TISAX
Trusted Information Security Assessment Exchange
Overview of TISAX
TISAX, or Trusted Information Security Assessment Exchange, is a certification standard that is used to evaluate a company’s ability to meet all information security process standards throughout the entire organization.
Evaluation is done in the following areas:
- Physical work areas
- Data Storage
- Systems Development
- Systems Access
- Proprietary & Intellectual Property Management
While originally driven by European OEMs/Tier 1 suppliers, the certification is now a global standard and is required by ZF.
To learn more, please visit the ENX TISAX Homepage
Target of TISAX
The TISAX standard seeks to establish a mature Information Security level in the automotive industry by creating a mutually accepted certificate for suppliers under one global standard. By creating one common standard, the aim is to reduce cost, effort and complexity for all participants and allow for comparable results between participants.
TISAX Governance
The ENX Association is the governing organization behind the TISAX certification. This organization was formed in 2000 by European automobile manufacturers, automotive suppliers, and a number of national automobile associations to define and oversee industry standards. To learn more about ENX, please visit their website.
TISAX at ZF
In our connected and information-driven business environment, it is critical that proper information safeguards are in place. Many of ZF's customers have included TISAX requirements in their Terms & Conditions, which require us (and our supply chain) to prove a mature Information Security Management System (ISMS). ZF Group has already worked to certify many of our locations based on customer requirements and risk analysis. In 2020 we began implementing a TISAX certification requirement for those suppliers who met the applicable criteria. For suppliers deemed TISAX relevant by ZF, maintenance of a proper TISAX certification in SupplyOn Business Directory is a condition of sourcing.
ZF Group's commitment to the TISAX standard and our intention to implement this with our supply base were communicated in a supplier letter distributed in August 2020. Click here to read the communication.
TISAX Relevance
Not all suppliers are considered "TISAX Relevant" by ZF Group. For TISAX to be required, a supplier must meet one or more of the following criteria:
- Work with confidential ZF data
- Have system access to ZF information
- Obtain copies of sensitive ZF documentation (e.g. drawings)
- Provide parts specific to ZF requirements
If the necessary criteria are met, ZF Group will designate a supplier as "TISAX Relevant" and your supplier ID will receive a flag in our systems. You will be notified directly by your ZF Group buyer if certification is a requirement so that you can provide an existing certification or begin the process.
Assessment Level
There are three assessment levels outlined in the TISAX certification; however, ZF requires Assessment Level 3 (AL3).
The table below shows the 12 different TISAX assessment objectives which are currently offered by the certification body ENX. The assessment objective determines the applicable requirements that your information security management system (ISMS) has to fulfill. The assessment objective is entirely based on the type of data you handle on behalf of ZF. For the objectives marked with "ZF", whether they are mandatory has to be checked within the business relationship with ZF. For the module "Information Security", the ZF requirement is "Info very high" or "Strictly confidential" / "Very high availability".
Frequently Asked Questions
- Do you work with confidential ZF data?
- Do you have system access to ZF information?
- Do you obtain copies of sensitive ZF documentation? (e.g. drawings)
- Do you provide parts specific to ZF requirements?
If you answer "Yes" to any of these questions, you will need to obtain the TISAX certification. If you are unsure as to whether it is required, please contact your responsible ZF Buyer.
The core module is the Information Security Management System (ISMS), but depending on the business relationship with the supplier, the modules Data Protection and/or Prototype Protection may also be required.
- Registration costs can be found on the ENX website under TISAX Price List
- Audit costs will depend on the size of your organization and are negotiated separately with approved auditors. A list of currently approved TISAX Auditors can be found on the ENX website.
- Assessment ID
- Assessment Level (Should be AL3)
- Validity Date
Not registered with a SupplyOn account? Please visit our SupplyOn page to learn more about Digital Communication via this online business portal. While other modules have a cost, the SupplyOn Business Directory module is free to suppliers.