TISAX audit, corrective action assessment, review and share results
The exam starts with an official opening meeting. Organisational preliminary examination topics are clarified there. However, this does not have to be held personally on site but is usually done by telephone.
The test procedure depends on the assessment level (AL2 random testing, usually via telephone with employee interviews or AL3 animal on-site testing with employee interviews and checking of all requirements).
The audit service provider will note findings as he conducts the audit and pass them on to you later in the form of a report and the final meeting. There are the following possible endorsements:
- Potential for improvement
- If the auditor sees potential for improvement in these points, this should be taken as a recommendation.
- This has no effect
- Are observations made by the examiner during the test.
- The effect here is that this is usually converted to a minor deviation at the next audit (after three years)
- Minor Deviations
- If the overall effectiveness for the ISMS does not cause a significant security risk.
- Minor deviations must be corrected within 9 months
- Major deviations
- There are doubts about the overall effectiveness of the ISMS.
- Major deviations must be corrected as soon as possible and preferably within three months. For major deviations that take more than three months to implement, evidence must be provided that this cannot be implemented more quickly.
During the official final meeting, which is the end of the TISAX audit, all findings are presented and the audit result is disclosed. In case of major deviations, the review topics are organized.
You will then receive the TISAX report after about 2 to 4 weeks and can raise objections if you believe that the testing service provider has misunderstood something or made a mistake.
Corrective Action Assessment
If variances were found during the inspection (secondary variances), you must define and then implement one or more corrective actions. In addition, you must also define a conversion date for each corrective action.
Note: Remember that you only have 9 months from the final interview to fill in any gaps.
If major deviations have been identified, you must define compensation measures and also a transposition date, with justification for periods of more than three months.
Note: You should therefore correct major deviations as soon as possible, as they pose a security risk to your ISMS. If it takes longer than 3 months to implement the measure here, you must provide evidence that it cannot be implemented more quickly.
Once you have created an action plan and are satisfied with it, you should send it to your inspection service provider so that they can perform the action plan inspection. The aim is to ensure that the action plan meets the TISAX requirements.
If your corrective action plan meets the requirements, the inspection service provider will update your TISAX report. The test is very fast and can be held as a personal meeting, telephone call or web conference.
The aim of the inspection is to check whether the deviations found have been eliminated and the corrective action plan has been implemented. You request the inspection as soon as you are sure that you have eliminated all deviations. Here the process goes into a repetitive process, if e.g. new deviations are discovered or deviations are still not completely eliminated. A personal meeting, telephone call or web conference is also possible here.
Note: You can do as many checks as you need, you only have to consider the time limit here.
Sharing your result
The testing service provider uploads the two sections A and B of their TISAX report into the ENX Association portal. For the time being, the information is only visible to you. You can only share the result if you meet the following three requirements:
- The test result has been transmitted to the exchange platform (this may take 5 – 10 working days until the result is available on the platform)
- The ENX Association has included the fee
- In addition, the test scope must have the status “Active
If these are fulfilled, you can divide the result into five different release levels, namely
- A: Information on the test
- B: Overall test result
- C: Summary of the test result
- D: Detailed examination results
- E: Maturity level in the VDA ISA catalogue
Note: Remember that once a publication has been made, it can no longer be withdrawn. This means that if you share your exam with the Sharing Level 5 and publish it, it is irrevocable.
They can also share labels so that participants know which test objectives have been tested on them.