November 18, 2024

TISAX Requirements Checklist For German Automotive Suppliers

TISAX, or Trusted Information Security Assessment Exchange, is a security certification process that German automotive companies and suppliers strive to achieve. The German Association of the Automotive Industry (VDA) developed the certification.

Like other industry certifications, TISAX is not mandatory. Automotive manufacturers, including BMW and Audi, however, require their suppliers to achieve various assessment and maturity levels, and they require TISAX certification for all suppliers within their automotive supply chains. BMW and Audi will choose suppliers with TISAX certification over German suppliers, especially small-to-medium firms, that lack the certification. Getting TISAX certification helps companies stand out in the car parts market.

German suppliers wanting to sustain their TISAX certification need to monitor all their critical systems for cyberattacks. Suppliers continue to pursue managed detection and response (MDR) solutions from providers like Forenova to help meet ongoing TISAX operational requirements and improve their security posture.

Importance of TISAX for Automotive Suppliers

TISAX is a comprehensive information technology (IT) and cybersecurity certification built around many industry-specific security requirements, among them ongoing monitoring of all critical systems, including applications that access sensitive automotive design and manufacturing processes. To achieve TISAX compliance, automotive suppliers must complete several steps to ensure their various systems remain protected, their security operations capabilities are functioning, and their ongoing monitoring and reporting remain active and accurate.

10-Step Checklist for TISAX Compliance

  1. Understand TISAX Requirements and the VDA

    The first step in achieving TISAX is for the automotive supplier or manufacturer to understand why it is investing in this certification and at what level. Using the VDA assessment documentation, organizations need to consider which level of assessment they are aiming to achieve. This decision needs to align with the business objectives and long-term goals. If the goal of the supplier is to become a tier-1 provider to BMW or other industry leaders, it will need to achieve the highest level. If the provider's business goal is instead a basic level of engagement within an automotive supply chain, it may focus its initial efforts on the lowest level of assessment.

  2. Understanding the Various TISAX Assessment Levels

    The VDA documentation breaks down TISAX assessments into three levels.

    Level 1 Assessment

    Level 1 assessment for TISAX requires automotive firms to execute a self-assessment defined by the VDA ISA 6.0. Completing the self-assessment helps the organization understand its current cybersecurity protection capabilities, which policies it currently has in place, and which monitoring and response functions it is leveraging.

    Level 2 Assessment

    Level 2 assessment also requires automotive firms to complete a self-assessment and, in addition, to engage an external auditor to validate their findings. Completing a level 2 assessment extends the firm's ability to access a greater amount of sensitive data within the supply chain or directly from industry leaders.

    Level 3 Assessment

    Level 3 assessment requires extensive self-assessment, third-party penetration testing, vulnerability assessments, external third-party validation, and site visits with in-person interviews. Achieving level 3 assessment extends the supplier's ability to access the highest level of sensitive information within the supply chain or direct information from industry leaders. Firms seeking level 3 TISAX certification can expect the process to take up to three years.

  3. Conduct a Gap Analysis Using VDA

    After the firm has completed the appropriate assessment, the critical next step is a gap analysis based on the VDA documentation. Results from the self-assessment or third-party validation give the firm the crucial issues it needs to remediate.

    Based on the assessment results, the VDA offers an example of a gap analysis for firms to determine which problems need to be addressed to meet the various levels. The gap analysis helps establish an order of priority regarding which issues need to be remediated first, based on the assessment level the firm is seeking.

  4. Develop an Implementation Plan to Address Gaps

    Self-assessment or third-party validation might raise issues the firm will not need to address. If the firm is only seeking level 1, it may consider putting off any remediation. Firms seeking level 2 or 3 may consider resolving all relevant issues. The gap analysis sets the alignment and priority based on the VDA document. Organizations must remedy, in order of priority, any matters required to complete the target assessment maturity level.

    Here is a common step organizations should follow within their implementation plan:

    • Following the organization's current change control process, all changes to production systems need to be completed within the approved outage window.

  5. Implement or Update Existing ISMS Based on ISO 27001

    Once the firm has completed the remediation plan based on the gap analysis, the next critical step is implementing or updating its existing Information Security Management System (ISMS) to reflect the remediation and the additional security controls installed as a result of the gap analysis and remediation plan. Automotive firms looking to further their cybersecurity protection strategy continue to adopt the ISO 27001 framework.

    • TISAX is based on the ISO 27001 framework. While these standards share similar frameworks, ISO 27001 and TISAX have several differences.
    • ISO 27001 provides flexibility for automotive firms regarding which architectures and best practices they implement.
    • TISAX has specific assessment levels and requirements that all automotive suppliers and manufacturers must complete before receiving an assessment-level certification.

  6. Strengthen Cybersecurity Measures for TISAX

    Automotive firms must ensure they have successfully deployed several adaptive security control layers to meet TISAX compliance assessment levels. These layers include:

    • Access control
    • Endpoint threat protection
    • Data encryption
    • Email security
    • Cloud security for Microsoft Azure, Amazon Web Services, and Google Cloud

  7. Enhance Physical and Environmental Security Measures in Your Facility

    To achieve level 2 and level 3 assessment certifications, automotive firms must ensure they have implemented and validated their various physical and environmental systems, and that internal and external assessment teams have tested them. These systems include biometric systems for physical access, secured doors, data center badge readers, and remote access locks at the various factory locations.

  8. Assess Third-Party Risk and Dependencies for GDPR Compliance

    Along with meeting TISAX compliance standards, German automotive firms must comply with the General Data Protection Regulation (GDPR) for data privacy. Any personal information, including personally identifiable information (PII), needs to be protected. Automotive firms, especially those that collect customer information, must protect this information under GDPR.

  9. Conduct Security Awareness Training

    Automotive firms that invest in security awareness training as a cybersecurity defensive strategy will see a reduction in successful cyberattacks against their digital assets.

    As automotive suppliers become certified in TISAX, the need to protect their digital assets becomes even more significant. TISAX is critical for the automotive supplier to increase revenues and ecosystem alliances for future growth. Successful cyberattacks will impede its ability to remain an active partner within the German automotive supply chain.

    Security awareness training is critical to lowering the risk across the firm's various attack surfaces.

  10. Choose A TISAX Assessment Provider To Complete the Official Validation

    Automotive firms seeking a TISAX-certified assessment auditor should consult the ENX website for a list of AFNOR-certified auditing firms. Here is a short list of a few European Union (EU)-based auditing firms certified to complete TISAX assessment certification.

    • DEKRA provides certifications based on international and national standards, holding over 200 global accreditations for quality, safety, health, environment, energy, and information security management systems.
    • Deloitte is a global information security and cyber risk leader, leveraging its extensive automotive sector experience for TISAX assessments. Its certified global auditors conduct evaluations and integrated audits, such as ISO 27001 or BSI C5.
    • DQS is a top certification service provider active in over 60 countries with a robust automotive industry history. Based in Frankfurt/Main, Germany, DQS GmbH offers certification services for advanced information technology sectors.

Cost Considerations for TISAX Certification

TISAX certification costs encompass the auditor's fees, control implementation expenses, and consultant fees.

  • The initial registration fee is around €400.
  • Certification costs range between €10000 and €200000, depending on the firm's size, the assessment level sought, and the preparation work completed, including gap analysis, remediation, and alignment with ISO 27001.
  • External auditor fees range from €5000 to €10000.
  • Consultant costs may reach €20,000 to €50,000, especially with specialized compliance and remediation consultants.
  • Cost example: (528 hours * 70) + ((100 * 1 remediation consultant) * 80 hours) + €500 + €10000 = €55,460
  • If the automotive firm can complete its remediations based on its gap analysis, this will also help reduce the cost of expensive consultants.
  • Maintaining ISO 27001 also helps the automotive firm when it needs to recertify its TISAX assessment. ISO 27001 reduces redundant effort and lowers the cost of ongoing security operations.

What Role Does Managed Detection and Response Play Regarding TISAX?

Sustaining a secure enterprise network is a significant part of reducing the burden of the initial TISAX certification audit and of recertification. Automotive firms want to reduce the risk of attack against their most critical digital assets, so they invest in a partnership with an MDR company like Forenova to help protect the automotive industry supply chain.
