TISAX Certification | Automotive Information Security Services | ISONIALL

TISAX CERTIFICATION - SECURING THE AUTOMOTIVE SUPPLY CHAIN THROUGH INFORMATION SECURITY EXCELLENCE


The automotive industry operates on a foundation of trust. Vehicle manufacturers share prototype designs, component specifications, crash test data, and proprietary engineering intelligence with hundreds of suppliers and service providers across a global supply chain. The integrity of that supply chain depends directly on the information security standards maintained at every participating organisation. TISAX — Trusted Information Security Assessment Exchange — is the mechanism through which those standards are assessed, verified, and shared across the automotive industry.

THE ORIGINS OF TISAX


Before TISAX existed, major automotive manufacturers independently assessed the information security practices of their suppliers. Each original equipment manufacturer (OEM) maintained its own audit criteria, questionnaires, and evaluation processes. Suppliers working with multiple OEMs were subjected to repeated, overlapping audits that consumed significant resources without producing uniform or mutually recognised outcomes.
To address this structural inefficiency, the German Association of the Automotive Industry (Verband der Automobilindustrie — VDA) developed a standardised Information Security Assessment (ISA) catalogue, drawing substantially from the requirements of ISO/IEC 27001. In 2017, the ENX Association — a joint initiative of European automotive manufacturers, suppliers, and national associations — launched TISAX as the formal assessment and exchange mechanism built upon the VDA ISA catalogue.

THE VDA ISA CATALOGUE AND THE ISA 6.0 UPDATE


The VDA ISA catalogue forms the technical foundation of every TISAX assessment. It defines the control requirements against which organisations are evaluated and is periodically revised to reflect the evolving threat landscape.
The most recent significant revision, ISA Version 6.0, was published by VDA in October 2023 and became mandatory for all new TISAX assessments commissioned from 1 April 2024. ISA 6.0 introduced material changes to the standard, including a strengthened focus on ransomware resilience and operational technology (OT) availability. Six new control questions specifically address security incident detection, ransomware defence, and recovery capabilities — a direct response to the escalating threat posed by ransomware attacks targeting industrial supply chains.
ISA 6.0 also revised the label structure for information security. The previous "Info High" and "Info Very High" labels were replaced with two new assessment objectives: "Confidential" and "Strictly Confidential." A standalone "Availability" label was simultaneously introduced to address supply chain continuity requirements. Additionally, ISA 6.0 expanded its references to international standards, incorporating explicit alignment with ISO/IEC 27001:2022, the NIST Cybersecurity Framework, and BSI IT-Grundschutz.

TISAX ASSESSMENT LEVELS


TISAX assessments are structured across three levels, with the applicable level determined by the sensitivity and classification of the information an organisation handles on behalf of automotive clients.
Assessment Level 1 (AL1) involves a self-assessment based on the VDA ISA questionnaire. It does not involve external third-party review and does not produce a TISAX label. AL1 is largely a preparatory or internal benchmarking exercise.
Assessment Level 2 (AL2) applies to organisations handling data with a high protection requirement — including confidential project data, supplier agreements, and sensitive technical specifications. The assessment involves completion of the VDA ISA questionnaire, submission of ISMS documentation, and a structured remote audit conducted by an accredited third-party assessment provider.
Assessment Level 3 (AL3) applies to the highest protection requirement scenarios — including organisations handling strictly confidential data, prototype vehicle information, crash test and simulation data, and artificial intelligence systems used in vehicle development. AL3 requires a full on-site audit, including facility inspection and in-person interviews with key personnel.

SCOPE OF THE TISAX ASSESSMENT


A TISAX assessment evaluates an organisation across several dimensions, with the specific modules assessed determined by the scope agreed at the point of registration.
Information Security Management forms the core of every assessment. Organisations must demonstrate an operational Information Security Management System (ISMS) capable of identifying and managing information security risks, establishing and enforcing security policies, and conducting regular internal reviews.
Prototype Protection is an optional but frequently required module, particularly for Tier 1 suppliers involved in vehicle development. It addresses the physical and logical measures in place to prevent unauthorised disclosure of vehicles, components, and parts that remain under non-disclosure obligations prior to public release.
Data Protection addresses the handling of personal data within the automotive context, extending beyond the baseline requirements of GDPR to include automotive-specific data privacy obligations. Organisations must demonstrate appropriate technical and organisational measures covering secure storage, access control, encryption, and staff training.
Availability — newly formalised as a standalone assessment objective under ISA 6.0 — addresses the resilience of IT and OT systems supporting automotive production and supply chain operations. This module evaluates business continuity capabilities, incident response preparedness, and recovery time objectives in the context of cyber disruptions.

WHO REQUIRES TISAX CERTIFICATION


TISAX certification is a prerequisite for conducting business with the majority of major German and European automotive manufacturers. The standard extends beyond Tier 1 suppliers to encompass the broader supply chain, including Tier 2 and Tier 3 suppliers, marketing agencies handling prototype imagery, software development firms engaged in vehicle systems development, logistics providers, and IT and cloud service providers processing automotive data.
As automotive digitalisation accelerates — encompassing connected vehicles, autonomous driving systems, over-the-air software updates, and electrification platforms — the volume of sensitive data exchanged across the supply chain has expanded significantly. This expansion has correspondingly broadened the category of organisations for whom TISAX certification has become an operational necessity.
The standard has achieved substantial global reach. More than 10,000 locations have been assessed under TISAX, establishing it as the second most widely implemented information security standard globally, following ISO 27001.

THE TISAX CERTIFICATION PROCESS


  • Registration with ENX: Organisations register on the ENX TISAX portal, select the applicable assessment scope and label objectives, and engage an accredited third-party audit provider. ENX-accredited providers include internationally recognised bodies.
  • Self-Assessment and Gap Analysis: Organisations complete the VDA ISA questionnaire as a structured self-assessment, identifying current compliance levels and gaps that require remediation prior to formal assessment.
  • Implementation and Remediation: Identified gaps are addressed through the establishment or enhancement of information security controls, documented policies, technical safeguards, and staff competency measures.
  • Formal Assessment: Depending on the applicable assessment level, the audit is conducted remotely (AL2) or on-site (AL3) by the accredited assessment provider. Findings are documented and, where nonconformities are identified, corrective action plans are agreed and assessed.
  • Label Issuance and Exchange: Upon successful completion, the TISAX label is issued and made available on the ENX portal. The assessed organisation controls which registered participants may access its label status or detailed results.

CONCLUSION


TISAX certification has established itself as an indispensable credential for organisations operating within the automotive supply chain. It provides OEMs with standardised, independently verified assurance of supplier information security, eliminates the inefficiency of redundant audits, and creates a shared language for data protection and confidentiality across one of the world's most complex industrial ecosystems.
For organisations seeking to enter, expand within, or maintain their position in the automotive supply chain, TISAX is not an optional consideration — it is a fundamental commercial and security requirement.
Niall Services provides expert TISAX consultancy services, guiding organisations through every stage of the certification process — from initial gap analysis and VDA ISA 6.0 readiness assessment to ISMS development, prototype protection planning, and formal audit preparation. Our structured approach is designed to achieve TISAX label status efficiently and sustainably.
