TISAX® Assessment

Prove your information security standards with our TISAX® assessments

Demonstrate to your stakeholders with a TISAX® assessment that you meet the high security requirements of the German Association of the Automotive Industry (VDA) and the ENX Association. As a TISAX® audit provider approved by the ENX Association, we provide you with comprehensive support for your TISAX® assessment. You can rely on our many years of experience in the automotive industry.
Do you need a TISAX® assessment for your company? Please contact us!
Benefits of your TISAX® assessment
  • Avoidance of costly and time-consuming duplicate or multiple checks
  • Building trust in the supply chain
  • Improved opportunities for contracts and orders
  • Establishment of risk management and reduction of risks

TISAX® at a glance

The value chains in the automotive industry are characterized by their complexity and internationality. With increasing digitalization in the end product, but also during production, the demands on companies' information security are increasing at the same time.
With TISAX® (Trusted Information Security Assessment Exchange) a practice-oriented, robust assessment has been created that can be applied to all companies involved in the automotive supply chain and beyond. Our experts will guide you through your TISAX® assessment over the phone, remotely or on-site. In just a few steps, you can show your stakeholders that sensitive data and/or prototypes are in safe hands with you.
Your trusted partner for all your information security requirements
  • Thanks to our many years of experience in the automotive and information security sectors, we can provide you with expert support.
  • We have a global presence and support you wherever you are.
  • With our comprehensive portfolio of more than 40 accreditations, we offer you time and cost-saving combined certifications.
  • In co-operation with the ENX Association, DEKRA guarantees that assessments and test results meet the highest standards of objectivity and quality.
TISAX® is a registered trademark of the ENX Association.
Frequently Asked Questions
TISAX® distinguishes between three assessment levels (protection requirements), depending on what protection is required: normal (level 1 = self-assessment), high (level 2 = remote) and very high (level 3 = on-site). Inspection methods and efforts are determined by the established security needs.
Assessment Levels 2 and 3 always involve a third-party auditor. Assessment Level 1 does not, except in the case of a Simplified Group Audit, where a simplified check is carried out.
TISAX® is not limited to manufacturing companies but covers the entire supply chain of the automotive industry. Your individual need to implement TISAX® depends on the particular requirements of your client. If your client does not specifically approach you or change any accepted general terms and conditions, it is advisable to wait and see whether you will need a TISAX® assessment for further cooperation.
It is important to highlight, though, that TISAX® is becoming a prerequisite for participating in tender calls, which puts businesses that try to sit out security compliance at risk.
The TISAX® audit catalogue was derived from the international ISO 27001 standard and uses the controls defined therein. Instructions describe how the respective requirements (must, should, can) can be implemented, how processes are to be ensured, and which tools can be used. A major difference between the two standards is that under TISAX® a certain maturity level must be achieved to receive the label.
All employees must be included in the scope. This can also be, for example, an employee in production who works with customer information. For audit execution it is essential that information security contact points from IT, HR, Purchasing and Quality are established and support the auditee's information security governance team.
The duration of your assessment depends on the size of your company and the amount of travel activity associated with the inspection of your locations. Normally, 2-3 days on site are sufficient to complete the procedure for a company of average size.
From the closing meeting of the initial assessment until the completion of the final follow-up, you, the auditee, have a maximum of 9 months. If the assessment process is not completed by then, you will not receive a TISAX® label.
But let's go step-by-step
If your company meets all control requirements, you will be awarded a label for 3 years right away. In the case of minor non-conformities that are covered by validated corrective actions, temporary labels can be awarded for up to 9 months. Furthermore, in the case of major non-conformities, immediate risk-mitigating measures are required to enable downgrading to a minor non-conformity, if desired.
It always depends on the size and the activity of your company. Theoretically, you could cover all processes in a single document, as long as it is plausible. The faulty assumption is often that an assessment can be passed by exclusively presenting theory in terms of how things are done. This is indeed wrong. Matching implementation evidence is essential to present both VDA ISA requirement realization and ISMS performance.
Yes, our pre-assessment service enables you to find out how well you are positioned in information security and what tasks still need to be completed for a successful TISAX® assessment.
No, even though TISAX® was originally developed for the requirements of the automotive industry, the proof of information and cyber security is basically open to all industries. At DEKRA, companies outside the automotive industry are also welcome to use TISAX® for their security requirements at any time. However, prototype protection can only be applied to “non-automotive” participants to a very limited extent, as the requirements are aimed at secure product development processes and related physical working environments in the automotive industry.
The ENX Association is an association of automotive manufacturers, suppliers and associations and assumes central responsibility for the governance and control of the TISAX® procedure. As a non-profit association, it defines the contractual framework and organises the control functions to ensure the objectivity and quality of the assessments.
Update: VDA Information Security Assessment (ISA) catalog version 6 now available
On April 25th, 2024, the ENX Association published the latest version of the VDA Information Security Assessment (ISA) catalog, version 6.0.3. This catalog serves as the basis for assessing the information and cyber security of organizations within the framework of TISAX®.
The extensive revision of the ISA catalog brings numerous changes and improvements. These include:
  • Due to the subdivision into new controls, the topics of emergency management, business continuity management and backup and disaster recovery (BDR) are gaining more room for the ISMS in the company.
  • The data protection catalogue has been completely revised. The leading language is now English and several translations are planned.
Management System Certification is offered by DEKRA Certification GmbH and operates independently of all training and consultancy services offered by other DEKRA units.