supply chain
able to share Tisax security best practices.
evidence of a Tisax secure supply chain
have control over the Tisax results.
One of the areas we work with businesses on is correctly scoping your Tisax security management system, as, over time, it can change.
Our Tisax security gap analysis will look to the security standard you request and determine if your current performance meets your desired and expected performance.
We have the ability and knowledge to deliver the most cost-effective and certifiable Tisax implementation to meet your needs.
We work and audit for a number of certification bodies and are therefore best placed and competent to conduct a Tisax internal audit.
If you want to have a resource manage your Tisax certification for the short or long term, we are more than happy to assist.
For Tisax, we will conduct monitoring audits annually to ensure that your security system is operational and maintained.
The purpose and scope of TISAX are to have a common assessment and exchange mechanism across the supply chain from component manufacturers to media relations. TISAX was developed by VDA (German Association of the Automotive Industry).
TISAX is a European automotive industry-standard information security assessment (ISA) catalogue based on critical aspects of information security such as data protection and connection to third parties.
TISAX combines the former Information Security Rules (ISA) of the German Verband der Automobilindustrie e. V. (abbreviated: VDA) with the Appendix A (Technical Controls) of the ISO/IEC 27001 and some Privacy requirements. This VDA-ISA catalogue has existed for more than ten years now and has been used by many global automotive companies.
The ENX network collaborates with companies representing the European automotive industry to address and develop secure exchange methods for critical development, purchasing, and production control data used by more than 1,000 companies in over 40 countries.
Since 2000, the ENX network has served as a private Internet service for the automotive industry
The current version of the ISA standard was released in 2020.
AL1. Self-assessment to verify that the controls have been implemented and that the VDA ISA catalogue has been followed; the evidence will be validated, and a completeness check may also be performed.
AL2. Typically a remote audit and a detailed review of the self-assessment, including sampling of evidence that the VDA ISA catalogue has been followed. One purpose of this review is to verify and substantiate your self-assessment based on the documents and evidence provided.
AL3. On-site audit and a complete check of the VDA ISA catalogue and self-assessment, including evidence and interviews with control owners.
The TISAX process usually starts with one of your partners requesting you prove a defined level of information security management according to the "VDA Information Security Assessment" (VDA ISA). To comply with that request, you must complete the 3-step TISAX process.
Step 1 - Registration - After contacting one of your partners, your business will register to become a TISAX participant
Step 2 - Assessment - We will ensure that your information security management system (ISMS) is at its best before the TISAX certification auditor assessment takes place.
Step 3 - Exchange - You share your assessment result with your partner.
The cost will depend on the size of your company, the classified information held and, ultimately, the TISAX scope that is defined. For most small companies, a single scope covering a single location is a relatively easy task. All of these points will be covered during a planning meeting, with costs being agreed.
The question whether to have just one scope or several scopes is one that only you can answer. But we can help you decide on the options available.
Provided the TISAX certification assessment has not been completed, your business can re-evaluate the scope and make changes.
Stage 1 - Registration on the ENX Portal
Stage 2 - Company: Requests quote
Stage 3 - Certification Body: Confirmation request if Scope ID is registered and matches to assessment request
Stage 4 - ENX: Confirms scope with metadata and Provider requests additional details from participant (optional)
Stage 5 - Company: Provides details necessary to provide the quote and Provider prepares the quote
Stage 6 - Company: Certification Body selection
Stage 7 - Certification Body: Process the order - Company: Confirms order
Stage 1 - Certification Body: Assigns TISAX Assessment ID to Company
Stage 2 - Company: Conducts self-assessment against the VDA-ISA (see TISAX handbook and VDA-ISA); the Certification Body does not conduct the self-assessment
Stage 3 - Certification Body: Conducts assessment, remote or on-site depending on the 'AL' rating required (checking the reliability of the self-assessment done by the active participant)
Stage 4 - Certification Body: Produces Assessment report
Stage 5 - Company: Approves report
Stage 6 - Company: Gets TISAX labels from ENX
TISAX does not necessarily require you to subject all of your own suppliers to the same requirements. If your assessment objective is “Information security with very high protection needs”, this does NOT automatically mean that your own suppliers have to achieve the same assessment objective. It even does not mean they need to have TISAX labels at all.
But you still have to check for all of your suppliers whether using their services increases risks or introduces new risks.
Two very abridged examples:
However, the risk assessment may show that your supplier also has to meet the requirements for very high protection needs. In this case, TISAX labels are an option for the supplier to prove this to you accordingly.
There are currently eight TISAX assessment objectives. You have to select at least one assessment objective. You can select more than one.
You can consider your assessment objective the benchmark for your information security management system. The assessment objective is a key input for the TISAX process. All TISAX audit providers base their assessment strategy mainly on the assessment objective.
The current TISAX assessment objectives are:
No | Objective | Abbreviation |
---|---|---|
1 | Information with high protection needs | Info high |
2 | Information with very high protection needs | Info very high |
3 | Data protection according to article 28 (“Processor”) of the European General Data Protection Regulation (GDPR) | Data |
4 | Data protection with special categories of personal data according to article 28 (“Processor”), with special categories of personal data as specified in article 9 of the European General Data Protection Regulation (GDPR) | Special Data |
5 | Protection of prototype parts and components | Proto parts |
6 | Protection of prototype vehicles | Proto vehicles |
7 | Handling of test vehicles | Test vehicles |
8 | Protection of prototypes during events and film or photo shootings | Events + shootings |
© Copyright MCMXCVIII - MMXXII | ParkinsonHowe Ltd. Registered in England and Wales No. 3448184