Standard Overview
TISAX (Trusted Information Security Assessment Exchange) is an information security assessment standard developed by the German Association of the Automotive Industry (VDA) and governed by the ENX Association. The standard is based on the VDA Information Security Assessment (ISA) questionnaire and provides a standardized method for assessing information security across the automotive supply chain.
TISAX enables automotive manufacturers and suppliers to mutually recognize security assessment results, eliminating costly duplicate audits. With more than 10,000 companies registered on the ENX portal, TISAX has become the de facto standard for information security in the European automotive industry and is increasingly adopted worldwide by OEMs and their supply chains.
Automotive-Specific
Purpose-built for the automotive supply chain, based on the VDA ISA (Information Security Assessment) questionnaire, which is adapted from ISO 27001/27002 and extended with automotive-specific requirements.
Mutual Recognition
Assessment results are shared via the ENX portal, enabling mutual recognition between automotive OEMs and suppliers — eliminating redundant audits across the supply chain.
Three Assessment Levels
Level 1 (self-assessment), Level 2 (remote verification for high protection), and Level 3 (on-site inspection for very high protection needs such as prototype data).
VDA ISA Assessment Modules
- Information Security — based on ISO 27001/27002 controls
- Prototype Protection — physical and organizational protection of prototypes
- Data Protection — GDPR-aligned personal data processing requirements
- Availability — IT and OT system availability requirements (new in ISA 6.0)
- Third-party connection security
- Incident and crisis management
- Human resource security and awareness
- Asset management and classification
Who Needs to Comply?
Automotive suppliers, engineering partners, and service providers that handle confidential information from OEMs such as Volkswagen, BMW, Daimler, and other VDA members. Required for participation in most European automotive supply chains.
Key Requirements
VDA ISA Self-Assessment
Complete the VDA Information Security Assessment questionnaire covering all applicable modules. Assess maturity levels (0-5) for each control objective and identify gaps.
Assessment Provider Audit
Engage an ENX-approved audit provider to conduct the assessment at the required level. Level 3 requires comprehensive on-site inspection and in-person interviews.
Prototype Protection
If handling prototype components, vehicles, or design data, implement specific physical security measures including restricted areas, visitor controls, photography bans, and logistics security.
Label Maintenance
TISAX labels are valid for three years. Organizations must undergo re-assessment before expiration to maintain their label and supply chain eligibility.
Penalties & Enforcement
No direct legal penalties — TISAX is an industry-driven requirement. However, failure to obtain or maintain a valid TISAX label effectively disqualifies suppliers from working with major European automotive OEMs, resulting in loss of business relationships and contracts.