Skip to main content

Trusted Information Security Assessment Exchange

TISAX is an automotive-industry information-security assessment and exchange based on the VDA ISA catalogue, letting suppliers be assessed once and share results with many customers. It is effectively mandatory for the automotive supply chain, with commercial rather than legal consequences.

Jurisdiction
Global

What TISAX Is and Why It Exists

TISAX (Trusted Information Security Assessment Exchange) is an information-security assessment and exchange mechanism created for the automotive industry. It is governed by the ENX Association on behalf of the German automotive association VDA and is based on the VDA Information Security Assessment (ISA) catalogue, which itself draws heavily on ISO/IEC 27001. TISAX lets a supplier be assessed once and then share the standardized result with multiple automotive customers, avoiding repeated, divergent audits.

It exists because automakers exchange highly sensitive information, including prototype designs and personal data, with a vast network of suppliers, and needed a consistent, mutually recognized way to verify each partner's security maturity.

Who It Applies To

TISAX applies to organizations in the automotive supply chain, original equipment manufacturers, tier suppliers, engineering and software firms, and service providers, that handle sensitive information on behalf of automotive customers. While voluntary in the abstract, it is effectively mandatory in practice: many automakers require a valid TISAX label as a condition of doing business.

Key Requirements

  • Assessment against the VDA ISA: organizations are evaluated on information-security management, often including specific modules.
  • Assessment objectives and levels: the scope and depth depend on the protection needs, with higher assessment levels requiring on-site verification.
  • Specialized modules: additional requirements may apply for prototype protection (physical and organizational security for confidential vehicle parts) and for data protection.
  • Use of accredited audit providers: assessments are performed by TISAX-approved audit providers.
  • Label and exchange: successful organizations receive TISAX labels and share results through the ENX platform.

Penalties for Non-Compliance

TISAX is not a law, so there are no statutory fines. The consequences are commercial and contractual: without the required TISAX label, a supplier may be unable to win or keep automotive contracts, since customers condition business on it. Labels are time-limited (typically three years), so lapses can interrupt eligibility. Failing an assessment also signals security weaknesses that customers may act on.

How to Comply

  • Determine the assessment objectives and level your automotive customers require.
  • Build an information-security management system aligned to the VDA ISA (and, by extension, ISO/IEC 27001).
  • Address any required modules, such as prototype protection or data protection.
  • Engage a TISAX-accredited audit provider for the assessment.
  • Share results selectively with customers through the ENX exchange and re-assess before the label expires.

Because the VDA ISA closely tracks ISO/IEC 27001, organizations already certified to that standard have a strong head start.

Assessment Levels and Prototype Protection

TISAX assessments come in levels that scale with the sensitivity of the information involved. Higher levels require on-site or more rigorous verification rather than self-disclosure alone, and additional modules apply for organizations handling especially sensitive data such as vehicle prototypes. Prototype protection is distinctive to the automotive sector, demanding physical security measures, controlled access, and strict handling rules for confidential pre-release vehicles and parts. Suppliers should scope their assessment to match what their customers require, since over-scoping adds cost while under-scoping risks failing to meet a customer's mandated level. Aligning early with the relevant VDA ISA modules streamlines the whole process.