The purpose and scope of TISAX is to have a common assessment and exchange mechanism across the supply chain from component manufacturers to media relations. TISAX was developed by VDA (German Association of the Automotive Industry) TISAX is a European automotive industry-standard information security assessment (ISA) catalogue based on key aspects of information security such as data protection and connection to third parties.

How much does TISAX consultancy cost?

The cost will depend on the size of your company, the classified information held and the ultimately the TISAX scope that is defined. For most small companies a single scope covering a single location is a relatively easy task. All of these points will be covered during a planning meeting with costs being agreed.

TISAX - Trusted Information Security Assessment Exchange

A world that requires its manufacturing supply chain to be secure needs a security partner that will grow with you

The first impression you give to your business partners is more critical than ever; make it count and establish compliance to a recognised standard whether you're looking for TISAX or a cost-effective approach to ISO 27001. ParkinsonHowe can help you deliver best practices. Everything from an assessment of your current secure working practices to complete implementation of TISAX or ISO 27001 - we will be your ISO security partner to guide you through.

supply chain

able to share Tisax security best practices.
Manufacturers

evidence of a Tisax secure supply chain
participants

have control over the Tisax results.

TISAX SECURITY SERVICES

Scoping or merging your security system

One of the areas we work with businesses on is correctly scoping your Tisax security management system, as, over time, it can change.
Tisax Gap analysis and Report

Our Tisax security gap analysis will look to the security standard you request and determine if your current performance meets your desired and expected performance.
IMPLEMENTING THE Tisax REQUIREMENTS

We have the ability and knowledge to deliver the most cost-effective and certifiable Tisax implementation to meet your needs.
Tisax Internal Audit

We work and audit for a number of certification bodies and therefore are best placed and competent to conduct a Tisax internal audit
Tisax Security Maintenance

If you want to have a resource manage your Tisax certification for the short or long term, we are more than happy to assist.
Pre & Post Tisax monitoring

For Tisax, we will conduct monitoring audits annually to ensure that your security system is operational and maintained

TISAX Facts

attempts to hack SMB's occur in the UK every day
of UK companies have suffered data breaches in the last 12 months
of UK companies have reported a data breach incident

Security Endorsements

ParkinsonHowe has been a trusted partner for over five years. Rob Howe is a dedicated professional that brings a high level of expertise to the information security audits he provides. I highly recommend his services to any organisation that values quality and professionalism.

Director of Information Security
Panasonic
ParkinsonHowe is an expert in ISO27001 and ISO22301, business continuity, disaster recovery, and information security. Rob's knowledge came from applied experience as well as expert-level training. I would recommend them for any information security/cybersecurity field task.

Security and Compliance Director
Undisclosed

Common TISAX Security Questions

What is TISAX®

The purpose and scope of TISAX are to have a common assessment and exchange mechanism across the supply chain from component manufacturers to media relations. TISAX was developed by VDA (German Association of the Automotive Industry).

TISAX is a European automotive industry-standard information security assessment (ISA) catalogue based on critical aspects of information security such as data protection and connection to third parties.

TISAX combines the former Information Security Rules (ISA) of the German Verband der Automobilindustrie e. V. (abbreviated: VDA) with the Appendix A (Technical Controls) of the ISO/IEC 27001 and some Privacy requirements. This VDA-ISA catalogue has existed for more than ten years now and has been used by many global automotive companies.
What or who are ENX

The ENX network collaborates with companies representing the European automotive industry to address and develop secure exchange methods for critical development, purchasing, and production control data used by more than 1,000 companies in over 40 countries.

Since 2000, the ENX network has served as a private Internet service for the automotive industry

The current version of the ISA standard was released in 2020.
TISAX Assessment Levels

AL1. Self-assessment to verify that the controls have been installed and that the VDA ISA catalogue has been followed will validate evidence, and a completeness check may also be performed.

AL2. Typically a remote audit and a detailed self-assessment review, including the sampling of evidence that the VDA ISA catalogue has been followed. One of the purposes of this review is to verify and substantiate your self-assessment based on the documents and provided evidence

AL3. On-site audit and a complete check of the VDA ISA catalogue and self-assessment, including evidence and interviews with control owners.
How does the TISAX process begin?

The TISAX process usually starts with one of your partners requesting you prove a defined level of information security management according to the "VDA Information Security Assessment" (VDA ISA). To comply with that request, you must complete the 3-step TISAX process.

Step 1 - Registration - After contacting one of your partners, your business will register to become a TISAX participant

Step 2 - Assessment - We will ensure that your information security management system (ISMS) is at its best before the TISAX certification auditor assessment takes place.

Step 3 - Exchange - You share your assessment result with your partner.
How much does TISAX consultancy cost

The cost will depend on the size of your company, the classified information held and the ultimately the TISAX scope that is defined. For most small companies a single scope covering a single location is a relatively easy task. All of these points will be covered during a planning meeting with costs being agreed.

The question whether to have just one scope or several scopes is one that only you can answer. But we can help you decide on the options available.

Provided the TISX certification assessment has not completed allows your busienss to re-evaluate the scope and make changes.
TISAX® Assessment Order Process

Stage 1 - Registration on the ENX Portal

Stage 2 - Company: Requests quote

Stage 3 - Certification Body: Confirmation request if Scope ID is registered and matches to assessment request

Stage 4 - ENX: Confirms scope with metadata and Provider requests additional details from participant (optional)

Stage 5 - Company: Provides details necessary to provide the quote and Provider prepares the quote

Stage 6 - Company: Certification Body selection

Stage 7 - Certification Body: Process the order - Company: Confirms order
TISAX® Assessment Process

Stage 1 - Certificiation body Assigns TISAX Assessment ID to Company

Stage 2 - Company: Conducts self-assessment (conduct self-assessment on VDA-ISA (see TISAX handbook and VDA-ISA). The Certification Body doesn’t conduct the self assessment)

Stage 3 - Certification Body: Conducts Assessment Remote or On-Site dependent on 'AL' rating raquired (checking the reliability of the Self Assessment done by the active participant)

Stage 4 - Certification Body: Produces Assessment report

Stage 5 - Company: Approves report

Stage 6 - Company: Gets TISAX labels from ENX
TISAX® Assessment objectives and your own suppliers

TISAX does not necessarily require you to subject all of your own suppliers to the same requirements. If your assessment objective is “Information security with very high protection needs”, this does NOT automatically mean that your own suppliers have to achieve the same assessment objective. It even does not mean they need to have TISAX labels at all.

But you still have to check for all of your suppliers whether using their services increases risks or introduces new risks.

Two very abridged examples:
- You have a policy that regular email can’t be used for data with very high protection needs. Therefore, your email provider does not need to achieve the TISAX label with very high protection needs. You could come to a similar conclusion if you only send encrypted emails and the email provider can’t see any of the data with very high protection needs.
- You dispose of printed data with very high protection needs into the shredder. In such a case, of course, the waste disposal service provider does not have to meet the same requirements as you.
However, the risk assessment may show that your supplier also has to meet the requirements for very high protection needs. In this case, TISAX labels are an option to prove this to you accordingly
List of assessment objectives

There are currently eight TISAX assessment objectives. You have to select at least one assessment objective. You can select more than one.

You can consider your assessment objective the benchmark for your information security management system. The assessment objective is a key input for the TISAX process. All TISAX audit providers base their assessment strategy mainly on the assessment objective.

The current TISAX assessment objectives are:

No	Objective	Abbreviation
1	Information with high protection needs	Info high
2	Information with very high protection needs	Info very high
3	Data protection According to article 28 (“Processor”) of the European General Data Protection Regulation (GDPR)	Data
4	Data protection with special categories of personal data According to article 28 (“Processor”) with special categories of personal data as specified in article 9 of the European General Data Protection Regulation (GDPR)	Special Data
5	Protection of prototype parts and components	Proto parts
6	Protection of prototype vehicles	Proto vehicles
7	Handling of test vehicles	Test vehicles
8	Protection of prototypes during events and film or photo shootings	Events + shootings