
TISAX Certification

ENX Association

Webinar

São Bernardo do Campo | April 06, 2021 | Data classification: Internal


Agenda
Tisax - Trusted Information Security Assessment Exchange

1. What is Tisax
2. The TISAX process
3. Evaluation time
4. Terms / roles
5. Tisax scope
6. Objectives / levels of assessment and protection TISAX
7. Sharing / dissemination of results
8. Approved connection tools
9. Connection types
10. Cost types
11. Reference links

2 06.04.2021 | B-RS Group Security Region SAM


Tisax - Trusted Information Security Assessment EXchange

What is TISAX?
• It is the certificate/label and test model of VDA ISA
• The TISAX online platform allows participants to share evaluation data between their customers

What is ENX?
• It is an Association that monitors the quality of implementation and the results of evaluations
• Ensures a high degree of transparency and strengthens trust

What is VDA ISA?
• It is the VDA test catalog, is based on the internationally recognized ISO 27001 standard and includes special criteria catalogs for the automotive industry



Tisax Process

The TISAX process usually begins with the automaker's request to its suppliers to attest to a defined level of information security management in accordance with the requirements of the VDA Information Security Assessment (VDA ISA).

To fulfill this request, your organization must complete the TISAX process in 4 steps.

[Diagram: steps labelled 1st, 2nd, 3rd, 4th]

Filling out documents with business areas.
NDA VWB and Orga 27



Evaluation time
• The total duration of the TISAX process will depend on several factors.

• The wide variation in the sizes of organizations, the evaluation objectives and the respective readiness of an information security management system will contribute to the total time of the process.

• However, TISAX defines a maximum duration of 9 months for the entire evaluation process.



TISAX - Terms and Roles

Active participant
• Supplier/Auditee: organization that must demonstrate the effectiveness of its information security management system (ISMS) with the TISAX label at the request of one of its "passive participant" customers.

Passive participant
• Customer/Automaker: organization that asks its relevant business partners ("active participants") to demonstrate the effectiveness of their ISMS with the corresponding TISAX label.

Audit provider
• Providers accredited by TISAX and approved by ENX to carry out the evaluations.



Tisax Scope Excerpt
• Participant ID
• Scope ID
• Location ID

The selected consultancy will analyze which evaluations should be carried out, in which locations (sites), and the definition of the objectives to be audited, as agreed between customer/automaker and supplier.



Tisax
Objectives and levels of Tisax assessment
No. | TISAX assessment objective | Abbreviation | Assessment level (AL)
1 | Information with high protection needs | High Info | AL 2
2 | Information with very high protection needs | Very high info | AL 2
3 | Data protection | Data | AL 2
    According to article 28 ("Processor") of the European General Data Protection Regulation (GDPR)
4 | Data protection with special categories of personal data | Special data | AL 2
    According to article 28 ("Processor") with special categories of personal data as specified in article 9 of the European General Data Protection Regulation (GDPR)
5 | Protection of prototype parts and components | Proto parts | AL 2
6 | Protection of prototype vehicles | Proto vehicles | AL 2
7 | Handling of test vehicles | Test vehicles | AL 2
8 | Protection of prototypes during events and film or photo shootings | Events + Shootings | AL 2

• If you conduct test drives on public roads, assessment objective No. 7 ("Handling of test vehicles") is one of your assessment objectives.

• The greater the protection needs, the more the supplier should ensure that information security is treated as if it were its own. Therefore, TISAX distinguishes three assessment levels (AL).

• The assessment level defines the depth with which TISAX-accredited certifiers perform the audit process.



Tisax

Sharing and dissemination of the result of the TISAX Certification

At the request of a passive participant (customer/automaker), the contractor (supplier) shall provide detailed reports with the depth of detail requested, in accordance with the rules defined by ENX.

The contents of the TISAX report are structured in levels. Your organization can decide up to which level the automaker will have access.

The result of your organization's assessment is valid for three years, and there are no annual monitoring audits.

Assuming your organization is still a supplier to that automaker after 3 years, you'll need to renew your evaluation result by following the three-step process again.



Tisax
Approved connection tools

confidential | Secret

Connection with Suppliers: SimplX OFTP2 KVS ECA Connect KVS Connect

• Fill out the CSN Shortlist and send it (Supplier and VW Area)
• Contracting the connection with Operational Services (Supplier)
• User Request and Token (VW area IT key user should contact IT)



Tisax - Connection Types
• VW Group Standard for Connection

www.operational-services.de
E-mail: csn.service@o-s.de



Tisax - Cost types

ENX
• Cost of registering on the platform

Consultancy (accredited providers)
• Cost to carry out the audit

Connection (Operational Services)
• Contracting the connection service



Tisax
Reference links

Portal ENX Association
https://portal.enx.com/en-us/TISAX/

TISAX Handbook
https://portal.enx.com/tphen.pdf

Accredited providers
https://portal.enx.com/en-US/TISAX/xap/?country=BR

VDA requirements
https://www.vda.de/en/topics/safety-and-standards/information-security/information-security-requirements

Operational Services
www.operational-services.de



Thank you.

