
MEET AUTOMOTIVE INDUSTRY INFORMATION SECURITY REQUIREMENTS

TISAX Assessment and Certification

TISAX (Trusted Information Security Assessment Exchange) is the automotive industry’s standardized information security assessment framework. Developed by the VDA (German Association of the Automotive Industry) and administered by ENX Association, TISAX provides common recognition of security assessments throughout the global automotive supply chain. Our TISAX expertise guides organizations through assessment and certification across all levels.

Why TISAX Certification Matters

Supply Chain Requirement

Automotive OEMs and tier-1 suppliers increasingly mandate TISAX certification for supply chain partners. Without TISAX certification at the required level, you cannot participate in many automotive projects or access sensitive information necessary for component development.

Competitive Advantage

Industry-Wide Recognition

Understanding TISAX Requirements

VDA ISA Catalogue Foundation

TISAX assessments are based on the VDA Information Security Assessment (ISA) catalogue, building upon ISO/IEC 27001 with automotive-specific requirements. The catalogue addresses information security management, physical security, organizational security, technology security, and supplier relationships specific to automotive industry needs.

Assessment Objectives

TISAX assessments address multiple objectives based on client requirements:

  • INFORMATION SECURITY: CORE VDA ISA REQUIREMENTS FOR PROTECTING INFORMATION ASSETS
  • PROTOTYPE PROTECTION: ENHANCED PHYSICAL SECURITY FOR PRE-PRODUCTION VEHICLES AND COMPONENTS
  • DATA PROTECTION: GDPR ARTICLE 28 REQUIREMENTS FOR PERSONAL DATA PROCESSORS

Clients specify which objectives and assessment levels their suppliers require.

TISAX ASSESSMENT LEVELS

ASSESSMENT LEVEL 1 (AL1)

Self-assessment for internal purposes only. The organization evaluates its own controls against the VDA ISA catalogue without external verification. Results cannot be shared with clients and do not result in a TISAX label. Limited applicability in the automotive supply chain.

ASSESSMENT LEVEL 2 (AL2)

Self-assessment followed by a remote plausibility check. The organization completes a self-assessment, then a TISAX audit provider conducts a documentation review and remote interviews to verify plausibility. Results in a shareable TISAX label. Suitable for low to medium protection needs.

ASSESSMENT LEVEL 3 (AL3)

Comprehensive on-site verification. Includes a self-assessment, an on-site audit with physical inspection, process observation, detailed interviews, and evidence review. This is the most rigorous level and is required for high protection needs. Results in the highest-confidence TISAX label.

Our Comprehensive TISAX Services

Gap Analysis and Readiness Assessment

We evaluate your current information security posture against TISAX requirements:

  • COMPREHENSIVE ASSESSMENT ACROSS ALL VDA ISA CONTROL AREAS
  • IDENTIFICATION OF GAPS AND NON-CONFORMITIES
  • PRIORITIZED REMEDIATION ROADMAP
  • RESOURCE REQUIREMENT ESTIMATION
  • REALISTIC TIMELINE DEVELOPMENT

ISMS Implementation

We help organizations implement information security management systems meeting TISAX expectations:

  • POLICY FRAMEWORK DEVELOPMENT
  • RISK ASSESSMENT AND TREATMENT PROCESSES
  • SECURITY CONTROL IMPLEMENTATION
  • DOCUMENTATION AND EVIDENCE PREPARATION
  • MANAGEMENT REVIEW MECHANISMS

Control Implementation

We support implementation of specific TISAX controls:

  • NETWORK SECURITY AND SEGMENTATION
  • ENCRYPTION FOR DATA PROTECTION
  • ACCESS CONTROL AND AUTHENTICATION
  • PHYSICAL SECURITY FOR PROTOTYPES AND SENSITIVE AREAS
  • SECURITY MONITORING AND LOGGING
  • INCIDENT DETECTION AND RESPONSE
  • SUPPLY CHAIN SECURITY MEASURES

Label Maintenance and Renewal

Three-Year Validity

TISAX labels are valid for three years. We establish ongoing compliance programs ensuring:

  • Continuous alignment with TISAX requirements
  • Monitoring for changes affecting certification
  • Periodic internal assessments
  • Label renewal and reassessment management

Scope Changes

Label scope may require updates when:

  • New sites or facilities are added
  • Business activities change significantly
  • Client requirements evolve
  • Additional assessment objectives are needed

Integration with ISO 27001

Leveraging Existing Certification

Organizations with ISO 27001 certification have foundational controls supporting TISAX:

  • Common ISMS framework and structure
  • Overlapping security controls
  • Similar documentation approaches
  • Aligned audit and review processes

We leverage ISO 27001 implementations to streamline TISAX preparation, addressing automotive-specific requirements efficiently while maintaining both certifications.

Prototype Protection

Enhanced Physical Security

The prototype protection objective requires stringent physical security:

  • Secured areas with access controls
  • Visitor management and escort procedures
  • Camera and photography restrictions
  • Prototype tracking and inventory
  • Transportation security
  • Disposal security for prototype materials

Balancing Security and Operations

We implement prototype protection controls that satisfy TISAX requirements while maintaining operational efficiency and collaborative development processes with automotive clients.

Data Protection Compliance

GDPR Article 28 Requirements

The data protection objective addresses processor obligations:

  • Processing agreements and documentation
  • Technical and organizational measures
  • Sub-processor management
  • Data subject rights procedures
  • Data breach notification processes
  • International data transfer safeguards

Achieve TISAX Certification Efficiently

TISAX certification protects your automotive business relationships and demonstrates information security commitment. Our automotive industry expertise ensures efficient certification and sustained compliance.

FAQs

What exactly is TISAX?

It is a maturity-based cybersecurity framework developed by the German Association of the Automotive Industry (VDA) and managed by the ENX Association. It allows automotive suppliers and service providers to demonstrate their information security capabilities to original equipment manufacturers (OEMs) through a single, shared assessment.

Is TISAX a legal requirement?

How does TISAX differ from ISO 27001?

What are the Assessment Levels (AL)?

How long is a TISAX label valid?
