
Checklist on TISAX®

Prepare effectively for your assessment on TISAX®

Learn how to assemble your team, identify essential deliverables, and navigate the assessment process with ease.

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

You'll find answers to the following questions:

  • Who from your organisation needs to be involved?
  • How long does the assessment on TISAX® typically take?
  • What result should you aim for?
  • Plus, a 5-step checklist to help you prepare well for your assessment on TISAX®

Why TISAX®?

Automotive OEMs (Original Equipment Manufacturers) and their suppliers form one of the world’s most complex supply chains. In the past, the stringent requirements prevalent in this industry meant that many individual manufacturers conducted audits of their suppliers independently. This led to suppliers having to complete multiple audits by multiple customers, costing a lot of effort, time, and money.

The Trusted Information Security Assessment Exchange (TISAX®) was developed to prevent multiple audits for companies and drive efficiency in the industry. By creating one mutually accepted standard, TISAX® can be applied across companies and even other industries without the need for additional audits. Thanks to TISAX®, a uniform level of information security is now visible and understood.

 

Who from your organisation needs to be involved?

While this topic is often pushed to the IT team, TISAX® affects all business processes. For example, external auditors will examine what security measures you have in place when offboarding and onboarding new employees. The tasks involved (handover of keys or key cards, signing contracts and agreements, the creation of new email accounts) will usually be split across multiple departments. As such, all departments that play a role in the landscape of your core processes will be involved in some way: HR, Legal, IT, Office Managers, Leadership and more.

 

How long should I prepare for the assessment?

The implementation of a strong Information Security Management System (ISMS) takes six months to complete on average. You can be slightly faster, especially with the help of an expert who specialises in preparing for assessments on TISAX®.

The duration of the assessment by the external auditor depends on the size of your company and the amount of travel required between your locations. Around 2-3 days on-site to complete the assessment can be expected for an SMB-size company with around 50 employees.

 

What happens during the assessment?

This assessment can only be performed by certification companies accredited for TISAX® by the ENX Association, which runs the TISAX® scheme. The auditor will look under the hood of your ISMS to assess your processes. For example, they will take a close look at your approach to data privacy and how personal and confidential data is processed in your organisation.

Auditors will also examine your premises and what protective measures you have in place (for example, in the delivery and dispatch areas or the IT rooms).

The process is made up of three assessments:

  • Initial assessment

  • Corrective action plan assessment

  • Follow-up assessment

The second and third assessments can often take place several times. This will occur until your organisation has closed all the gaps - all within a maximum period of nine months. If nine months is exceeded, you must complete the initial assessment again.

 

What result should I aim for?

  • Conform: This means you have fulfilled all requirements. This should be your primary goal.

  • Minor non-conform: This means you have at least one minor non-conformity. With this result, you can get temporary labels on TISAX® until the issues are resolved.

  • Major non-conform: This means you have at least one major non-conformity. With this result, you will not receive any labels until the issues are resolved.

The result is valid for a period of three years, after which your business must repeat the assessment.


Section 1: Your ISMS

Define and document the scope of your ISMS

The scope defines the boundaries within which your information security management system (ISMS) applies. Your scope should cover all of your organisation’s systems, processes, physical locations, services, products and departments that need to be protected.

Create a list of all the information you are protecting

Examples include information stored in cloud services (Office, G-Suite), or inside tools like Salesforce, Pipedrive, Workday, Cognos, and Slack. It also includes prototyping tools like Figma and Miro or any other cloud-based tool or platform that your team uses. It should also include information on servers, information that resides with subcontractors/suppliers, information received from customers, etc.

Define and document your information security objectives

This should cover all the ways you intend to ensure confidentiality, integrity, and availability of company information.

Define principles for the secure operation of your systems

Your principles should ensure that your information is protected against unauthorised disclosure and unauthorised or accidental modifications (e.g., deletion or editing of the data). All information should be easily accessible for authorised users.

 

Section 2: Your Team

Define roles and responsibilities

Nominate the responsible members of your team who will help prepare for the assessment. As noted previously, this should include a cross-section of staff, not just IT.

Define and implement a method for training your employees

Regular training sessions should take place to ensure that all staff are up to date on information security topics and understand how these affect their daily work.

Create a guideline for access controls

You need to define rules and guidelines for how access to your information is given, controlled, and monitored.

 

Section 3: Risk Assessment and Treatment

Define a risk assessment methodology

This should cover both natural and physical risks, legal and contractual risks, compliance risks and financial risks.

Create a risk treatment plan and document the results

Your plan should cover what risks can occur and how they will be responded to. For example, what would happen if your servers crash, or if an important cloud service becomes unavailable.

Create a risk assessment report

This report is a detailed summary of any potential threats to your organisation. For each risk, you should determine the probability of occurrence, the resulting impact, and the security controls required to prevent it.

 

Section 4: Customers, suppliers and partners

Create a guideline for compliance with suppliers

This document is critical to clarify your company’s requirements, expectations, and penalties regarding matters relating to business operations (e.g. service standards, deliveries, product conditions).

Include clauses for your greatest concern (e.g. how information about confidential prototypes is shared and processed).

Document how you protect the data of your customers

Are you processing the personal or sensitive data of your customers? If so, auditors will check that you have the necessary measures in place to protect this data.

Ensure all legal and contractual requirements are recorded and fulfilled

Define a clear method for documenting requirements for each business relationship.

 

Section 5: Testing and evaluation

Devise a method for monitoring and measuring your ISMS

The best way to monitor your ISMS is to evaluate how complete it is and how smoothly it is running: for example, your progress on risk identification, evaluation and treatment, the status of your documentation, and whether regular management reviews and analyses take place. An auditor will look to see if the ISMS is working in practice.

Evaluate the results of your monitoring and measuring process

What incidents have occurred, and how many? What incidents have been prevented? Has each staff member been trained effectively? Is each objective you set out at the beginning being met?

Document the corrective measures you have taken based on your findings

This could be anything that you do to avoid or neutralise threats. For example, setting up a new fence or relocating your servers.

Complete a self-assessment on TISAX®

To be ready for an assessment on TISAX®, you must ensure that your ISMS is stable and effective. To find out whether it matches the expected level, you should conduct a self-assessment based on the ISA.


All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.

 
