Skip to content

TISAX® Assessment

TISAX® is a testing procedure for information security in the automotive industry based on ISO 27001. It uses the VDA-ISA catalog to evaluate ISMS. Successful tests, such as those conducted by TÜV NORD, result in the issuance of a TISAX® label, which is recognized by VDA members and manufacturers such as Audi and BMW.

Request Offer
Frau fährt ein Auto, Hände am Lenkrad, durch die Windschutzscheibe gesehen.

What is TISAX®?

TISAX® is a cross-company assessment and exchange procedure for information security in the automotive industry. It is concerned with the protection of data, its integrity and availability in the manufacturing process and in the operation of vehicles.

This is achieved by means of an information security management system (ISMS) analogous to the ISO 27001 standard, on the basis of which the VDA has developed the special ISA requirements and test catalogue for the automotive sector.

The effectiveness of an ISMS can be verified by means of assessments (audits) against the VDA ISA catalogue. If the assessment is successful, e.g. by TÜV NORD, ENX* - the administrator of the TISAX® programme - issues a TISAX® label in its database. This is recognised and required by all VDA members and vehicle manufacturers such as Audi, Volkswagen or BMW.

Advantages of a TISAX® Assessment

  • Market access and new customer acquisition: Meeting the mandatory supplier requirements of OEMs such as VW, BMW and Audi.
  • Cost savings by avoiding duplicate testing: A single test using a standardised procedure recognised across the entire industry.
  • Competitive advantage through building trust: A clear signal to customers that sensitive design data and prototypes are protected to the highest possible standard.
  • Minimising the risk of cyber-attacks: Systematic protection against production downtime, data loss and costly business interruptions.
  • Legal certainty and compliance: Automatic compliance with strict data protection and confidentiality requirements throughout the supply chain.

     

Request a non-binding offer now

How does TISAX® work?

Participants in the TISAX® process exchange information on the status of information security via a shared online portal. Registration on the portal is mandatory for participation. In addition to the exchange of assessment data (audit results), the portal also enables participants to contact audit service providers directly. Within the exchange model, there are two roles that each company can assume as required.

Passive participants (e.g. vehicle manufacturers / OEMs): They require other companies (such as their suppliers) to provide evidence of specific TISAX® labels, carry out an appropriate audit, and then request access to the results.

Active participants/auditees (e.g. suppliers and service providers): They undergo an audit against the criteria catalogue either at a manufacturer’s request or on their own initiative. Following a successful TISAX® audit, the audited company itself decides who within the TISAX® network is granted access to the results

Target groups for TISAX® certification

The process is primarily aimed at two main groups within the automotive industry:
•    Vehicle manufacturers (OEMs) who wish to ensure the security of their supply chain.
•    Suppliers and service providers to car manufacturers and suppliers who need to demonstrate that they handle sensitive data securely. 

Audit Procedure for TISAX® Certification

The TISAX® process essentially consists of three phases: registration, assessment and exchange. Would you like to find out in detail how you can navigate these three phases? Our guide, ‘How do TISAX® assessments work?’, will help you understand the entire process.

Instructions (PDF)

Stages of the Assessment Process

1

01

Online registration on the ENX platform

2

02

Selection and appointment of an inspection service provider (TÜV NORD)

3

03

Arranging appointments with auditors & providing the documentation

4

04

Stage 1 audit: Focus on documentation review

5

05

Stage 2 Audit: Focus on processes and interviews with stakeholders

6

06

Management of deviations

7

07

Making the label available on the ENX platform

What are the levels in the TISAX® assessment?

The ENX Association, as the operator of the TISAX® programme, has clearly defined the levels and scope of the assessments. TISAX® distinguishes between three different protection classes and assessment levels against which a company can be assessed. These assessment objectives depend on the level of protection required for the information.

 

Which Assessment Level Do I Need?

Is intended for normal protection requirements. The auditor can carry out the assessment in the form of a self-assessment.

Assessment level 2 is aimed at suppliers and service providers with high protection requirements. The prerequisite for this is that a complete self-assessment is available. The audit provider then carries out the following test steps:

  • Opening meeting (kick-off)
  • Completeness and plausibility check of the self-assessment and corresponding evidence
  • Telephone interview with the person responsible for the information security management system (ISMS) based on the plausibility check or an on-site audit with third parties and/or prototype protection

Assessment level 3 has very high protection requirements. An audit provider (TISAX® AP) must also be involved here and a complete self-assessment must be available. The subsequent audit steps are similar to the Level 2 assessment, except that key aspects are considered during an on-site audit.

  • Opening meeting
  • Completeness and plausibility check of the self-assessment and corresponding evidence
  • Assessment of the effectiveness and maturity of the ISMS through an on-site audit with those involved (on-site expert interviews, inspection of relevant areas and premises)

After the assessments, the results and the requirements for corrective measures are summarised in a preliminary report. In this case, two further assessment steps are required to obtain a TISAX® label:

  • Development of a corrective action plan by the auditor and assessment by the authorised audit provider - TISAX® Audit Provider (TISAX® AP).
  • Implementation of the corrective actions by the auditor and assessment of the effectiveness of the actions by the TISAX® AP.

Development of the TISAX® standard: The new ‘Availability’ and ‘Confidentiality’ labels

In order to manage the protection of the automotive supply chain in an even more targeted manner, the TISAX® system differentiates the requirements using two separate, mutually independent (new) labels:

  • ‘Availability’ label: Aimed primarily at direct suppliers (e.g. of standard parts or logistics service providers) within the just-in-time supply chain. The focus here is on safeguarding against production and delivery disruptions (e.g. due to cyber-attacks), without burdening companies with unnecessary requirements regarding the protection of trade secrets.
  • ‘Confidentiality’ label: Covers traditional, comprehensive protection of trade secrets and is mandatory for companies that work directly with highly sensitive data and prototypes from vehicle manufacturers (OEMs).

Current status for companies: Companies already participating in the TISAX® process are generally awarded the ‘Availability’ label upon existing compliance, without the need for a separate additional audit. 

TISAX – Managing information security and assessments in the automotive industry

Infographic accompanying the video ‘TISAX – Managing information security and assessments in the automotive industry’

FAQ on TISAX® certification

General

TISAX® stands for Trusted Information Security Assessment Exchange and describes an assessment and exchange process for information security in the automotive industry.

The cost of a TISAX® audit depends on various factors, such as the number of sites, the assessment level and the internal costs relating to staff or technical measures. We would be happy to advise you on the actual costs for your organisation in a no-obligation consultation.

The TISAX® process is subject to fixed and strict timeframes. The three key deadlines you need to be aware of are:

3-year validity: A successfully awarded TISAX® label is valid for exactly three years. After that, a full re-assessment is required. As no extension is possible, the follow-up assessment should be initiated in good time (approximately 4 to 6 months before expiry).

9 months for rectification: If security deficiencies are identified during the main assessment, you have exactly 9 months from the last day of the assessment to rectify them and secure the label via a follow-up assessment. If this deadline is exceeded, the previous audit becomes invalid and the process must be restarted from the very beginning.

Project duration: The actual time taken to reach the audit stage depends heavily on the size of your organisation and the maturity of your ISMS. As a general rule, you should allow several months for preparation, registration and the conduct of the audit.

Here is an overview of the three levels:

Assessment Level 1 (Low security requirement):

At this stage, the company simply carries out a self-assessment. The completed questionnaire is usually checked only for plausibility. This level is generally insufficient for collaboration with OEMs and does not receive an official TISAX® label on the portal.

Assessment Level 2 (High Security Requirement):

The assessment is carried out by an official, independent audit service provider (such as TÜV). It is primarily conducted as a document review (plausibility check), usually supplemented by telephone calls or video interviews. An on-site visit to the company is not mandatory at this stage.

Assessment Level 3 (Very high security requirement):

The most demanding level. The audit service provider carries out an in-depth review of the documents and is required to conduct an on-site assessment at your business premises. This level is mandatory if you work with highly sensitive data, for example in prototype development or in extremely critical just-in-time processes.

In summary: For valid certification, only Levels 2 and 3 are actually relevant for service providers and suppliers.

Participation in TISAX® is essential for suppliers and service providers in the automotive industry in order to meet manufacturers’ strict security requirements and to be eligible for contracts in the first place. As the assessment procedure is uniformly recognised across the industry, you also save valuable time and money: once you have passed, there is no need for time-consuming and repetitive security checks by individual customers.

To receive a quote for a TISAX® audit, interested parties must first register on the ENX portal and provide the relevant information. Please get in touch with us if you would like us to assist you with the quote request process.

Companies can gain access to the TISAX® portal, which facilitates the exchange of assessment data, by registering as participants. This is a prerequisite for commissioning an assessment from an assessment provider (TISAX® AP) such as TÜV NORD.

Yes, to a very large extent. An information security management system (ISMS) structured and audited in accordance with TISAX® already covers the core technical and organisational requirements of the EU’s NIS-2 Directive as standard. Anyone who is TISAX®-certified has, in effect, already laid the foundations for NIS-2. However, regulatory compliance is not a foregone conclusion, as purely national obligations (such as regulatory reporting channels) must be addressed separately. 
A detailed statement and analysis by ENX can be found at: TISAX as a contribution to cybersecurity in industry – Analysis of the NIS 2 Directive · ENX Portal

Only audit service providers authorised by ENX for this purpose (TISAX® AP) are permitted to carry out TISAX® assessments. TÜV NORD CERT is ENX’s contractual partner for this purpose.

Developed by the German Association of the Automotive Industry (VDA), TISAX® is managed by the ENX Association, which monitors the quality of the implementation and the results of the assessments.

ENX has compiled detailed information on TISAX® in a participant handbook available on its website.

TISAX® and other standards

Whilst both standards are based on an information security management system (ISMS), they differ fundamentally in their objectives and scope. It could be said that ISO/IEC 27001 is the foundation, whilst TISAX® is the sector-specific extension for the automotive industry.

Whilst TISAX® focuses on the protection of data and business processes (IT security), ISO/SAE 21434 deals exclusively with cybersecurity within the vehicle itself. In short, TISAX® protects the company’s data and infrastructure, whilst ISO/SAE 21434 ensures that the car cannot be hacked whilst on the road.

TISAX® assessments with TÜV NORD

TÜV NORD is the partner at your side when it comes to the quality of your information security management system (ISMS). We have been accredited by the German Accreditation Body (DAkkS) for the auditing and certification of ISMS for many years. Specifically for the automotive sector, TÜV NORD is authorised by the ENX Association as a TISAX® Audit Provider (TISAX® AP) and can carry out assessments worldwide.

*Note: TÜV NORD CERT GmbH is authorised by ENX to offer TISAX® assessment services. The brands and trademarks associated with the TISAX® programme and the related intellectual property belong to ENX Association.

Request an Offer

Would you like to learn more about TISAX® certification? Please feel free to contact us.

ISMS Sales & Projectmanagement, TÜV NORD CERT GmbH

Competent, international, TÜV NORD CERT

TÜV NORD CERT GmbH

TÜV NORD CERT is an internationally recognised and reliable partner for testing and certification services. Our experts and auditors possess in-depth knowledge and are all permanently employed by TÜV NORD. This ensures independence, neutrality and continuity in the support we provide to our clients. The benefit for you is clear: our auditors guide and support the development of your business and provide you with objective feedback.

This may also interest you