Standardful
Active | International standard | Last updated: April 2024

TISAX

Trusted Information Security Assessment Exchange: VDA Information Security Assessment

Publishing organization: German Association of the Automotive Industry (VDA) / ENX Association

About the Standard

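TISAX (Trusted Information Security Assessment Exchange) is an information security assessment standard developed by the German Association of the Automotive Industry (VDA) and operated by the ENX Association. Based on the VDA Information Security Assessment (VDA ISA) questionnaire, TISAX gives the automotive industry a standardized mechanism for assessing information security and exchanging the results. The standard covers three assessment objectives: information security, prototype protection, and data protection. Assessment levels are normal (AL1), high (AL2), and very high (AL3), with AL3 requiring the most stringent on-site audit.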

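TISAX assessments are performed by audit service providers approved by the ENX Association. Results are shared among participants through the ENX portal and are valid for three years. The standard has become the de facto standard for the global automotive supply chain: major vehicle manufacturers (OEMs) such as Volkswagen, BMW, and Mercedes-Benz require their suppliers and partners to obtain TISAX labels. The VDA ISA questionnaire is based on ISO/IEC 27001 but adds extensions tailored to the automotive industry, with particular emphasis on the physical protection of prototype vehicles and components, the security of information exchange with third parties, and data protection for connected vehicles. More than 10,000 companies worldwide have completed a TISAX assessment.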

Automotive-Specific

Purpose-built for the automotive supply chain, based on VDA ISA (Information Security Assessment) questionnaire adapted from ISO 27001/27002 with automotive-specific requirements.

Mutual Recognition

Assessment results are shared via the ENX portal, enabling mutual recognition between automotive OEMs and suppliers — eliminating redundant audits across the supply chain.

Three Assessment Levels

Level 1 (self-assessment), Level 2 (remote verification for high protection), and Level 3 (on-site inspection for very high protection needs such as prototype data).

VDA ISA Assessment Modules

  • Information Security — based on ISO 27001/27002 controls
  • Prototype Protection — physical and organizational protection of prototypes
  • Data Protection — GDPR-aligned personal data processing requirements
  • Availability — IT and OT system availability requirements (new in ISA 6.0)
  • Third-party connection security
  • Incident and crisis management
  • Human resource security and awareness
  • Asset management and classification

Who Needs to Comply?

Automotive suppliers, engineering partners, and service providers that handle confidential information from OEMs such as Volkswagen, BMW, Daimler, and other VDA members. Required for participation in most European automotive supply chains.

Key Requirements

1. VDA ISA Self-Assessment

Complete the VDA Information Security Assessment questionnaire covering all applicable modules. Assess maturity levels (0-5) for each control objective and identify gaps.

2. Assessment Provider Audit

Engage an ENX-approved audit provider to conduct the assessment at the required level. Level 3 requires comprehensive on-site inspection and in-person interviews.

3. Prototype Protection

If handling prototype components, vehicles, or design data, implement specific physical security measures including restricted areas, visitor controls, photography bans, and logistics security.

4. Label Maintenance

TISAX labels are valid for three years. Organizations must undergo re-assessment before expiration to maintain their label and supply chain eligibility.

Penalties & Enforcement

No direct legal penalties — TISAX is an industry-driven requirement. However, failure to obtain or maintain a valid TISAX label effectively disqualifies suppliers from working with major European automotive OEMs, resulting in loss of business relationships and contracts.

Implementation Timeline

  • 2017: TISAX established by VDA and ENX Association
  • 2020: VDA ISA 5.0 released with expanded controls
  • October 2022: VDA ISA 5.1 aligned with ISO 27001:2022
  • April 2024: VDA ISA 6.0 effective with new availability module
  • 2025: All assessments conducted under VDA ISA 6.0
