ENX Association acts as governance organisation within TISAX. It approves audit providers and monitors the quality of implementation as well as the assessment results. ENX Association maintains a framework of criteria (“TISAX ACAR”). For further information about governance please go to TISAX Committee.
ENX Association: ENX Association maintains the framework of criteria (“TISAX ACAR”). It approves audit providers and monitors the quality of implementation of the assessment results.
Audit Providers: The audit provider is approved by the ENX Association and conducts the assessment at the participant. The audit provider provides the assessed participant the assessment result.
Participants: The participant is a registered company in TISAX and is assessed by an audit provider.
The TISAX Participant Handbook provides you with all the necessary information regarding TISAX. It describes the steps you need to take for passing the TISAX assessment and for sharing your assessment result with your business partners and explains what TISAX is, how it works and who is behind it.
Some participants made it a mandatory requirement for many of their suppliers to prove that their information security management system fulfils a defined set of requirements. In consequence, they have to handle a lot of assessment results. Therefore, some participants use "managed service providers" to support them in various forms. For some companies, you will not notice it, because the managed service provider acts transparent for you. Others completely delegated the interaction with their suppliers to their managed service provider. Your business partner or his managed service provider will let you know if he uses a managed service provider - who in turn will let you know about any specific requirements.
The TISAX Committee is an advisory board that aims to maintain openness, transparency, control and support of the TISAX concept and its implementation through the ENX Association by stakeholders. The TISAX Committee:
During the registration of a participant you need to provide the following information:
During the registration of a scope you need to provide the following information:
A company which is registered in TISAX becomes a participant in TISAX, a TISAX participant. Only TISAX participants can exchange assessment results through TISAX. TISAX participants are all companies, that exchange information with each other in TISAX. As a registered TISAX participant your company can order assessments by approved audit providers and being assessed by them, exchange assessment results with other TISAX participants and can be provided with assessment results by other TISAX participants. The first step in order to use TISAX is the registration as a TISAX participant.
If you have interrupted your scope registration you can go to My scope and assesment and edit the incomplete scope.
The registration fees are calculated based on the locations used in scopes. The full prices can be found in the registrationTISAX Price List.
In order to apply for TISAX registration you must have full legal capacity to accept the TISAX Participation General Terms and Conditions on behalf of the company in question.
The TISAX assessment scope describes the coverage of the information security assessment. Simplified, every part of your company that handles classified information of business partners in the automotive industry is part of the assessment scope. You can consider it as a major element of the audit provider's task description. It dictates what the audit provider needs to assess.
The assessment scope is important for two reasons:
For each Assessment, the participant must state the desired scope when requesting offers from the audit providers. Every assessment is explicitly conducted for a specific scope. Companies with several locations can register several scopes or include several locations in one scope. A participant can always have more than one scope.
You can add missing information online to complete your registration, e.g. missing information about the scope main location. However, invoice information about your preferred charging model or VAT ID cannot be added afterwards from you. If this is the case, please let us know via phone +49 69 9866927-77 or send an email to email@example.com.
You can always add another location online by creating a new assessment scope on the tab MyScopes and Assessmentsin the ENX Portal. One scope can include as many locations as wanted as long as all locations in this scope have the same assessment objective(s). However, one scope must include at least one location.
You can remove a location by going to the tab TISAX Settings and click on the location you want to delete.
For large corporations with many locations, TISAX offers the "simplified group assessment". You can contact ENX Association and ask for a simplified group assessment.
For further information about a simplified group assessment you can go to "What is a simplified group assessment?".
If your company is small (e.g. one location), this is usually an easy task. You simply add your location to the assessment scope. If your company is large, you should consider registering more than one assessment scope.
Having a single scope that contains all your locations has advantages:
But a single scope may also have disadvantages like:
After you have successfully registered your participant and/ or a scope, ENX Association will send you a registration email with your TISAX Registry Excerpt and a list of audit provider contacts. You can ask all of them for a bid for your assessment.
Participant-ID: The Participant-ID identifies a participant in the TISAX. It is equally needed to clearly identify the participant to whom the assessment information is to be shared and that several scopes can clearly be assigned to a participant. The participant will receive the Participant-ID within 3-5 days after ENX Association has approved the registration of the participant.
Scope-ID: The Scope-ID is needed to clearly identify an assessment scope. The participant will receive the Scope-ID within 3-5 days after ENX Association has approved the registration of the scope.
Assessment-ID: The Assessment-ID is needed to clearly identify an assessment. Depending on the type of assessment and validity period, several assessments may exist for one scope (possibly from different audit providers).
Basis of the assessment is the VDA Information Security Assessment (ISA) questionnaire which is created and maintained by the VDA Information Security Committee. It can be downloaded from the VDA website in German or English.
You can find the latest VDA ISA catalogue on the VDA website.
The assessment objective determines the assessment level your information security management system (ISMS) is expected to have if you handle certain information. This is entirely based on the type of data you handle on behalf of your business partner. Consider your assessment objective as the benchmark for your information security management system. The assessment objective is a key input for the TISAX process. All TISAX audit providers build up their assessment strategy largely on the assessment objective. There are currently 10 TISAX assessment objectives. You must select at least one assessment objective, but you can select more than one.
The TISAX Label is part of the TISAX report. It labels what has been successfully assessed by the audit provider. You start with the "assessment objectives" and if you pass the assessment you receive the corresponding "TISAX labels".
If your overall assessment result is “minor non-conform”, you receive temporary TISAX labels. The benefit of temporary TISAX labels is that your partner generally accepts them under the condition that you later receive permanent TISAX labels. This may help you if proving the effectiveness of your information security management system to your partner is urgent. The prerequisite for temporary TISAX labels is a corrective action plan assessment report with the overall assessment result “minor non-conform”. Regarding the validity period, temporary TISAX labels:
Please note: The “corrective action plan assessment” is optional. You can proceed straight to the follow-up assessment if you:
Once you've completed all corrective actions, you should request the “follow-up assessment”.
Your business partner may speak of "TISAX labels". "Assessment objectives" and "TISAX labels" are almost the same. The difference is that you start into the assessment process with the "assessment objectives" and if you pass the assessment you receive the corresponding "TISAX labels". Example: Your business partner requires you to get the TISAX label "Information with high protection level". Then you select "Information with high protection level" as your assessment objective.
Yes, the assessment will be also usable when another participant places requirements of lower level if your company has subjected itself to an assessment of higher requirements.
By default, only the assessed TISAX participant receives its TISAX assessment report and results. If not explicitly denied, the first two chapters of the report are put in the TISAX platform. Only the assessed participant can share its results further.
For companies with many locations, the regular TISAX assessment process can be quite extensive. Under certain conditions we offer an alternative – the “simplified group assessment” (SGA).
The simplified group assessment is a special case of the TISAX assessment process. If the preconditions are fulfilled, it can reduce the efforts compared to the regular TISAX assessment process. This special TISAX assessment process is designed for companies with at least three locations and a centralised, highly developed information security management system (ISMS). You can access the simplified group assessment document here: TISAX Simplified Group Assessment (EN).
If you have completed a Volkswagen-specific Assessment after 2015, this can be taken over in TISAX. Registration is a prerequisite to participate in TISAX.
If you have passed your assessment and have been sent the assessment result by the audit provider. The first two sections (A and B) of your TISAX report will be visible only for you within two weeks within TISAX. You can find your result in the tab “Your Scopes and Assessments” in the row of each scope.
The TISAX report includes your assessment results. It is structed as follows:
A. Assessment-Related Information
B. Overall Assessment Result
C. Assessment Result Summary
D. Detailed Assessment Results
E. Maturity Levels of VDA ISA (Result Tab of VDA ISA)
The structure reflects different levels of possible disclosure regarding its content towards other TISAX participants. Starting with general information about the assessment (A. Assessment-Related Information), it spans from a summary of results (B. Overall Result, C. Summarized Assessment Results) to the very details of the assessment (D. Detailed Assessment Results and E. Maturity Levels of VDA ISA).
TISAX enables you to exchange your assessment results with other participants. For that the ENX Portal provides the necessary functions. Exchanging assessment results is an integral part of TISAX. You only have your information security management system assessed once, but now you can share your assessment results with as many business partners as you like.
Your audit provider will upload the first two sections (A and B) of your TISAX report. At this stage, the information is not visible to anyone except you. You can use the account created during the registration to access the ENX Portal and share the results with other participants.
You retain complete control of all assessment results at any time. Other participants can only access your assessment results after you have created a publication- or sharing permission on the ENX Portal. You can share your assessment result with all other TISAX participants by publishing it within TISAX. Doing so allows all other TISAX participants to access your assessment result up to the shared level. Besides, you can share it selectively with particular TISAX participants with a higher sharing level.
You can share your assessment result with all other TISAX participants by publishing it within TISAX. Doing so allows all other TISAX participants to access your assessment result up to the shared level. The sharing levels for publishing your assessment result on the exchange platform are limited to these options:
These selectable options are based on the TISAX report structure.
In order to share your assessment results with your business partners you will need their Participant-ID. If you have not received your business partner´s Participant-ID yet, please contact them. These selectable sharing options are based on the TISAX report structure.
A publication of an assessment result makes the assessment result visible (depending of the sharing level) for the entire TISAX community. All TISAX participants can see the published assessment result. The sharing permission on the other hand makes the given assessment result selectively visible for a particular TISAX participant. However, you can create both, the publication and a sharing permission for the same scope. For example, you publish a scope with Sharing level "A: Assessment-related information" (without TISAX labels) for the entire TISAX community and create a sharing permission selectively for a specific participant with a higher sharing level.