TISAX® Assessment - Information Security in the Automotive Industry in the United States
Mutual recognition among all TISAX® participants
Suppliers and service providers achieve greater trust in your audited company
TISAX® assessments are conducted only every three years.
Save time and costs by participating in the TISAX® network
All you need to know about the TISAX® assessment in the United States
ISA also refers to ISO/SAE 62443-2-1 for industrial control systems for the automation and monitoring of industrial production facilities (IACS) and operational technologies (OT).
With over 10,000 locations evaluated in accordance with TISAX®, this standard ranks as the second most widely adopted information security framework worldwide, trailing only ISO/IEC 27001. As a result, international working groups for TISAX® and the ISA catalog have been formed by VDA and ENX to jointly influence the standard's future, fostering closer collaboration with the U.S. automotive industry. At the same time, this promotes closer cooperation with the global automotive industry. With TISAX 6.0, the updated form of the assessment and exchange procedure was published in the fall of 2023.
TISAX® 2.2 - Mandatory from April 1, 2024 - Transition notes
The new ISA Catalog 6.0 is an important milestone for TISAX®. The assessment catalog leads to adjustments of the requirements for audit providers, which were defined in the TISAX® ACAR 2.2 regulations. The change of the main language to English underlines the global perspective and the joint efforts for worldwide development. Further translations of TISAX VDA 6.0 are planned.
The most important changes in the new ISA catalog 6.0 are:
Changes to the security labels:
- The Information Security label is replaced by the Availability and Confidentiality labels. Depending on your role in the supply chain, Availability or Confidentiality or both may be relevant to you.
- An existing "Information Security High" label will be replaced with the combined "Availability High" and "Confidentiality High" labels. The same applies to an existing Information Security Very High label. It will be replaced by "Availability very high" and "Confidentiality strict".
- Both labels must meet the same set of baseline requirements. In addition, each label has specific requirements for high and very high protection needs. The assessment process is driven by the labels, taking into account your role in the supply chain. It is therefore worth checking with your customers which labels are relevant to your role.
Increased focus on information security and OT systems in the supply chain
- Relevant companies in the supply chain must meet "high availability" or "very high availability" requirements.
- Emphasis on Operational Technology (OT) systems in production and other areas in the TISAX® assessment.
- References to IEC 62443-2-1 and new ISA catalog requirements promote OT focus.
- Inclusion of Industrial Communication and Control Systems (IACS).
- Companies in this category must demonstrate adequate protection of sensitive data in development and production.
- Many of the requirements overlap with "High Sensitivity" or "Very High Sensitivity".
- Companies in the supply chain that are not highly relevant but are entrusted with sensitive information must demonstrate that this information can be adequately protected.
- The "High Confidentiality" or "Strict Confidentiality" labels are used to select the TISAX® requirements that contribute to this protection objective.
- The main purpose of the selective assessment described above is to ensure that companies only have to meet the requirements of the ISA catalog that are relevant to their role.
New Challenges for Manufacturing Companies
- OT systems must be subject to management similar to that which is generally required for TISAX® IT systems.
- As a result, the OT in asset management is identified with its specific risks, analyzed for potential vulnerabilities, managed by competent employees, subjected to ISMS-compliant processes for remote maintenance and other best management practices.
What are the advantages of a TISAX® assessment for your North American company?
- Avoid Redundant Assessments: Eliminate the need for duplicate assessments from different customers, saving time and resources.
- Mutual Recognition: Your information security assessments gain recognition from multiple TISAX® participants, reducing the need for redundant audits.
- Reliable Results: Trust in the consistency of your assessment results, thanks to the standardized ISA catalog, ensuring a uniform evaluation process.
- Boost Trust: Enhance confidence in your audited company by directing interested parties to the assessment results available on the TISAX® exchange platform, demonstrating your commitment to information security. This fosters trust among your stakeholders.
After a successful assessment you will receive a TISAX® label on the TISAX® online platform. This label is comparable to a certificate and serves to strengthen the trust in your company and to confirm your efforts to ensure information security.
How does TISAX® work in the US and Canada?
It is important to note that a company can assume both roles. If you are considering becoming an Information Contributor in TISAX®, here are the essential steps:
- 1. Register online at www.enx.com/TISAX
- 2. Select an ENX-approved audit service provider such as DQS Inc.
- 3. Undergo a TISAX® assessment
- 4. Exchange the audit results on the TISAX® online platform.
By following these steps, you are on the path to undergoing assessment within the TISAX® framework. Upon successful assessment, you will be awarded with TISAX® labels on the TISAX® online platform. These labels can be compared to receiving certificates, serving to bolster trust and guarantee the security of your information assets.
If a company is interested in your TISAX® results, it can register with ENX as an "Information Consumer". You can decide for each Information Consumer whether you want to share your current TISAX® status with them.
The TISAX® Assessment Process
Before you start with the TISAX® assessment, your company must define a clear scope. This includes the assessment level, which defines the specific assessment requirements. These requirements may include ensuring the "availability" of production capacities, guaranteeing the "confidentiality" of entrusted information, or securing "prototype parts" and "personal data". These baseline criteria apply to all sites within the scope.
A key challenge is to combine sites with similar requirements into a single scope. DQS can provide valuable design guidance on whether it should be a single comprehensive scope or multiple scopes. In principle, there are advantages to combining sites under one scope in the form of a possible reduction in audit effort if all sites operate under a centralized ISMS.
As a TISAX® participant you must first register online. The scope ID will then be assigned by ENX. Please note that there are service fees associated with this registration process, which will be charged for each location within your scope.
Acquiring TISAX® labels is a straightforward process that involves two key steps. The first step begins with the selection of an approved audit service provider, such as DQS Inc. In the second step, the process initiates with a document review, which is conducted as a self-assessment and does not involve on-site visits. Subsequently, a follow-up assessment is carried out. The depth of this assessment is contingent on the assessment level (AL):
AL 2 assessments do not include on-site visits and primarily focus on checking the plausibility of the implemented Information Security Management System (ISMS) based on documentation.
AL 3 assessments include an on-site visit and entail in-depth verification of the implemented ISMS by evaluating evidence.
For a slightly different approach, there's an alternative method referred to as AL 2.5 assessment. In this approach, your audit service provider performs a fully remote assessment instead of solely conducting a plausibility check. Notably, this method aligns methodologically with AL 3. It provides the flexibility to later upgrade to a full AL 3 by concentrating only on physical aspects and on-site evidence through a delta assessment.
AL 2.5 is particularly recommended for clients who presently only need to meet AL 2 but anticipate that AL 3 will likely be required by the manufacturers they work with in the future. This approach ensures a smoother transition when more stringent requirements come into play.
The results of the TISAX® audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed upon period. This procedure ensures that all identified problems are addressed effectively and promptly.
Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.
The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the TISAX® process with the corresponding test label. In contrast to other certifications, there is no TISAX® certificate.
What Does the TISAX® Assessment Cost?
If you are interested in participating in the TISAX® process, it is advisable to initiate a conversation with DQS Inc., your approved audit service provider, at the earliest opportunity. This early engagement enables us to assess the scope of your assessment accurately and provide a customized quote tailored to your organization's specific TISAX® assessment requirements.
What you can expect from DQS Inc.
- Over 35 years of Global experience in the certification of management systems and processes
- Certificates and Labels with international acceptance
- Receive personalized and continuous assistance from our team of specialists based in the United States, with the added benefit of international support when needed.
- Customized quotes with flexible contract terms and no hidden costs
Master TISAX ISA 6.0 in Our Free Webinar Recording
Dive into the essential changes in the new TISAX® ISA 6.0. From important dates, a new label system, general trends, and major and minor adjustments to the ISMS, this recording will equip you and your organization with the knowledge and insights needed to ensure continued compliance.