TISAX Bureau Veritas

TISAX: Securing Information in the Automotive Industry

Jan. 20 2020

We live in an increasingly digital world, and our roads are no exception. Today’s connected vehicles leverage large amounts of information to offer groundbreaking new features such as self-parking and road hazard detection. Automotive players also exchange and manage manufacturing data along the entire value chain – from suppliers and service providers to end consumers.

Information security is key to keeping vehicles safe and limiting the consequences of data breaches and cyberattacks. The Trusted Information Security Assessment eXchange (TISAX) has been developed to respond to automotive players' unique challenges. In addition to providing a framework for evaluating companies for information security, TISAX comprises a dedicated digital platform where participants can share their results. This allows them to demonstrate their commitment both to information security and transparency to clients, suppliers and partners.

With great power comes great responsibility

The automotive industry is on the forefront of technological innovation. Automotive players handle vast amounts of sensitive data, making them a major target for hackers. 

Automotive stakeholders – from value chain clients to end customers – increasingly expect automotive players to take threats to information security seriously. Companies that fail to keep data safe run the risk of jeopardizing the security of their products, their reputation and – as a result – their revenues. As the industry moves towards a connected and autonomous future, it is crucial that automotive players demonstrate that they have the right systems in place to protect their data, and that of their stakeholders.

Demonstrate automotive information security with TISAX

TISAX was developed to enable automotive players to demonstrate their commitment to information security. Drawing on the VDA Information Security Assessment requirements, TISAX provides a framework for assessing the maturity of automotive players' information security systems based on industry-specific criteria. Participants select the scope of their TISAX assessment, and are awarded a corresponding label upon successful completion. TISAX also offers a secure online space where assessment results can be shared among automotive players, allowing companies both to prove and communicate their information security credentials.

TISAX assessments must be conducted once every three years. Cross-company recognition of results eliminates the need for multiple checks, saving all parties time and money. Participating companies can check the security performance of their suppliers, and gain in credibility in the eyes of their customers. The transparency fostered by TISAX’s exchange platform helps companies consolidate existing business relationships and build new ones.

VDA, the German Association of the Automotive Industry, is responsible for TISAX, while the European Network Exchange (ENX) Association monitors the quality of execution and of the assessment results. TISAX assessment is based on an interaction between three key players: the TISAX association, the participating company and a recognized audit provider like Bureau Veritas.

Assessments designed for flexibility, choice and range

Companies that participate in TISAX can choose between two different roles within the exchange model, according to their needs. “Passive participants” like OEMs and automotive manufacturers have the option of requesting that a partner company, such as a supplier, undergo assessment and share their results. As “active participants,” suppliers can submit to assessment at the request of a client or on their own initiative. Once the TISAX assessment is completed, active participants provide selected companies with access to their results.

TISAX allows participants to choose between three different scopes for assessment: standard, extended and narrowed. The pre-defined standard scope is suitable for the vast majority of automotive players and covers all processes and resources involved in collecting, storing and processing information. TISAX’s two custom scopes – extended and narrowed – offer participants the flexibility to be assessed on more or fewer criteria according to their level of maturity. The scope and duration of each TISAX assessment are determined according to the list of criteria to be dealt with, the objectives of the protection, the complexity of the Information Security Management System, and the number of sites involved.

Each assessment begins with a basic examination of information security, and can be extended to include the optional modules of connection to third parties, data protection, and prototype protection. The process culminates in the issuance of a TISAX label.

TISAX assessment with Bureau Veritas

Automotive players simply cannot afford anything other than maximum vigilance when it comes to information security. TISAX enables you to ensure and prove that you are taking every measure to keep stakeholder data secure and your vehicles safe.

Bureau Veritas is an officially recognized TISAX audit provider. Once a company has registered on the TISAX platform and selected Bureau Veritas as their audit provider, their first order of business is to select the appropriate scope, and perform a self-assessment. Bureau Veritas follows up with off-site and on-site audits. The participating company’s label is then confirmed, and can be shared via the TISAX online platform.