{"version":1,"type":"rich","provider_name":"Libsyn","provider_url":"https:\/\/www.libsyn.com","height":90,"width":600,"title":"#244 What is TISAX?","description":" The modern automotive industry faces many new challenges. As vehicles evolve with more complex data requirements and supply chains become increasingly interconnected, major Original Equipment Manufacturers (OEMs) require certain Standards as a mark of trust from potential suppliers.  Currently, this trust is codified in TISAX (Trusted Information Security Assessment Exchange). For businesses that have not previously dealt with Standards, TISAX can be seen as a daunting regulatory hurdle. However, a TISAX label is more than a compliance check; it\u2019s a recognised mark that your organisation has robust information security measures in place specific to the automotive industry, including considerations for protecting key intellectual property and prototype innovations.  In this episode, Ian Battersby is joined by Emma Coxhill, isologist at Blackmores, to explore what TISAX is, who it applies to, what it requires and how OEMs and automotive suppliers can take their first steps towards earning a TISAX label.  You\u2019ll learn  \u00b7 What is TISAX?  \u00b7 Who is TISAX applicable to?  \u00b7 Why is TISAX important?  \u00b7 What are the 3 assessment levels within TISAX?  \u00b7 What are the 3 different subject areas within TISAX?  \u00b7 How is TISAX implemented?  \u00b7 Why does TISAX use labels instead of certificates \u2013 and how can people verify these?  
\u00b7 What is the ENX portal and how does this help with supplier onboarding?  \u00b7 Where should companies start if they want to earn a TISAX label?  Resources  \u00b7 Register for our TISAX webinar here  \u00b7 ENX  \u00b7 Isologyhub  In this episode, we talk about:  [02:05] Episode Summary \u2013 Emma Coxhill joins Ian to dive into the topic of TISAX, including who it\u2019s applicable to, why it\u2019s important and how businesses can make a start on earning a TISAX label.  [03:40] What is TISAX? TISAX was developed for the automotive industry by the German Association of the Automotive Industry, VDA, and it's managed by the ENX Association.  It\u2019s based on the ISO 27001 Annex A controls, and was created for the automotive industry because they were looking to standardise the framework for assessing and sharing information security results between manufacturers and their suppliers.  [04:40] Who is TISAX applicable to? While applicable to the automotive industry, it encompasses quite a lot of businesses within this. This is because it applies to any organisation that handles sensitive data relating to vehicle development, manufacture and marketing.  So, this can include any company providing car parts, vehicle software, cloud services, testing labs, engineering etc. Basically, any service provider to OEMs (original equipment manufacturers) will be applicable.  TISAX can also be applicable for those dealing with automotive-related events, marketing and photography, as new models are protected IP and related businesses will be required to prove that they have the correct security measures in place to ensure any potential prototypes are protected.  [06:50] Why is TISAX important? 
Mainly, it gives the automotive industry a trusted, standardised way to ensure information security across the entire supply chain.  Without it, the OEMs and suppliers can conduct their own audits, but it'll be their own interpretation of what is considered an adequate level of security. The industry saw this as an open door to chaos, so TISAX was created to protect highly confidential automotive information and support compliance with relevant data protection laws.  However, now it\u2019s not so much a \u2018nice to have\u2019 Standard as it is a requirement to trade, especially within Europe. It\u2019s fast becoming a tender requirement, and with many OEMs you won\u2019t make it past the procurement process without a valid TISAX label.  The ENX portal, where labels are registered, can also help speed up the on-boarding process. So, the whole TISAX system has been built for ease of access to help manufacturers choose suppliers that prioritise information security.  [09:00] What\u2019s the consequence of not having a TISAX label? A loss of opportunities. Those within the automotive industry that don\u2019t have a valid label will be seen as a security risk, leaving them at a competitive disadvantage.  [10:30] What are the 3 levels within TISAX? Unlike ISO 27001, TISAX has levels that depend on the sensitivity of the data you\u2019re dealing with.  Level 1: Self-assessment \u2013 Considered as \u2018normal risk\u2019 with general processing of data.  Level 2: Remote Audit \u2013 Applicable to those dealing with confidential information such as design documents or internal projects. This requires both a self-assessment and an audit.  Level 3: On-site Assessment \u2013 Highly confidential information, so this applies to those dealing with sensitive research, development information or prototype data etc. This requires a physical on-site assessment, as the qualified TISAX auditor will need to ensure that you have the appropriate physical security measures in place.  
Most businesses will require level 2, but if you\u2019re looking to work with high-spec OEMs, then level 3 is more desirable.  [12:00] What are the 3 subject areas within TISAX? The 3 main areas are as follows:  Information Security: This covers general information security controls such as relevant policies, access controls, risk management, incident handling and secure operations.  Prototype Protection: This focuses on safeguarding physical and digital prototypes, design data, test vehicles and confidential development information.  Data Protection: This ensures proper handling of personal data in line with legal requirements such as GDPR.  If you\u2019re just doing a self-assessment, you can pick the areas which are most relevant to you. If you\u2019ve been requested to earn a TISAX label, the requesting party will usually tell you their preferred subject areas.  Many will opt to take information security, but data protection is also quite common. The prototype section is more specialist and not applicable to all businesses.  [14:00] How is TISAX implemented? There are a few stages to gaining a TISAX label:  Awareness \u2013 Learn the requirements for TISAX and plan for the project ahead. This may include asking your clients what they expect of you from an information security perspective and working out costs for assessments and any additional support. The ENX website has a lot of really useful info, including a handbook and a copy of the self-assessment.  Preparation \u2013 This is where you need to define your TISAX scope and register yourself on the ENX portal. Your scope needs to specify your selected level (1, 2 or 3) and the subject areas you\u2019ll be focusing on. You also need to include the locations within scope, which have to be listed one by one (not simply \u2018all offices in the UK\u2019, for example).  Self-Assessment \u2013 The template for this can be downloaded from the ENX website. 
This is essentially a Gap Analysis that grades your current level of compliance with the TISAX requirements. It includes a scoring mechanism, where you\u2019ll be aiming to get a 2.71, as that\u2019s the pass rate. This self-assessment will highlight what gaps you need to fill before going ahead with an external assessment.  Implementation \u2013 This is where you will bridge those gaps highlighted in the self-assessment. This will involve creating the documentation required by TISAX and updating existing systems to align with the requirements. Before going ahead with external assessments, we highly recommend you conduct some internal audits to ensure you\u2019re ready.  External Assessment \u2013 Whether this is remote or on-site, you need an official TISAX auditor to perform the assessment. A list of approved TISAX auditors is available on the ENX portal; we recommend getting a few quotes to get the best price. We also recommend requesting a kick-off meeting so you can have a chat with your auditor about the requirements and how they\u2019d like to review the required evidence of compliance.  The assessment is similar to that of an ISO certification: it\u2019s broken down into 2 segments. One is a document\/evidence review and the other is done with both parties present to go through the findings, review further evidence and question any gaps found.  Again, similar to ISO, you may receive minor non-conformities, non-conformities, opportunities for improvement or observations in the final report. If you get any non-conformities, you\u2019ll need to provide an action plan within 2 weeks of your assessment to address them. You will then be allowed a few months to implement the corrections, which will be reviewed and approved by the auditor before you receive your label. If you only received opportunities for improvement, then you\u2019ll get a label straight away.  
[20:40] Why does TISAX use labels instead of certificates \u2013 and how can people verify these? Taking ISO 27001 as a comparison, that certification has a blanket framework that can apply to every business. While you can exclude small bits, the vast majority applies to everyone.  TISAX is scaled to the level of security you\u2019re dealing with. Businesses can pick both different levels and different subject areas for their Label.  Another key difference is that Labels can only be verified through the ENX portal; this is where other TISAX clients can see who has what Label, including the details of level and selected subject areas.  Businesses can still choose to state TISAX compliance on their website, but the details regarding the level of compliance only need to be seen by relevant individuals.  [22:05] What is the ENX portal and how does this help with supplier onboarding? The ENX portal is accessible through the ENX website. It does require a fee to make an account, but this is where everything related to TISAX is managed.  This is where you will upload your scope and findings, and it\u2019s where Labels are assigned and documented for suppliers to search for. There are options for how much information you want to disclose within those public searches, allowing you to require that others contact you for further information.  The ENX portal can help massively in reducing the amount of supplier questionnaires you need to fill in, as those looking for automotive suppliers will simply look up your TISAX Label to verify whether you have the required level of security to continue with the procurement process.  [24:50] Where should companies start if they want to earn a TISAX label? If you\u2019re just diving in, we recommend you do some research first to fully understand what you\u2019re expected to do to earn a Label and how much the process will cost.  
Next you\u2019ll need to define your scope, so look at what sites need to be included and identify relevant client requirements in relation to TISAX. This is to ensure you\u2019re going for the right Level and subject areas.  Next, evaluate your internal resources for the project and the related budget. As mentioned, you will need to pay to register on the ENX portal, and you need to consider Assessment costs and any additional support costs should you need consultancy services.  You\u2019ll also need to assign individuals to manage the project, which will include completing the self-assessment, updating your policies, procedures and documentation to align with the requirements and possibly conducting training if required.  This isn\u2019t a 2-week project; realistic timescales will vary, but generally if you\u2019re starting from scratch you\u2019re looking at 9-12 months. If you have ISO 27001 in place already, this could be reduced to 6-8 months.  As with anything Standard related, leadership commitment is a big factor, as you\u2019ll need their help and support to ensure the project\u2019s success. If you need additional help, reach out to consultants such as Blackmores to help guide you through the process.  [28:05] Upcoming TISAX Webinar \u2013 Join us on the 18th March 2026 at 2pm for a webinar where we\u2019ll dive into TISAX further and provide practical guidance on how to complete the VDA Self-Assessment.  Attendees will also get access to some freebies. So don\u2019t delay, register your place here today.  We\u2019d love to hear your views and comments about the ISO Show, here\u2019s how:  \u25cf Share the ISO Show on Twitter or Linkedin  \u25cf Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.  
Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List ","author_name":"The ISO Show","author_url":"https:\/\/blackmoresuk.com","html":"<iframe title=\"Libsyn Player\" style=\"border: none\" src=\"\/\/html5-player.libsyn.com\/embed\/episode\/id\/40225905\/height\/90\/theme\/custom\/thumbnail\/yes\/direction\/forward\/render-playlist\/no\/custom-color\/88AA3C\/\" height=\"90\" width=\"600\" scrolling=\"no\"  allowfullscreen webkitallowfullscreen mozallowfullscreen oallowfullscreen msallowfullscreen><\/iframe>","thumbnail_url":"https:\/\/assets.libsyn.com\/secure\/content\/198959165"}