TISAX

TRUSTED INFORMATION SECURITY ASSESSMENT EXCHANGE

TISAX is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants. If you want to process sensitive information from your customers or evaluate the information security of your own suppliers, TISAX supports you in reducing efforts.

1. Registration: Gather information about your company and what needs to be part of the assessment.
2. Assessment: You go through the assessment(s), which are conducted by TISAX audit providers.
3. Exchange: You share your assessment result with your partner.

The current TISAX assessment objectives are:

| No. | Assessment objective | Short name |
|---|---|---|
| 1 | Handling of information with high protection needs | Info high |
| 2 | Handling of information with very high protection needs | Info very high |
| 3 | Protection of prototype parts and components | Proto parts |
| 4 | Protection of prototype vehicles | Proto vehicles |
| 5 | Handling of test vehicles | Test vehicles |
| 6 | Protection of prototypes during events and film or photo shoots | Proto events |
| 7 | Data protection according to Article 28 ("Processor") of the European General Data Protection Regulation (GDPR) | Data |
| 8 | Data protection with special categories of personal data according to Article 28 ("Processor"), with special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR) | Special data |

INFORMATION SECURITY ASSESSMENT CRITERIA CATALOGUES AND PROTECTION NEEDS TO TISAX ASSESSMENT OBJECTIVES

| No. | ISA criteria catalogue | Protection need | Assessment objective |
|---|---|---|---|
| 1 | Information security | high | Handling of information with high protection needs |
| 2 | Information security | very high | Handling of information with very high protection needs |
| 3 | Prototype protection | high | Protection of prototype parts and components |
| 4 | Prototype protection | high | Protection of prototype vehicles |
| 5 | Prototype protection | high | Handling of test vehicles |
| 6 | Prototype protection | high | Protection of prototypes during events and film or photo shoots |
| 7 | Data protection | high | Data protection according to Article 28 ("Processor") of the European General Data Protection Regulation (GDPR) |
| 8 | Data protection | very high | Data protection with special categories of personal data according to Article 28 ("Processor"), with special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR) |

MAPPING OF THE TISAX ASSESSMENT OBJECTIVES TO ASSESSMENT LEVELS

| No. | Assessment objective | Assessment level |
|---|---|---|
| 1 | Handling of information with high protection needs | AL 2 |
| 2 | Handling of information with very high protection needs | AL 3 |
| 3 | Protection of prototype parts and components | AL 3 |
| 4 | Protection of prototype vehicles | AL 3 |
| 5 | Handling of test vehicles | AL 3 |
| 6 | Protection of prototypes during events and film or photo shoots | AL 3 |
| 7 | Data protection according to Article 28 ("Processor") of the European General Data Protection Regulation (GDPR) | AL 2 |
| 8 | Data protection with special categories of personal data according to Article 28 ("Processor"), with special categories of personal data as specified in Article 9 of the European General Data Protection Regulation (GDPR) | AL 3 |

APPLICABILITY OF ASSESSMENT METHODS TO DIFFERENT ASSESSMENT LEVELS

| Assessment method | AL 1 | AL 2 | AL 3 |
|---|---|---|---|
| Self-assessment | Yes | Yes | Yes |
| Evidence | No | Plausibility check | Thorough verification |
| Interviews | No | Via web conference | In person, on site |
| On-site inspection | No | At your request | Yes |

INFORMAL DESCRIPTION OF THE MATURITY LEVELS

The ISA uses the concept of "maturity levels" to rate the quality of all aspects of your information security management system.

Level 0, Incomplete: A process is not available, not followed or not suitable for achieving the objective.

Level 1, Performed: An undocumented or incompletely documented process is followed and indicators exist that it achieves its objective.

Level 2, Managed: A process achieving its objectives is followed. Process documentation and process implementation evidence are available.

Level 3, Established: A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used sustainably and actively over an extended period.

Level 4, Predictable: An established process is followed. The effectiveness of the process is continually monitored by collecting key figures (key performance indicators). Limit values are defined at which the process is considered to be insufficiently effective and requires adjustment.

Level 5, Optimizing: A predictable process with continual improvement as a major objective is followed. Improvement is actively advanced by dedicated resources.

THE FOUR TYPES OF FINDINGS

A non-conformity to the requirements is called a finding. TISAX differentiates four types of findings:

1. Major non-conformity
   A major non-conformity creates a significant immediate risk to your information security, or creates doubts regarding the overall effectiveness of your information security management system.
   You have to: address major non-conformities immediately with appropriate compensating measures, and implement corrective actions without undue delay.
   Examples: systematic non-conformities; implementation deficits that create critical risks to the security of confidential information; implementation deficits that are not addressed by an appropriate corrective action.

2. Minor non-conformity
   A minor non-conformity does not create a significant immediate risk to your information security, and does not create doubts regarding the overall effectiveness of your information security management system.
   You have to: implement corrective actions without undue delay.
   Examples: isolated or sporadic mistakes; non-compliance or deficits in the implementation of requirements or your policies.

3. Observation
   An observation is a non-compliance with the requirements or your own policies that does not create an immediate risk to your information security but may do so in the future.
   You have to: carefully investigate, monitor, and evaluate possible risks, and decide how to handle the observation.
   Examples: n/a

4. Room for improvement
   A deviation that does not belong to the aforementioned types and does not create a risk to your information security, yet offers obvious room for improvement.
   You can decide whether or how to address this type of finding.
   Examples: n/a