TISAX
Trusted Information Security Assessment Exchange — VDA Information Security Assessment
Standard Introduction
TISAX (Trusted Information Security Assessment Exchange) is an information security assessment standard developed by the German Association of the Automotive Industry (VDA) and administered by the ENX Association. Based on the VDA Information Security Assessment (ISA) questionnaire, it provides a standardized approach to evaluating information security in the automotive supply chain.
TISAX enables mutual recognition of security assessments between automotive manufacturers and their suppliers, eliminating costly redundant audits. With over 10,000 companies registered on the ENX portal, TISAX has become the de facto standard for information security in the European automotive industry and is increasingly adopted globally by OEMs and their supply chains.
Automotive-Specific
Purpose-built for the automotive supply chain, based on VDA ISA (Information Security Assessment) questionnaire adapted from ISO 27001/27002 with automotive-specific requirements.
Mutual Recognition
Assessment results are shared via the ENX portal, enabling mutual recognition between automotive OEMs and suppliers — eliminating redundant audits across the supply chain.
Three Assessment Levels
Level 1 (self-assessment), Level 2 (remote verification for high protection), and Level 3 (on-site inspection for very high protection needs such as prototype data).
list_alt VDA ISA Assessment Modules
- Information Security — based on ISO 27001/27002 controls
- Prototype Protection — physical and organizational protection of prototypes
- Data Protection — GDPR-aligned personal data processing requirements
- Availability — IT and OT system availability requirements (new in ISA 6.0)
- Third-party connection security
- Incident and crisis management
- Human resource security and awareness
- Asset management and classification
Who Needs to Comply?
Automotive suppliers, engineering partners, and service providers that handle confidential information from OEMs such as Volkswagen, BMW, Daimler, and other VDA members. Required for participation in most European automotive supply chains.
Key Requirements
VDA ISA Self-Assessment
Complete the VDA Information Security Assessment questionnaire covering all applicable modules. Assess maturity levels (0-5) for each control objective and identify gaps.
Assessment Provider Audit
Engage an ENX-approved audit provider to conduct the assessment at the required level. Level 3 requires comprehensive on-site inspection and in-person interviews.
Prototype Protection
If handling prototype components, vehicles, or design data, implement specific physical security measures including restricted areas, visitor controls, photography bans, and logistics security.
Label Maintenance
TISAX labels are valid for three years. Organizations must undergo re-assessment before expiration to maintain their label and supply chain eligibility.
Implementation Roadmap
Prepare scope, labels & assessment level
Register in the ENX portal, define locations and assessment scope, identify customer-required TISAX labels, and determine whether assessment level 2 or 3 is needed. Confirm whether prototype protection, data protection, or availability modules apply.
Gap analysis against VDA ISA
Complete the VDA ISA self-assessment, score maturity for applicable controls, and identify gaps in information security, supplier management, HR security, physical security, prototype protection, data protection, and availability.
Implement controls and audit evidence
Remediate gaps, collect evidence, update policies, train owners, restrict prototype areas, and validate supplier and third-party controls. Engage an ENX-approved audit provider and prepare interviewees for the formal assessment.
Audit, share labels & maintain maturity
Complete the assessment, remediate findings, obtain TISAX labels, and share results with customers through the ENX portal. Maintain controls and plan reassessment before the three-year label validity expires.
Compliance Checklist
checklist Scope & assessment setup
checklist VDA ISA controls
checklist Assessment & label maintenance
TISAX vs ISO 27001 vs SOC 2
TISAX is optimized for automotive supply-chain trust and result exchange.
| Aspect | TISAX | ISO 27001 | SOC 2 |
|---|---|---|---|
| Primary audience | Automotive OEMs and suppliers | Global organizations seeking ISMS certification | Service organization customers |
| Basis | VDA ISA based on ISO 27001/27002 plus automotive requirements | ISO management-system requirements | AICPA Trust Services Criteria |
| Output | TISAX labels shared through ENX | Accredited certificate | Independent attestation report |
| Special focus | Prototype, confidential information, supplier exchange, and automotive data | Risk-managed information security | Controls relevant to service commitments |
Common Misconceptions
TISAX is just ISO 27001 with a different name.
TISAX uses automotive-specific VDA ISA requirements, label sharing, and assessment levels that are distinct from ISO 27001 certification.
Only factories need TISAX.
Engineering, software, logistics, IT, marketing, and service providers may need TISAX if they handle confidential automotive information.
Once a label is issued, no maintenance is needed.
Controls must be maintained and reassessment is needed before the label expires or when scope materially changes.
Penalties & Enforcement
No direct legal penalties — TISAX is an industry-driven requirement. However, failure to obtain or maintain a valid TISAX label effectively disqualifies suppliers from working with major European automotive OEMs, resulting in loss of business relationships and contracts.
Frequently Asked Questions
What is TISAX?
expand_more
TISAX is the Trusted Information Security Assessment Exchange for the automotive industry. It is operated by ENX and based on the VDA Information Security Assessment, allowing assessment results to be recognized and shared among participating customers and suppliers.
Who needs TISAX?
expand_more
Automotive suppliers, engineering firms, prototype handlers, IT providers, logistics partners, and other service providers may need TISAX when OEMs or tier suppliers require it before sharing confidential information or awarding work.
What are TISAX labels?
expand_more
Labels represent the protection objectives and assessment results that a participant can share in the ENX portal. Examples include information security objectives and additional objectives such as prototype protection or data protection where applicable.
How does TISAX differ from ISO 27001?
expand_more
TISAX builds on ISO 27001 and ISO 27002 concepts but uses the automotive-specific VDA ISA questionnaire, label exchange model, and requirements for topics such as prototypes, data protection, and automotive supply-chain collaboration.
How long is a TISAX label valid?
expand_more
A TISAX label is generally valid for three years. Organizations should plan reassessment well before expiration because customer eligibility can be affected if the label lapses.
What is assessment level 3?
expand_more
Assessment level 3 is the most intensive assessment and normally includes on-site inspection and interviews. It is commonly required for very high protection needs, such as sensitive prototype or highly confidential customer information.
Can assessment results be reused?
expand_more
Yes. The point of TISAX is controlled exchange and mutual recognition of assessment results. Participants choose which customers can see their results in the ENX portal.
What happens if findings are identified?
expand_more
Findings must be remediated through corrective actions. Depending on severity, the audit provider may require follow-up evidence or reassessment before labels can be issued or maintained.
Official Documentation
TISAX Downloads
PDF • enx.com • Assessment Documentation
TISAX Portal
External Link • enx.com • Official TISAX Information
VDA Information Security
External Link • vda.de • ISA Questionnaire & Resources