifies whether your ISMS fulfils the applicable requirements. Yet in contrast to an assessment in assessment level 3, the auditor does not conduct the on-site activities outlined in the section about assessment level 3 below.

Formally, such an assessment will be evaluated as an assessment in AL 2.

The advantage of AL 2.5 is that the approach is methodically compatible with AL 3. It is therefore possible to upgrade to a fully-fledged assessment in AL 3 with a manageable effort at a later point in time. For the upgrade, the auditor only has to conduct the on-site activities outlined in the section about AL 3 below.

We recommend assessments in assessment level 2.5 in these cases:

  1. You currently only need TISAX labels that imply an assessment in AL 2, but you can’t exclude the possibility that other partners may require TISAX labels that imply an assessment in AL 3. An assessment in AL 2.5 keeps the way open to later upgrade to AL 3.

  2. You have difficulties to compile a sufficiently plausible self-assessment. For the plausibility check, the self-assessment has to be conclusive, well comprehensible and substantiated. Compiling such a self-assessment can cause considerable internal effort, even for companies that are fundamentally well positioned.

For more information on upgrading the assessment level, please refer to Section 7.10, “Annex: Scope extension assessment”.

This alternative is optional and not required to fulfil the AL 2 requirements. The difference between AL 2 and AL 2,5 won’t be visible for partners with whom you share your assessment result.


Assessment level 3 (AL 3):

For an assessment in assessment level 3, the audit provider does a comprehensive verification of your company’s compliance with the applicable requirements. The auditor uses your self-assessment and submitted documentation to prepare the assessment. But in contrast to assessment level 2, the auditor will verify everything. He will:

  • examine documents and evidence

  • conduct planned interviews with process owners.

  • observe local conditions

  • observe the execution of processes

  • conduct unplanned interviews with process participants

Note

Please note:

The following text refers to several concepts that will be explained only later in this document.

With AL 3, the audit provider must come to your location(s). If, for some reason, this is temporarily not possible at all or would require unreasonable efforts, your audit provider can use the video-supported remote assessment method to conduct the on-site activities of the assessment.

Your audit provider has to record this in the TISAX assessment report as a minor non-conformity. As soon as your audit provider can come to your location(s), he must conduct a follow-up assessment that includes all previously impossible on-site activities. Furthermore, you have to schedule the follow-up assessment even if you haven’t yet completed the other corrective actions.

Compared to waiting for your audit provider’s availability for on-site activities, this approach allows you to already share temporary TISAX labels with your partner.


Assessment levels and assessment methods

The following table provides a simplified overview of the audit methods associated with each assessment level:

Table 6. Applicability of assessment methods to different assessment levels
Assessment method Assessment level 1
(AL 1)
Assessment level 2
(AL 2)
Assessment level 3
(AL 3)

Self-assessment

Yes

Yes

Yes

Evidence

No

Plausibility check

Thorough verification

Interviews

No

Via web conference[9]

In person, on site

On-site inspection

No

At your request

Yes


Additional information:

  • Difference between AL 2 and AL 3
    Methodologically, the two approaches differ significantly. For assessments in assessment level 2, the auditor won’t verify anything. He will only check the plausibility. Therefore, the audit provider can’t use the results of an assessment in assessment level 2 as a basis for an upgrade to assessment level 3. The efforts for an upgrade to assessment level 3 are essentially the same as for a new initial assessment.

  • Plausibility check vs. verification
    Oversimplified, a plausibility check is checking for whether something exists and looks right. In contrast, a verification means really checking that something is what it claims to be.

  • Information classification and protection needs
    The mapping of information classification (such as confidential or secret) to protection needs can be different for various partners. Therefore, as much as we would like to, we can’t provide you a simple table where the information classification of your partner exactly maps to a protection need.

  • Just knowing an assessment level is not enough
    Some partners may request you to get TISAX-assessed with a certain assessment level. Please understand that just knowing the assessment level is not sufficient to start the TISAX process. An assessment level only makes sense in combination with an ISA criteria catalogue and a corresponding protection need. Usually, partners request you to achieve a TISAX label (criteria catalogue plus protection need). However, as protection needs map 1:1 to assessment levels, it is sufficient if you know the criteria catalogue(s) plus the assessment level.

  • Assessment level hierarchy
    Higher assessment levels always include lower assessment levels. For example, if your assessment is based on assessment level 3, it will automatically fulfil all requests for assessment level 2.

  • Our recommendation regarding assessment levels
    If you have to select an assessment objective (and thus implicitly a corresponding assessment level) based on your own judgement, we recommend selecting assessment objectives that imply an assessment level 3. The efforts for TISAX assessments in assessment level 3 are not generally higher than those in assessment level 2.
    Suppliers that have several partners often select assessment objectives that imply an assessment level 3. In this way, they are prepared for all future requests and don’t have to bother with different assessment levels.

  • Further commercial considerations
    Regarding assessment levels, the total cost of a TISAX assessment consists of the sum of your internal efforts and the cost of the assessment. While the cost of an assessment in assessment level 2 is lower, your internal efforts may be higher. This is due to the fact that an assessment in assessment level 2 usually requires a more comprehensive self-assessment and a better internal documentation. For assessments in assessment level 3, demonstrating how you do things and showing a basic documentation is often sufficient evidence for the auditor. But without an on-site inspection, the auditor will request precise documentation. Therefore, choosing assessment level 3 over assessment level 2 is not uncommon. But it is a choice made by smaller rather than larger companies.

4.3.3.6. Assessment objectives and your own suppliers

TISAX does not necessarily require you to subject all of your own suppliers to the same requirements. If your assessment objective is “Information security with very high protection needs”, this does NOT automatically mean that your own suppliers have to achieve the same assessment objective. It does not even mean they need to have TISAX labels at all.

But you still have to check for all of your suppliers whether using their services increases risks or introduces new risks.

Two very simplified examples:

  1. You have a policy that regular email can’t be used for data with very high protection needs. Therefore, your email provider does not need to achieve the TISAX label with very high protection needs.
    You could come to a similar conclusion if you send only encrypted emails and the email provider can’t see any of the data with very high protection needs.

  2. You dispose of printed data with very high protection needs in the shredder. In such a case, of course, the waste disposal service provider does not have to meet the same requirements as you.

However, the risk assessment may show that your supplier also has to meet the requirements for very high protection needs. In this case, TISAX labels are an option to prove this to you accordingly.

4.3.4. Fee

We raise a fee. Our price list informs you about applicable fees, possible discounts and our payment terms.

You can download the price list on our website at:
Icon of the flag of the United Kingdom enx.com/en-US/TISAX/downloads/
Direct PDF download:
Icon of the flag of the United Kingdom enx.com/pricelist.pdf

There are some invoice-related aspects you should consider during your registration preparations:

  • Invoice address selection
    By default, we will send the invoice to the address you provided as your participant location. But you have the option of providing a different address for receiving the invoice.

    Important

    Important note:

    Please make sure that the invoice address is correct. Accounting laws require that the address on our invoice exactly matches your company’s (invoice) address. For compliance reasons, we can’t change an invoice address once we issued the invoice.

  • Order reference
    If you need to see a specific purchase order number or something similar on our invoice, then you have the option to provide us an order reference.

  • VAT number
    All our charges are subject to German value added tax (VAT) if applicable.
    We need this number for processing payments from the EU. It is mandatory to provide a VAT number, if your invoice address is in one of the following countries:
    Austria, Belgium, Bulgaria, Croatia, Cyprus (Greek part), Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, United Kingdom

  • Supplier management

    Important

    Important note:

    Please understand that due to the mutuality between all TISAX participants, we can’t accept any additional terms (such as general purchasing terms, codes of conduct).

Additional information about our invoicing process:

  • We can’t accept individual purchasing terms.

  • We accept:

    • money transfers into the bank account specified on the invoice

    • credit card payments (during the registration process via our payment service provider “Stripe”)

  • Our invoice will contain the following references to your registration:

    • The name and email address of your main participant contact

    • The assessment scope name

    You can find an example invoice in the appendix in Section 7.1, “Annex: Example invoice”.

  • We provide most facts you would typically require for processing our invoice directly on it. These and even more facts are available in our document “Information for Members and Business Partners”. Send us an email and we send you a current version.

Note

Please note:

We are aware that sometimes a company’s internal payment approval process is rather lengthy. Therefore, your immediate next step in the TISAX process does not depend on us receiving the payment. But please be aware that you can’t share your assessment result if we haven’t received your payment.
For this reason, we recommend you ensure that we send our invoice to the appropriate recipient and that it contains an order reference if applicable. You may also want to track internally whether someone paid the invoice.

Important

Important note:

We — ENX Association — invoice the fee. It is only a part of the total cost of a TISAX assessment. Your TISAX audit provider invoices the costs for the assessment(s).

For more information on audit provider-related costs, you may want to refer to Section 5.3.4, “Evaluating offers”.

Important

Important note:

The fee is due regardless whether you:

  • continue the TISAX process or not.

  • successfully pass the TISAX assessment process.

Therefore, the invoice may arrive before you’ve started the initial assessment.

4.4. ENX portal

The next section will describe the online registration process where you enter all the data you gathered as advised in the previous section. Before you start the online registration process, please let us briefly explain the purpose and benefits of the ENX portal.

The ENX portal allows us to maintain a database of all TISAX participants and it plays an important role throughout the entire TISAX process. During the TISAX registration you enter your data which the TISAX audit providers can then use (if you agree) to calculate their offers and to plan the assessment procedures. Once you go through the TISAX assessment process, you will use the exchange platform on the ENX portal to share your assessment result with your partner.

The portal’s name is “ENX portal” instead of “TISAX portal”, because we also use the portal to manage other business activities