Define TISAX Assessment Scope
One of the most important steps is to inform the employees, management or other relevant persons why an ISMS is important and which possible advantages a TISAX label can have for you.
Once sufficient discussion has taken place, you can start defining your scope. This is important because it sets the scope of the audit. It can be said that any area of the company that is confronted with confidential information from your partner should be part of the audit. There are three different types of scope, whereby in almost all cases the standard scope is chosen. The three scopes are named as follows:
- Narrowed Scope
- Is smaller than the standard scope
- Not the complete location
- Not all controls
- No receipt of a TISAX label possible
- Standard Scope
- Includes all processes and participating resources at the selected locations that should meet the security requirements of the partners
- Includes collection, storage and processing of information
- Will be accepted by all TISAX participants without objections
- Extended Scope
- Goes beyond the standard scope
- More controls, measures or requirements
- Makes sense if, for example, the test is carried out for a partner outside the automotive industry
- Is accepted by TISAX participants without exception, as it includes the Standard Scope
- Receives TISAX label
Here you can assign a scope to all locations or define which locations belong to the scope. It is also possible to assign different scopes to different locations.
Tip: A scope that includes all locations can have the advantage that you have a test report for all locations, a test result and an expiry date of the label. In addition, it is possible to save money on the cost of the audit, since it is not necessary to hold several audits, but one audit is sufficient.
However, caution is also advised with a scope that includes all sites, as the audit results are only available after all sites have been audited and if a site fails the audit, you will not get a positive result in the audit.
The definition is important mainly because of the following two points:
- To ensure that all relevant areas are included in the inspection scope
- With an exactly defined scope, a more precise cost calculation by the inspection service provider is possible
To write down the scope, you can use the “Definition of Scope” template and fill it in.
Note: If you have the ISO/IEC 27001 certificate, you have a working ISMS and only need to check if all controls of the TISAX requirement are fulfilled.
Examples of resources affected: employees, IT systems, software, cloud connections, locations, service providers, etc.
Examples of relevant locations: production, data centres, development sites, location of offices, etc.
In order to know what represents value in a company, it is necessary to have a list containing all relevant assets (values). For this purpose, we offer you the table template “Inventory of Assets“. There are already examples included which give you an idea of how such a thing should be structured. Only with the listing does it become clear which assets are present in the company and what protection needs (high, medium and low) they have.
Note: At TISAX, assets include all processes, procedures and involved resources that process information subject to your partners’ security requirements.