
TISAX assessment requirements terms

Source: YueFei Business Consulting     Date: 2022/2/22 18:37:27
1. Scope of application


These General TISAX Assessment Conditions (GTACs) apply to all contractual relationships between the Customer and Hangzhou Decai Certification Co., Ltd. (hereinafter referred to as "") regarding the services provided by Hangzhou Decai Certification Co., Ltd., in particular the assessment of information security management systems based on TISAX® requirements. These GTACs do not apply to the assessment and testing of products in the consumer goods industry, nor to the assessment of individual professional qualifications.


2. Terms


2.1 TISAX® (Trusted Information Security Assessment Exchange) is a general concept and system for the exchange and mutual recognition of assessment information.


2.2 The self-assessment report (VDA ISA) contains the information security requirements and the related criteria, structured according to the specified maturity levels.


2.3 "Assessment" is the procedure described in section 4 below.


3. Assessment


3.1 Appointment of auditors


3.1.1. The Contractor has the right to appoint internal and external auditors to provide the assessment services.


3.1.2. The Contractor undertakes to appoint only fully qualified and suitable personnel who have been approved as TISAX® auditors.


3.1.3. The Customer shall have the right to reject the appointed auditor only if the Company does not accept cooperation with the auditor or if the auditor is unfit to provide the service for other compelling reasons. The Client shall give immediate notice of, and justify, the rejection of the appointed auditor. In such cases, it is incumbent on the Contractor to appoint another suitable auditor to replace the rejected auditor.


3.1.4. If the auditor withdraws immediately before or during the assessment, the Contractor shall appoint a replacement within an appropriate time. Section 3.1.3 shall apply accordingly to the rejection of the replacement.


3.2 Evaluation date and deadline


3.2.1 The Client may specify a preferred date for the assessment, which the Contractor shall consider in light of its feasibility and capacity. The preferred date specified by the Customer is not binding and need not be adhered to. The Contractor and the Client shall agree on a binding date in good time before the planned assessment.


3.2.2 All assessments shall normally be completed within the defined period. The Client shall be informed of the time frame within which the assessment is to be performed. The Client's cooperation obligations regarding deadlines are as follows:


3.2.2.1 The Client shall contact the Contractor promptly to agree a date, so that the assessment can be completed on time.


3.2.2.2 The Customer shall complete the assessment in full. If, for any reason, the Customer cancels or does not complete an assessment that has been initiated, the assessment shall be deemed incomplete.


3.2.3. If the Client fails to reach an agreement on the audit date and the audit therefore cannot be carried out or completed on time, the Client shall have the right to terminate the contract for special reasons. Further claims for damages and other claims are not affected.


3.2.4. If serious incidents occur at the assessment location or in the surrounding area, such as force majeure, riots, armed conflict or terrorism, or if the Ministry of Foreign Affairs of the People's Republic of China has issued a travel warning for the region, the Contractor is released from its assessment obligations for the affected scope for the duration of the disturbance, even if the assessment was already planned. Each party is obliged to inform the other of such obstacles and to adjust its obligations in good faith to the changed circumstances.


4. Implementation requirements


4.1 Information about TISAX® evaluation


The TISAX® assessment is based on the requirements of the Information Security Assessment (ISA) questionnaire published by the German Association of the Automotive Industry (VDA). The currently available versions are divided into four subject areas: information security, prototype protection, data protection and third party connection. A prerequisite for performing the assessment is that the Customer registers the appropriate scope on the TISAX® portal (www.tisax.net). The scope and duration of the assessment depend on the scope registered and the assessment label required. The Contractor always performs a complete audit, i.e. all audit points in the relevant area are checked. An information security assessment (basic assessment) must always be performed. The content of each assessment is specified by TISAX®. Depending on the protection requirements and audit focus, the following assessment methods apply:

- Normal protection requirement: VDA ISA self-assessment (information security).
- High protection requirement: file-based assessment (information security) (1); document-based and site-based assessment for third party connection and prototype protection (1).
- Very high protection requirement: on-site assessment.

(1) An on-site assessment is required under certain conditions (countries on the TISAX activation list).






TISAX® uses assessment levels (ALs) to indicate the depth and method of assessment for each protection requirement:

- Normal protection requirement, AL 1: The Customer provides a VDA ISA self-assessment. The Contractor does not assess it.
- High protection requirement, AL 2: A plausibility check on the basis of the self-assessment, with evidence provided in a telephone interview or web conference. This procedure corresponds to the "file-based assessment".
- Very high protection requirement, AL 3: A comprehensive on-site assessment of all audit points by reviewing documents, conducting interviews, etc. This procedure corresponds to the "on-site assessment".


4.2 Scope of execution. The assessment languages are Chinese and English. The required documents are provided in English or Chinese, in consultation with the Client.


4.2.1 The TISAX® assessment service package comprises the following separate activities. The applicable assessment method (document-based or on-site) follows from the TISAX® assessment level.


4.2.1.1 Preliminary briefing and planning. The Client receives all relevant information about the scope and schedule of the assessment in a telephone or web conference.


4.2.1.2. Self-assessment. The Customer shall submit a complete VDA ISA self-assessment report covering each site involved in the assessment. The VDA ISA self-assessment report states the maturity level of each audit point and gives a practical description of how the requirements of each are implemented. The Contractor reviews the contents of the self-assessment report in preparation for the actual assessment. If the assessment is conducted through a Managed Service Provider (MSP), such as DCSO (Deutsche Cyber-Sicherheitsorganisation GmbH), the self-assessment report is provided on the MSP's platform.


4.2.1.3 Scheduling. The Contractor agrees an assessment date with the Client; several possible dates are proposed.


4.2.1.4 File-based assessment. A document-based assessment is an audit of all relevant audit points relating to the TISAX® requirements, based on documentation and other appropriate evidence, combined with a telephone interview or web conference with the Client. In addition to the information provided in the self-assessment report, the Client submits appropriate evidence for each audit point in the form of guidelines, process instructions, screenshots or photographs. The Contractor provides a template for entering the expected evidence. In preparation for the telephone interview, the auditor performs a plausibility check of the self-assessment report and the evidence. If the result is negative, the Customer and the Contractor agree on the further procedure. If the plausibility check produces a positive result, the information provided is verified during the interview. Where a document-based assessment is combined with an on-site inspection, verification of the information provided takes place at the Client's premises rather than during the telephone interview.


4.2.1.5 On-site assessment. An on-site assessment is an audit of all relevant audit points at the Client's offices or premises, as required by TISAX®. The main focus is checking the implementation of the procedures necessary for information security. To this end, documents and guidelines are reviewed and evaluated on site and interviews are held. In addition, the site is inspected to assess physical security.


4.2.1.6 Identification of weaknesses and risks. If weaknesses are identified during the assessment, the resulting information security risks are pointed out to the Client and summarised in the closing meeting. Possible improvements can be agreed with the auditor at this point. Alternatively, the Client may draft a corrective action plan afterwards.


4.2.1.7 Review of the corrective action plan. The Customer shall provide a corrective action plan to remedy the identified weaknesses. The auditor reviews the proposed actions and schedule and records the result in a report.


4.2.1.8 Preparation of the assessment report. After completion of the assessment, the auditor writes a report documenting all results of the assessment. The report is agreed between the Client and the auditor and sent to the Client.


4.2.2 Follow-up TISAX® assessment. The scope of the follow-up assessment depends on the number of documents to be examined. The Customer receives a separate quotation for this purpose. The following alternatives may be carried out.


4.2.2.1 Document-based follow-up assessment. The Customer provides the auditor with evidence of the implementation of the improvement measures, such as documents, screenshots and photographs. The Client collects and prepares the documentation of the implementation evidence, including the documented weaknesses, and sends it to the auditor in a timely manner. The auditor examines the evidence and records the results in a follow-up assessment report, which is provided to the Customer.


4.2.2.2 On-site follow-up assessment. Due to the complexity of the improvement measures to be implemented and the evidence to be provided, it may be necessary to carry out the follow-up assessment on site.


5. Issuance and use of assessment documents


5.1. If audit-related documents such as reports (collectively referred to as "Use Objects") are provided to the Customer, the Customer shall have the right to use such Use Objects in accordance with the provisions below.


5.2. The Contractor remains the owner of the Use Object and of any existing trademark rights and copyrights. Upon granting or handing over a Use Object, the Contractor grants the Customer a non-exclusive right to use it to the following extent.


5.3 If the scope of the contract includes a simplified group assessment, and if the sites within the scope have undertaken to comply with these GTACs as if they were the Customer themselves, the headquarters shall have the right to sublicense the use rights already granted to the sites. The sites are not entitled to sublicense further. If the criteria set out in Section 5.11 of the GTACs are met for a site, the Customer shall immediately withdraw that site's right of use and shall give the Contractor immediate notice of the matter. If a site meets the criteria of Section 5.11 of the GTACs, the headquarters' licence to sublicense to that site may be revoked without notice. Otherwise, the Client has no right to sublicense or transfer the right of use. The validity of a sublicence depends on the validity of the headquarters' licence.


5.4. Unless otherwise agreed, the Use Object is intended for use in the country in which the Customer is legally located. The Customer is solely liable for use abroad; any liability of the Contractor in this regard is excluded.


5.5. Use Objects may only be used in the form in which they are issued and delivered. No changes are permitted, in particular to design, colour or text. The Customer is not entitled to use only parts of a Use Object; a Use Object may only be used as a whole.


5.6. If the Customer also receives a Use Object in electronic form, it is entitled to change its size; the size may only be reduced down to a minimum font size of Arial 4. If the size is changed, the text of the Use Object must remain completely legible and the ratio of text to characters must not change.


5.7 The Customer shall ensure that the Use Object refers to the object that was audited and is presented in a manner that ordinary consumers understand as a mark of the activity, process, system or qualification that has been audited, assessed and/or certified. A Use Object may only be used to publicise the activities, processes, systems or qualifications to which it relates, and may only show that those activities, processes, systems or qualifications meet the requirements of their audit and/or assessment. The Customer shall not use the Use Object to advertise products or to create the impression that a product has been inspected. The Use Object shall not be used for audited items that have changed since the audit.


5.8 Use Objects shall not be deployed in a way that gives the impression that they apply to activities or sites outside the scope of the audit.


5.9. The Use Object shall not be used or referenced in a form that is likely to damage the Contractor's reputation or that may be considered misleading. The Customer is responsible for the specific use of the Use Objects, which may only be used in accordance with applicable law, in particular the law against unfair competition. The Customer shall not permit any misleading or unlawful use by third parties. The Contractor accepts no liability arising from improper use of the Use Object.


5.10. Use Objects may only be used for the period of validity of the TISAX label, and only as long as the TISAX label is not suspended.


5.11 The Contractor has the right to limit, suspend, revoke and/or withdraw the right of use at any time if: - the requirements for the issuance of the TISAX label are not (or are no longer) met, for example because false or incomplete information was provided during the audit process; - the Client fails to fulfil its obligations in relation to the assessment, such as obligations arising from contracts entered into or disclosure requirements, in particular payment obligations; - the TISAX assessment contract is terminated; - the Use Objects are used in violation of these terms and conditions of use; - for other reasons specified in the GTACs or this Contract.


5.12. If the TISAX label is revoked, the contract shall be terminated for special reasons. Further claims for damages and other claims are not affected.


5.13. Upon withdrawal of the TISAX label or expiry of its term, the Customer must cease all use of the Use Object.


5.14 The Contractor shall not be liable for any damage suffered by the Customer as a result of an authorised revocation of the TISAX label.


6. Use of logos


6.1 If a logo appears on a document, Section 5 of the GTACs applies. The Customer is not authorised to use the name, company name or logo associated with it.


6.2 The Customer shall not create the impression that it has a business or similar relationship with, can act on behalf of, or is in any way obligated to, the relevant company.


7. Use of the Certification Body logo. The Customer shall not be entitled to use the certification body's logo unless this is agreed in a separate contract.


8. Customer obligations


8.1 Preparation for the assessment. Prior to the assessment, the Client shall prepare the documents/information normally required for the audit and any additional documents/information requested, and shall submit them promptly and no later than the time of the assessment.


8.2 Implementation of the assessment


8.2.1. The Customer undertakes to provide all information and documents required for or related to the assessment truthfully, completely and in a timely manner. Documents shall be provided as copies; otherwise they must be readily available for inspection. The Client is obliged to provide at least a representative sample of the documents requested. Any costs associated with providing such documents shall be borne by the Client. The Client must inform the Contractor of all processes and facts that may be of significance for the performance of the assessment. Appropriate staff designated by the Client or its company must be available to answer questions throughout the assessment period.


8.2.2. The client is responsible for ensuring compliance with any relevant (legal, contractual, professional) privacy, confidentiality and data protection obligations relating to the disclosure of information to the auditor.


8.2.3. The Client is obliged to provide the auditor with appropriate office space for the on-site assessment.


9. Confidentiality and data protection


9.1 Confidentiality


9.1.1 "Confidential Information" means all technical, financial, legal and tax information, as well as design, invention, marketing or other information (including data, records and know-how) that the Customer makes directly or indirectly accessible to the Contractor in connection with the Contract or otherwise makes available to the Contractor.


9.1.2. Information is not confidential if it: - was already publicly known at the time of acquisition, or has subsequently become publicly known without breach of this Agreement; - was already known to the Contractor at the time of acquisition; - was obtained from a third party before or after this Agreement without breach of this Agreement, provided that the third party lawfully obtained the Confidential Information and passed it on without breach of any binding obligation of confidentiality; - was developed by the Contractor independently, without reliance on the original Confidential Information.


9.1.3. Confidential Information shall be treated as strictly confidential and shall not be forwarded or otherwise made available to third parties. Appropriate precautions shall be taken to protect Confidential Information. Confidential Information shall only be used for the preparation, evaluation and execution of the Contract and shall not be used in any other way for the Contractor's own benefit or that of third parties.


9.1.4 Confidential Information may be disclosed to the Contractor's staff, whether or not they are employees, to affiliated companies within the meaning of Section 15 AktG (German Stock Corporation Act) and their staff, whether or not employees, and to consultants who are bound by law to professional secrecy, provided that such persons are subject to appropriate confidentiality obligations.


9.1.5 The duty of confidentiality does not apply where: - the Customer has previously agreed in writing to the disclosure of the Confidential Information to a third party in a specific individual case; - there is an obligation to disclose the Confidential Information under applicable standards, laws, court rulings, enforceable orders of other government agencies, or requirements of certification bodies.


9.1.6 The Contractor has the right to retain copies of written documents submitted for inspection or provided for the purpose of the audit.


9.1.7. If Confidential Information is provided to a third party under the GTACs or other agreements with the Client, the Client/company under review shall be notified to the extent possible and permitted.


9.1.8. In the event of a complaint relating to the Customer, the Contractor, the Customer and the complainant will agree on which confidential information may be disclosed, in particular the subject matter of the complaint and its resolution.


9.1.9. The Contractor shall be authorised to retain Confidential Information for orderly record-keeping and filing, even after termination of the contract with the Client.


9.2 Data Protection


9.2.1. The Contractor stores, processes and uses the Customer's personal data for the fulfilment of orders and for its own purposes. Automated data processing systems are also used for this purpose. The Contractor undertakes to comply with statutory data protection regulations.


9.2.2. The Contractor is permitted to publish the Customer's address data and certificate-related facts within the scope of publication obligations imposed by law or by certification bodies. A reference list of all certificate holders is also maintained and made available to third parties.


10. Fees


The fees agreed in the contract are calculated on the basis of the company information provided by the Customer. The type, scope or content of the assessment to be performed may change if circumstances within the Client's company change or if the applicable standards are revised. In such cases, the concluded contract is no longer deemed to serve its purpose. Accordingly, the Contractor shall submit a new quotation for its services, including new fees and other conditions (if applicable). If the Customer accepts the new quotation, the revised contract applies. If the Customer does not accept the new quotation, it has the right to terminate the original contract for special reasons.


11. Subcontracting. The Client agrees that the Contractor may employ subcontractors.


12. Amendment of the contract agreement


12.1. The Contractor is entitled to amend the Contract agreement if the assessment requirements change and it is only able to provide the services agreed in the Contract in accordance with the standards of the amended Contract agreement.


12.2. The Client shall be notified of any amendment to the contract agreement at least three months in advance. The Client shall have the opportunity to object to the amendment within that period. If the Client does not raise an objection during this period, the amended contract agreement shall be deemed agreed between the parties. If the Client raises an objection, both parties have the right to terminate the contract within one month from the date of receipt of the notice of objection.


13. Invalidity of individual terms


If one or more of the terms specified in these certification conditions are invalid, the statutory provisions shall be deemed to apply in their place. In the absence of a statutory provision, the parties undertake to agree a new effective provision that most closely approximates the meaning of the invalid provision. The validity of the remaining provisions shall not be affected.

 


Editor in charge:Shanghai Yue Fei Enterprise Management Consulting Co., Ltd.
Copyright:http://www.yf-iso.com/ Please indicate the source of the reprint
