Standardful
Active International Standard. Last Updated: Apr 2024

TISAX

Trusted Information Security Assessment Exchange — VDA Information Security Assessment

Publishing Organization: German Association of the Automotive Industry (VDA) / ENX Association

Standard Introduction

TISAX (Trusted Information Security Assessment Exchange) is an information security assessment standard developed by the German Association of the Automotive Industry (VDA) and administered by the ENX Association. Based on the VDA Information Security Assessment (ISA) questionnaire, it provides a standardized approach to evaluating information security in the automotive supply chain.

TISAX enables mutual recognition of security assessments between automotive manufacturers and their suppliers, eliminating costly redundant audits. With over 10,000 companies registered on the ENX portal, TISAX has become the de facto standard for information security in the European automotive industry and is increasingly adopted globally by OEMs and their supply chains.

Automotive-Specific

Purpose-built for the automotive supply chain and based on the VDA ISA (Information Security Assessment) questionnaire, which is adapted from ISO 27001/27002 with automotive-specific requirements.

Mutual Recognition

Assessment results are shared via the ENX portal, enabling mutual recognition between automotive OEMs and suppliers — eliminating redundant audits across the supply chain.

Three Assessment Levels

Level 1 (self-assessment), Level 2 (remote verification for high protection), and Level 3 (on-site inspection for very high protection needs such as prototype data).

VDA ISA Assessment Modules

  • Information Security — based on ISO 27001/27002 controls
  • Prototype Protection — physical and organizational protection of prototypes
  • Data Protection — GDPR-aligned personal data processing requirements
  • Availability — IT and OT system availability requirements (new in ISA 6.0)
  • Third-party connection security
  • Incident and crisis management
  • Human resource security and awareness
  • Asset management and classification

Who Needs to Comply?

Automotive suppliers, engineering partners, and service providers that handle confidential information from OEMs such as Volkswagen, BMW, Daimler, and other VDA members. Required for participation in most European automotive supply chains.

Key Requirements

1. VDA ISA Self-Assessment

Complete the VDA Information Security Assessment questionnaire covering all applicable modules. Assess maturity levels (0-5) for each control objective and identify gaps.

2. Assessment Provider Audit

Engage an ENX-approved audit provider to conduct the assessment at the required level. Level 3 requires comprehensive on-site inspection and in-person interviews.

3. Prototype Protection

If handling prototype components, vehicles, or design data, implement specific physical security measures including restricted areas, visitor controls, photography bans, and logistics security.

4. Label Maintenance

TISAX labels are valid for three years. Organizations must undergo re-assessment before expiration to maintain their label and supply chain eligibility.

Penalties & Enforcement

No direct legal penalties — TISAX is an industry-driven requirement. However, failure to obtain or maintain a valid TISAX label effectively disqualifies suppliers from working with major European automotive OEMs, resulting in loss of business relationships and contracts.

Implementation Timeline

  • 2017: TISAX established by VDA and ENX Association
  • 2020: VDA ISA 5.0 released with expanded controls
  • Oct 2022: VDA ISA 5.1 aligned with ISO 27001:2022
  • Apr 2024: VDA ISA 6.0 effective with new availability module
  • 2025: All assessments conducted under VDA ISA 6.0
