
Automotive | Information Security

TISAX:
Information Security in the Automotive Industry

TISAX is the automotive industry's standard for information security in the supply chain. OEMs such as BMW, Mercedes-Benz and Volkswagen require a valid TISAX label from their suppliers - without it, collaboration on protected projects is not possible. The standard is operated internationally by the ENX Association on behalf of the VDA.

Last updated: March 2026

Assessment Levels
AL 1-3
From self-assessment to on-site audit
Operated by
ENX Assoc.
On behalf of the automotive industry
Questionnaire
VDA ISA 6.0
Current version valid since 2024
Validity
3 Years
Then re-assessment required

Fundamentals

What is TISAX?

TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's standard for information security in the supply chain. Developed by the ENX Association in close collaboration with the VDA, it is today a mandatory prerequisite for suppliers processing sensitive information from OEMs.

What makes TISAX unique: the assessment result is determined once by an accredited audit service provider and then shared selectively with multiple customers through the ENX platform. Suppliers do not need a separate assessment for each OEM - a significant efficiency gain compared to individual supplier audits.

Content-wise, TISAX is based on the VDA ISA questionnaire and covers all essential information security domains - supplemented by automotive-specific topics such as prototype protection and data privacy in the automotive context.

ENX
ENX Association as Operator
The ENX Association operates the TISAX platform on behalf of the European automotive industry. It accredits audit service providers, manages labels and ensures secure transmission of assessment results between companies.
VDA
VDA ISA as the Foundation
The VDA Information Security Assessment (ISA) questionnaire is the substantive basis of every TISAX assessment. Version 6.0 is valid since 2024 and contains several hundred control questions covering information security, prototype protection and data privacy.
OEM
OEM Requirement in Supplier Contracts
BMW, Mercedes-Benz, Volkswagen, Stellantis and many other OEMs require suppliers to hold a valid TISAX label as a contractual prerequisite. The requirement comes through supplier portals or directly in framework supply agreements.
LBL
TISAX Label, Not Certificate
TISAX does not issue a certificate but a label, stored in the ENX platform and selectively shared with chosen partners. The label is valid for three years; after that, a re-assessment is required.

Audit Depth

The Three TISAX Assessment Levels

The required assessment level is determined by the protection needs of the information processed and the requirements of the customer. The higher the protection requirement, the more intensive the audit.

AL 1

Self-Assessment

Plausibility Check

The supplier self-assesses against the VDA ISA. An accredited audit service provider checks the plausibility of the responses remotely - without in-depth on-site verification.

Typical Use Case: Normal information without elevated protection needs. Entry level for simple supplier relationships.
  • Self-assessment by the supplier
  • Remote plausibility check
  • No personal interview
  • Lowest effort and cost
AL 2

Remote Assessment

For Normal Protection Objectives

An accredited audit service provider conducts a structured remote interview and evaluates the supplier's evidence. This level is the standard for the vast majority of TISAX assessments.

Typical Use Case: Processing confidential information with normal protection objectives (e.g., engineering data, internal processes).
  • Structured remote interview
  • Assessment by auditor
  • Evidence documentation required
  • Standard for most suppliers
AL 3

On-Site Assessment

For High Protection Needs

Complete assessment by an accredited audit service provider at the supplier's premises. Physical inspection, system checks and in-depth interviews are part of the assessment.

Typical Use Case: Prototype protection, unreleased vehicle designs, very high protection needs. Mandatory when required by OEM.
  • Physical on-site audit
  • System checks at the premises
  • In-depth interviews with responsible personnel
  • Highest audit intensity and cost

Process

TISAX Process: 5 Steps to the Label

From the decision to pursue TISAX to the issued label, there are five clearly structured steps. The total duration is typically 3-9 months - depending on the starting situation and the required assessment level.

01

Scope Definition and ENX Registration

The company determines which locations, systems and processes fall within the TISAX scope. Registration with the ENX Association follows, with selection of the assessment objective (information security, prototype protection and/or data privacy) and assessment level. ENX issues an access code for the platform.

02

Self-Assessment against VDA ISA

The company answers all relevant questions in the VDA ISA questionnaire on the ENX platform. Each control requires a maturity rating on the VDA ISA scale from 0 (incomplete) to 5 (optimizing), with level 3 being the target for a label, plus an indication of the evidence that backs the rating. This phase uncovers gaps and forms the basis for the subsequent gap analysis.

03

Gap Analysis and Remediation

Unfulfilled or only partially fulfilled requirements identified in the self-assessment are documented. Concrete measures are defined, prioritized and implemented for each gap. This step is typically the most resource-intensive - especially when no structured ISMS is already in place.
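To make steps 02 and 03 concrete, here is an added example of a small gap-analysis script over a constructed self-assessment. It is not code from this page, the VDA or ENX. It assumes the VDA ISA mechanics of a 0-5 maturity scale with target level 3, where ratings above the target are cut back to the target before the overall average is computed; the control IDs, titles and ratings are made up for illustration and are not VDA ISA control numbers.

```python
"""Gap analysis over a VDA ISA style self-assessment.

Added example for illustration: the control IDs, titles and ratings are
constructed and are not taken from the VDA ISA catalogue. Assumed mechanics:
maturity scale 0..5, target level 3, ratings above the target are cut back
to the target before the overall average is computed.
"""
from dataclasses import dataclass, replace

TARGET_MATURITY = 3   # target level per control for a TISAX label
MAX_MATURITY = 5      # scale runs 0 (incomplete) .. 5 (optimizing)


@dataclass(frozen=True)
class Control:
    control_id: str                 # hypothetical ID such as "IS-01"
    title: str
    maturity: int                   # self-assessed maturity level, 0..5
    must_fulfilled: bool            # all must-requirements implemented
    should_fulfilled: bool          # all should-requirements implemented
    should_deviation_justified: bool = False  # documented, accepted deviation

    def __post_init__(self) -> None:
        if not 0 <= self.maturity <= MAX_MATURITY:
            raise ValueError(f"{self.control_id}: maturity must be 0..{MAX_MATURITY}")


def cutback(level: int, target: int = TARGET_MATURITY) -> int:
    """Cut a rating above the target back to the target, so over-achievement
    on one control cannot mask a shortfall on another."""
    return min(level, target)


def result_with_cutback(controls: list[Control]) -> float:
    """Average maturity after cutback; 3.0 means every control is at target."""
    if not controls:
        raise ValueError("no controls in scope")
    return sum(cutback(c.maturity) for c in controls) / len(controls)


def gap_reasons(control: Control) -> list[str]:
    """Why a control is not yet label-ready; an empty list means no gap."""
    reasons = []
    if not control.must_fulfilled:
        reasons.append("must-requirement open")
    if not control.should_fulfilled and not control.should_deviation_justified:
        reasons.append("should-requirement open without justified deviation")
    if control.maturity < TARGET_MATURITY:
        reasons.append(f"maturity {control.maturity} below target {TARGET_MATURITY}")
    return reasons


def find_gaps(controls: list[Control]) -> list[tuple[Control, list[str]]]:
    """Gaps ordered as a remediation backlog: open must-requirements first
    (no label while any remains open), then the lowest maturity levels."""
    found = [(c, gap_reasons(c)) for c in controls]
    found = [(c, r) for c, r in found if r]
    found.sort(key=lambda item: (item[0].must_fulfilled, item[0].maturity))
    return found


def label_ready(controls: list[Control]) -> bool:
    return not find_gaps(controls)


def remediate(control: Control) -> Control:
    """Model the outcome of closing every gap on a control (step 03)."""
    return replace(control,
                   maturity=max(control.maturity, TARGET_MATURITY),
                   must_fulfilled=True, should_fulfilled=True)


# Constructed self-assessment (step 02) for a scope of eight controls.
SAMPLE = [
    Control("IS-01", "Information security policy", 4, True, True),
    Control("IS-02", "Risk management", 3, True, True),
    Control("IS-03", "Access management", 2, True, False),
    Control("IS-04", "Vulnerability management", 1, False, False),
    Control("IS-05", "Event logging", 3, True, True),
    Control("IS-06", "Security incident handling", 0, False, False),
    Control("IS-07", "Cryptography", 3, True, False, should_deviation_justified=True),
    Control("IS-08", "Physical security", 5, True, True),
]

if __name__ == "__main__":
    print(f"result with cutback: {result_with_cutback(SAMPLE):.2f}")
    for control, reasons in find_gaps(SAMPLE):
        print(f"{control.control_id} {control.title}: {'; '.join(reasons)}")
    print("label ready:", label_ready(SAMPLE))
    print("after remediation:", label_ready([remediate(c) for c in SAMPLE]))
```

The sorted gap list is the remediation backlog for step 03: controls with an open must-requirement come first because no label is possible while any of them remains open, while a should-requirement may stay open only with a documented and accepted justification (IS-07 in the sample). The cutback average is the figure to track over the project; it cannot be pushed to 3.0 by over-achieving on a few controls.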

04

Assessment by Accredited Audit Service Provider

An ENX Association-accredited audit service provider conducts the assessment - depending on the level as a plausibility check (AL 1), remote interview (AL 2) or on-site assessment (AL 3). The auditor evaluates all responses and evidence against the VDA ISA and produces an audit report.

05

TISAX Label and Exchange via ENX Portal

After a successful assessment, the TISAX label is stored in the ENX platform. The company can now selectively share the label with customers - without disclosing the full audit report. The label is valid for three years; the re-assessment should be planned 12 months before expiry.

Content

The VDA ISA Questionnaire: What Gets Assessed

The VDA ISA (currently Version 6.0, valid since 2024) is the heart of every TISAX assessment. It is divided into three modules, of which the first is mandatory.

Module 1 Mandatory

Information Security

Mandatory module for all assessments

  • Security policies and organization
  • Physical and environmental security
  • IT systems and networks
  • Identity and access management
  • Cryptography
  • Incident and vulnerability management
  • Business continuity
  • Compliance and auditing
  • Supplier and vendor management
Module 2

Prototype Protection

Optional module for prototype handling

  • Protection of unreleased vehicle models and parts
  • Photography and video restrictions
  • Physical security of prototype areas
  • Labeling and handling of prototype materials
  • Transport protection for test vehicles
  • Third-party requirements in prototype involvement
  • Incident management for prototype leaks
Module 3

Data Privacy

Optional module - GDPR context

  • Data privacy organization and responsibilities
  • Legal bases for data processing
  • Data subject rights and requests
  • Technical and organizational measures (TOMs)
  • Data processing agreements and third-country transfers
  • Data Protection Impact Assessments (DPIA)
  • Data breach management and reporting obligations

Synergies

TISAX and ISO 27001: Maximizing Synergies

TISAX and ISO 27001 overlap by approximately 80% in their substantive requirements. Both standards require a functioning Information Security Management System (ISMS), risk-based approach, access control, incident management, business continuity and regular review of security measures.

The TISAX-specific additions primarily concern the automotive context: prototype protection, requirements for production facilities with test vehicles and industry-specific supply chain management requirements. This additional 20% effort is very manageable for ISO 27001-certified companies.

We recommend an integrated approach for automotive suppliers: ISO 27001 as the strategic foundation, TISAX as the automotive-specific extension. This achieves both goals with maximum efficiency. Learn more about our consulting services under Security Consulting.

TISAX in Numbers

~3,000
Active TISAX labels worldwide (as of 2025)
~80%
Overlap in requirements with ISO 27001
VDA ISA 6.0
Current questionnaire version since 2024
3
Catalogues in the VDA ISA (information security, prototype protection, data privacy)
3 Years
Validity of the TISAX label until re-assessment

Tip: Companies with an existing ISO 27001 ISMS typically reduce their TISAX preparation effort by 60-70%. An integrated project saves time and cost - ask us about our ISO 27001 plus TISAX package.

„Implementing ISO 27001 and TISAX together is not double the work - it is strategic resource management. 80% of requirements overlap; those who leverage that achieve both goals faster and more cost-effectively than with two separate projects.“

Oskar Braun

ISO 27001 Lead Auditor (IRCA-certified) · AWARE7 GmbH

Why AWARE7 for Your TISAX Preparation

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your staff - sized for mid-sized companies, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and the BMBF. Our studies analyze millions of websites and tens of thousands of phishing e-mails and are published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany, without US cloud providers. No freelancers, no subcontractors in the value chain. All staff are regular employees subject to social insurance and bound by the same legal obligations. VS-NfD compliant on request.

Fixed price within 24 hours - predictable project timelines

Within 24 hours you receive a binding fixed-price proposal - no hourly-rate risk, no follow-up charges, no surprises. Thanks to a well-rehearsed team and standardized processes, you get a clear schedule with a defined start and end date.

Your dedicated contact person - reachable at any time

A personal project manager accompanies you from the initial consultation through to the re-test. You book appointments directly with your contact person - no ticket systems, no call center, no handovers between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mid-sized companies with 50-2,000 employees

Companies that need real security without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers & CISOs

Who have to make a convincing case internally and need a report written in board-level language for that, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

LLM

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognized OWASP LLM security standard.

BSI

BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for corporate management (German edition).

Frequently Asked Questions about TISAX

Answers to the most common questions about TISAX assessments, VDA ISA and preparation in the automotive supply chain.

TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's standard for information security in the supply chain. Developed by the ENX Association in collaboration with the German Association of the Automotive Industry (VDA), it is based on the VDA ISA (Information Security Assessment) questionnaire. TISAX enables suppliers to have their information security assessed once by an accredited audit service provider and share the result with multiple OEMs and Tier-1 suppliers through the ENX platform - without requiring a separate assessment for each customer. This makes TISAX the industry's counterpart to an ISO 27001 certification, but with automotive-specific extensions for prototype protection and data privacy in the automotive context.
A TISAX label is required by all companies acting as suppliers or service providers in the automotive industry that handle information requiring protection. This includes in particular: suppliers receiving prototype data, engineering drawings or vehicle designs; IT service providers operating systems for OEMs or Tier-1 suppliers; marketing agencies working with unreleased vehicle models; and all companies receiving a corresponding requirement from an OEM (BMW, Mercedes-Benz, Volkswagen, Stellantis, etc.). The requirement typically comes through supplier contracts or supplier portals. If your OEM customer requires TISAX, it is a contractual prerequisite for sensitive projects.
TISAX recognizes three Assessment Levels (AL) with increasing audit intensity: AL 1 (Self-Assessment with Plausibility Check): The supplier self-assesses against the VDA ISA; an accredited audit service provider checks the plausibility of the responses remotely. Used for normal information security requirements without elevated protection needs. AL 2 (Remote Assessment): An accredited audit service provider conducts a structured remote interview. This is the standard level for the majority of TISAX assessments with normal protection objectives (confidentiality, availability, integrity). AL 3 (On-Site Assessment): Complete on-site assessment by an accredited audit service provider. Mandatory for companies with high or very high protection requirements - particularly for prototype protection and processing highly sensitive vehicle data.
A TISAX assessment typically follows five phases: (1) Scope Definition and ENX Registration: The company defines the scope to be assessed (locations, systems, processes) and registers with the ENX Association. The assessment objective (e.g., information security, prototype protection, data privacy) and assessment level are also determined. (2) Self-Assessment: The company answers all relevant questions in the VDA ISA questionnaire and documents evidence. (3) Gap Analysis and Remediation: Unfulfilled requirements are identified and measures to close gaps are implemented. (4) Assessment by Accredited Audit Service Provider: Depending on the assessment level, a plausibility check, remote or on-site assessment is performed. (5) TISAX Label and Exchange: After a successful assessment, the TISAX label is stored in the ENX platform and can be selectively shared with customers.
TISAX assessment costs consist of several components: ENX registration fee (one-time, approx. EUR 200-500), audit service provider fees (depending on assessment level, scope and number of locations; typically EUR 3,000-15,000 for AL 2, EUR 8,000-30,000 for AL 3), and implementation consulting costs for preparation (varies widely by starting situation). Companies with an existing ISO 27001 ISMS typically have approximately 60-70% lower preparation effort since many requirements are already covered. AWARE7 provides an individual fixed-price proposal after a free initial assessment.
The VDA ISA (Information Security Assessment) is the questionnaire forming the basis of every TISAX assessment. Published by the German Association of the Automotive Industry (VDA) and regularly updated - VDA ISA 6.0 is currently valid (since 2024). The questionnaire is organized into three modules: (1) Information Security (mandatory module): Questions covering all fundamental security domains - organization, physical security, IT systems, identity management, cryptography, incident management, compliance. (2) Prototype Protection (optional module): Specific requirements for companies handling unreleased vehicle prototypes, parts or designs. (3) Data Privacy (optional module): GDPR-related requirements for processing personal data in the automotive context. Each control is rated on the VDA ISA maturity scale from 0 (incomplete) to 5 (optimizing); the target maturity level for a TISAX label is 3, which presupposes that a control's must-requirements are implemented and its should-requirements are either implemented or deviated from with a documented justification. Ratings above 3 are cut back to 3 when the overall result is calculated, so over-achievement on one control cannot offset a gap on another.
TISAX and ISO 27001 overlap by approximately 80% in their substantive requirements. ISO 27001 defines a general framework for an Information Security Management System (ISMS); TISAX concretizes and extends this for the specific needs of the automotive industry. An existing, certified ISO 27001 ISMS is the ideal basis for a TISAX assessment - many pieces of evidence can be directly reused. Conversely, a TISAX assessment does not cover all ISO 27001 requirements, as TISAX sets automotive-specific priorities (particularly prototype protection and the automotive supply chain). Companies pursuing both ISO 27001 and TISAX benefit from an integrated implementation approach that deliberately exploits synergies.
AWARE7 guides companies through the entire TISAX process: from the initial gap analysis against the VDA ISA through implementing identified measures to preparation for assessment by an accredited audit service provider. We specialize in leveraging synergies between ISO 27001 and TISAX - companies already pursuing or certified for ISO 27001 can meet both requirements simultaneously with our integrated approach. Our services include: VDA ISA self-assessment and gap analysis, action planning and implementation support, ISMS development with TISAX alignment, internal preparation for AL 2 and AL 3 assessments, and ongoing support through the three-year cycle.

Pass Your TISAX Assessment Successfully

AWARE7 guides you from gap analysis to the issued label - with an integrated approach that efficiently combines ISO 27001 and TISAX. Fixed-price proposal after a free initial assessment.

Free · 30 minutes · No obligation