TISAX®: What is it and who needs it?

First you have to understand why TISAX® came about:

Before TISAX® certification, automotive manufacturers were already asking their suppliers, partners and service providers to demonstrate that they had an adequate ISMS (Information Security Management System) in place to sufficiently protect the data delivered to them by these manufacturers. At that time, the information they received from suppliers was evaluated on the basis of the Information Security Assessment (ISA) requirements catalogue developed by the German Association of the Automotive Industry or VDA ( in German: Verband der Automobilindustrie e. V.) in collaboration with ENX.

However, the problem was that manufacturers were forced to perform assessments for each service provider individually, and in order to reduce duplication of effort in similar assessments for different companies, the VDA developed its own list of criteria: TISAX®.

What is TISAX®?

In 2017, the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) published its list of criteria relating to information security required of suppliers in the industry.

Through the ENX organization, the TISAX® (Trusted Information Security Assessment Exchange) initiative is managed by leading industry partners.

TISAX® is a specific assessment standard for information security in the automotive industry, with a catalog of criteria, audits, processes and KPIs that must be met. However, TISAX® is based on ISO 27001 (Information Security Management System).

The difference between TISAX® certification and ISO 27001 is that TISAX® certification is required by the automotive industry. Therefore, if you are a supplier or service provider to the automotive industry, then you may need TISAX® Certification.

Once TISAX® certification is obtained it is renewed every three years and verifies that the safety criteria required by the automotive industry are being met.

Who is required to have the TISAX® label?

If you are a supplier, service provider or partner of a VDA member (e.g. VW, Daimler, AUDI, BMW, Porsche, Continental, MAGNA, Škoda, etc.). In that case, a TISAX® certification will ensure that you can continue to demonstrate your services and/or participate in tenders. As more and more companies are becoming TISAX® certified, those that are not will find it difficult to become part of the supply chain of major automakers.

TISAX® is the entry ticket for suppliers to the automotive industry.

Key benefits of TISAX® certification

TISAX® in addition to being a trade entry requirement for certain manufacturers, TISAX® certification contributes to building confidence in the supply chain. The most relevant benefits:

  • Access to a global network of manufacturers.
  • Grow presence in the automotive sector
    Increased cybersecurity maturity.
  • Competitive advantage over other organizations

What are the TISAX® requirements for certification?

To obtain TISAX® certification, organizations must meet the requirements set by the VDA ISA assessment catalog available in version 5.1 from 2022, which consists of three modules: (1) Information Security, (2) Prototype Protection and (3) Data Protection. Your company will be evaluated in at least one of them, being Information security is the main module to be evaluated as a basis in all cases.

In order to start the certification process TISAX® recommends 4 main steps :

  1. Register online: A company registers in TISAX® and submits its self-assessment based on the VDA ISA questionnaire, including its target certification level.
  2. Select an ENX-approved audit service provider: The company selects an independent audit provider according to the ENX list of providers.
  3. Undergo a TISAX® assessment by the external provider: The company undergoes the TISAX assessment (Level 2: remote, Level 3: on-site).
  4. Exchange audit results on the TISAX® online platform: The company publishes the audit results via the TISAX® Exchange.

The audit provider submits the final evaluation results to the ENX Association. If there are minor deviations from the criteria, the company only receives a provisional TISAX® label, which is only valid for a limited time. Permanent certification will not be granted until the deviations have been corrected. In the case of major deviations, the TISAX® certification will only be valid on the day the deviation has been corrected and can be demonstrated.

If you are a supplier of products or services in the automotive industry and you are not yet TISAX® certified, we can help you achieve your certification goals.

At SECDAT we have a team specialized in the automotive industry and with national and international references. We will help you prepare for the external auditor’s assessment, validating the maturity level of your organization and implementing the information security management system based on VDA ISA, with different options according to the specific needs of our clients: consultancy, turnkey project and management of the assessment and implementation of the system together with the organization. We assist you and your organization with the overall management of the certification process, including the selection and management of the External Auditor. 

Feel free to visit our TISAX® page and contact us if you need assistance.