Trusted Information Security Assessment Exchange
TISAX (Trusted Information Security Assessment Exchange) enables mutual acceptance of Information Security Assessments in the automotive industry and provides a common assessment and exchange mechanism. Assessment results always remain under the control of the assessed companies.
ENX Association at the IAA New Mobility World 2017
TISAX participants can take on two roles: providing and/or accessing assessment information. Active participants are assessed and provide the respective assessment result to other participants via TISAX Exchange. Passive participants can request assessment results of other participants through TISAX Exchange and access those results via the platform once the request has been confirmed. Every participant can assume both roles at the same time according to its needs; TISAX does not differentiate between these roles.
These are the four steps to successfully use TISAX:
Registration is a prerequisite to participate in TISAX.
As a registered Participant, your company can
- commission assessments and have them carried out by accredited audit providers
- share the results of assessments performed with other Participants
- access results shared with your company by other Participants.
To register your company as a TISAX participant, please use the online registration on the ENX Portal.
If you want to register many locations, please get in touch with us and we will gladly present the options for Group Assessments to you.
If you have any questions regarding registration or TISAX, we will be pleased to help you by phone at +49 69 986692 777 or by email at email@example.com.
AUDIT PROVIDER SELECTION BY THE PARTICIPANT
TISAX enables accredited audit providers to offer mutually accepted assessments based on the VDA ISA catalogue, in competition with one another. This means that every participant can select an audit provider and expect standardized assessment results that are accepted by other participants throughout the industry.
This is made possible by an assessment system with distinct scopes of services, which is equally suitable for all enterprises along the entire value chain of the automotive industry. Clearly defined packages allow for economical assessments aligned to the individual protection needs.
Participants will receive the most recent list of audit providers and corresponding contact data after successful registration.
Currently, there are five audit providers in the process of accreditation. Four of them already perform assessments all over the world on a pilot basis.
ACCREDITATION AS AUDIT PROVIDER
The ENX TISAX accreditation is based on a framework of Accreditation Criteria and Assessment Requirements (ENX TISAX ACAR).
These criteria consist of two parts:
- Part A: General requirements on audit providers
- Part B: Specific requirements for ENX TISAX Audit Providers
Get in touch with us if you want your enterprise accredited as an audit provider. We will gladly inform you about the requirements and the process in detail.
EXCHANGING ASSESSMENT RESULTS
The exchange of assessment results within TISAX is reserved exclusively for registered participants and only takes place after the assessed company has explicitly released the results to an inquiring company, in the form of standardized summaries (TISAX Report). The scope of the information provided is based on the requirements of the requesting participant.
VDA INFORMATION SECURITY ASSESSMENT
The Information Security Committee of the VDA (German Association of the Automotive Industry) was established more than 10 years ago and has since developed a catalogue of assessment criteria for information security based on key aspects of the international ISO/IEC 27001 and 27002 standards: VDA ISA (VDA Information Security Assessment).
This instrument is used by VDA member companies both for internal purposes and for assessments of suppliers and service providers that process sensitive information of their respective partners.
Until now, assessments according to VDA ISA, particularly of service providers and suppliers, have been handled individually by each requiring company. A partner may therefore be assessed several times at short intervals.
COMMON ASSESSMENT MECHANISM TISAX
To avoid such duplicated effort in the future, the VDA Information Security Committee has established a common assessment and exchange mechanism (TISAX = Trusted Information Security Assessment Exchange) for the automotive industry and beyond.
The TISAX system is operated by ENX Association, which the VDA has entrusted with the implementation as a neutral body.
TISAX creates competition among the accredited audit providers and allows for common acceptance of assessment results within the circle of TISAX Participants. The audit providers perform the assessments based on the VDA ISA set of information security management controls.
GOVERNANCE BY THE ENX ASSOCIATION
The ENX Association acts as a governance organisation of TISAX. It accredits the Audit Providers and monitors the quality of implementation and assessment results.
This control function is ensured through the “ENX Triangle of Governance”, a contractual framework consisting of a contract between ENX Association and each accredited audit provider and a contract between ENX Association and each participant. The participant agrees to the General Terms and Conditions of TISAX participation through its registration.
This ensures that the results meet the required quality and objectivity, and that the rights and obligations of the participants are preserved.
Double and multiple assessments of the same sites, locations or scopes will therefore be a thing of the past. This saves each participant time and costs.
FREQUENTLY ASKED QUESTIONS
The Trusted Information Security Assessment Exchange (or TISAX in short) creates competition among accredited audit providers and enables mutual acceptance of results.
Governance and accreditation are exercised by the ENX Association, an association of automotive manufacturers, suppliers and associations. However, TISAX focuses on the participants.
Participants can choose any TISAX-accredited audit provider. All of them execute the assessment based on VDA ISA, so assessment results from the various providers are comparable and mutually accepted. Different labels enable economical assessments oriented to the respective individual protection needs.
This results in an assessment system with distinct scopes of services, which is equally suitable for all enterprises along the entire value chain of the automotive industry.
TISAX enables and institutionalises the secure exchange of standardised assessment results between the participants. Control over the use of the results always remains with the participant itself.
- Renewal of existing supplier relations is facilitated
- The chance of creating completely new business connections is opened through industry-wide recognition
- Standardisation creates price transparency for assessments
TISAX participants can take on two roles: providing and/or accessing assessment information. Active participants are assessed and provide the respective assessment result to other participants via TISAX Exchange. Passive participants can request assessment results of other participants through TISAX Exchange and access those results via the platform once the request has been confirmed. Every participant can assume both roles at the same time according to its own needs. TISAX does not differentiate between these roles at the time of registration.
Every enterprise registers as a ‘Participant’ in the same way, with identical rights and obligations, and can take on both roles according to its own needs.
The registration fees are calculated based on locations of a scope.
The full prices can be found in the registration price list.
The Participant always has full control over its assessment results. Correspondingly, the assessment results belong to the Participant.
Your company must accept the participation contract when registering. The registration forms should therefore always be signed by an authorized representative of the company (Signature Form (E)).
The registration process, including the assumption of costs, can however be carried out by a third party on behalf of the TISAX Participant at any time.
To add several locations, please fill in a copy of the Address and Site Form (X) for each location.
The participant is the company that is registered for TISAX. The Participant can register one or more scopes for which assessments can then be commissioned.
Assessment results can be shared with other participants. The shared assessment results will then be made accessible to the persons registered as contact for this participant.
‘Scope’ defines the organisational units or physical locations of a company or group for which a TISAX assessment is conducted. This may be, for example, the company’s headquarters or a certain branch office.
For each Assessment, the Participant must state the desired scope when requesting offers. Every assessment is explicitly conducted for a specific scope.
Companies with several locations can register several scopes or include several locations in one scope.
Yes, use multiple copies of the Address and Site Form (Y) and refer to the locations in the Scope Registration Form (C-09).
When you add several locations to a single scope, every assessment of this scope is one large assessment, whereas having several scopes with fewer locations means several independent individual assessments.
The advantage of a large assessment is that central processes and guidelines are checked exactly once and only one assessment result, valid for all locations, is issued by the audit provider. Hence, a large assessment is often recommended where central processes and guidelines apply to multiple locations and are implemented equally, where information security in general is robust, and where the timeline allows such a large assessment to be conducted.
The advantage of several individual assessments is that the assessments are completely independent of each other. In particular, the assessment results are independent and individual reports are issued. This means that any identified weaknesses only affect the particular location and not the overall result, that the assessment report can be issued quickly after the assessment of the location is completed, and that the assessments can be performed by different audit providers at different times.
When you want to provide one of your business partners with assessment results, designate it as a so-called “Trust Partner”.
A Trust Partner is always registered for a specific scope and the assessments valid for it. One or several Trust Partners can be individually registered for each scope.
Registration of a Trust Partner is optional. Trust Partners can be registered later at any time.
Both the TISAX Participant and the exact Scope(s) (e.g. a certain company location) are queried in the forms. For many Participants, both will be identical.
The participant is the registered company with the associated administrative contact who can access results shared by other companies and who can share own results to other companies.
Furthermore, the scope(s) are included in the registration process. Scopes are assessment scopes, each with an associated contact who is responsible for the respective scope. A participant can always have more than one scope.
The Participant ID identifies an enterprise in TISAX. It is needed both to clearly identify the Participant to whom the assessment information is to be released and so that several Scopes (assessment objects, for example locations to be checked) can be clearly assigned to a Participant.
The Scope ID is needed to clearly identify each assessment object.
The Assessment ID is needed to clearly identify an assessment. Depending on the type of assessment and validity period, several Assessments may exist for one Scope (possibly from different Audit Providers).
The basis of the Information Security Assessment is the identically named VDA questionnaire, which is created and maintained by the VDA Information Security Committee. It can be downloaded from the VDA website in German or English.
Labels are assigned for an assessment result when the assessment method and the assessment result meet certain defined criteria.
These criteria are defined in such a way that Participants can map labels to the requirements of certain internal clearance levels.
Hence, for these Participants, reaching a certain label is a precondition for receiving the corresponding clearance.
Yes. If your enterprise has undergone an assessment against higher requirements, the assessment will also be usable when another participant places requirements of a lower level.
You retain complete control of all assessment results at all times. Other participants can only access assessment results after you have registered them as a Trust Partner and thereby authorized the sharing of the result.
Bockenheimer Landstraße 97-99
60325 Frankfurt am Main, Germany
Phone +49 69 9866 927-77
Seat of the management
Bockenheimer Landstraße 97-99
60325 Frankfurt am Main
Phone +49 69 9866 927-0
Registered seat of the association
20 rue Barthélémy Danjou
ENX is a French association under the law of 1901, registered at the Sous-Préfecture Boulogne-Billancourt, France, under number W923004198, with its sole place of business in Frankfurt am Main, Germany.
Clive Johnson, Ford (President)
Philippe Ludet, Renault (Vice President)
Nadine Buisson-Chavot, GALIA (Treasurer)
ENX reviews and updates the information on its websites. Despite this care, the data may have changed in the meantime. No liability or guarantee is therefore assumed for the timeliness, accuracy and completeness of the information provided.
The same applies to all other websites referred to by hyperlinks. ENX is not responsible for the content of websites reached via such links. Some of the information and offers are provided by our partners, e.g. the certified telecommunications service providers, as independent services. Please note that the terms and conditions of these companies apply to these services and offers, and that the inclusion of their websites on the ENX websites implies no recommendation or guarantee. ENX is not responsible for this content. These providers are not vicarious agents of ENX.
Furthermore, ENX reserves the right to make changes or additions to the information provided.
The content and structure of the ENX websites are protected by copyright. The reproduction of information or data, in particular the use of texts, parts of texts or images, requires the prior written consent of ENX.