- TISAX (Trusted Information Security Assessment Exchange) is the mandatory information security standard of the automotive industry, administered by the ENX Association.
- The basis is the VDA ISA questionnaire (currently version 6.0.3), which builds on ISO 27001 but adds industry-specific requirements for prototype protection and data privacy.
- Most OEMs require Assessment Level 3 (AL3), which involves an on-site audit by an accredited audit provider.
- The path to a TISAX label typically takes 6 to 12 months and costs a mid-market company between EUR 30,000 and 80,000 including consulting.
- Companies that already operate an ISMS based on ISO 27001 have approximately 70% of TISAX requirements covered and primarily need to add prototype protection and the data privacy module.
What Is TISAX and Why Does the Automotive Industry Need Its Own Standard?
The automotive industry is one of the most heavily networked sectors in the world. A single vehicle model is created in collaboration with hundreds of suppliers who exchange design data, prototype photos, test reports, and production plans. If a supplier becomes the victim of a cyberattack and design data for a yet-to-be-unveiled model is exfiltrated, the damage to the OEM can run into the billions.
This exact problem motivated the German Association of the Automotive Industry (VDA) to develop an industry-specific information security standard. TISAX stands for Trusted Information Security Assessment Exchange and was introduced in 2017 under the administration of the ENX Association. The idea behind it is simple yet effective: Instead of every OEM auditing its suppliers individually and every supplier being separately audited by each of its customers, there is a common standard with mutual recognition.
A TISAX assessment that your company has successfully passed is recognized by all OEMs and Tier 1 suppliers participating in the TISAX system. You don't need to do a separate audit for VW and another for BMW — one label covers all.
Who Needs TISAX?
Fundamentally, any company that processes confidential information from automotive manufacturers or their direct suppliers needs TISAX. This includes:
- Tier 1, Tier 2, and Tier 3 suppliers that receive design data, prototype specifications, or production information
- Engineering service providers involved in vehicle development
- IT service providers that operate or develop systems for OEMs or suppliers
- Logistics companies that transport prototypes or confidential components
- Tool manufacturers that produce molds and tooling for new models
In practice, you typically learn about the TISAX requirement from your customer. An OEM or Tier 1 supplier informs you that you must demonstrate a TISAX label within a certain deadline to remain eligible as a supplier. No label, no order — it's that simple in most cases.
The VDA ISA Questionnaire: The Heart of TISAX
The substantive foundation of TISAX is the VDA ISA questionnaire (Information Security Assessment). The current version is 6.0.3, and it forms the basis for both the self-assessment and the external audit. The catalog is based on ISO 27001 and ISO 27002 but goes significantly further in certain areas.
Structure of the Questionnaire
The VDA ISA is structured into three modules:
Module 1: Information Security
The core module, mandatory for all TISAX participants. It covers all requirements for the information security management system and closely follows ISO 27001/27002. The topic areas:
- Information security policies and organization
- Human resources and awareness
- Asset management and classification
- Access control and identity management
- Cryptography
- Physical security
- Operational security (malware protection, backup, logging, vulnerability management)
- Network security
- Supplier relationships
- Incident management
- Business continuity
- Compliance
Module 2: Prototype Protection
This module is only relevant if you work with physical or digital prototypes. It contains requirements that go well beyond classic information security and address protection against unauthorized photography, physical security of prototype rooms, and secured transport of prototype parts. Not every supplier needs this module, but if an OEM requires it, you must cover it in the assessment.
Module 3: Data Privacy
This module addresses the protection of personal data and goes beyond DSGVO (GDPR) by defining specific requirements for processing personal data in the automotive context. It is relevant if you process personal data on behalf of an OEM — for instance as an HR service provider, as an operator of connected car services, or as a developer of infotainment systems.
The Maturity Level Approach
A distinctive feature of the VDA ISA compared to many other standards: Assessment is not based on a "pass or fail" principle at the individual control level but through maturity levels. Each control question is rated on a scale from 0 to 5:
| Maturity Level | Designation | Meaning |
|---|---|---|
| 0 | Incomplete | The process is not implemented or does not fulfill its purpose |
| 1 | Performed | A process exists that fundamentally works but is not formalized |
| 2 | Managed | The process is documented, assigned, and controlled |
| 3 | Established | The process follows a standardized approach and is integrated into the overall organization |
| 4 | Predictable | The process is measured and quantitatively managed |
| 5 | Optimizing | Continuous improvement based on quantitative data |
For a successful TISAX assessment, you must achieve at least maturity level 3 in all control questions. This sounds like a high bar at first, but maturity level 3 essentially means: The process is documented, is being practiced, is organizationally anchored, and is regularly reviewed. That is exactly what a well-functioning ISMS should deliver.
Individual control questions may show a maturity level of 2 as long as an action plan to reach maturity level 3 exists and the audit provider considers it plausible and achievable. A maturity level of 0 or 1 typically leads to failing the assessment.
Assessment Levels: AL1, AL2, and AL3
TISAX recognizes three assessment levels that differ in audit depth and type:
AL1: Self-Assessment
Assessment Level 1 is a pure self-assessment without external audit. You complete the VDA ISA questionnaire yourself and share the result via the ENX platform with your business partners. An AL1 assessment is rarely accepted in practice because it provides no external validation. Most OEMs require at least AL2.
AL2: Plausibility Check
At Assessment Level 2, an accredited audit provider reviews your self-assessment for plausibility. This is done via telephone interview and document review, without an on-site visit. AL2 is significantly less intensive than AL3 but is accepted by only a few OEMs as sufficient. It is primarily suited for companies that do not process highly confidential data.
AL3: Comprehensive On-Site Audit
Assessment Level 3 is the standard that most OEMs require. An accredited audit provider conducts a complete on-site audit where documentation, processes, and technical implementation are examined in detail. Interviews with employees, facility walkthroughs, and spot-check verification of technical measures are part of the audit scope.
In practice, you should assume you need AL3 unless your customer has explicitly communicated that AL2 is sufficient. If uncertain, ask first rather than take the cheaper route and then discover that the label isn't accepted.
The Audit Process Step by Step
The path to the TISAX label follows a clearly defined process in five phases:
Phase 1: ENX Registration
Everything begins with registration on the ENX portal (portal.enx.com). You create a company account, select the locations to be audited, and define the assessment scope. The scope is determined by the audit objectives your customer specifies — typically "Information Security" and possibly "Prototype Protection" or "Data Privacy."
After registration, you pay the ENX participation fee. This currently amounts to approximately EUR 4,450 per assessment scope and is independent of the audit provider's costs.
Phase 2: Self-Assessment
Before an external auditor arrives, you must work through the VDA ISA questionnaire as a self-assessment. This means: For each control question, you document what maturity level your company currently achieves, what evidence exists, and what measures may still need to be implemented.
The self-assessment serves two purposes: It prepares you for the external audit, and it is the basis on which the audit provider plans their audit. The more thoroughly you conduct the self-assessment, the more efficiently the actual audit proceeds.
Phase 3: Selecting the Audit Provider
You select an ENX-accredited audit provider. On the ENX portal, you'll find a list of all approved providers. Important selection criteria are industry expertise, regional availability, scheduling flexibility, and of course price.
The audit provider's costs depend on company size, number of locations, and scope. For a mid-market company with one location and standard scope (information security, no prototype protection), you should expect EUR 8,000 to 15,000 for the initial audit.
Phase 4: The Assessment (Audit)
The audit provider conducts the assessment. For AL3, this means an on-site audit lasting one to three days depending on company size and scope. The typical sequence:
Day 1: Opening and Management System
The auditor reviews the ISMS documentation: security policies, risk assessment, action plans, management review protocols, and training evidence. They conduct interviews with the CISO, executive management, and IT manager.
Day 2: Technical Audit and Processes
The auditor reviews technical implementation: network security, access controls, patch management, backup concept, encryption. They conduct walkthroughs of server rooms and office spaces and review physical security. Interviews with departments on operational processes such as incident management, change management, and supplier management follow.
Day 3 (for larger scope): Prototype Protection and Closing
If prototype protection is in scope, prototype rooms are visited, access controls reviewed, and photography policies verified. The closing meeting concludes the audit, where the auditor presents preliminary findings.
Phase 5: Results and Label
After the audit, the audit provider creates a report and enters the result on the ENX platform. There are three possible outcomes:
Conformant: All control questions achieve at least maturity level 3. You receive the TISAX label, valid for three years.
Temporarily conformant (with conditions): Individual control questions only achieve maturity level 2, but a plausible action plan exists. You receive a temporary label and must pass a follow-up audit within nine months to obtain the full label.
Non-conformant: Essential requirements are not met. You receive no label and must repeat the process after resolving the deficiencies, including a new assessment.
Timeline: From Decision to Label
How long the path to the TISAX label takes depends heavily on your company's starting position. Here are three typical scenarios:
Scenario 1: No Existing ISMS (9 to 12 Months)
If your company has not previously operated a formalized ISMS, you must start from scratch: write policies, conduct risk assessments, implement technical measures, conduct training, and establish processes. This typically takes nine to twelve months when driven forward with adequate resources.
| Phase | Duration | Activities |
|---|---|---|
| Preparation | Months 1-2 | Gap analysis, project planning, appoint CISO, engage executive management |
| ISMS build | Months 3-6 | Create policies, risk assessment, asset inventory, classification |
| Implementation | Months 5-9 | Technical measures, training, operationalize processes |
| Maturity period | Months 8-10 | Practice processes, collect evidence, internal audit |
| Assessment | Months 10-12 | ENX registration, self-assessment, external audit |
The "maturity period" in the table is a point many underestimate. The auditor wants to see that processes don't just exist on paper but are being practiced. If you only approved a policy last week and have no evidence of implementation, the auditor will flag it. Plan at least two to three months during which the ISMS generates evidence in operational practice.
Scenario 2: Existing ISO 27001 ISMS (4 to 6 Months)
If you are already ISO 27001 certified, you have a significant head start. Approximately 70 percent of VDA ISA requirements are covered by a functioning ISO 27001 ISMS. The remaining 30 percent primarily concern:
- Automotive-specific information classification (confidential, strictly confidential per VDA scheme)
- Prototype protection (if required)
- The data privacy module (if required)
- Some detailed requirements that ISO 27001 formulates more generally than the VDA ISA
In this scenario, four to six months are sufficient for the gap analysis, supplementing the missing elements, and the assessment.
Scenario 3: TISAX Recertification (2 to 3 Months)
TISAX labels are valid for three years. Before expiration, you must undergo a new assessment. If you've maintained your ISMS in the meantime, this is primarily a review and update, not a reimplementation. Plan two to three months for preparation, the updated self-assessment, and the audit.
Costs Realistically Calculated
The total costs of a TISAX certification comprise several components:
| Cost Component | Reference Value (mid-market company, 1 location) |
|---|---|
| ENX participation fee | approx. EUR 4,450 |
| Audit provider (AL3, initial audit) | EUR 8,000 - 15,000 |
| External consulting (optional but recommended) | EUR 15,000 - 40,000 |
| Technical measures (network, encryption, backup, etc.) | EUR 5,000 - 30,000 |
| Internal personnel costs (CISO, IT, management) | EUR 20,000 - 50,000 |
| Training | EUR 3,000 - 8,000 |
| Total costs (rough range) | EUR 30,000 - 80,000 |
For companies without an existing ISMS, costs tend toward the upper end; for companies with ISO 27001 certification, toward the lower end. Multiple locations increase costs linearly, though documentation is created once and only the location-specific audit is charged per site. For comparison: ISMS Lite costs EUR 500 per year and covers risk management, measure tracking, policies, and audit documentation in a single tool, without seat licenses.
A note on consulting costs: You can achieve TISAX certification without an external consultant if you have enough in-house expertise. However, the failure rate on the first attempt without consulting is significantly higher, and a failed assessment costs you not just audit fees but also time — which you usually don't have because your customer has set a deadline.
TISAX and ISO 27001: How Both Work Together
TISAX is based on ISO 27001 but is not identical. The question of whether to do ISO 27001 first and then TISAX or vice versa comes up constantly in consulting. The answer depends on your situation.
Commonalities
Both ISO 27001 and TISAX require a systematic information security management system with risk assessment, documented policies, technical and organizational measures, training, and continuous improvement. Approximately 70 percent of requirements are identical.
Differences
| Aspect | ISO 27001 | TISAX (VDA ISA) |
|---|---|---|
| Scope | Freely selectable | Must cover all processes touching automotive data |
| Assessment | Conformity (yes/no per control) | Maturity levels (0-5) |
| Prototype protection | Not included | Separate module with specific requirements |
| Data privacy | Annex A.18 (general) | Separate module with detailed requirements |
| Certification | By ISO-accredited certification body | By ENX-accredited audit provider |
| Validity | 3 years with annual surveillance audits | 3 years, then completely new assessment |
| Recognition | Cross-industry | Automotive industry only |
The Pragmatic Recommendation
If you work exclusively for the automotive industry and only need TISAX, you can skip the separate ISO 27001 certification. The ISMS you build for TISAX largely fulfills ISO 27001 requirements, even if you don't have an ISO certificate on the wall.
If, however, you also serve customers outside the automotive industry who require ISO 27001, or if you will prospectively fall under NIS2, a parallel ISO 27001 certification makes sense. The additional effort for both certifications is manageable if you design the ISMS from the start to meet both requirement catalogs.
TISAX and NIS2: Are There Overlaps?
Since NIS2 took effect in Germany, many automotive suppliers face the question of whether TISAX and NIS2 overlap. The answer: yes, significantly — but they don't replace each other.
NIS2 affects companies in the "manufacturing" sector, which includes vehicle manufacturing and suppliers, from 50 employees or EUR 10 million revenue onward. Many automotive suppliers that need TISAX therefore also fall under NIS2.
The NIS2 requirements for risk management, incident response, business continuity, and supply chain security are largely covered by a TISAX-compliant ISMS. What NIS2 additionally requires are the specific reporting obligations (24h/72h/1 month), BSI registration, and personal liability of executive management. These aspects must be addressed separately, even if you are TISAX-certified.
Typical Pitfalls on the Path to the TISAX Label
From practice, ten common mistakes can be identified that complicate the path to the TISAX label or cause the assessment to fail:
1. Starting too late. The most common mistake of all. The customer sets a six-month deadline, the company begins preparations after three months and realizes time is insufficient. Rule of thumb: Take your customer's deadline and plan at least double the time. Better to finish early than too late.
2. Treating TISAX as an IT project. TISAX is a management system, not an IT project. If only the IT department is involved, organizational measures, training evidence, management commitment, and department involvement are missing. Executive management must be actively engaged.
3. Using copy-paste policies. Generic templates from the internet or consultants are a starting point but not a result. The auditor immediately recognizes when a policy doesn't fit the company. Policies must reflect your company's actual processes and structures.
4. Not collecting evidence. Maturity level 3 means the process is being practiced. In ISMS Lite, all evidence is stored in an audit-proof manner and can be presented to the auditor directly from the system. Without evidence, there is no maturity level 3. Management review protocols, training attendance lists, security incident logs, penetration test results, internal audit reports — all of these are evidence you must systematically collect.
5. Forgetting supplier management. TISAX requires that you assess your suppliers' and service providers' information security. If you have no documented supplier assessment and no contractual security requirements with your IT service providers, that's a typical weak point in the assessment.
6. Not implementing classification. Information classification (public, internal, confidential, strictly confidential) must not only be defined but implemented. This means: Documents are actually labeled, emails with confidential content are encrypted, and employees know how to handle classified information.
7. Underestimating physical security. Access controls to offices and server rooms, clean desk policy, visitor management, and disposal of confidential documents are frequently neglected. The auditor will inspect the premises and check whether documented measures are also evident in practice.
8. Not conducting an internal audit. Before the external assessment, you should definitely conduct an internal audit. This allows you to identify weaknesses while you can still fix them. An internal audit is also itself a TISAX requirement, as part of the improvement process.
9. Underestimating prototype protection. If prototype protection is in your scope, it goes beyond IT security. It involves camera bans in certain areas, opaque coverings for prototypes, access controls to prototype rooms, and secured transport. These physical measures often require structural modifications that take time.
10. Treating the self-assessment as a formality. The self-assessment is your instrument for identifying and closing gaps before the external auditor arrives. If you fill it in superficially and gloss over problem areas, you'll encounter unpleasant surprises in the audit.
The Role of the Information Security Officer
TISAX requires that an Information Security Officer (ISO/CISO) is appointed who is responsible for the ISMS and serves as the point of contact for the audit provider. For mid-market suppliers, the question arises whether this role must be filled internally or can be outsourced.
Fundamentally, TISAX also accepts an external CISO, but the auditor will check whether this person is sufficiently integrated into the organization. An external CISO who visits once per quarter and is otherwise reachable by email is not sufficient. The CISO must know the operational processes, be regularly on-site, and have the authority to enforce security measures.
For companies with fewer than 100 employees, an external CISO combined with an internal point of contact is often the most pragmatic solution. From 100 employees onward, at least a partially internal appointment is recommended.
After the Label: TISAX Is Not a One-Time Project
The TISAX label is valid for three years. During this time, you must actively maintain your ISMS, because at the next assessment, the auditor will want to see that the system hasn't gone dormant after certification.
Specifically, this means: regular management reviews (at least annually), internal audits, ongoing risk assessment, updating policies when changes occur, training for new employees, and continuous improvement based on audit findings and security incidents.
If you consistently carry out these activities, recertification after three years is not a major hurdle but a routine exercise. If you neglect the ISMS after initial certification, you'll practically be starting from scratch at recertification.
Further Reading
- Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
- NIS2 vs. ISO 27001: Differences, Commonalities, and How Both Fit Together
- Creating a Statement of Applicability: Step-by-Step Guide
- Internal ISMS Audit: How to Review Your Own Management System
- Risk Assessment in the ISMS: Methodology, Approach, and Practical Tips
