Supplier Board

TISAX

Overview of TISAX

TISAX, or Trusted Information Security Assessment Exchange, is a certification standard that is used to evaluate a company’s ability to meet all information security process standards throughout the entire organization.


Evaluation is done in the following areas:

  • Physical work areas
  • Data Storage
  • Systems Development
  • Systems Access
  • Proprietary & Intellectual Property Management


While originally driven by European OEMs/Tier 1 suppliers, the certification is now a global standard and is required by ZF.


To learn more, please visit the ENX TISAX Homepage

Target of TISAX

The TISAX standard seeks to establish a mature Information Security level in the automotive industry by creating a mutually accepted certificate for suppliers under one global standard. By creating one common standard, the aim is to reduce cost, effort and complexity for all participants and allow for comparable results between participants.

TISAX Governance

The ENX Association is the governing organization behind the TISAX certification. This organization was formed in 2000 by European automobile manufacturers, automotive suppliers, and a number of national automobile associations to define and oversee industry standards. To learn more about ENX, please visit their website.

TISAX at ZF

In our connected and information-driven business environment, it is critical that proper information safeguards are in place. Many of ZF's customers have included TISAX requirements in their Terms & Conditions, which require us (and our supply chain) to prove a mature Information Security Management System (ISMS). ZF Group has already worked to certify many of our locations based on customer requirements and risk analysis. In 2020 we began implementation of a TISAX certification requirement for those suppliers who met the applicable criteria. For suppliers deemed TISAX relevant by ZF, maintenance of a proper TISAX certification in SupplyOn Business Directory is a condition of sourcing.


ZF Group's commitment to the TISAX standard and our intention to implement this with our supply base were communicated in a supplier letter distributed in August 2020. Click here to read the communication.

TISAX Relevance

Not all suppliers are considered "TISAX Relevant" by ZF Group. For TISAX to be required, a supplier must meet one or more of the following criteria:

  • Work with confidential ZF data
  • Have system access to ZF information
  • Obtain copies of sensitive ZF documentation (e.g. Drawings)
  • Provide parts specific to ZF requirements


If the necessary criteria are met, ZF Group will designate a supplier as "TISAX Relevant" and your supplier ID will receive a flag in our systems. You will be notified directly by your ZF Group buyer if certification is a requirement so that you can provide an existing certification or begin the process.

Assessment Level

There are three assessment levels outlined in the TISAX certification; however, ZF requires Assessment Level 3 (AL3).

The table below shows the 12 different TISAX assessment objectives which are currently offered by the certification body ENX. The assessment objective determines the applicable requirements that your information security management system (ISMS) has to fulfill. The assessment objective is entirely based on the type of data you handle on behalf of ZF. For the objectives marked with “ZF”, whether they are mandatory has to be checked within the business relationship with ZF. For the module “Information Security”, the ZF requirement is “Info very high” or “Strictly confidential” / “Very high availability”.

Frequently Asked Questions

Does ZF require TISAX of every supplier?

No, ZF Group does not require TISAX of all suppliers, but only of those deemed "TISAX relevant". These are suppliers who meet any of the following criteria:
  • Work with confidential ZF data
  • Have system access to ZF information
  • Obtain copies of sensitive ZF documentation (e.g. drawings)
  • Provide parts specific to ZF requirements

How do I know if ZF requires TISAX of my company?

Consider the following four questions to evaluate if your company might be relevant for TISAX certification:
  • Do you work with confidential ZF data?
  • Do you have system access to ZF information?
  • Do you obtain copies of sensitive ZF documentation? (e.g. drawings)
  • Do you provide parts specific to ZF requirements?

If you answer "Yes" to any of these questions, you will need to obtain the TISAX certification. If you are unsure as to whether it is required, please contact your responsible ZF Buyer.

What level of certification is required by ZF?

In general, ZF expects that suppliers that are relevant for a TISAX certification will conduct an Assessment Level 3 (AL-3).

The core module is the Information Security Management System (ISMS), but depending on the business relationship with the supplier, the modules Data Protection and/or Prototype Protection may also be required.

Is there a cost for TISAX?

Yes, there is a cost associated with TISAX certification, both in the form of registration with ENX and in the form of audit costs.
  • Registration costs can be found on the ENX website under TISAX Price List.
  • Audit costs will depend on the size of your organization and are negotiated separately with approved auditors. A list of currently approved TISAX Auditors can be found on the ENX website.

Does ZF cover the cost of supplier TISAX certification?

No, ZF does not cover the costs for suppliers to become TISAX certified. This certificate is becoming common in the industry and will be required by other automotive OEMs and Tier 1 suppliers as well.

Is it sufficient to have a single location certified? (e.g. main HQ)

No. A supplier must certify all locations which provide products and/or services to ZF Group.

Our company has a TISAX certification. How do I demonstrate this to ZF?

ZF requires that proof of TISAX certification be maintained in our suppliers' SupplyOn Business Directory account. Suppliers must upload the following:
  • Assessment ID
  • Assessment Level (Should be AL3)
  • Validity Date

Not registered with a SupplyOn account? Please visit our SupplyOn page to learn more about Digital Communication via this online business portal. While other modules have a cost, the SupplyOn Business Directory module is free to suppliers.

Where can I find more information about ENX, TISAX certification, the audit process, etc.?

The ENX website is the best place for current information related to ENX and the TISAX certification process.

Downloads

ZF Group Supplier Letter - TISAX

TISAX Information Packet for Suppliers