TISAX (Trusted Information Security Assessment Exchange)
An industry-specific information security standard for the automotive industry, managed by the ENX Association. It is based on the VDA ISA questionnaire and is demanded as a supplier requirement by OEMs such as VW, BMW, and Mercedes.
TISAX (Trusted Information Security Assessment Exchange) is an industry-specific information security assessment process for the automotive industry. It was launched in 2017 by the ENX Association to replace the previously inconsistent and time-consuming individual audits conducted by automotive manufacturers (OEMs). Instead of each OEM auditing its suppliers separately, the assessment is conducted once by an accredited audit service provider, and the results are shared with all participating OEMs via the TISAX platform.
What is the ENX Association?
The ENX Association is a European non-profit organization founded by leading automotive manufacturers and suppliers, including VW, BMW, Mercedes, Renault, PSA, and others. It operates the TISAX platform, accredits the TISAX audit providers, and uses the VDA ISA questionnaire, published by the VDA, as the technical basis for the assessment.
The VDA ISA Questionnaire
The technical basis of TISAX is the VDA ISA (Information Security Assessment) questionnaire from the German Association of the Automotive Industry (VDA). The questionnaire currently (Version 6.x) comprises around 70 control requirements in the following areas:
- Information Security Management (ISMS Fundamentals)
- Personnel Security and Awareness
- Physical Security
- IT and Information Security
- Security at Service Providers and Partners
- Protection of Prototypes and Vehicle Data (specific to AL3)
- Data Protection (integrated into the catalog)
The VDA ISA overlaps with ISO 27001 by roughly 80%. Companies with an existing ISO 27001 ISMS therefore have a significant head start in the TISAX assessment.
The 3 Assessment Levels
TISAX has three assessment levels (AL), which are agreed upon with the OEM depending on the sensitivity of the information exchanged:
| Level | Designation | Verification | Typical Use Case |
|---|---|---|---|
| AL 1 | Normal | Self-assessment only; the audit provider checks that it exists, not its content | Information with normal protection needs; rarely requested by OEMs |
| AL 2 | High | Plausibility check of the self-assessment by an accredited audit provider (document review and interviews, usually remote; on-site only where required) | Confidential design data, customer data |
| AL 3 | Very high | Comprehensive verification including an on-site audit | Prototypes, strictly confidential vehicle developments |
In practice, most OEMs require at least AL 2 from their direct suppliers.
The TISAX Process Step by Step
- Registration on the ENX platform (become a TISAX participant)
- Scope definition – Define the locations, information categories, and assessment level to be covered
- Self-assessment – Complete the VDA ISA questionnaire internally and identify gaps
- Engage an accredited audit provider (DEKRA, TÜV, Bureau Veritas, etc.)
- Assessment – Document review and interviews; an on-site audit at AL 3 (and at AL 2 where the scope requires it)
- Publication of the results on the TISAX platform (visible only to the participants you authorize)
- Sharing – Release the result labels to the OEMs that request them
The TISAX label is valid for 3 years and must then be renewed.
TISAX and ISO 27001
Establishing an ISO 27001-compliant ISMS is the most efficient foundation for TISAX:
- ~80% overlap between VDA ISA and ISO 27001 controls
- ISO 27001 fully covers all ISMS fundamentals of the VDA ISA
- TISAX-specific additions: Prototype protection (AL3), VDA-specific data protection requirements, OEM-specific additional requirements
- Companies with ISO 27001 certification typically require 40–60% less effort for the TISAX assessment
AWARE7 recommends addressing TISAX and ISO 27001 together: an integrated management system meets both sets of requirements with significantly less overall effort than two separate projects.