A Deutsche Telekom Group company
operational services GmbH & Co. KG

TISAX® Assessments

This is the standard for assessing information security in the automotive industry. There is no way around it.

Not even for us, because we are one of the first approved audit providers in this industry. For good reasons.

To master TISAX®. That should be your minimum goal.

You have probably heard the saying "Trust is good but control is better". The right level of information security not only protects your own sensitive company information, it also shows your clients that their data and information are in good hands with you.

Information security is playing an increasing role in the processing and exchange of sensitive data and information. This applies particularly – but not only – to the automotive industry.

On the basis of the international standard ISO/IEC 27001, the members of the VDA (German Association of the Automotive Industry) have created a requirements catalog which is checked at service providers and suppliers by approved auditors within the framework of the TISAX® model.

TISAX® creates competition among approved audit providers and enables mutual recognition of audit results within the automotive industry. Further information is available at https://portal.enx.com/en-us//.

As one of the first approved audit providers, operational services GmbH & Co. KG (OS) can offer you TISAX® assessments - structured and successful.

TISAX® is a registered trademark of the ENX Association.

Advantages that speak a clear language

You should take information security seriously. Your future is at stake.

  • One assessment – mutual recognition of the results

    TISAX® assessments provide a uniform and binding standard as well as fixed TISAX® requirements for information security assessments within the automotive industry. The assessment results are recognized by the other TISAX® participants, saving you time and money.

    You can also use the TISAX® platform yourself to select your own suppliers.

  • Boost your image among automotive manufacturers

    You can also have a TISAX® assessment carried out proactively, thereby increasing your chances of being awarded contracts by automotive manufacturers. After all, it may take several months until an assessment according to TISAX® requirements is completed successfully – this is valuable time when a project needs to be started urgently.

    In this way, you can simply say you are already on board!

  • Increasing your employees' awareness

    Employees represent a significant aspect of a company's information security set-up, as their actions have a major impact on security within the company.

    Training sessions improve employees' awareness of their own actions and the environment.

  • Protection for your own assets

    It is not only your clients' information which should be protected against unauthorized access, but also your own business information, expertise, and assets. Although you might decide on a TISAX® assessment because a client requires it, your company also benefits from the implementation of measures to increase information security.

  • Initial basis for ISO 27001 certification

    The VDA Information Security Assessment is based on the international standards from the ISO 2700x series.

    Once you have successfully passed a TISAX® assessment, you will have met almost all requirements for preparing for certification.

  • Simplified process for corporate groups

    In a TISAX® group assessment, corporate groups with a centrally organized information security management system benefit from reduced outlay for audited content when many different sites are involved.

Essential information for your TISAX® assessment, to the point

Reach out. Free initial information is ready

Have you been asked to provide proof of a TISAX® label and need clarity about the next necessary steps?

Or do you want to get an overview of what changes there are in the audit process and which options can be chosen for re-assessment?

We would like to help you. During a web conference of about one hour, we go through all relevant information together. You ask, we answer. We will find the optimal solution for your assessment.

Contact us and arrange your personal appointment! Non-binding and free of charge.


Effective and useful information for your TISAX® planning

  • TISAX® requirements - What is checked?

    In the information security working group of the Verband der Automobilindustrie e.V. (VDA, German Association of the Automotive Industry), experts from the automotive industry develop common standards and appropriate protection measures. A key result of this cooperation is the VDA Information Security Assessment (VDA ISA), which is constantly being developed as an industry standard for information security assessments.

    The VDA recommends that all companies involved in the value chain of the automotive industry implement information security based on VDA ISA. The current requirements catalog consists of three subject areas combined with a maturity model.

    During a TISAX® assessment the conformity with the requirements of the VDA Information Security Assessment is checked. The area of information security always forms the basic assessment. The additional modules “Prototype protection” and “Data protection” can be added as an option, as required. This means that company-specific "special catalogs" with individual requirements of some OEMs are usually not required. This saves time and costs!

    The more sensitive the information that you are processing within projects, the higher the level of protection you should select. The following can be used as a rule of thumb:

    • Normal protection requirements are comparable to internal information
    • High protection requirements are comparable to confidential information
    • Very high protection requirements are comparable to secret information

    After a successful assessment you will get a TISAX® label which is valid for a maximum of 3 years. This TISAX® label can then be shared with other participants on the ENX platform and serves as confirmation that the respective company fulfills the TISAX® requirements.

  • How to check?

    TISAX® assessments are always full audits, which means that all controls from each relevant area are checked.

    Principle of assessment

    The extent and duration of the audit as part of the TISAX® assessment vary depending on the specified scope and the intended assessment objective. The applicable assessment method is then derived from:

    Assessment level 2

    Document-based assessment – The classic assessment level 2 is the auditing of all relevant assessment points in accordance with TISAX® specifications, based on documents and other suitable records. In part 1, a plausibility check of the submitted evidence is carried out. If this is successful, a supplemental telephone interview or web conference with the auditee takes place in part 2.

    Remote assessment – All relevant assessment points are checked based on documents and other suitable records, but without an on-site visit. Afterwards, multi-part telephone interviews / web conferences with the auditee take place in almost the same level of detail as on-site.

    Assessment level 3

    Assessment level 3 is an on-site assessment: all relevant assessment points in accordance with the TISAX® specifications are audited on the client's premises. Here, the primary focus is on checking whether necessary information security processes have been implemented. For this purpose, documentation and guidelines are inspected on-site and assessed, and interviews are carried out. There is also a tour of the premises to assess physical security.

    Together with ENX, we have arranged procedures that allow TISAX® assessments even if physical presence is currently only possible to a limited extent or not at all.

  • Six steps to the TISAX® label

    For the assessment, we go through six individual processes:

    Step 1  Definition

    Define the intended assessment objective or TISAX® label (by your partner / OEM): locations, protection level, additional modules.

    Step 2  TISAX® registration

    You register your company as a participant on the TISAX® platform. You get a scope-ID and assign an audit provider to carry out the TISAX® audit. In a joint preliminary discussion we may verify the applicable assessment level as well as the scope of the assessment, answer your questions, go through the TISAX® requirements and your further options.

    Step 3  Initial assessment

    The auditor holds a kick-off conference call with you, explaining the procedure as well as any other important points. You receive the relevant questionnaires to complete and compile additional evidence. An assessment date is jointly agreed. The auditor carries out the information security assessment, the TISAX® assessment, based on documents, remote or on-site and compiles the assessment report. If no vulnerabilities were identified, you will get your TISAX® label here.

    Step 4 Corrective action plan assessment

    In case of findings, the auditee may provide a measures plan with due dates to fix the vulnerabilities. The auditor assesses this plan, supplementing the assessment report.

    Step 5  Implementation

    You implement the measures in order to fix the findings within the agreed due dates and prepare documentation of the evidence.

    Step 6  Follow-up assessment

    The auditor assesses the evidence based on documents or on-site and updates the assessment report. The TISAX® label is granted and the TISAX® assessment is closed. The achieved label is reported to the TISAX® platform. You decide with whom you share your TISAX® label.

  • Good preparation is everything

    The TISAX® assessment is a comprehensive project that you will master professionally with the right preparation. Please note a few tips in order to be optimally prepared:

    • Using the VDA Information Security Assessment, you can become acquainted with the topic of information security and the TISAX® audit.
    • If necessary, have selected TISAX® requirements explained to you by our experts during a VDA ISA web seminar to make sure you have understood everything correctly.
    • Use relevant newsfeeds to keep yourself up to date. The BSI (German Federal Office for Information Security) provides, for example, plenty of information on the topic; please see the "IT-Grundschutz" catalogs (IT Baseline Protection Catalogs).
    • Become acquainted with the standards relevant to information security, such as the ISO 2700x series.
    • Join relevant training programs and seminars if you feel you need to gain further expertise.
    • Turn to experienced TISAX® consultants for support. They can help you to organize your information security in a way that is tailored to your company. 
    • A neutral inventory through a pre-audit creates clarity about your certification maturity. So you may use the time before the TISAX® assessment for targeted elimination of weak points.
    • Compare yourself with companies within your field, and optimize relevant areas correspondingly.

  • Simplified process for corporate groups

    TISAX® provides a simplified process for assessing information security for corporate groups. The aim is to reduce the outlay required for the audited content if many different sites are involved - one of the numerous advantages of a TISAX® assessment. However, the process is only based on the basic assessment of information security with the corresponding TISAX® requirements; prototypes or similar are not covered.

    Preconditions for using the process

    In the TISAX® group assessment the corporate group has to prove a highly developed ISMS which contains the entire scope of the audit, i.e. the requirements of VDA ISA are reflected in the ISMS.

    The ISMS is organized centrally and there are highly developed and mature internal mechanisms for tracking audits, incidents, and weak points, and central reporting mechanisms.

    Basic audit process for a TISAX® Group Assessment

    • Phase 1: Intensive audit in the company's main office
    • Phase 2: Random inspections at several locations (number is based on the total number of sites)
    • Phase 3: Simplified auditing at the other sites
    • Phase 4 (optional): Other sites within the corporate group are named and benefit from the simplified assessment

    If the above requirements are met, we recommend the use of a group assessment if the company has around 7 sites or more.

    We will gladly outline the process to you in a web conference and answer any questions you may have. We will also support you in classifying your sites according to the applicable audit type. On the basis of this, together we can develop the perfect plan for carrying out the assessment and evaluate the financial and time outlay required.

  • Further helpful links

    TISAX® Homepage

    Description of the TISAX® model, registration, and FAQ on the subject.

    VDA Information Security Assessment

    The current VDA requirements catalog on the subject of information security, prototype protection, data protection, and the involvement of third parties.

  • Good arguments speak for us

    • Our company has itself undergone a TISAX® assessment; we achieved the TISAX® label once more in 2023.
    • Our company has a long tradition of supporting automotive companies, giving us extensive experience in this field. Part of OS arose from the former information technology provider gedas, which provided consultancy services to companies in the automotive and manufacturing industries for more than 20 years, advising on the development, system integration, and operation of ICT solutions.
    • More than 14 years of audit experience with VDA ISA: on behalf of the Volkswagen Group, the OS auditor team has carried out numerous audits across the globe similar to today's TISAX® assessments.
    • OS is one of the first approved TISAX® audit providers and has supported the TISAX® model since its beginning in 2017. OS also continues to exclusively carry out VW-specific audits, such as Secure i.Do areas or the protection of immobilizer-relevant components. These can be combined with the TISAX® assessment, if required.
    • We have already carried out more than 2,500 TISAX® assessments in the most diverse forms worldwide. We are currently the market leader in this segment.
    • OS meets the stringent TISAX® requirements with highly qualified and experienced auditors in permanent employment. They apply their comprehensive expertise when evaluating automotive service providers from a wide range of branches, and carry out complex TISAX® audits in a variety of forms.
    • The ISi service team stands ready to assist you if you have any questions about the TISAX® assessment. Personal contact is important to us, as it means we can find the best solution for your upcoming assessment together.