Organisational tasks and timeline
Since you have already set your test objective, you should also be aware of your assessment level. The following table shows you which AL (Assessment Level) your test objective requires.
|Information Security||Information high||AL 2|
|Info very high||AL 3|
|Prototype protection||Proto Parts||AL 3|
|Proto Vehicles||AL 3|
|Test vehicles||AL 3|
|Events & Shootings||AL 3|
|Data protection||Data||AL 2|
|Data high||AL 3|
Here follows an explanation of the assessment levels:
- Assessment Level 1 (AL 1)
- Suitable for internal purposes only (self-assessment)
- Only the completeness of the self-assessment is checked
- There is no access to the content of the self-assessment
- No control through evidence
- Assessment Level 2 (AL 2)
- Plausibility check of the self-assessment for all locations included in the scope
- Acts as a spot check by interviewing employees and by checking the evidence
- Usually this test is only held remotely (telephone conference, video conference or similar)
- If desired or required, an on-site inspection is possible
- Assessment Level 3 (AL 3)
- All controls of the VDA ISA catalogue are tested
- Precise control of the self-assessment
- Always on-site inspection
- In-depth control with appraisal interviews
With this you have all necessary information together and you can start the registration as TISAX participant. You select your scope and the assessment level. After successful registration you will receive a list of all accredited testing service providers by e-mail and can select one of them.
Note: If possible, the registration should be performed in one go, because a termination or incompleteness will result in a faulty registration. The time required depends on the scope and locations. For example, it takes at least 20 minutes for a scope with one location.
The steps are now as follows:
– Register as “TISAX participant” on the ENX Association platform
– You are not automatically the company’s contact person for TISAX, but you have the right to administrate the ENX Association portal
- Participant registration and contact persons
– Register the company as TISAX participant
– Designate the main contact person for TISAX in your company (at least one person, but more than one as a substitute always makes more sense)
– You can add contact persons at any time
- Determine your TISAX Assessment Scope (Narrowed, Standard, Extended)
– You must assign a name for the test scope
– Select the type of scope (Narrowed, Standard, Extended)
– Select test target(s)
– Add location(s) to the inspection scope (removing and adding is still possible until inspection)
– Optional: Set up publication and grant release permission (can be defined at any time, once something has been published, no revocation is possible)
– Specify the bill recipient
- Select the TISAX Assessment Level, i.e. the depth of the test or depends on the test objectives
– Is directly related to the test target (see table above)
- Select an inspection service provider. Please make sure to do this in time, as the testing service providers usually have a lead time of about 6 months.
Note: In the ENX Association manual for subscribers the complete chapter 4 is about registration and who to contact in case of complications or if you want to delete a test scope. Special cases such as simplified group audits are also explained there (possible from 3 locations and very profitable with a particularly large number of locations).
After successful registration you will receive within three days (after seven days without feedback you should check if you have entered all the details) the confirmation e-mail with the list of testing service providers. You will also receive a PDF attachment entitled “TISAX Scope Excerpt”. There you will find the information that has been stored in the database. There is also your Participant ID (participant identification number) and your Scope ID (application area identification number).
The timetable for obtaining the label always depends on many factors and not least on the resources available. The following timetable is therefore intended as a guide and shows the possibilities.
The concluding conversation is framed in red, as the catch-up period of 9 months starts from here, provided that corrective measures are required.
Note: In contrast to ISO 27001, TISAX does not carry out control tests during the label validity period (3 years). However, you should think about the reaudit at an early stage (approx. 3 months before the date of the audit).