How to Prepare for Your TISAX® Assessment

In this new era of connected and autonomous vehicles, protecting sensitive data and ensuring the security of automotive systems has become of paramount importance. As the automotive industry evolves to confront such cybersecurity challenges, the Trusted Information Security Assessment Exchange (TISAX®) assessment has emerged as a crucial, helpful tool for staying ahead and safeguarding automotive security.

Your customers and organization alike will benefit from the increased security of data, information, and prototypes/manufacturing parts after you undergo an assessment, but you have to pass it first, and that requires proper preparation.

As one of the only TISAX® assessors in the United States, we’re not only ready to assess you but we can also offer some key insight on how to do that. By the end of this article, you’ll understand the key steps in preparing for a TISAX® Assessment and the level of effort required, as well as an overview of the assessment process.

The Importance of a TISAX® Assessment

If you’re rolling up your sleeves for a TISAX® assessment, you aren’t alone. Perhaps a reputable automotive manufacturer like Mercedes or Audi has requested that you validate your data security through a TISAX® assessment. Or maybe your organization is simply aiming to enter the market and wants to use TISAX® as your gateway.

But in fact, obtaining a TISAX® Label through an assessment is more than a mere customer requirement or market differentiator—instead, consider the process like installing a camera to eliminate a blind spot in a car.

If you’ve ever driven a car with a backup camera, you know how helpful they are—sure, you’ve probably also driven a car without one and made do, but once you’ve had the upgraded experience, it almost seems incomprehensible how anyone ever parallel parked before.

Just as backup cameras enhance not only the safety of those around us but also ourselves and our vehicles, undergoing a TISAX® assessment is much the same—it’s not just about the customer-facing benefit because it provides safety for your organization too.

But, like anything, it’s only as good as it’s built. To ensure “good” TISAX® preparation, let’s explore how you can ensure a seamless assessment on your way to achieving a TISAX® Label and a more secure posture.

What are TISAX® Assessment Objectives?

Preparing for a TISAX® Assessment starts with a clear understanding of the assessment objectives, as they play a crucial role in defining the scope of your assessment.

Selecting your objectives determines the relevant requirements for your information security management system (ISMS), so—essentially—selecting and understanding your objectives provides the basis for your entire assessment.

The eight objectives are outlined below – you must choose at least one but you may also select multiple, depending on your business, the type of data you handle, and customer obligations:

What are the TISAX® Assessment Levels?

Your chosen objectives—each of which corresponds with a specific TISAX® Assessment Level—will determine the overall level of your audit, as the level is determined by the highest level objective in scope.

For instance, if your assessment includes two objectives at AL2 and one objective at AL3, your assessment will be classified as an AL3.

As you’ll have noticed AL2 and AL3 are in the chart above, just know there’s also an AL1 not listed—AL1 is primarily intended for internal self-assessments. (While self-assessments are included during an external assessment, your auditor will simply verify that you completed it in an AL1 without reviewing its content.)

But if you’re seeking that TISAX® label, you’ll need to undergo an AL2 or an AL3, and those involve different assessment elements:

• AL2: Involves a plausibility check of your self-assessment by your auditor, who will also request additional evidence and conduct stakeholder interviews to support the self-assessment.
• AL3: Builds upon the AL2 with a more comprehensive assessment that includes in-person observation of conditions and processes.

Full Breakdown of the TISAX® Assessment Levels and Their Components

To summarize what you should expect to happen during each level of assessment:

Other Scoping Factors for a TISAX® Assessment

Other than your assessment level, there are two other decisions you’ll need to make that will impact your TISAX® scope:

• Standard or Custom Type: You can choose either a predefined scope description—both Schellman and ENX’s recommended—path or write your own.
  • NOTE: 99% of assessments are Standard, as a Custom Scope cannot obtain a TISAX® Label.
• Locations: Depending on the size of your organization, you might only have one location or multiple—if it’s the latter, you could include multiple locations within the same assessment scope or perform multiple assessments for each location instead.
  • How to determine what’s right for you? It’ll depend on whether each location needs the same assessment objectives or not. (A single scope requires that all associated locations have the same assessment objectives.) 

5 Steps to Get Ready for a TISAX® Assessment

Making all these decisions to define your scope is the first big step in preparing for your TISAX® assessment. Once you’ve done all that, you’ll need to take several more steps to set yourself up more completely for success, no matter if you have a robust compliance program, or if this will be your first security assessment.

We break down the steps for you below:

1. Define and Communicate Roles: Establish a dedicated project team and assign responsibilities as determined by your assessment level and the corresponding amount of effort.
2. Perform a Gap Assessment: Identifying control gaps and missing requirements, etc. will serve as the guide for the rest of the preparation work and will focus efforts accordingly.
3. Build an Action Plan: To address those previously identified gaps, this plan also should be communicated to the responsible parties with timelines for achievement of full compliance.
4. Implement Controls: Your chosen and necessary security measures should align with your anticipated assessment objectives.
5. Document Policies and Procedures: Review documentation of your policies, procedures, and any necessary evidence of compliance to ensure that each meets the needs of the TISAX® requirements.

Bonus Step: Conduct a Readiness Assessment: You do have the option to undergo a readiness assessment that will test and validate your preparedness. (This can be done internally or through a third-party assessment firm like Schellman.)

Set Yourself Up for TISAX® Success

A TISAX® assessment represents an incredible opportunity to reap multi-faceted advantages—not only will you satisfy possible customer requirements, but you’ll also further secure your cybersecurity and achieve a competitive differentiator within the automotive industry.

But to get there, you’ll need to be adequately prepared, and now you know where to start. However, if you're still a little unsure and are interested in learning more about the TISAX® requirements or how to prepare for an assessment, we would be happy to provide you with a more thorough walk-through—contact us today.