The purpose and scope of TISAX is to have a common assessment and exchange mechanism across the supply chain from component manufacturers to media relations. TISAX was developed by VDA (German Association of the Automotive Industry) TISAX is a European automotive industry-standard information security assessment (ISA) catalogue based on key aspects of information security such as data protection and connection to third parties.

How much does TISAX consultancy cost?

The cost will depend on the size of your company, the classified information held and the ultimately the TISAX scope that is defined. For most small companies a single scope covering a single location is a relatively easy task. All of these points will be covered during a planning meeting with costs being agreed.

TISAX - Trusted Information Security Assessment Exchange

Name: Implementing the security requirements
Brand: ParkinsonHowe
SKU: PHL1000004-001
Rating: 5 (2 reviews)

In a world requiring its manufacturing supply chain to be secure requires a security partner that will grow with you.

The first impression you give to your business partners is more critical than ever, make it count and establish compliance to a recognized standard. Whether your looking for TISAX or a cost effective approach to ISO 27001. ParkinsonHowe can help you deliver best practice. Everything from an assessment of your current secure working practices to complete implementation of TISAX or ISO 27001 - we will be your ISO security partner to guide you through

supply chain

able to share best practice.
Manufacturers

evidence a secure supply chain
participants

have control over the results.

TISAX SECURITY SERVICES

Scoping or merging your security system

One of the areas we work with business on, is correctly scoping your security management system as over time it can change
Gap analysis and report

Our security gap analysis will look to the security standard you are requesting and determine if your current performance meets your desired and expected performance
IMPLEMENTING THE SECURITY REQUIREMENTS

We have the ability and knowledge to deliver the most cost-effective and certifiable ISO27001 implementation to meet your needs
Internal Audit and Report

We work and audit for a number of certification bodies and therefore are best placed and competent to conduct an internal audit that
Security Maintenance and Support

If you are looking to have a resource manage your ISMS for a short time or maybe long term then we are more than happy to assist
Pre & Post monitoring

For ISO 27001 we will conduct monitoring audits annually, this will also be done for TISAX, to make sure that your security system is operational and being maintained.

TISAX Facts

attempts to hack SMB's occur in the UK every day
of UK companies have suffered data breaches in the last 12 months
of UK companies have reported a data breach incident

Security Endorsements

ParkinsonHowe has been a trusted partner for over 5 years. Rob Howe is a dedicated professional that bring a high level of expertise to the information security audits he provides. I highly recommend his services to any organization that values quality and professionalism.

Director of Information Security
Panasonic
ParkinsonHowe are experts in ISO27001 and ISO22301, business continuity, disaster recovery, and information security. Rob's knowledge came from applied experience as well as expert-level training. I would recommend them for any task in the information security/cybersecurity field.

Security and Compliance Director
Undisclosed

Common TISAX Security Questions

What is TISAX®

The purpose and scope of TISAX is to have a common assessment and exchange mechanism across the supply chain from component manufacturers to media relations. TISAX was developed by VDA (German Association of the Automotive Industry)

TISAX is a European automotive industry-standard information security assessment (ISA) catalogue based on key aspects of information security such as data protection and connection to third parties.

TISAX combines the former Information Security Rules (ISA) of the German Verband der Automobilindustrie e. V. (abbreviated: VDA) with the Appendix A (Technical Controls) of the ISO/IEC 27001 and some Privacy requirements. This VDA-ISA catalogue exists for more than 10 years now and has been used by many global automotive companies
What or who are ENX

The ENX network is the collaboration of companies representing the European automotive industry to address and develop secure exchange methods for critical development, purchasing, and production control data used by more than 1,000 companies in over 40 countries.

Since 2000, the ENX network has served as a private Internet service for the automotive industry

The current version of the ISA standard was released in 2020.
TISAX Assessment Levels

AL1. Self-assessment to verify that the controls have been installed, and that the VDA ISA catalogue has been followed, evidence will be validated, a completeness check may also be performed.

AL2. Normally a remote audit and a detailed review of the self-assessment including the sampling of evidence that the VDA ISA catalogue has been followed. One of the purposes of this review is to verify and substantiate your self-assessment based on the documents and provided evidence.

AL3. On-site audit and a complete check of the VDA ISA catalogue and self-assessment including all evidence and interviews with control owners.
How does the TISAX process begin?

The TISAX process usually starts with one of your partners requesting you to prove a defined level of information security management according to the requirements of the “VDA Information Security Assessment” (VDA ISA). To comply with that request, you have to complete the 3-step TISAX process.

Step 1 - Registration - After being contact by one of your partners, your business will register to become a TISAX participant

Step 2 - Assessment - We will assist in making sure your information security management system (ISMS) is at its best, before the TISAX certification auditor assessment takes place.

Step 3 - Exchange - You share your assessment result with your partner.
How much does TISAX consultancy cost

The cost will depend on the size of your company, the classified information held and the ultimately the TISAX scope that is defined. For most small companies a single scope covering a single location is a relatively easy task. All of these points will be covered during a planning meeting with costs being agreed.

The question whether to have just one scope or several scopes is one that only you can answer. But we can help you decide on the options available.

Provided the TISX certification assessment has not completed allows your busienss to re-evaluate the scope and make changes.
TISAX® Assessment Order Process

Stage 1 - Registration on the ENX Portal

Stage 2 - Company: Requests quote

Stage 3 - Certification Body: Confirmation request if Scope ID is registered and matches to assessment request

Stage 4 - ENX: Confirms scope with metadata and Provider requests additional details from participant (optional)

Stage 5 - Company: Provides details necessary to provide the quote and Provider prepares the quote

Stage 6 - Company: Certification Body selection

Stage 7 - Certification Body: Process the order - Company: Confirms order
TISAX® Assessment Process

Stage 1 - Certificiation body Assigns TISAX Assessment ID to Company

Stage 2 - Company: Conducts self-assessment (conduct self-assessment on VDA-ISA (see TISAX handbook and VDA-ISA). The Certification Body doesn’t conduct the self assessment)

Stage 3 - Certification Body: Conducts Assessment Remote or On-Site dependent on 'AL' rating raquired (checking the reliability of the Self Assessment done by the active participant)

Stage 4 - Certification Body: Produces Assessment report

Stage 5 - Company: Approves report

Stage 6 - Company: Gets TISAX labels from ENX
TISAX® Assessment objectives and your own suppliers

TISAX does not necessarily require you to subject all of your own suppliers to the same requirements. If your assessment objective is “Information security with very high protection needs”, this does NOT automatically mean that your own suppliers have to achieve the same assessment objective. It even does not mean they need to have TISAX labels at all.

But you still have to check for all of your suppliers whether using their services increases risks or introduces new risks.

Two very abridged examples:
- You have a policy that regular email can’t be used for data with very high protection needs. Therefore, your email provider does not need to achieve the TISAX label with very high protection needs. You could come to a similar conclusion if you only send encrypted emails and the email provider can’t see any of the data with very high protection needs.
- You dispose of printed data with very high protection needs into the shredder. In such a case, of course, the waste disposal service provider does not have to meet the same requirements as you.
However, the risk assessment may show that your supplier also has to meet the requirements for very high protection needs. In this case, TISAX labels are an option to prove this to you accordingly
List of assessment objectives

There are currently eight TISAX assessment objectives. You have to select at least one assessment objective. You can select more than one.

You can consider your assessment objective the benchmark for your information security management system. The assessment objective is a key input for the TISAX process. All TISAX audit providers base their assessment strategy mainly on the assessment objective.

The current TISAX assessment objectives are:

No	Objective	Abbreviation
1	Information with high protection needs	Info high
2	Information with very high protection needs	Info very high
3	Data protection According to article 28 (“Processor”) of the European General Data Protection Regulation (GDPR)	Data
4	Data protection with special categories of personal data According to article 28 (“Processor”) with special categories of personal data as specified in article 9 of the European General Data Protection Regulation (GDPR)	Special Data
5	Protection of prototype parts and components	Proto parts
6	Protection of prototype vehicles	Proto vehicles
7	Handling of test vehicles	Test vehicles
8	Protection of prototypes during events and film or photo shootings	Events + shootings