06. Aug 2024

Information security in the automotive industry

TISAX® deep dive: the 12 test objectives (labels)

As a rule, business partners who require you to obtain TISAX certification will specify the assessment objectives, i.e. the TISAX labels to be achieved. It is important to understand that the respective assessment level (AL) results from the selection and combination of the protection objectives and not vice versa. In practice, this means that instead of requesting an assessment level from you, your business partner should define the protection objectives.

As part of this CIS article series, we are focusing on the topic of TISAX® and highlighting the three assessment levels. You can find a basic introduction, e.g. on benefits and assessment, here, and a deep dive into the three assessment levels here.

There are currently 12 different TISAX labels: 6 general labels, 4 prototype protection labels and 2 data protection labels.

1. Info high

The "Info high" test target represents the lowest level of requirements. Business partners may require it as a result of their information classification.

 

2. Info very high

The test target "Info very high" can result from the information classification of the business partnership.

 

3. Confidential

The "Confidential" audit objective may be required if information with a high need for confidentiality is received or processed. It should be selected in particular if unauthorized disclosure of the information could potentially cause existential or considerable damage (e.g. reputational damage, criminal consequences or monetary damage).

 

4. Strictly confidential

The "Strictly confidential" test objective may be required if information with very high confidentiality requirements is received or processed or is classified as "strictly confidential" or "secret" according to the company's own classification scheme. This protection objective should be selected in particular if the unauthorized disclosure of the information could potentially cause existentially threatening or catastrophic damage (e.g. severe reputational damage, severe criminal consequences or very high monetary damage).

 

5. High availability

The "High availability" test objective is to be selected for companies if the production or delivery capability of the business partner depends on the availability of their products or services and a failure leads to considerable damage for customers within a short period of time. Example: just-in-time suppliers of production material.

6. Very high availability

The "Very high availability" test objective is to be selected for companies whose customers' ability to produce or deliver depends on the short-term availability of their products or services and where a failure within a very short period of time would cause significant damage to customers. Example: just-in-time suppliers whose failure is expected to result in a comprehensive production shutdown with a very long restart time.

 

7. Proto parts

The "Proto parts" test objective is required for companies that manufacture, store or receive components or parts classified as requiring protection at their own sites.

 

8. Proto vehicles

The "Proto vehicles" test objective is required for companies that manufacture vehicles classified as requiring protection at their own sites, store them or receive them for use. Requirements for physical and environmental safety (including the presence of secure garages or workshop areas), organizational requirements and specific requirements for handling prototypes are part of the test.

 

9. Test vehicles

The "Test vehicles" test objective is required for companies that are provided with vehicles classified as requiring protection to carry out tests and test drives (e.g. test drives on public roads or on test tracks). Organizational requirements and specific requirements for the handling of prototypes, including camouflage and the handling of vehicles during test drives in public and on test sites are part of the inspection. Requirements for the physical and environmental safety of the site are not necessarily part of the test.

 

10. Proto events

The "Proto events" test objective is required for companies that are provided with vehicles, components or parts classified as requiring protection for exhibitions and events (e.g. car clinics, events, marketing events) or film and photo shoots. Organizational requirements and specific requirements for handling prototypes, including requirements for exhibitions, events and film and photo shoots in protected areas and in public are part of the inspection. Requirements for the physical and environmental safety of the location are not necessarily part of the audit. If the locations to be tested are equipped accordingly, we recommend selecting the test objective "Protection of prototype vehicles".

 

11. Data

The "Data" test objective must be selected for companies if personal data is processed as a processor in accordance with Article 28 of the GDPR.

 

12. Special data

The "Special data" test objective must be selected by companies if special categories of personal data (e.g. health or religious affiliation) are processed as a processor in accordance with Article 28.

Do you have any questions or would you like to find out more?

CIS Certification & Information Security Services GmbH is the leading service provider in Austria when it comes to certifications in the field of information security, business continuity and data protection. Since 2021, CIS has been authorized to conduct audits according to the TISAX® standard. Thanks to a lot of concentrated know-how through cooperation on the European and international market and a broad network of specialist auditors, customer and service orientation are our top priorities. We look forward to hearing from you!
