What is TISAX?

The secure and confidential transmission of information is essential in a highly resourceful environment where success depends on the contributions of multiple stakeholders. The automotive sector, with its vast and intricate supply chains, requires an information security strategy that takes a “systems” approach.

In the age of digitization, the requirements for information security go beyond the requirements of automotive suppliers and also include marketing companies and other stakeholders. The main requirement is to provide protection for:

Information pertaining to projects or designs, prototypes or top secret investment plans,
The new ideas related to digitization, such as the development of driverless vehicles, are closely linked to “big data” and “process data”.

Links within the supply chain network, and consumers’ personal data

What does the abbreviation TISAX stand for?

TISAX stands for ” Trusted Information Security Assessment eXchange ” and is an international standard for protecting sensitive data in the automotive industry. It is a maturity-based information security assessment methodology tailored to the needs of the automotive sector. The assessment is a prerequisite for working with some Original Equipment Manufacturers (OEMs) and while it is primarily for first and second tier suppliers, it can be extended to more widespread supply chains.


  • A uniform level of safety must be created for the automotive sector.
  • Ensuring that reviews are recognized by all parties in the same way to reduce costs, labor and complexity for manufacturers and suppliers.
  • Ensuring that all reviews are comparable and of high quality.
  • share successful strategies and insightful experiences
  • Each participant can decide for himself to whom he makes the results accessible and how much information he passes on.

TISAX is an amalgamation of the former German Association of the Automotive Industry (VDA) Information Security Rules (ISA) and Annex A (Technical Controls) of the ISO/IEC 27001 standard, supplemented with some data protection requirements.

TISAX compared to ISO/IEC 27001

TISAX is an information security management system that focuses on features that are particularly relevant to the automotive sector environment. It is based on core components of the ISO/IEC 27001 standard for information security management systems.

The main distinguishing features are the following:
TISAX is based on ISO/IEC 27001.

Information security procedures and components relevant to partners in the automotive industry are covered by the management system standard.

  • A switch-like method
  • Method based on own maturity level
  • Defining the scope prior to certification
  • The scope remains unchanged.
  • Studying the risks to the company
  • Risk analysis by the VDA-ISA working group
  • The certification body issues the following: Certificate TISAX is responsible for the identification and exchange registration.
  • Audits at regular intervals and recertification every three years Valid for three years without regular audits
  • Profits to be made from reviews

TISAX assessments help instill trust throughout the supply chain, beyond the fact that certain manufacturers require them as a “ticket to trade”. The participating providers have the following advantages:

Approval by the automobile manufacturers

  • Prevention of information security gaps and attacks via the Internet
  • establish credibility in the market;
  • identifying and managing risks;
  • Obtaining recognition for adequate information security measures;
  • Exchange of assessment results via the ENX information exchange.

First steps

Companies wishing to participate in the program must register as participants with ENX.


Create an account on the TISAX website, choose a TISAX recognized audit organization and start preparing for the audit. This includes a self-assessment to help you determine your level of preparedness and compliance.


The way the audit is conducted depends on whether you are applying for a remote audit (level 2) or a physical audit (level 3) eligible or not. The audit itself consists of interviews, the analysis of documents, the clarification of possible results and the planning of further measures.


Ensure that you provide the audit provider with a corrective action plan (CAP) to address the identified deficiencies or gaps. To assess the GAP, a follow-up interview (or more if required) is conducted and a TISAX report is completed.

presentation of results

The platform receives the TISAX report uploaded by the audit provider. The company that has been audited chooses who should see the results. The TISAX labels are awarded by ENX to the audited companies.

The ENX Association has recognized DNV as an acceptable certification provider. Thanks to our worldwide network of local offices and auditors, we can conduct assessments for TISAX customers all over the world.

assessment requirements

ENX is responsible for maintaining the assessment requirements and the criteria for audit providers (TISAX ACAR). It is responsible for reviewing auditing firms and monitors both the quality of implementation and the results of the assessment. The ENX project is supported by the TISAX Committee, which is made up of representatives from different companies, suppliers and organisations. Protect sensitive information like prototypes, maintain a positive image for your company, and foster brand loyalty among your customers.

The secure and confidential exchange of information is very important in an environment that encourages radical innovation and whose success depends on the participation of different actors. Within its vast and intricate supply networks, the automotive sector requires a type of information protection called “ecosystemic”.

In today’s digital age, information security requirements extend not only to automotive suppliers, but also to marketing companies and other stakeholders. The main requirement is to ensure the security of:

Project or design information, prototypes or confidential investment plans, prototypes, etc.

Big data and process data associated with the new ideas of digitization are essential for the development of autonomous vehicles.

the connections between the nodes that form the network of the supply chain,

and consumers’ private information