How to Increase Your Chances of Achieving the TISAX® Certification

Understand TISAX® Requirements

To pass the certification, you must familiarize yourself with the TISAX® requirements and assessment criteria.

How is the TISAX® Standard (VDA® ISA) Structured?

The official self assessment involves three main modules:

• Information Security

• Prototype Protection

• Data Protection

Depending on the scope of your ISMS, you’ll undergo different assessment processes. For Level 1 protection, you only need to conduct a self-assessment using the TISAX® / VDA® ISA questionnaire for all three modules.

The Level 2 TISAX® assessment, however, requires an external auditor who’s been accredited by the ENX Association. They evaluate your self-assessment and perform a plausibility check, which you must pass before they review your ISMS and TISAX® implementation.

For the highest level of protection (level 3), the external auditor is required to be on-site for your assessment.

TISAX® Assessment Objectives

When defining the scope of your ISMS, you must consider the TISAX® assessment objectives. You’re required to choose at least one objective, which you can then use as a benchmark for your information security system.

Here are the TISAX® assessment objectives:

• Handling of information with high protection needs

• Handling of information with very high protection needs

• Protection of prototype parts and components

• Protection of prototype vehicles

• Handling of test vehicles

• Protection of prototypes during events and film or photo shoots

• Data protection

• Data protection with special categories for personal data

Choose objectives that are relevant to your business. Or, if a business partner requires you to obtain a certain TISAX® label, select the corresponding objective. For example, if you select the ‘handling of information with high protection needs’ objective, you’ll obtain a TISAX® label with the same name after passing the certification.

What are the TISAX® Requirements you Must Implement into Your ISMS?

TISAX® requirements may differ slightly depending on your chosen assessment objective, but generally, most of the guidelines are also present in the ISO® 27001 standard.

Here’s a brief list of some TISAX® requirements to consider:

• Build and implement an ISMS

• Perform risk assessments and design risk treatment plans

• Create incident response plans to counter future security threats

• Establish a secure infrastructure and follow best practices for information security

• Implement effective security controls and procedures

• Conduct periodic ISMS assessments and track performance

• Follow legal regulations surrounding information security

Prepare the Requirements of Your Company

Determine which TISAX® requirements need to be implemented in your company and make the necessary preparations. If you don’t already have a suitable ISMS setup, use the ISO® 27001 standard to help you design an effective security system. This also serves as a good foundation for the TISAX® certification.

Perform Internal Assessments

Conduct regular internal audits to help you discover weak points in your information security system and check for TISAX® compliance. This way, you’re able to continuously find ways to improve your ISMS and ensure you achieve your chosen TISAX® objective(s). You can also perform these self-assessments in preparation for the official audit.

Prepare Documentation

Make sure to write up all the necessary documents, which include policies and procedures, to evidence your TISAX® implementation. Your documentation should be clear and concise, as the external auditor will review them during your assessment.

Perform Gap Analysis

Conduct a gap analysis to see which areas of your ISMS still require improvement to meet the necessary TISAX® requirements (which includes your assessment objectives). You’ll be evaluating your information security procedures against the TISAX® standard to identify gaps between the two.

When performing your gap analysis, consider the following:

• ISMS Maturity & Effectiveness: Take a look at the maturity and effectiveness of your ISMS. Is it properly implemented? Are there any areas that need to be fortified?

• TISAX® Readiness: Make sure your ISMS is TISAX®-ready, meaning that it’s compliant with the standard’s requirements.

Implement Information Security Controls

Design and implement information security controls into your ISMS according to your TISAX® requirements. This may require changing your policies, procedures, and risk mitigation plans, so make sure to document everything. Your employees should also be trained on how to use any new controls during security awareness programs.

Any security controls you choose to implement should serve to increase the quality of your data protection, minimizing or resolving vulnerabilities in your system.

Address Findings and Remediate Gaps

If you’ve identified gaps in your ISMS after performing a gap analysis, note down your findings and start addressing them. Think of ways to bridge those gaps and bring your company closer to TISAX® compliance.

With ISMS Connect, your company gains access to detailed guides on the TISAX® certification that help you better prepare for the assessment. You can also contact our team of expert consultants to receive personalized guidance in times of need.

How do I Find the Right Partner to Help with TISAX® Certification?

• Researching different partners: Search for TISAX® consultants online and compare different agencies.

• Identify your needs: Determine what kind of support you require from your consultant and whether the agencies you researched fit those requirements.

• Get quotes from multiple potential partners: Negotiate pricing with multiple agencies and compare them to see which one suits your budget. You can also discuss their services to get an idea of their methodology.

• Ask for recommendations: If you’re struggling to find suitable TISAX® consultants, ask someone who’s experienced the certification for some recommendations.

• Interview the potential partners: Once you’ve got a list of potential candidates, interview them to learn about their expertise on the TISAX® certification and how they would help you reach compliance.

• Note down the details: After choosing a TISAX® consultant to hire, discuss and note down details about their fees, services, and timeline to avoid confusion later down the line.

Things to Look for in a TISAX® Consultant Partner

• High-level knowledge and experience with the TISAX® certification

• Work experience or proficiency in information security

• Relevant credentials or qualifications

• Ability to provide personalized guidance tailored toward your specific needs

• Quality references and testimonials (positive reputation)

• Able to give continuous support via suitable communication channels

• Helps you prepare for the TISAX® certification within a certain period

TISAX® Certification Process

• Online registration (includes registering your assessment scope)

• Self-assessment (analyze the results to determine your TISAX® readiness)

• Contact TISAX® auditor providers and request their services

• Choose an auditor and have a kick-off meeting to discuss assessment details

• Initial assessment

• Corrective action plan preparation (if gaps are found)

• Send plan to an auditor for approval (aka corrective action plan assessment)

• Follow-up assessment

• Exchange (share assessment results with business partners — only applicable if your partners are registered TISAX® participants)

Understand How Much it Costs

The cost of a TISAX® certification varies depending on a few factors, including:

• Consultant fees

• External auditor fees (plus travel costs for on-site assessments)

• Audit fees (including follow-up audits if necessary)

• The assessment scope

…and so on.

On average, prices can range from $10,000 for smaller companies up to between $50,000 and $200,000. However, there are ways to minimize these costs, such as properly preparing for the assessment (to avoid correction plans and follow-up audits) and choosing an auditor close to your business (to reduce travel costs).

Also See our article on costs: Overview of TISAX® Certification Costs — An Easy Guide