TISAX® is a testing procedure for information security in the automotive industry based on ISO 27001. It uses the VDA-ISA catalog to evaluate ISMS. Successful tests, such as those conducted by TÜV NORD, result in the issuance of a TISAX® label, which is recognized by VDA members and manufacturers such as Audi and BMW.
Request Offer
TISAX® is a cross-company assessment and exchange procedure for information security in the automotive industry. It is concerned with the protection of data, its integrity and availability in the manufacturing process and in the operation of vehicles.
This is achieved by means of an information security management system (ISMS) analogous to the ISO 27001 standard, on the basis of which the VDA has developed the special ISA requirements and test catalogue for the automotive sector.
The effectiveness of an ISMS can be verified by means of assessments (audits) against the VDA ISA catalogue. If the assessment is successful, e.g. by TÜV NORD, ENX* - the administrator of the TISAX® programme - issues a TISAX® label in its database. This is recognised and required by all VDA members and vehicle manufacturers such as Audi, Volkswagen or BMW.
Legal certainty and compliance: Automatic compliance with strict data protection and confidentiality requirements throughout the supply chain.
Participants in the TISAX® process exchange information on the status of information security via a shared online portal. Registration on the portal is mandatory for participation. In addition to the exchange of assessment data (audit results), the portal also enables participants to contact audit service providers directly. Within the exchange model, there are two roles that each company can assume as required.
Passive participants (e.g. vehicle manufacturers / OEMs): They require other companies (such as their suppliers) to provide evidence of specific TISAX® labels, carry out an appropriate audit, and then request access to the results.
Active participants/auditees (e.g. suppliers and service providers): They undergo an audit against the criteria catalogue either at a manufacturer’s request or on their own initiative. Following a successful TISAX® audit, the audited company itself decides who within the TISAX® network is granted access to the results
The process is primarily aimed at two main groups within the automotive industry:
• Vehicle manufacturers (OEMs) who wish to ensure the security of their supply chain.
• Suppliers and service providers to car manufacturers and suppliers who need to demonstrate that they handle sensitive data securely.
The TISAX® process essentially consists of three phases: registration, assessment and exchange. Would you like to find out in detail how you can navigate these three phases? Our guide, ‘How do TISAX® assessments work?’, will help you understand the entire process.
The ENX Association, as the operator of the TISAX® programme, has clearly defined the levels and scope of the assessments. TISAX® distinguishes between three different protection classes and assessment levels against which a company can be assessed. These assessment objectives depend on the level of protection required for the information.
Is intended for normal protection requirements. The auditor can carry out the assessment in the form of a self-assessment.
Assessment level 2 is aimed at suppliers and service providers with high protection requirements. The prerequisite for this is that a complete self-assessment is available. The audit provider then carries out the following test steps:
Assessment level 3 has very high protection requirements. An audit provider (TISAX® AP) must also be involved here and a complete self-assessment must be available. The subsequent audit steps are similar to the Level 2 assessment, except that key aspects are considered during an on-site audit.
After the assessments, the results and the requirements for corrective measures are summarised in a preliminary report. In this case, two further assessment steps are required to obtain a TISAX® label:
In order to manage the protection of the automotive supply chain in an even more targeted manner, the TISAX® system differentiates the requirements using two separate, mutually independent (new) labels:
Current status for companies: Companies already participating in the TISAX® process are generally awarded the ‘Availability’ label upon existing compliance, without the need for a separate additional audit.
TISAX® stands for Trusted Information Security Assessment Exchange and describes an assessment and exchange process for information security in the automotive industry.
The cost of a TISAX® audit depends on various factors, such as the number of sites, the assessment level and the internal costs relating to staff or technical measures. We would be happy to advise you on the actual costs for your organisation in a no-obligation consultation.
The TISAX® process is subject to fixed and strict timeframes. The three key deadlines you need to be aware of are:
3-year validity: A successfully awarded TISAX® label is valid for exactly three years. After that, a full re-assessment is required. As no extension is possible, the follow-up assessment should be initiated in good time (approximately 4 to 6 months before expiry).
9 months for rectification: If security deficiencies are identified during the main assessment, you have exactly 9 months from the last day of the assessment to rectify them and secure the label via a follow-up assessment. If this deadline is exceeded, the previous audit becomes invalid and the process must be restarted from the very beginning.
Project duration: The actual time taken to reach the audit stage depends heavily on the size of your organisation and the maturity of your ISMS. As a general rule, you should allow several months for preparation, registration and the conduct of the audit.
Here is an overview of the three levels:
Assessment Level 1 (Low security requirement):
At this stage, the company simply carries out a self-assessment. The completed questionnaire is usually checked only for plausibility. This level is generally insufficient for collaboration with OEMs and does not receive an official TISAX® label on the portal.
Assessment Level 2 (High Security Requirement):
The assessment is carried out by an official, independent audit service provider (such as TÜV). It is primarily conducted as a document review (plausibility check), usually supplemented by telephone calls or video interviews. An on-site visit to the company is not mandatory at this stage.
Assessment Level 3 (Very high security requirement):
The most demanding level. The audit service provider carries out an in-depth review of the documents and is required to conduct an on-site assessment at your business premises. This level is mandatory if you work with highly sensitive data, for example in prototype development or in extremely critical just-in-time processes.
In summary: For valid certification, only Levels 2 and 3 are actually relevant for service providers and suppliers.
Participation in TISAX® is essential for suppliers and service providers in the automotive industry in order to meet manufacturers’ strict security requirements and to be eligible for contracts in the first place. As the assessment procedure is uniformly recognised across the industry, you also save valuable time and money: once you have passed, there is no need for time-consuming and repetitive security checks by individual customers.
To receive a quote for a TISAX® audit, interested parties must first register on the ENX portal and provide the relevant information. Please get in touch with us if you would like us to assist you with the quote request process.
Companies can gain access to the TISAX® portal, which facilitates the exchange of assessment data, by registering as participants. This is a prerequisite for commissioning an assessment from an assessment provider (TISAX® AP) such as TÜV NORD.
Yes, to a very large extent. An information security management system (ISMS) structured and audited in accordance with TISAX® already covers the core technical and organisational requirements of the EU’s NIS-2 Directive as standard. Anyone who is TISAX®-certified has, in effect, already laid the foundations for NIS-2. However, regulatory compliance is not a foregone conclusion, as purely national obligations (such as regulatory reporting channels) must be addressed separately.
A detailed statement and analysis by ENX can be found at: TISAX as a contribution to cybersecurity in industry – Analysis of the NIS 2 Directive · ENX Portal
Only audit service providers authorised by ENX for this purpose (TISAX® AP) are permitted to carry out TISAX® assessments. TÜV NORD CERT is ENX’s contractual partner for this purpose.
Developed by the German Association of the Automotive Industry (VDA), TISAX® is managed by the ENX Association, which monitors the quality of the implementation and the results of the assessments.
ENX has compiled detailed information on TISAX® in a participant handbook available on its website.
Whilst both standards are based on an information security management system (ISMS), they differ fundamentally in their objectives and scope. It could be said that ISO/IEC 27001 is the foundation, whilst TISAX® is the sector-specific extension for the automotive industry.
Whilst TISAX® focuses on the protection of data and business processes (IT security), ISO/SAE 21434 deals exclusively with cybersecurity within the vehicle itself. In short, TISAX® protects the company’s data and infrastructure, whilst ISO/SAE 21434 ensures that the car cannot be hacked whilst on the road.
TÜV NORD is the partner at your side when it comes to the quality of your information security management system (ISMS). We have been accredited by the German Accreditation Body (DAkkS) for the auditing and certification of ISMS for many years. Specifically for the automotive sector, TÜV NORD is authorised by the ENX Association as a TISAX® Audit Provider (TISAX® AP) and can carry out assessments worldwide.
*Note: TÜV NORD CERT GmbH is authorised by ENX to offer TISAX® assessment services. The brands and trademarks associated with the TISAX® programme and the related intellectual property belong to ENX Association.
TÜV NORD CERT is an internationally recognised and reliable partner for testing and certification services. Our experts and auditors possess in-depth knowledge and are all permanently employed by TÜV NORD. This ensures independence, neutrality and continuity in the support we provide to our clients. The benefit for you is clear: our auditors guide and support the development of your business and provide you with objective feedback.