TISAX® Assessment - Information security in Indian automotive industry
Mutual recognition among all TISAX® participants
Suppliers and service providers achieve greater trust in your audited company
The assessment for TISAX® certification takes place only every three years
Saving time and costs by participating in the TISAX® network
All you need to know about the TISAX® assessment in India
ISA also refers to ISO/SAE 62443-2-1 for industrial control systems for the automation and monitoring of industrial production facilities (IACS) and operational technologies (OT).
Moreover, the VDA has set the foundation for the creation of the assessment and data exchange system, recognized as TISAX® (Trusted Information Security Assessment eXchange). TISAX® is a registered trademark held by the ENX Association, an organization consisting of European automotive manufacturers, suppliers, and industry associations. This association is responsible for maintaining the quality of TISAX® assessments and managing the selection of TISAX® audit service providers both in India and around the world.
With over 10,000 locations evaluated in accordance with TISAX®, this standard ranks as the second most widely adopted information security framework worldwide, trailing only ISO/IEC 27001. As a result, international working groups for TISAX® and the ISA catalog have been formed by VDA and ENX to jointly influence the standard's future, fostering closer collaboration with the Indian automotive industry. With TISAX 6.0, the updated form of the assessment and exchange procedure was published in the fall of 2023.
TISAX® 2.2 - Mandatory from April 1, 2024 - Transition notes
The new ISA Catalog 6.0 is an important milestone for TISAX®. The assessment catalog leads to adjustments of the requirements for audit providers, which were defined in the TISAX® ACAR 2.2 regulations. The change of the main language to English underlines the global perspective and the joint efforts for worldwide development. Further translations of TISAX VDA 6.0 are planned.
The most important changes in the new ISA catalog 6.0 are
Changes to the security labels:
- The Information Security label is replaced by the Availability and Confidentiality labels. Depending on your role in the supply chain, Availability or Confidentiality or both may be relevant to you.
- An existing "Information Security High" label will be replaced with the combined "Availability High" and "Confidentiality High" labels. The same applies to an existing Information Security Very High label. It will be replaced by "Availability very high" and "Confidentiality strict".
- Both labels must meet the same set of baseline requirements. In addition, each label has specific requirements for high and very high protection needs. The assessment process is driven by the labels, taking into account your role in the supply chain. It is therefore worth checking with your customers which labels are relevant to your role.
Increased focus on information security and OT systems in the supply chain
- Relevant companies in the supply chain must meet "high availability" or "very high availability" requirements.
- Emphasis on Operational Technology (OT) systems in production and other areas in the TISAX® assessment.
- References to IEC 62443-2-1 and new ISA catalog requirements promote OT focus.
- Inclusion of Industrial Communication and Control Systems (IACS).
- Companies in this category must demonstrate adequate protection of sensitive data in development and production.
- Many of the requirements overlap with "High Sensitivity" or "Very High Sensitivity".
- Companies in the supply chain that are not highly relevant but are entrusted with sensitive information must demonstrate that this information can be adequately protected.
- The "High Confidentiality" or "Strict Confidentiality" labels are used to select the TISAX® requirements that contribute to this protection objective.
- The main purpose of the selective assessment described above is to ensure that companies only have to meet the requirements of the ISA catalog that are relevant to their role.
New Challenges for Manufacturing Companies
- OT systems must be subject to management similar to that which is generally required for TISAX® IT systems.
- As a result, the OT in asset management is identified with its specific risks, analyzed for potential vulnerabilities, managed by competent employees, subjected to ISMS-compliant processes for remote maintenance and other best management practices.
What are the advantages of a TISAX® assessment for your company?
- Avoid Redundant Assessments: Eliminate the need for duplicate assessments from different customers, saving time and resources.
- Mutual Recognition: Your information security assessments gain recognition from multiple TISAX® participants, reducing the need for redundant audits.
- Reliable Results: Trust in the consistency of your assessment results, thanks to the standardized ISA catalog, ensuring a uniform evaluation process.
- Boost Trust: Enhance confidence in your audited company by directing interested parties to the assessment results available on the TISAX® exchange platform, demonstrating your commitment to information security. This fosters trust among your stakeholders.
After a successful assessment, you will receive a TISAX® label on the TISAX® online platform. This label is comparable to a certificate and serves to strengthen the trust in your company and to confirm your efforts to ensure information security.
How does TISAX® work in India?
It is important to note that a company can assume both roles. If you are considering becoming an Information Contributor in TISAX®, here are the essential steps:
- 1. Register online at www.enx.com/TISAX
- 2. Select an ENX-approved audit service provider such as DQS India.
- 3. Undergo a TISAX® assessment
- 4. Exchange the audit results on the TISAX® online platform.
If a company is interested in your TISAX results, it can register with ENX as an "Information Consumer". You can decide for each Information Consumer whether you want to share your current TISAX status with them.
How does a TISAX® assessment work?
Before you start with the TISAX® assessment, your company must define a clear scope. This includes the assessment level, which defines the specific assessment requirements. These requirements may include ensuring the "availability" of production capacities, guaranteeing the "confidentiality" of entrusted information, or securing "prototype parts" and "personal data". These baseline criteria apply to all sites within the scope.
A key challenge is to combine sites with similar requirements into a single scope. DQS can provide valuable design guidance on whether it should be a single comprehensive scope or multiple scopes. In principle, there are advantages to combining sites under one scope in the form of a possible reduction in audit effort if all sites operate under a centralized ISMS.
Acquiring TISAX® labels is a straightforward process that involves two key steps. The first step begins with the selection of an approved audit service provider, such as DQS India. In the second step, the process initiates with a document review, which is conducted as a self-assessment and does not involve on-site visits. Subsequently, a follow-up assessment is carried out. The depth of this assessment is contingent on the assessment level (AL):
AL 2 assessments do not include on-site visits and primarily focus on checking the plausibility of the implemented Information Security Management System (ISMS) based on documentation.
AL 3 assessments include an on-site visit and entail in-depth verification of the implemented ISMS by evaluating evidence.
For a slightly different approach, there's an alternative method referred to as AL 2.5 assessment. In this approach, your audit service provider performs a fully remote assessment instead of solely conducting a plausibility check. Notably, this method aligns methodologically with AL 3. It provides the flexibility to later upgrade to a full AL 3 by concentrating only on physical aspects and on-site evidence through a delta assessment.
AL 2.5 is particularly recommended for clients who presently only need to meet AL 2 but anticipate that AL 3 will likely be required by the manufacturers they work with in the future. This approach ensures a smoother transition when more stringent requirements come into play.
The results of the TISAX® audit are recorded in an interim report. In case of non-conformities, measures to be implemented are agreed upon. If necessary, the implementation of the measures is determined within an agreed upon period. This procedure ensures that all identified problems are addressed effectively and promptly.
Once the non-conformities have been closed, an effectiveness review is performed to validate the closure of the nonconformities and to assess the overall effectiveness of the corrective actions taken.
The final result will be published online in the ENX® portal. Your company will then be listed as a participant in the TISAX® process with the corresponding test label. In contrast to other certifications, there is no TISAX® certificate.
What does the TISAX® assessment cost?
If you are interested in participating in the TISAX® process, it is advisable to initiate a conversation with DQS India, your approved audit service provider, at the earliest opportunity. This early engagement enables us to assess the scope of your assessment accurately and provide a customized quote tailored to your organization's specific TISAX® assessment requirements.
What can you expect from DQS India?
TISAX® Assessment
DQS GmbH is a registered TISAX® participant and has undergone a TISAX® assessment for the "Information Security Very High" label at Assessment Level 3. TISAX® assessments are performed by ENX accredited assessment service providers. TISAX® assessment results are not intended for the general public. The result of the assessment at DQS GmbH is available to registered participants via the ENX portal: https://portal.enx.com/