If you are a manufacturer in the automotive industry, you may have heard some buzz about TISAX. Does your company need to pursue this? Who is it for and what does it do?
To understand TISAX as it exists now, you need to dig into some background information.
According to the TISAX handbook, TISAX is a result of like minds in the automotive industry determining that information security needed to be prioritized. The Verband der Automobilindustrie (VDA), an association that focuses on industry-specific issues for the automotive industry, helped to create the Information Security Assessment (ISA). As the handbook says, “With the ISA, we now have an answer to the question ‘Who defines what “secure” means?’ Through the VDA, the automotive industry itself offers this answer to its members.”
The ISA was a great first step. Essentially, it is a questionnaire that companies complete in order to show their level of cybersecurity. However, suppliers were being asked by partners over and over again to prove compliance with the ISA requirements, and some partners had slightly different requirements that the suppliers were expected to meet. Suppliers began to express frustration to the VDA: they were tired of having to provide the same information repeatedly. Enter ENX.
ENX was started in 2000 and now has two locations, one in Paris and one in Frankfurt. ENX is essentially a consortium of automobile manufacturers, suppliers, and four national associations. When it started, it was a working group in the VDA whose mission was to maintain the ISA, and it was fielding all of the complaints from the suppliers. In 2017, ENX created TISAX, which allows suppliers to enter their information once and share the result with any partner that wants to see it.
Any company that is a member of the VDA requires its suppliers to register for TISAX. That includes German car companies like Audi, Volkswagen, and BMW. If you are a supplier for a VDA company, it can ask you to register for TISAX at any time, which means you will have to register for the site at cost and go through the audit process with an ENX-approved auditor.
How does TISAX differ from ISO/IEC 27001? The TISAX handbook answers this question directly. It notes:
First, we have to differentiate two types of scopes:
1) the scope of your information security management system (ISMS) and
2) the scope of the assessment.
These two are not necessarily identical.
For the ISO/IEC 27001 certification, you define the scope of your ISMS (in the “scope statement”). You are completely free to define the scope of your ISMS. However, the scope of the assessment (also known as “audit scope”) must be identical with the scope of your ISMS.
For TISAX, you also have to define your ISMS. But the scope of the assessment can be different.
For the ISO/IEC 27001 certification, you can freely shape the scope of the assessment through the way you define the scope of your ISMS.
In contrast, for TISAX, the scope of the assessment is predefined. The scope of the assessment can be smaller than the scope of your ISMS. But it must be within the scope of your ISMS.
Another way to think of it is that ISO 27001 is a general international standard, while, as mentioned above, TISAX was created specifically to cater to cybersecurity needs in the European automotive market. Pursuing ISO 27001 will help you get through your TISAX assessment with greater ease, but the two are, for the most part, separate assessments.
If you would like to talk about your company’s current cybersecurity status, please schedule a complimentary meeting with our cybersecurity experts.