
TISAX


What is TISAX®?

TISAX® is a cross-organisational assessment and exchange procedure for information security in the automotive industry. It focuses on the protection of data, its integrity and availability throughout the manufacturing process and during the operation of vehicles. 

This is achieved through an Information Security Management System (ISMS) analogous to the ISO 27001 standard. Based on this standard, the VDA has developed the specific ISA requirements and assessment catalogue for the automotive sector. 

The effectiveness of an ISMS can be demonstrated through assessments against the VDA-ISA. Upon successful testing, e.g. by TÜV NORD, ENX* – the administrator of the TISAX® programme – issues a TISAX® label in its database. This is recognised and required by all VDA members and vehicle manufacturers such as Audi, Volkswagen and BMW. 


How does TISAX® work?

Participants in the TISAX® process exchange information on the status of information security via a shared online portal. Registration on the portal is mandatory for participation in a TISAX® process. In addition to the exchange of assessment data, the portal also enables participants to contact audit service providers. Within the exchange model, there are two roles that each company can assume as required.

Passive participants include, for example, vehicle manufacturers. They require another company (e.g. a supplier) to provide evidence of specific TISAX® labels, which means that company undergoes an assessment against the appropriate audit objectives, and they request access to the audit results.

Active participants or auditees include, for example, suppliers: a company is either requested by another company (e.g. an OEM or car manufacturer) to undergo an audit against the criteria catalogue, or it undergoes an audit on its own initiative. Once the audit has been completed, the active participant decides who within the TISAX® network is granted access to its audit results.

Target group

  • Vehicle manufacturers
  • Suppliers and service providers to car manufacturers and suppliers


Benefits of a TISAX® certification

  • The test criteria are relevant to the automotive industry
  • The quality and results of the testing are consistent and of a high standard
  • The testing and reporting procedures are standardised
  • The comparability and significance of the results are high
  • Duplicate and multiple checks are avoided
  • A risk management system is established and risks are reduced
  • There is broad acceptance within the automotive sector
  • There is a consistent focus on customer needs

Process of a TISAX® certification audit

  1. Online registration on the ENX platform
  2. Selection and appointment of an inspection service provider (TÜV NORD)
  3. Arranging appointments with auditors & providing documentation
  4. Stage 1 audit: Focus on documentation review
  5. Stage 2 audit: Focus on processes and interviews with stakeholders
  6. Management of deviations
  7. Making the label available on the ENX platform

The TISAX® process essentially consists of three phases: registration, assessment and exchange. Would you like to find out in detail how you can navigate these three phases? Our guide, ‘How do TISAX® assessments work?’, will help you understand the entire process.


How do TISAX® assessments work?

The ENX Association, as the operator of the TISAX® programme, has clearly defined the levels and scope of the assessments. TISAX® distinguishes between three different protection classes and assessment levels against which an organisation can be assessed. These assessment objectives depend on the level of protection required for the information.

 

Assessment Levels

Assessment Level 1 is intended for standard security requirements. The auditee can carry out the assessment as a self-assessment.

Assessment Level 2 is aimed at suppliers and service providers with high security requirements. A prerequisite for this is the submission of a complete self-assessment. The audit provider then carries out the following steps:

  • Kick-off meeting
  • Completeness and plausibility check of the self-assessment and corresponding evidence
  • Telephone interview with those responsible for the Information Security Management System (ISMS) based on the plausibility check, or an on-site audit where third parties are involved and/or prototype protection is required

Assessment Level 3 applies to very high security requirements. An audit provider (TISAX® AP) must also be involved here, and a complete self-assessment must be submitted. The subsequent audit steps are similar to those for Assessment Level 2, except that key aspects are examined during an on-site audit.

  • Opening meeting
  • Checking the completeness and plausibility of the self-assessment and supporting evidence
  • Assessment of the effectiveness and maturity of the ISMS through an on-site audit with the parties involved (on-site expert interviews, inspection of relevant areas and premises) 

Following the assessments, the results and the requirements for corrective actions are summarised in a preliminary report. Where corrective actions are required, two further audit steps are needed to obtain a TISAX® label:

  • Development of a corrective action plan by the auditee and evaluation by the accredited audit service provider – TISAX® Audit Provider (TISAX® AP).
  • Implementation of the corrective actions by the auditee and evaluation of the effectiveness of the measures by the TISAX® AP. 

Frequently asked questions

FAQ on TISAX® assessments

TISAX® stands for Trusted Information Security Assessment Exchange and describes an assessment and exchange process for information security in the automotive industry.

Only audit service providers approved by ENX for this purpose (TISAX® AP) are permitted to carry out TISAX® assessments. TÜV NORD CERT is ENX’s contractual partner for this purpose.

Developed by the German Association of the Automotive Industry (VDA), TISAX® is managed by the ENX Association, which monitors the quality of the assessments and their results.

The scope and duration of the TISAX® audit are primarily determined by the agreed audit objectives, the maturity and complexity of the ISMS, and the number of sites to be audited.

A fixed period of nine months is available from the closing meeting (concluding meeting of the initial assessment) until the completion of the entire assessment process (including verification of the successful implementation of any necessary corrective measures). If this deadline cannot be met, the process must be restarted from the beginning. After three years (the validity period of the TISAX® label), the process must be repeated.

All suppliers and service providers to car manufacturers and their suppliers who process sensitive information belonging to those organisations should have an interest in participating in TISAX®. On the one hand, this enables them to meet their customers’ requirements. On the other hand, it means they avoid having to undergo the same audits repeatedly at the hands of their customers. This is because clients regularly require their suppliers to provide evidence that they meet information security requirements.

To receive a quote for a TISAX® audit, interested parties must first register on the ENX portal and provide the relevant information. Please contact us if you would like us to assist you with the quote request process.

Companies can gain access to the TISAX® portal, which facilitates the exchange of assessment data, by registering as a participant. This is a prerequisite for commissioning an assessment from an assessment provider (TISAX® AP) such as TÜV NORD.

ENX has compiled detailed information on TISAX® in a participant handbook available on its website.

TISAX® assessments with TÜV NORD

TÜV NORD is your trusted partner when it comes to the quality of your Information Security Management System (ISMS). We have been accredited by the German Accreditation Body (DAkkS) for the auditing and certification of ISMS for many years. Specifically for the automotive sector, TÜV NORD is approved by the ENX Association as a TISAX® Audit Provider (TISAX® AP) and can carry out assessments worldwide.

*Note: TÜV NORD CERT GmbH is authorised by ENX to offer TISAX® audit services. The brands and trademarks associated with the TISAX® programme, as well as the associated intellectual property, belong to ENX.

Expert, international, TÜV NORD CERT

TÜV NORD CERT GmbH

TÜV NORD CERT is an internationally recognised and reliable partner for testing and certification services. Our experts and auditors possess in-depth knowledge and are all permanently employed by TÜV NORD. This ensures independence, impartiality and continuity in the support we provide to our clients. The benefit for you is clear: our auditors accompany and support the development of your business and provide you with objective feedback.