What is the role of ENX Association within TISAX?

ENX Association acts as governance organisation within TISAX. It approves audit providers and monitors the quality of implementation as well as the assessment results. ENX Association maintains a framework of criteria (“TISAX ACAR”). For further information about governance please go to TISAX Committee.

What are the benefits of TISAX?

• To renewal of existing supplier relations is facilitated
• The chance of creating completely new business connections is opened through industry-wide recognition
• To create price transparency for assessments
• To create competition between audit providers
• To establish a common level of information security in the industry
• To allow common recognition of assessment results
• To save costs and effort with manufacturers and suppliers

What are roles within TISAX?

ENX Association: ENX Association maintains the framework of criteria (“TISAX ACAR”). It approves audit providers and monitors the quality of implementation of the assessment results.

Audit Providers: The audit provider is approved by the ENX Association and conducts the assessment at the participant. The audit provider provides the assessed participant the assessment result.

Participants: The participant is a registered company in TISAX and is assessed by an audit provider.

What is the TISAX Participant Handbook?

The TISAX Participant Handbook provides you with all the necessary information regarding TISAX. It describes the steps you need to take for passing the TISAX assessment and for sharing your assessment result with your business partners and explains what TISAX is, how it works and who is behind it.

• TISAX Participant Handbook (English Version)
• TISAX Teilnehmerhandbuch (German Version)

What is a managed service provider?

Some participants made it a mandatory requirement for many of their suppliers to prove that their information security management system fulfils a defined set of requirements. In consequence, they have to handle a lot of assessment results. Therefore, some participants use "managed service providers" to support them in various forms. For some companies, you will not notice it, because the managed service provider acts transparent for you. Others completely delegated the interaction with their suppliers to their managed service provider. Your business partner or his managed service provider will let you know if he uses a managed service provider - who in turn will let you know about any specific requirements.

What is the TISAX Committee?

The TISAX Committee is an advisory board that aims to maintain openness, transparency, control and support of the TISAX concept and its implementation through the ENX Association by stakeholders. The TISAX Committee:

• Is escalation instance for discrepancies between assessed participants and the audit provider in the assessment (interpretation of the VDA ISA or other catalogues)
• Decides on approval of audit providers
• Advises ENX Association on the further development and implementation of TISAX

What information do I need to provide during the registration?

During the registration of a participant you need to provide the following information:

• Participant Name
• Participant Main Contact
• Participant Address

During the registration of a scope you need to provide the following information:

• Scope Name
• Scope Type
• Assessment Objectives
• Scope Locations
• Main Scope Contact
• (Additional Scope Contacts)
• Invoice Information

What is a TISAX Participant?

A company which is registered in TISAX becomes a participant in TISAX, a TISAX participant. Only TISAX participants can exchange assessment results through TISAX. TISAX participants are all companies, that exchange information with each other in TISAX. As a registered TISAX participant your company can order assessments by approved audit providers and being assessed by them, exchange assessment results with other TISAX participants and can be provided with assessment results by other TISAX participants. The first step in order to use TISAX is the registration as a TISAX participant.

I have interrupted my assessment scope registration. How do I get back?

If you have interrupted your scope registration you can go to My scope and assesment and edit the incomplete scope.

How much does the TISAX Participant registration cost?

The registration fees are calculated based on the locations used in scopes. The full prices can be found in the registrationTISAX Price List.

Can I register on behalf of another company?

In order to apply for TISAX registration you must have full legal capacity to accept the TISAX Participation General Terms and Conditions on behalf of the company in question.

What is a TISAX assessment scope?

The TISAX assessment scope describes the coverage of the information security assessment. Simplified, every part of your company that handles classified information of business partners in the automotive industry is part of the assessment scope. You can consider it as a major element of the audit provider's task description. It dictates what the audit provider needs to assess.
The assessment scope is important for two reasons:

• An assessment result will only fulfil your business partner's requirement if the respective assessment scope covers all parts of your company that handle business partner information.
• An exactly defined assessment scope is an essential prerequisite for appropriate cost calculations by our TISAX audit providers

For each Assessment, the participant must state the desired scope when requesting offers from the audit providers. Every assessment is explicitly conducted for a specific scope. Companies with several locations can register several scopes or include several locations in one scope. A participant can always have more than one scope.

Can I add missing information later?

You can add missing information online to complete your registration, e.g. missing information about the scope main location. However, invoice information about your preferred charging model or VAT ID cannot be added afterwards from you. If this is the case, please let us know via phone +49 69 9866927-77 or send an email to tisax@enx.com.

How can I add another TISAX location to a scope?

You can always add another location online by creating a new assessment scope on the tab MyScopes and Assessmentsin the ENX Portal. One scope can include as many locations as wanted as long as all locations in this scope have the same assessment objective(s). However, one scope must include at least one location.

How can I remove a TISAX location from a scope?

You can remove a location by going to the tab TISAX Settings and click on the location you want to delete.

We have many locations. Do we need to add them manually?

For large corporations with many locations, TISAX offers the "simplified group assessment". You can contact ENX Association and ask for a simplified group assessment.
For further information about a simplified group assessment you can go to "What is a simplified group assessment?".

How do I define an assessment scope?

If your company is small (e.g. one location), this is usually an easy task. You simply add your location to the assessment scope. If your company is large, you should consider registering more than one assessment scope.
Having a single scope that contains all your locations has advantages:

• You have one assessment report, one assessment result, one expiration date.
• You can benefit from reduced costs for the assessment because your central processes, procedures and resources are assessed only once.

But a single scope may also have disadvantages like:

• The assessment result is only available once all locations are assessed. This fact may be relevant if you urgently need an assessment result.
• The assessment result depends on all locations passing the assessment. If just one location fails, you will not have a positive assessment result.

How do I choose an TISAX audit provider?

After you have successfully registered your participant and/ or a scope, ENX Association will send you a registration email with your TISAX Registry Excerpt and a list of audit provider contacts. You can ask all of them for a bid for your assessment.

How are Participants, Scopes and Assessments identified?

Participant-ID: The Participant-ID identifies a participant in the TISAX. It is equally needed to clearly identify the participant to whom the assessment information is to be shared and that several scopes can clearly be assigned to a participant. The participant will receive the Participant-ID within 3-5 days after ENX Association has approved the registration of the participant.

Scope-ID: The Scope-ID is needed to clearly identify an assessment scope. The participant will receive the Scope-ID within 3-5 days after ENX Association has approved the registration of the scope.

Assessment-ID: The Assessment-ID is needed to clearly identify an assessment. Depending on the type of assessment and validity period, several assessments may exist for one scope (possibly from different audit providers).

What is the basis of the assessment?

Basis of the assessment is the VDA Information Security Assessment (ISA) questionnaire which is created and maintained by the VDA Information Security Committee. It can be downloaded from the VDA website in German or English.

Where do I find the latest VDA ISA catalogue?

You can find the latest VDA ISA catalogue on the VDA website.

What is a TISAX assessment objective?

The assessment objective determines the assessment level your information security management system (ISMS) is expected to have if you handle certain information. This is entirely based on the type of data you handle on behalf of your business partner. Consider your assessment objective as the benchmark for your information security management system. The assessment objective is a key input for the TISAX process. All TISAX audit providers build up their assessment strategy largely on the assessment objective. There are currently 10 TISAX assessment objectives. You must select at least one assessment objective, but you can select more than one.

What is a TISAX Label?

The TISAX Label is part of the TISAX report. It labels what has been successfully assessed by the audit provider. You start with the "assessment objectives" and if you pass the assessment you receive the corresponding "TISAX labels".

What is a temporary TISAX Label?

If your overall assessment result is “minor non-conform”, you receive temporary TISAX labels. The benefit of temporary TISAX labels is that your partner generally accepts them under the condition that you later receive permanent TISAX labels. This may help you if proving the effectiveness of your information security management system to your partner is urgent. The prerequisite for temporary TISAX labels is a corrective action plan assessment report with the overall assessment result “minor non-conform”. Regarding the validity period, temporary TISAX labels:

• expire nine months after the closing meeting of the initial assessment.
• are valid until all non-conformities are resolved. (This is established in the follow-up assessment and documented in the follow-up assessment report.)
• can't be renewed.

Please note: The “corrective action plan assessment” is optional. You can proceed straight to the follow-up assessment if you:

• don't need temporary TISAX labels and
• are confident to implement any corrective actions without getting your plan approved by your audit provider

Once you've completed all corrective actions, you should request the “follow-up assessment”.

What is the difference between an assessment objective and a TISAX label?

Your business partner may speak of "TISAX labels". "Assessment objectives" and "TISAX labels" are almost the same. The difference is that you start into the assessment process with the "assessment objectives" and if you pass the assessment you receive the corresponding "TISAX labels". Example: Your business partner requires you to get the TISAX label "Information with high protection level". Then you select "Information with high protection level" as your assessment objective.

Are the assessment results downward-compatible?

Yes, the assessment will be also usable when another participant places requirements of lower level if your company has subjected itself to an assessment of higher requirements.

Who receives the assessment report and/or assessment results?

By default, only the assessed TISAX participant receives its TISAX assessment report and results. If not explicitly denied, the first two chapters of the report are put in the TISAX platform. Only the assessed participant can share its results further.

What is a simplified group assessment?

For companies with many locations, the regular TISAX assessment process can be quite extensive. Under certain conditions we offer an alternative – the “simplified group assessment” (SGA).
The simplified group assessment is a special case of the TISAX assessment process. If the preconditions are fulfilled, it can reduce the efforts compared to the regular TISAX assessment process. This special TISAX assessment process is designed for companies with at least three locations and a centralised, highly developed information security management system (ISMS). You can access the simplified group assessment document here: TISAX Simplified Group Assessment (EN).

I have an assessment of operational services for Volkswagen group. Can I use this in TISAX?

If you have completed a Volkswagen-specific Assessment after 2015, this can be taken over in TISAX. Registration is a prerequisite to participate in TISAX.

I have completed my assessment. Where can I find my results?

If you have passed your assessment and have been sent the assessment result by the audit provider. The first two sections (A and B) of your TISAX report will be visible only for you within two weeks within TISAX. You can find your result in the tab “Your Scopes and Assessments” in the row of each scope.

What is the TISAX Report?

The TISAX report includes your assessment results. It is structed as follows:

A. Assessment-Related Information
B. Overall Assessment Result
C. Assessment Result Summary
D. Detailed Assessment Results
E. Maturity Levels of VDA ISA (Result Tab of VDA ISA)

The structure reflects different levels of possible disclosure regarding its content towards other TISAX participants. Starting with general information about the assessment (A. Assessment-Related Information), it spans from a summary of results (B. Overall Result, C. Summarized Assessment Results) to the very details of the assessment (D. Detailed Assessment Results and E. Maturity Levels of VDA ISA).

What is the Exchange?

TISAX enables you to exchange your assessment results with other participants. For that the ENX Portal provides the necessary functions. Exchanging assessment results is an integral part of TISAX. You only have your information security management system assessed once, but now you can share your assessment results with as many business partners as you like.

Who can access my assessment results?

Your audit provider will upload the first two sections (A and B) of your TISAX report. At this stage, the information is not visible to anyone except you. You can use the account created during the registration to access the ENX Portal and share the results with other participants.
You retain complete control of all assessment results at any time. Other participants can only access your assessment results after you have created a publication- or sharing permission on the ENX Portal. You can share your assessment result with all other TISAX participants by publishing it within TISAX. Doing so allows all other TISAX participants to access your assessment result up to the shared level. Besides, you can share it selectively with particular TISAX participants with a higher sharing level.

What does publication of an assessment mean?

You can share your assessment result with all other TISAX participants by publishing it within TISAX. Doing so allows all other TISAX participants to access your assessment result up to the shared level. The sharing levels for publishing your assessment result on the exchange platform are limited to these options:

• Do not share (Default)
• Sharing level "A: Assessment Related information" (without TISAX Labels)
• Sharing level "A: Assessment-related information" + TISAX Labels
• Sharing level "A: Assessment-related information" + TISAX Labels + B: Assessment Summary

These selectable options are based on the TISAX report structure.

What does sharing of an assessment mean?

In order to share your assessment results with your business partners you will need their Participant-ID. If you have not received your business partner´s Participant-ID yet, please contact them. These selectable sharing options are based on the TISAX report structure.