Assessments on TISAX® – what are they, what are the differences?

If your company wants a TISAX® label, you’ll need to pass an assessment on TISAX® ... Or is it an audit? And what are the differences anyway – or are there any?

This article provides answers to these and other questions about assessments on TISAX® – and, if you want, you can get even more detailed information in an individual consultation with our TISAX® experts.

TISAX® audits and what distinguishes them from an assessment

A TISAX® audit is the assessment process a company undergoes to obtain a TISAX® label. The term is often confused with ‘an assessment on TISAX®’, although in reality both basically mean the same thing. The confusion is probably due to the terms being translated inconsistently in publications on the topic. Originally written in English, the TISAX® Participant Handbook is the authoritative guide for the TISAX® process.

In the English version, the assessment process is consistently referred to as an ‘assessment’, and the examiners as ‘auditors’. In the German version of the manual, however, ‘assessment’ is usually translated as Prüfung (audit), but the manual nonetheless still refers to three ‘assessment’ levels, not ‘audit’ levels. To make things even more confusing, the manual sometimes uses the German Prüfer to refer to the auditors, while at other times it borrows the English, calling them ‘Auditor’. So, in practice, both terms are used synonymously: a TISAX® audit is an assessment on TISAX®. There are no substantial differences.

What is meant by assessment level?

TISAX® reflects a total of eight different assessment objectives. So theoretically, a company could collect eight different TISAX® labels (see Ill. 1).

Ill. 1: TISAX® assessment objectives and the assessment level each one requires

No. | TISAX® profile | Assessment level
1 | Handling of information with high protection needs | AL 2
2 | Handling of information with very high protection needs | AL 3
3 | Protection of prototype parts and components | AL 3
4 | Protection of prototype vehicles | AL 3
5 | Handling of test vehicles | AL 3
6 | Protection of prototypes during events and film or photoshoots | AL 3
7 | Data protection, according to Article 28 ("Processor") of the European General Data Protection Regulation (GDPR) | AL 2
8 | Data protection with special categories of personal data, according to Article 28 ("Processor") with special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR) | AL 3

TISAX® differentiates three assessment levels (ALs). Put simply, the assessment levels define the auditor’s level of involvement as demanded by the respective assessment scope. For AL 1, an auditor is not involved. The company merely provides a self-assessment, in the form of a questionnaire, on the effectiveness of its own information security management system (ISMS). The questionnaire is not subject to any further scrutiny or checks. So when it comes down to it, TISAX® assessment level 1 plays no real role. It’s a mere formality but does not lead to an assessment label.

For AL 2, the company undergoing the assessment must complete the ISA questionnaire and send it to the auditor of their choice, along with complete ISMS documentation. The auditor will check the documents and set up an interview using the information provided. Generally, the audit provider will conduct the interview via web conference.

The main difference between AL 3 and AL 2 is the assessment procedure. For AL 3, it is done live instead of remotely. The auditor will visit the company’s location or locations to verify that the guidelines and measures defined in the ISMS have actually been implemented effectively.

Companies should note that the assessment levels are not freely selectable; instead, they are determined by the assessment objectives and associated TISAX® labels (see Ill. 1). A company that wishes to obtain a TISAX® label that demands AL 3 must undergo an AL 3 assessment.

Who carries out an assessment on TISAX®, and who is involved?

Assessments on TISAX® may only be carried out by audit providers who have TISAX® accreditation. The ENX Association, an association of the European automotive sector, is the sole accrediting body. No party is involved in an AL 2 and AL 3 assessment other than the company undergoing the audit and the audit provider. The assessment results are published in the ENX Portal members’ area.

In order to implement a TISAX®-compliant ISMS and successfully prepare for an assessment, companies usually turn to professional support – for example by working with the TISAX experts at DataGuard.

What is the purpose of an assessment on TISAX®?

The purpose of assessments carried out by TISAX® audit providers is to verify that participating companies comply with the TISAX® requirements. The assessment objectives defined for each TISAX® label and the assessment levels they are based on serve as benchmarks to determine compliance. From the point of view of participating companies, the purpose is to obtain the TISAX® labels they want or require for market participation in the automotive sector.

What is the procedure of an assessment on TISAX®?

In order to participate in the assessment process of TISAX®, interested companies must register on the online ENX Portal. When registering, companies will need to define, among other things, the assessment objectives they wish to pursue. Only after companies have registered and defined their assessment objectives can they go on to choose an accredited audit provider and commission said party to perform the assessment. For the procedure, the company provides the auditor with the completed ISA questionnaire and documentation of the implemented ISMS. After reviewing these documents and the corresponding evidence, and after a remote or on-site inspection, the auditor will finally issue the desired TISAX® label or labels, as the case may be.

It is important to know that the ISA questionnaire requires participants to give a self-assessment of the maturity level for each measure implemented in the company. The auditor will check this information and compare it with the on-the-ground reality by asking to see suitable evidence. As you can see, it is therefore not enough to merely draft internal guidelines and policies. TISAX® participants must be able to demonstrate that they have actually implemented these policies.

How long does an assessment on TISAX® take?

While preparation can take weeks, months or even years, the assessment on TISAX® itself takes only a few days at most – depending on the TISAX® label you are trying to obtain and your company’s organisational structure. A company with multiple international locations and assessment objectives that require AL 3 on-site inspection should plan for more time than a supplier with only one location who needs to undergo an AL 2 inspection. This holds true even if some audit providers have international teams that can share the job.

Conclusion

There is no difference between the assessments on TISAX® and TISAX® audits. There are three clearly defined assessment levels of TISAX®. And for each of the eight available TISAX® assessment objectives, the assessment level a company needs to complete is predefined. Level 1 exists merely as a formality; it is not associated with any assessment objective. Assessment level 2 applies to the assessment objectives ‘Handling of information with high protection needs’ and ‘Data protection’. All other assessment objectives and TISAX® labels require companies to complete assessment level 3.

We are happy to assist you throughout the entire process and support you on your way to getting the TISAX® label you need. Don’t hesitate to get in touch now! We wish you every success.

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.
