Levels in the assessment on TISAX®: Get the right one for your business

When it comes to TISAX® – the information security standard for the automotive sector – it’s a veritable jungle of questions and technical terms. The assessment level on TISAX® is a good example. What does it mean, and who needs which level? This article will tell you everything you need to know about the levels in the assessment on TISAX®.

What is an assessment level on TISAX®?

The Trusted Information Security Assessment Exchange – TISAX® for short – is a testing and exchange mechanism for the automotive sector. The task of TISAX® is to set binding standards for information and cyber security that all suppliers in the industry must adhere to. As cooperation between OEMs and suppliers is of different types and scales, TISAX® has also defined different assessment objectives. Whether a company meets each objective is checked against the associated assessment level on TISAX®. Basically, the more demanding an assessment objective, the higher the assessment level.

Which assessment level on TISAX® is relevant for my company?

Every company can decide for itself which assessment objectives for TISAX® it wants to meet. This decision will determine which assessment levels on TISAX® are relevant in each case. That’s the theory, anyway. But in practice, things are different. Certification on TISAX® is a must for any company that wants to do business in and with the automotive sector. And as a rule, it’s the OEMs themselves who specify which assessment objectives and levels a supplier must fulfil.

Which assessment levels on TISAX® exist?

There are three different levels. The handbook for the certification on TISAX® – published by the umbrella organisation for the European automotive sector, the ENX Association – defines assessment level 1, assessment level 2 and assessment level 3.

What is assessment level 1 of the assessment on TISAX®?

TISAX® level 1 reflects ‘normal’ protection needs. This level of assessment only requires a company to complete a self-assessment based on a questionnaire known as the ‘Information Security Assessment’ or ISA. Whether the self-assessment is correct cannot be verified objectively, since nobody checks it. As such, assessment level 1 on TISAX® is not associated with an official assessment objective. This assessment level is purely theoretical and not relevant in practice.

What is assessment level 2 of the assessment on TISAX®?

Assessment level 2 on TISAX® reflects ‘high’ protection needs. As with level 1, level 2 is based on the company’s self-assessment using the ISA questionnaire. The difference is that, during a level 2 assessment on TISAX®, an external auditor verifies the company’s self-assessment. To do this, he or she will conduct a telephone interview as well as perform comprehensive plausibility checks of the evidence provided. The checks are usually done remotely, so the assessment is primarily document-based.

What is assessment level 3 of the assessment on TISAX®?

Level 3 on TISAX® reflects ‘very high’ protection needs. The majority of the defined assessment objectives require assessment level 3. The procedure is identical to that for assessment level 2 on TISAX®: first, the company to be audited submits a self-assessment, which the external auditor will then check against the documentation and evidence. But for level 3, the assessment process doesn’t stop there. In order to be able to assess the effectiveness and maturity level of the ISMS actually implemented by the company, the auditor also carries out on-site inspections and in-person interviews – all of this not only at the company headquarters, but potentially at every location.

How much does an assessment on TISAX® cost? 

It depends. Blanket statements about costs are sure to be unreliable, as the preparation, procedure and scope of an assessment on TISAX® depend on many variables. For example, what are the assessment scope and assessment levels? How effective is the company’s organisational structure already? Does the company maintain one or more locations? Are all of them located domestically, or is the company globally positioned? What ISMS optimisations and measures does a company need to carry out for a successful assessment? Are the measures then implemented sufficiently, or is another final round of checking and optimisation necessary?

What is an assessment on TISAX®? 

During an assessment on TISAX®, an external auditor checks whether the company’s established ISMS, as described in the application for the assessment, actually does what it is supposed to do. To this end, the auditor will look at all processes, documents and measures as well as the appropriate evidence and – depending on the assessment objective and the associated level of TISAX® – also check these on site. Assessments are based on the questionnaire for conducting Information Security Assessments drawn up by the German Association of the Automotive Industry (VDA), referred to in short as the ISA.


Who certifies TISAX®? 

Certification on TISAX® may only be granted by audit providers who are approved for this purpose and accredited by the ENX Association. The ENX Association provides country-specific information online via the TISAX® Portal about audit providers accredited to perform TISAX® audits. Good to know: Companies are free to choose which accredited audit provider they commission. That means that audit providers are in competition with each other. This arrangement is supposed to ensure fair, performance-based costs for assessment services.

Is TISAX® mandatory?

There are no legal requirements for certification on TISAX®. However, for companies that can’t prove they are TISAX® certified, cooperation with the major manufacturing companies in the automotive sector is out of the question. For anyone who wants to do business in this market, there is no way around certification. So, at the end of the day, TISAX® is a must for many companies.

Do you still have questions about which level on TISAX® is suitable for the requirements of your organisation? We will be happy to help you. Simply schedule a free consultation.


TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.
