verified_user
Standardful
Homechevron_rightStandardschevron_rightTISAX
ActiveInternational Standardupdate Standard Updated: Apr 2024fact_check Fact checked: Jun 28, 2026

TISAX

Trusted Information Security Assessment Exchange — VDA Information Security Assessment

apartmentPublishing Organization:German Association of the Automotive Industry (VDA) / ENX Association

Standard Introduction

TISAX (Trusted Information Security Assessment Exchange) is an information security assessment standard developed by the German Association of the Automotive Industry (VDA) and administered by the ENX Association. Based on the VDA Information Security Assessment (ISA) questionnaire, it provides a standardized approach to evaluating information security in the automotive supply chain.

TISAX enables mutual recognition of security assessments between automotive manufacturers and their suppliers, eliminating costly redundant audits. With over 10,000 companies registered on the ENX portal, TISAX has become the de facto standard for information security in the European automotive industry and is increasingly adopted globally by OEMs and their supply chains.

directions_car

Automotive-Specific

Purpose-built for the automotive supply chain, based on VDA ISA (Information Security Assessment) questionnaire adapted from ISO 27001/27002 with automotive-specific requirements.

swap_horiz

Mutual Recognition

Assessment results are shared via the ENX portal, enabling mutual recognition between automotive OEMs and suppliers — eliminating redundant audits across the supply chain.

verified

Three Assessment Levels

Level 1 (self-assessment), Level 2 (remote verification for high protection), and Level 3 (on-site inspection for very high protection needs such as prototype data).

list_alt VDA ISA Assessment Modules

  • Information Security — based on ISO 27001/27002 controls
  • Prototype Protection — physical and organizational protection of prototypes
  • Data Protection — GDPR-aligned personal data processing requirements
  • Availability — IT and OT system availability requirements (new in ISA 6.0)
  • Third-party connection security
  • Incident and crisis management
  • Human resource security and awareness
  • Asset management and classification

Who Needs to Comply?

groups

Automotive suppliers, engineering partners, and service providers that handle confidential information from OEMs such as Volkswagen, BMW, Daimler, and other VDA members. Required for participation in most European automotive supply chains.

Key Requirements

1

VDA ISA Self-Assessment

Complete the VDA Information Security Assessment questionnaire covering all applicable modules. Assess maturity levels (0-5) for each control objective and identify gaps.

2

Assessment Provider Audit

Engage an ENX-approved audit provider to conduct the assessment at the required level. Level 3 requires comprehensive on-site inspection and in-person interviews.

3

Prototype Protection

If handling prototype components, vehicles, or design data, implement specific physical security measures including restricted areas, visitor controls, photography bans, and logistics security.

4

Label Maintenance

TISAX labels are valid for three years. Organizations must undergo re-assessment before expiration to maintain their label and supply chain eligibility.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare scope, labels & assessment level

Register in the ENX portal, define locations and assessment scope, identify customer-required TISAX labels, and determine whether assessment level 2 or 3 is needed. Confirm whether prototype protection, data protection, or availability modules apply.

2
Phase 2schedule Duration: 4-8 weeks

Gap analysis against VDA ISA

Complete the VDA ISA self-assessment, score maturity for applicable controls, and identify gaps in information security, supplier management, HR security, physical security, prototype protection, data protection, and availability.

3
Phase 3schedule Duration: 8-16 weeks

Implement controls and audit evidence

Remediate gaps, collect evidence, update policies, train owners, restrict prototype areas, and validate supplier and third-party controls. Engage an ENX-approved audit provider and prepare interviewees for the formal assessment.

4
Phase 4schedule Duration: Ongoing

Audit, share labels & maintain maturity

Complete the assessment, remediate findings, obtain TISAX labels, and share results with customers through the ENX portal. Maintain controls and plan reassessment before the three-year label validity expires.

Compliance Checklist

0 / 12

checklist Scope & assessment setup

checklist VDA ISA controls

checklist Assessment & label maintenance

TISAX vs ISO 27001 vs SOC 2

TISAX is optimized for automotive supply-chain trust and result exchange.

AspectTISAXISO 27001SOC 2
Primary audienceAutomotive OEMs and suppliersGlobal organizations seeking ISMS certificationService organization customers
BasisVDA ISA based on ISO 27001/27002 plus automotive requirementsISO management-system requirementsAICPA Trust Services Criteria
OutputTISAX labels shared through ENXAccredited certificateIndependent attestation report
Special focusPrototype, confidential information, supplier exchange, and automotive dataRisk-managed information securityControls relevant to service commitments

Common Misconceptions

cancel
Myth

TISAX is just ISO 27001 with a different name.

check_circle
Reality

TISAX uses automotive-specific VDA ISA requirements, label sharing, and assessment levels that are distinct from ISO 27001 certification.

cancel
Myth

Only factories need TISAX.

check_circle
Reality

Engineering, software, logistics, IT, marketing, and service providers may need TISAX if they handle confidential automotive information.

cancel
Myth

Once a label is issued, no maintenance is needed.

check_circle
Reality

Controls must be maintained and reassessment is needed before the label expires or when scope materially changes.

Penalties & Enforcement

warning

No direct legal penalties — TISAX is an industry-driven requirement. However, failure to obtain or maintain a valid TISAX label effectively disqualifies suppliers from working with major European automotive OEMs, resulting in loss of business relationships and contracts.

Frequently Asked Questions

What is TISAX?

expand_more

TISAX is the Trusted Information Security Assessment Exchange for the automotive industry. It is operated by ENX and based on the VDA Information Security Assessment, allowing assessment results to be recognized and shared among participating customers and suppliers.

Who needs TISAX?

expand_more

Automotive suppliers, engineering firms, prototype handlers, IT providers, logistics partners, and other service providers may need TISAX when OEMs or tier suppliers require it before sharing confidential information or awarding work.

What are TISAX labels?

expand_more

Labels represent the protection objectives and assessment results that a participant can share in the ENX portal. Examples include information security objectives and additional objectives such as prototype protection or data protection where applicable.

How does TISAX differ from ISO 27001?

expand_more

TISAX builds on ISO 27001 and ISO 27002 concepts but uses the automotive-specific VDA ISA questionnaire, label exchange model, and requirements for topics such as prototypes, data protection, and automotive supply-chain collaboration.

How long is a TISAX label valid?

expand_more

A TISAX label is generally valid for three years. Organizations should plan reassessment well before expiration because customer eligibility can be affected if the label lapses.

What is assessment level 3?

expand_more

Assessment level 3 is the most intensive assessment and normally includes on-site inspection and interviews. It is commonly required for very high protection needs, such as sensitive prototype or highly confidential customer information.

Can assessment results be reused?

expand_more

Yes. The point of TISAX is controlled exchange and mutual recognition of assessment results. Participants choose which customers can see their results in the ENX portal.

What happens if findings are identified?

expand_more

Findings must be remediated through corrective actions. Depending on severity, the audit provider may require follow-up evidence or reassessment before labels can be issued or maintained.

Official Documentation

View All

Implementation Timeline

new_releases
2017
TISAX established by VDA and ENX Association
update
2020
VDA ISA 5.0 released with expanded controls
sync
Oct 2022
VDA ISA 5.1 aligned with ISO 27001:2022
check_circle
Apr 2024
VDA ISA 6.0 effective with new availability module
verified
2025
All assessments conducted under VDA ISA 6.0

Related Categories