Introduction
We are regularly entrusted with classified information by our customers and partners. Protecting this information in the course of our daily work has top priority at INCHRON. To be able to prove our information security efforts to our customers, we take part in TISAX, which allows our customers and partners to easily gain insight into those efforts.
What is TISAX
TISAX stands for "Trusted Information Security Assessment Exchange" and is administered by the ENX Association on behalf of the German Association of the Automotive Industry (VDA). Its main focus is assessing all information security efforts of a participating organization and communicating these efforts to partners.
It is a mechanism consisting of the following steps:
- Registration – required to be able to see shared assessment results and to be assessed,
- Audit provider selection – ENX cooperates with certified audit providers (such as DEKRA or TÜV) to conduct assessments,
- Assessment – the selected audit provider conducts the assessment according to the registered security scope,
- Exchange – the results of the assessment are made available on the TISAX platform.
Once a TISAX assessment is passed, a TISAX label is obtained, which is valid for 3 years. That is, organizations must schedule a new assessment before these 3 years have passed in order to keep their label.
The TISAX Assessment
TISAX is all about information security. The foundation of a TISAX assessment is the VDA ISA catalog, which is based on the international ISO/IEC 27001 standard but was adapted to the needs of the automotive industry.
The VDA ISA catalog contains controls (checks) for different protection needs:
- Information security (high and/or very high), e.g.:
  - Information Security Policies and Organization
  - Physical Security and Business Continuity
  - IT Security/Cyber Security
  - Supplier Relationships
- Prototype protection (optional)
- Data protection (optional)
How and which controls are assessed is determined by the registered assessment scope. All controls that belong to the registered scope must be implemented.
TISAX also uses the notion of maturity levels to define how the controls need to be implemented. These are also described in the catalog. To pass the assessment, each control must have at least a maturity level of 3 – established – which means the implementation must be, e.g., defined, documented, monitored, and – most of all – effective.
TISAX @ INCHRON
For INCHRON, participating in TISAX meant that we implemented an effective information security management system (ISMS). Our ISMS was assessed against the VDA ISA catalog version 5.0.4 by DEKRA Certification GmbH, acting as our audit provider.
Now, even more than before, information security is considered in every aspect of our organization:
- Information Security Policies and Procedures
- Risk Management
- Asset Management
- Business Continuity
- Supplier Management
Industry representatives who are registered with ENX can find INCHRON’s TISAX assessment details on the ENX Portal. To narrow down the search, the following information is provided:
Participant ID: PT79MP
Scope ID: S83787
If you have questions about INCHRON’s information security approach or are not registered with ENX but need INCHRON’s TISAX results, please contact infosec@inchron.com for more information.
Generally, ENX’s terms and conditions prohibit sharing TISAX results outside of the ENX portal. TISAX and TISAX results are not intended for the general public.
Any questions?
Feel free to contact us.