A component supplier receives a requirement from an OEM: “By the award decision in Q3, a valid TISAX label with Assessment Level 3 for the Stuttgart site must be in place, covering prototype protection and personal data.” The typical lead time for an AL3 assessment is six to nine months from the start of preparation. Waiting until the requirement arrives means losing the award to a better-prepared competitor. TISAX has become a market access condition in the automotive business: no label, no contract.
TISAX (Trusted Information Security Assessment Exchange) is the German automotive industry standard for information security assessments of suppliers and service providers. It is administered by the ENX Association, an initiative of manufacturers, suppliers and associations. The basis is the VDA ISA (Information Security Assessment) catalogue, published by the VDA (Verband der Automobilindustrie, the German Association of the Automotive Industry).
What does the standard cover?
The VDA ISA catalogue is structured into several modules. The main Information Security module is mandatory; additional modules address specific protection needs.
Modules of the ISA catalogue
- Information security — the main part, structurally based on ISO/IEC 27001 and 27002. Around 40 controls covering ISMS, asset management, personnel security, physical security, identity and access management, supplier management, incident management and compliance.
- Prototype protection — additional requirements for the handling of prototype information: structural requirements for rooms, photo and film bans, camouflage on test vehicles, visitor rules.
- Data protection — requirements for processing personal data, aligned with the GDPR and automotive-specific data flows (for example connected-car data).
- Artificial intelligence — module introduced with ISA 6.0 for suppliers that develop AI components or services for vehicles.
Maturity model
Each control is rated on a scale from 0 (incomplete) to 5 (optimising). The target maturity per control is typically 3 (established). Lower maturity levels lead to findings with remediation deadlines.
Protection classes and assessment levels
| Protection need | Assessment Level | Audit type |
|---|---|---|
| Normal | AL2 | Plausibility-checked self-assessment, remote audit |
| High (e.g. prototype protection, confidential design data) | AL3 | On-site audit at the supplier |
| Very high (e.g. special categories of personal data at scale) | AL3 | On-site audit, deeper sampling |
AL1 (a pure self-assessment without external plausibility check) has become practically irrelevant, since manufacturers hardly accept it any more.
Audit process
Registration on the ENX platform. The company registers, defines scope and assessment level and nominates an audit provider from the list of approved providers.
Self-assessment. The company assesses itself against the ISA catalogue. The assessment is documented on the ENX platform, including an action plan for controls below the target maturity.
Initial audit. The audit provider reviews the self-assessment. At AL2 the audit is predominantly remote; at AL3 it is on-site. Findings are classified as “Major Non-Conformity”, “Minor Non-Conformity” or “Observation”.
Corrective action phase. Major Non-Conformities must be remediated before the label is issued; Minor Non-Conformities within nine months. The remediation is verified by the audit provider.
Label issuance. On successful completion, the TISAX label is posted on the ENX platform for three years. The company can grant access to individual manufacturers.
Re-assessment. Before the three years elapse, a full re-assessment takes place. Material scope changes during the validity period require an update to the assessment.
Mapping to other standards
| Standard | Relation to TISAX |
|---|---|
| ISO/IEC 27001 | Structural blueprint; many controls overlap, an ISO certification is good preparation |
| ISO/IEC 27002 | Implementation guidance that also applies to TISAX controls |
| GDPR | Dedicated TISAX data protection module aligned with GDPR requirements |
| NIST CSF | Useful for an overarching cyber resilience strategy, not a direct mapping substitute |
| CIS Controls | Concrete technical implementation guidance that complements the ISA controls at the operational level |
| NIS2 | Where the supplier is also KRITIS or essential/important under NIS2, both regimes apply in parallel |
Implementation effort
Small supplier (< 50 people, single site, AL2): 4-9 months of build-up, then 0.2-0.5 FTE for ongoing operation. External consulting typically 5-15 days.
Medium engineering service provider (50-500 people, AL3 with prototype protection): 6-12 months of build-up, 0.5-1.5 FTE ongoing. Structural adaptations for prototype protection (lockable rooms, visual shielding, access control) can trigger substantial investment.
Large Tier 1 supplier (multiple sites, AL3, all modules): programme scale, several FTEs, coordinated site assessments. Often a central ISMS is built up and the individual sites are assessed separately.
Recurring costs: audit days (typically 2-8 per site), ENX platform fees, internal maintenance of the ISA assessment state, employee training, annual review of the action plan.
Related standards
- ISO/IEC 27001: structural foundation for TISAX; an ISO certificate significantly eases preparation.
- ISO/IEC 27002: implementation guidance for many TISAX controls.
- NIST CSF: overarching cyber resilience view for strategic planning.
- CIS Controls: concrete technical measures that operationally underpin many ISA controls.
Sources
- ENX Association — TISAX — official platform and documentation
- VDA ISA catalogue — current requirements catalogue (paid)
- ENX TISAX Participant Handbook — authoritative procedural guide
- VDA — German Association of the Automotive Industry — publisher of the ISA catalogue