In this new era of connected and autonomous vehicles, protecting sensitive data and ensuring the security of automotive systems has become of paramount importance. As the automotive industry evolves to confront such cybersecurity challenges, the Trusted Information Security Assessment Exchange (TISAX®) assessment has emerged as a crucial, helpful tool for staying ahead and safeguarding automotive security.
Your customers and organization alike will benefit from the increased security of data, information, and prototypes/manufacturing parts after you undergo an assessment, but you have to pass it first, and that requires proper preparation.
As one of the only TISAX® assessors in the United States, we’re not only ready to assess you but we can also offer some key insight on how to do that. By the end of this article, you’ll understand the key steps in preparing for a TISAX® Assessment and the level of effort required, as well as an overview of the assessment process.
The Importance of a TISAX® Assessment
If you’re rolling up your sleeves for a TISAX® assessment, you aren’t alone. Perhaps a reputable automotive manufacturer like Mercedes or Audi has requested that you validate your data security through a TISAX® assessment. Or maybe your organization is simply aiming to enter the market and wants to use TISAX® as your gateway.
But in fact, obtaining a TISAX® Label through an assessment is more than a mere customer requirement or market differentiator—instead, consider the process like installing a camera to eliminate a blind spot in a car.
If you’ve ever driven a car with a backup camera, you know how helpful they are—sure, you’ve probably also driven a car without one and made do, but once you’ve had the upgraded experience, it almost seems incomprehensible how anyone ever parallel parked before.
Just as backup cameras enhance not only the safety of those around us but also ourselves and our vehicles, undergoing a TISAX® assessment is much the same—it’s not just about the customer-facing benefit because it provides safety for your organization too.
But, like anything, it’s only as good as it’s built. To ensure “good” TISAX® preparation, let’s explore how you can ensure a seamless assessment on your way to achieving a TISAX® Label and a more secure posture.
What are TISAX® Assessment Objectives?
Preparing for a TISAX® Assessment starts with a clear understanding of the assessment objectives, as they play a crucial role in defining the scope of your assessment.
Selecting your objectives determines the relevant requirements for your information security management system (ISMS), so—essentially—selecting and understanding your objectives provides the basis for your entire assessment.
The ten objectives are outlined below. You must choose at least one, but you may also select multiple, depending on your business, the type of data you handle, and customer obligations:
| No. | ISA Criteria Catalogue | TISAX® Assessment Objective | Assessment Level |
|---|---|---|---|
| 1 | Information Security | Handling of information with high protection needs | AL2 |
| 2 | Information Security | High Availability | AL2 |
| 3 | Information Security | Handling of information with very high protection needs | AL3 |
| 4 | Information Security | Very High Availability | AL3 |
| 5 | Prototype Protection | Protection of prototype parts and components | AL3 |
| 6 | Prototype Protection | Protection of prototype vehicles | AL3 |
| 7 | Prototype Protection | Handling of test vehicles | AL3 |
| 8 | Prototype Protection | Protection of prototypes during events and film or photo shoots | AL3 |
| 9 | Data Protection | Data protection in accordance with Article 28 (“Processor”) of the European General Data Protection Regulation (GDPR) | AL2 |
| 10 | Data Protection | Data protection in accordance with Article 28 (“Processor”) involving special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR) | AL3 |
What are the TISAX® Assessment Levels?
Each objective you choose corresponds to a specific TISAX® Assessment Level, and the overall level of your audit is set by the highest-level objective in scope.
For instance, if your assessment includes two objectives at AL2 and one objective at AL3, your assessment will be classified as an AL3.
As you’ll have noticed, only AL2 and AL3 appear in the chart above, but there is also an AL1, which is primarily intended for internal self-assessments. (A self-assessment is still part of an external assessment, but at AL1 your auditor simply verifies that you completed it without reviewing its content.)
But if you’re seeking that TISAX® label, you’ll need to undergo an AL2 or an AL3, and those involve different assessment elements:
- AL2: Involves a plausibility check of your self-assessment by your auditor, who will also request additional evidence and conduct stakeholder interviews to support the self-assessment.
- AL3: Builds upon the AL2 with a more comprehensive assessment that includes in-person observation of conditions and processes.
Full Breakdown of the TISAX® Assessment Levels and Their Components
To summarize what you should expect to happen during each level of assessment:
| Included in the Assessment? | AL 1 | AL 2 | AL 3 |
|---|---|---|---|
| Self-assessment | Yes | Yes | Yes |
| Evidence | No | Plausibility check | Thorough verification |
| Interviews | No | Via web conference | In-person, on-site |
| On-site inspection | No | At your request | Yes |
Other Scoping Factors for a TISAX® Assessment
Other than your assessment level, there are two other decisions you’ll need to make that will impact your TISAX® scope:
- Standard or Custom Type: You can use a predefined scope description (the path both Schellman and ENX recommend) or write your own.
- NOTE: 99% of assessments are Standard, as a Custom Scope cannot obtain a TISAX® Label.
- Locations: Depending on the size of your organization, you might only have one location or multiple—if it’s the latter, you could include multiple locations within the same assessment scope or perform multiple assessments for each location instead.
- How do you determine what’s right for you? It depends on whether each location needs the same assessment objectives. (A single scope requires that all associated locations have the same assessment objectives.)
5 Steps to Get Ready for a TISAX® Assessment
Making all these decisions to define your scope is the first big step in preparing for your TISAX® assessment. Once you’ve done all that, you’ll need to take several more steps to set yourself up more completely for success, no matter if you have a robust compliance program, or if this will be your first security assessment.
We break down the steps for you below:
- Define and Communicate Roles: Establish a dedicated project team and assign responsibilities as determined by your assessment level and the corresponding amount of effort.
- Perform a Gap Assessment: Identifying control gaps and missing requirements will serve as the guide for the rest of your preparation work and will focus your efforts accordingly.
- Build an Action Plan: This plan addresses the previously identified gaps and should be communicated to the responsible parties, with timelines for achieving full compliance.
- Implement Controls: Your chosen and necessary security measures should align with your anticipated assessment objectives.
- Document Policies and Procedures: Review documentation of your policies, procedures, and any necessary evidence of compliance to ensure that each meets the needs of the TISAX® requirements.
Bonus Step: Conduct a Readiness Assessment: You do have the option to undergo a readiness assessment that will test and validate your preparedness. (This can be done internally or through a third-party assessment firm like Schellman.)
Set Yourself Up for TISAX® Success
A TISAX® assessment represents an incredible opportunity to reap multi-faceted advantages—not only will you satisfy possible customer requirements, but you’ll also further secure your cybersecurity and achieve a competitive differentiator within the automotive industry.
But to get there, you’ll need to be adequately prepared, and now you know where to start. However, if you're still a little unsure and are interested in learning more about the TISAX® requirements or how to prepare for an assessment, we would be happy to provide you with a more thorough walk-through—contact us today.
About Kate Weber
Kate Weber is a Senior Manager over New Services with Schellman based in Chicago, IL. Prior to joining Schellman in 2023, Kate worked in consulting for 5+ years in the IT security and data analytics spaces. While focused on IT security, Kate specialized in Sarbanes-Oxley (SOX) 404 internal audits, ISO 27001 internal audits, HITRUST readiness, and SOC reporting. Kate is a Certified Information Systems Auditor (CISA), ISO 27001 Lead Implementer, and ISO 9001 Lead Implementer. She also previously held the HITRUST Certified CSF Practitioner (CCSFP) and Certified HITRUST Quality Professional (CHQP) certifications.