TISAX / VDA Information Security - Trigonum - Management systems for information security and data protection based on Microsoft 365

TISAX / VDA Information Security

Our customers appreciate our all-inclusive TISAX service package, providing everything needed to efficiently implement the TISAX certification process.

VDA / TISAX Information Security Assessment: A Key Success Factor for Automotive Suppliers

We support you in building an ISMS according to TISAX requirements. With our guidance, you can obtain all the TISAX labels your partners require as proof of an implemented Information Security Management System. The “TISAX Model” (Trusted Information Security Assessment Exchange) was developed under the umbrella of the VDA (German Association of the Automotive Industry) to establish a uniform level of information security between OEMs, development partners, and suppliers. TISAX is a mutually recognized assessment and exchange mechanism for information security in the automotive industry, ensuring that all supply chain participants maintain comparable levels of information security.

OEMs, such as Volkswagen Group, BMW, or Daimler AG, audit key suppliers' ISMS status using external companies to conduct audits based on VDA/TISAX assessment questionnaires. The primary focus includes prototype protection, IT infrastructure, data protection, and relevant applications used during the development process.

Failure to meet the basic requirements of the VDA/TISAX Information Security Assessment can result in lost contracts for suppliers or exclusion from future projects. This can lead to millions in lost revenue or even threaten a company’s existence. The link between information security and business success is clear.

Information security’s value is now measurable in tangible terms, making it a vital component of a company's risk management strategy.


Why Implement TISAX with Trigonum?

Trigonum is among the few consulting firms that deeply understand the automotive industry in the field of information security.

With over 50 years of experience in the automotive industry, both on the OEM side (e.g., Porsche, Daimler Chrysler) and on the supplier side, we offer management experience as CIOs, IT leaders, process management heads, project leaders, and in various areas such as IT, procurement, development, production, and project management.

We have successfully guided many companies, from single-person GmbHs to global suppliers, through the TISAX assessment process. We offer comprehensive consulting:

  • We understand how companies operate and recognize the challenges of creating documentation and processes alongside daily business activities.
  • As consultants, we provide the methods, tools, and concepts to effectively implement TISAX requirements. Our experience as auditors (TÜV Rheinland, TÜV Süd) and IT organization leaders helps us balance standard requirements with daily business practicality.
  • We have supported the global implementation of ISMS according to TISAX, both onsite and remotely.
  • In short: Trigonum is the full-service partner for information security and data protection in the automotive industry.

We help you meet VDA / TISAX requirements!

Your Benefits:

  • Comprehensive methodological support for holistic risk assessment analyses
  • Independent assessment of your security level based on the VDA / TISAX questionnaire
  • Definition of security measures to achieve the VDA / TISAX required security level
  • Creation of necessary policies, documents, and processes to build an ISMS per VDA / TISAX requirements
  • Employee training and awareness programs
  • Support during audits to ensure you can respond appropriately to auditor questions and requirements
  • Guidance towards obtaining ISO 27001 certification

Contact us today to schedule a consultation on VDA / TISAX Information Security Assessment and Prototype Protection.

For more information and support on TISAX, contact us!

Direct Contact with Trigonum:
+49 40 3199 1618 0
Trigonum GmbH
Notkestrasse 9
22607 Hamburg


More Information about TISAX

TISAX Assessment Level

ASSESSMENT LEVEL CATEGORIES

In the TISAX assessment process, there are three assessment levels (abbreviated AL1 to AL3) that define the depth of the review:

• TISAX Assessment – Level 1 (Normal)
  This level consists of a self-assessment via the questionnaire only. Because no audit provider verifies the answers, it carries little weight and is rarely applied or requested by partners.
• TISAX Assessment – Level 2 (High)
  Achieved through a plausibility check of the self-assessment and a telephone interview conducted by an accredited audit provider. If “Third-Party Connection” is defined as an assessment objective, an onsite inspection is mandatory even at this level.
• TISAX Assessment – Level 3 (Very High)
  To reach Level 3, a comprehensive onsite inspection of the company and a document review by the accredited audit provider’s experts are required.

      It is advisable to aim for Level 3 during the first TISAX certification to be prepared for future requirements without causing additional work later on.


      GENERAL CONSIDERATIONS/INFORMATION ON ASSESSMENT LEVEL

      Information Classification and Protection Needs
      The classification of information (such as confidential or secret) and the related protection needs can vary from partner to partner. It is essential to understand the specific requirements of each partner for each location.

Higher assessment levels always include the requirements of the lower ones. For example, an assessment conducted at AL3 automatically covers the requirements of AL2 and AL1.

      If you must choose an assessment level based on your discretion, we recommend selecting Assessment Level 3, as it prepares you for future partner demands, especially when working with multiple partners that may have varying requirements. By choosing Level 3, you avoid managing different levels and conflicting requirements.

The effort required for an Assessment Level 3 assessment is not necessarily greater than for Level 2. While the audit provider’s fees for a Level 2 assessment may be lower, the internal workload can be higher: because the Level 2 review is performed remotely, the audit provider relies on a more comprehensive self-assessment and more detailed internal documentation as evidence. At Level 3, auditors can often be satisfied by being shown how a control is implemented onsite, supported by basic documentation, whereas without an onsite visit the same evidence must be fully documented. It is therefore not unusual to opt for Assessment Level 3 over Level 2.

TISAX Process

1. YOUR CUSTOMER REQUESTS A TISAX ASSESSMENT

The TISAX process usually begins when one of your customers requests that you demonstrate an information security management system (ISMS) in accordance with the requirements of the “VDA Information Security Assessment” (ISA). Often it is unclear which assessment level you need to achieve (please refer to our explanations of the different TISAX Assessment Levels).

2. REGISTRATION

Access to the TISAX portal, through which assessment data is exchanged, is granted through participant registration. Registration is a prerequisite for engaging an audit provider for an assessment.

On successful registration, a “TISAX SCOPE REGISTRATION EXCERPT” is generated for each registered scope and is available as a PDF file in German or English from the TISAX database. Multiple locations can be consolidated into one scope. The fully completed “Excerpt”, supplemented by additional information that the audit provider will request, forms the basis for calculating the assessment effort.

3. DEVELOPMENT OF THE ISMS ACCORDING TO TISAX REQUIREMENTS

The next step is to develop an information security management system and implement the TISAX requirements. Trigonum supports you in whatever form suits you, from accompanying coaching to taking over the role of external information security officer.

4. ENGAGEMENT OF AN AUDIT PROVIDER

Once your ISMS has reached a maturity level that allows for a successful external assessment, an audit provider is selected. Trigonum has experience with different providers in Europe, America, and Asia and can competently assist you in this process.

5. DOCUMENT REVIEW AND/OR ONSITE INSPECTION

To be ready for a TISAX assessment, your ISMS must be in top shape. To determine whether your ISMS meets the expected maturity level, you perform a self-assessment based on the ISA. The ISA (“Information Security Assessment”) is the criteria catalog issued by the “Verband der Automobilindustrie e.V.” (VDA) and is the automotive industry’s standard for information security assessments. Your existing documents are assigned to the relevant controls, and the completed criteria catalog is sent to the audit provider.

Depending on the assessment level, a remote document review and a telephone interview may be sufficient. For Level 3 assessments and for prototype protection, an onsite inspection is required.

6. IMPLEMENTATION OF CORRECTIVE ACTIONS (IF NEEDED)

Based on the assessment results, corrective actions may need to be implemented and their effectiveness confirmed by the audit provider before labels are issued.

7. ASSESSMENT REPORT AND EXCHANGE OF RESULTS

      The “TISAX Report”:

• Is updated and issued after each TISAX assessment.
• Documents the findings of your audit provider.
• Contains the overall assessment result (Compliant, Minor Non-Conformity, Major Non-Conformity).
• Includes all further information about your TISAX assessment (e.g., assessment objectives, scope, persons involved, and locations).

One of the main features of TISAX is that you decide which parts of the TISAX report you share with a partner or any other participant. The report is structured to allow this selective sharing: each successive section provides a greater level of detail, so you can release, for example, only the labels obtained without disclosing the detailed findings.

TISAX vs. CSMS

TISAX AND CYBERSECURITY MANAGEMENT SYSTEM (CSMS) – HOW ARE THEY RELATED?

The United Nations Economic Commission for Europe (UNECE) has responded to growing cybersecurity challenges by establishing the Task Force on Cyber Security and Over-the-Air issues. The resulting UNECE regulation requires Original Equipment Manufacturers (OEMs) to operate an audited Cybersecurity Management System (CSMS) and to pass a vehicle cybersecurity assessment as part of type approval. An automotive CSMS audit is the independent analysis and evaluation of such a CSMS, which is a systematic, risk-based management system that defines the organizational processes, responsibilities, and methods used to mitigate threats and protect vehicles from cyberattacks.

In contrast to the Information Security Management System (ISMS), which in the automotive industry is assessed through TISAX, the automotive CSMS specifically aims to protect road users and the public in the face of increasing vehicle connectivity and automation. An ISMS, on the other hand, focuses primarily on the security of information within the organization and ensures secure collaboration throughout the supply chain.

Companies that implement a CSMS for their components can therefore expect to be asked for TISAX labels as well, since an ISMS is the foundation for secure product development, manufacturing, and the secure operation of the applications and systems involved.

Tool Support

For the development and operation of a professional Information Security Management System (ISMS), we have developed our own tool for integrated management systems, “TRIGovernance.” The close integration of components such as document management and control, information classification, asset and risk management, processing descriptions, and audit and task management makes “TRIGovernance” a powerful collaboration platform for integrated management systems. Companies keep all information and solution components in one central location, which simplifies processes and leverages synergies when implementing several management systems.