Pressure from car manufacturers and major integrators to strengthen information security has led TISAX (Trusted Information Security Assessment Exchange) to become practically a “ticket of entry” into the European automotive supply chain.<\/p>\n
For many Portuguese companies, the question is no longer “if”<\/strong> they will have to implement TISAX, but “when” and “how”<\/strong> to do so efficiently and in line with their business.<\/p>\n In this article, I explain in practical terms what TISAX is, how it relates to ISO 27001, and what steps are essential to prepare your organisation for a successful assessment.<\/p>\n TISAX is a mechanism for assessing and sharing information security results<\/strong>, developed specifically for the automotive sector. It is managed by the ENX Association<\/strong> on behalf of the German automotive industry association (VDA \u2013 Verband der Automobilindustrie). Microsoft Learn+1<\/a> <\/p>\n Instead of each manufacturer requiring its own audits of each supplier, TISAX creates a central platform where:<\/p>\n companies are assessed by recognised auditors,<\/p>\n<\/li>\n obtain a “TISAX label”<\/strong> with a specific assessment level\/objective,<\/p>\n<\/li>\n and share this result<\/strong> with various business partners, avoiding duplicate audits. portal.enx.com+1<\/a><\/p>\n<\/li>\n<\/ul>\n It is important to note that we are talking about a “TISAX label”<\/strong>, not a traditional ISO certification. The standard is based on the VDA ISA (Information Security Assessment) catalogue<\/strong>, which is built on ISO\/IEC 27001 and 27002<\/strong> but adapted to the automotive context (protection of prototypes, tests, events, etc.). Microsoft Learn+2<\/a> <\/p>\n For many organisations, the question is: “If I already have ISO 27001, do I need TISAX?”<\/em><\/p>\n The short answer is: probably yes<\/strong>, if you want to work or continue working with certain OEMs or major automotive suppliers.<\/p>\n ISO 27001<\/strong> defines the requirements for an Information Security Management System (ISMS)<\/strong>.<\/p>\n<\/li>\n TISAX uses this foundation<\/strong> but translates it into sector-specific requirements and assessment objectives, including:<\/p>\n protection of prototypes and test vehicles;<\/p>\n<\/li>\n safety of facilities and test tracks;<\/p>\n<\/li>\n secure management of development and production data;<\/p>\n<\/li>\n additional requirements associated with “high” and “very high” protection levels.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n In practice:<\/p>\n if you already have ISO 27001<\/strong>, you have an excellent foundation and the TISAX project will be an “adjustment and extension”<\/strong>;<\/p>\n<\/li>\n If you do not already have one<\/strong>, the implementation of TISAX can (and should) be considered as an ISMS aligned with ISO 27001<\/strong>, so as not to “build everything twice”.<\/p>\n<\/li>\n<\/ul>\n Before launching a “mega-project,” it is crucial to answer three simple questions:<\/p>\n Which customers request TISAX \u2013 and with what requirements?<\/strong> TISAX assessment objectives<\/strong> (TISAX Assessment Objectives \/ Labels); VDA ISA Consultant+1<\/a><\/p>\n<\/li>\n the assessment level<\/strong> (AL2 \u2013 remote document assessment; AL3 \u2013 assessment with on-site visits). dataguard.com+1<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n What is the relevant scope?<\/strong><\/p>\n country(ies), locations, engineering centres, critical partners;<\/p>\n<\/li>\n processes (development, prototyping, testing, production, shared services);<\/p>\n<\/li>\n critical information systems and applications.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n What is the current maturity of information security?<\/strong><\/p>\n Are there already security policies, access management and incident management in place?<\/p>\n<\/li>\n Are there records and evidence, or is everything ‘informal’?<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n An initial gap analysis<\/strong> against the VDA ISA (or against your current ISO 27001) is the logical starting point. dataguard.com+1<\/a><\/p>\n The scope is the ‘boundary’ of the assessment. It must be very well thought out, because it affects: <\/p>\n the implementation effort,<\/p>\n<\/li>\n the cost of the assessment,<\/p>\n<\/li>\n and the value for its customers.<\/p>\n<\/li>\n<\/ul>\n It usually includes:<\/p>\n Legal entities involved (company A, subsidiary B, etc.)<\/p>\n<\/li>\n Physical locations (headquarters, R&D centre, factory, testing laboratory)<\/p>\n<\/li>\n Processes and services (development, prototyping, IT services, etc.)<\/p>\n<\/li>\n Relevant information systems.<\/p>\n<\/li>\n<\/ul>\n This definition is subsequently recorded on the ENX portal<\/strong> as the scope of the assessment. portal.enx.com+1<\/a><\/p>\n TISAX is not an “IT-only” project. It involves people, processes and technology. <\/p>\n Typically, there should be:<\/p>\n Top sponsor<\/strong> (General Management\/Administration);<\/p>\n<\/li>\n an information security officer<\/strong> (CISO, IT Manager, or equivalent);<\/p>\n<\/li>\n representatives of:<\/p>\n IT\/Infrastructure;<\/p>\n<\/li>\n Engineering\/Operations;<\/p>\n<\/li>\n Human Resources;<\/p>\n<\/li>\n Legal\/Contracts;<\/p>\n<\/li>\n Data Protection (DPO) \u2013 to align with GDPR;<\/p>\n<\/li>\n Suppliers\/Purchasing (when critical services are outsourced).<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n Define it right away:<\/p>\n security committee;<\/strong><\/p>\n<\/li>\n roles and responsibilities;<\/p>\n<\/li>\n meeting schedule and reporting.<\/p>\n<\/li>\n<\/ul>\n The next step is to ‘translate’ the VDA ISA into the reality of your company. In practical terms: <\/p>\n Create a control matrix<\/strong> with:<\/p>\n relevant VDA ISA clauses \/ ISO 27001 controls;<\/p>\n<\/li>\n internal processes affected;<\/p>\n<\/li>\n responsible for each measure.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n Prioritise controls in typical areas such as:<\/p>\n Governance and policies<\/strong> (security policy, information classification);<\/p>\n<\/li>\n Asset and access management;<\/strong><\/p>\n<\/li>\n Physical and environmental safety;<\/strong><\/p>\n<\/li>\n Security in development and testing;<\/strong><\/p>\n<\/li>\n Backup, continuity, and recovery;<\/strong><\/p>\n<\/li>\n Security incident management;<\/strong><\/p>\n<\/li>\n Supplier and contract security;<\/strong><\/p>\n<\/li>\n Specific prototype and testing requirements<\/strong> (where applicable).<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n With the gap matrix defined, it is time to execute.<\/p>\n Some examples of measures that recur frequently in TISAX projects:<\/p>\n reinforcement of physical access controls<\/strong> (turnstiles, visitor registration, segregated areas);<\/p>\n<\/li>\n improvement of logical access controls<\/strong> (MFA, privilege management, periodic access review);<\/p>\n<\/li>\n encryption of data at rest and in transit;<\/p>\n<\/li>\n formal vulnerability management<\/strong> and patching procedures;<\/p>\n<\/li>\n clear policies and procedures for:<\/p>\n information classification;<\/p>\n<\/li>\n trabalho remoto e uso de dispositivos m\u00f3veis;<\/p>\n<\/li>\n management of information media (USB, external drives, etc.);<\/p>\n<\/li>\n<\/ul>\n<\/li>\n contracts and NDAs tailored to prototypes and confidential information<\/strong>.<\/p>\n<\/li>\n<\/ul>\n The goal is not to achieve “perfection,” but rather consistent and demonstrable maturity<\/strong> (with evidence) in the relevant domains.<\/p>\n In a TISAX project, anything that is not documented “does not exist” in the eyes of the auditor<\/strong>.<\/p>\n It is essential to produce and maintain:<\/p>\n policies approved by management;<\/p>\n<\/li>\n operational procedures (e.g., incident management, access management, onboarding\/offboarding);<\/p>\n<\/li>\n records:<\/p>\n access logs;<\/p>\n<\/li>\n vulnerability reports;<\/p>\n<\/li>\n training records;<\/p>\n<\/li>\n atas de comit\u00e9s de seguran\u00e7a;<\/p>\n<\/li>\n continuity test records.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n The TISAX handbook itself emphasises the need for process documentation and evidence of implementation<\/strong> to demonstrate the maturity level of the ISMS. enx.com<\/a><\/p>\n With the ISMS reasonably structured, it is time to:<\/p>\n Register the organisation on the ENX portal<\/strong> and define:<\/p>\n company data;<\/p>\n<\/li>\n scope of the assessment;<\/p>\n<\/li>\n TISAX objectives and desired level.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n Select an ENX-approved audit provider<\/strong> Agree with the auditor:<\/p>\n scheduling;<\/p>\n<\/li>\n type of assessment (AL2 \u2013 remote; AL3 \u2013 with on-site visits);<\/p>\n<\/li>\n working languages;<\/p>\n<\/li>\n locations included.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n In terms of auditing, the TISAX process has two main phases: preparation<\/strong> and assessment<\/strong>. T\u00dcV S\u00dcD+1<\/a><\/p>\n Preparation:<\/strong><\/p>\n conduct a detailed self-assessment<\/strong> using the VDA ISA questionnaire;<\/p>\n<\/li>\n validate responses and associated evidence internally;<\/p>\n<\/li>\n ensure that all documentation is consolidated and easily accessible;<\/p>\n<\/li>\n prepare the teams that will interact with the auditor (briefings, mock interviews).<\/p>\n<\/li>\n<\/ul>\n Assessment:<\/strong><\/p>\n interviews with managers and operational teams;<\/p>\n<\/li>\n detailed document analysis;<\/p>\n<\/li>\n on-site verification (AL3): facilities, physical controls, procedures in place;<\/p>\n<\/li>\n identification of non-conformities and recommendations.<\/p>\n<\/li>\n<\/ul>\n After the assessment is completed, the TISAX report<\/strong> is issued, and \u2013 if the result is positive \u2013 the TISAX label <\/strong>is registered on the ENX portal to be shared with your partners. portal.enx.com+2<\/a><\/p>\n Best practices:<\/strong><\/p>\n Treat TISAX as a business project<\/strong>, not just an IT project.<\/p>\n<\/li>\n Leverage synergies with ISO 27001, GDPR, and other compliance requirements<\/strong>.<\/p>\n<\/li>\n Maintain an internal communication plan<\/strong> so that employees understand the “why” behind the changes.<\/p>\n<\/li>\n Invest in ongoing training<\/strong> in information security and awareness.<\/p>\n<\/li>\n<\/ul>\n Common mistakes:<\/strong><\/p>\n Starting with the checklist without an overall view of risks and priorities.<\/p>\n<\/li>\n Setting an overly ambitious scope (everything and anything) and making the project unaffordable.<\/p>\n<\/li>\n Leave documentation and evidence until the day before the audit.<\/p>\n<\/li>\n Viewing TISAX as a one-off event rather than a cycle of continuous improvement<\/strong>.<\/p>\n<\/li>\n<\/ul>\n The implementation of TISAX requires coordination, experience, and method<\/strong>. iCompliance can provide support on several fronts, namely: <\/p>\n TISAX\/ISO 27001 gap assessment<\/strong> vs current situation;<\/p>\n<\/li>\n definition of scope and evaluation objectives<\/strong>;<\/p>\n<\/li>\n design and implementation of policies, procedures and records<\/strong>;<\/p>\n<\/li>\n integration with GDPR<\/strong> requirements and data protection<\/strong> (in conjunction with iPrivacy.eu<\/a>);<\/p>\n<\/li>\n preparation of the organisation for the audit (simulation of interviews, review of evidence);<\/p>\n<\/li>\n1. What is TISAX?<\/h2>\n
\n
2. TISAX vs. ISO 27001: competitors or complementary?<\/h2>\n
\n
\n
\n
3. Starting point: clarifying requirements and maturity<\/h2>\n
\n
Normally, the OEM or customer specifies:<\/p>\n\n
\n
\n
4. Seven steps to implement TISAX in practice<\/h2>\n
Step 1 \u2013 Define the TISAX scope<\/h3>\n
\n
\n
Step 2 \u2013 Establish the project and governance team<\/h3>\n
\n
\n
\n
Step 3 \u2013 Map controls based on VDA ISA \/ ISO 27001<\/h3>\n
\n
\n
\n
Step 4 \u2013 Implement priority technical and organisational measures<\/h3>\n
\n
\n
Step 5 \u2013 Document processes and evidence<\/h3>\n
\n
\n
Step 6 \u2013 Registration on the ENX portal and selection of the auditor<\/h3>\n
\n
\n
There are several bodies (T\u00dcV, SGS, etc.) authorised to conduct TISAX assessments and issue the respective label. SGSCorp+2T\u00dcV S\u00dcD+2<\/a><\/p>\n<\/li>\n\n
Step 7 \u2013 Prepare and conduct the TISAX assessment<\/h3>\n
\n
\n
5. Best practices and mistakes to avoid<\/h2>\n
\n
\n
6. How iCompliance can support your TISAX implementation<\/h2>\n
\n