#1 Manufacturing Glossary - SYMESTIC

TISAX in the Automotive Industry

Written by Symestic | Feb 26, 2026 12:11:06 PM

TISAX (Trusted Information Security Assessment Exchange) is a standardized assessment and exchange mechanism for information security in the automotive sector. Developed by the German Association of the Automotive Industry (VDA) and operated by the ENX Association, TISAX allows for a single, industry-wide security assessment. The results can be shared securely with multiple OEMs and Tier-1 suppliers, eliminating the need for redundant audits by every business partner.

For automotive suppliers today, TISAX is no longer a "nice-to-have." If you process sensitive data from OEMs like BMW, Mercedes-Benz, Volkswagen, or Porsche, a valid TISAX Label is a mandatory prerequisite for awarding contracts.

TISAX vs. ISO 27001: What’s the Difference?

While ISO 27001 is the global standard for Information Security Management Systems (ISMS), TISAX is built specifically for the automotive world. It is based on the VDA ISA (Information Security Assessment)—a catalog that uses ISO/IEC 27001 as a foundation but adds industry-specific requirements:

  • Prototype Protection: Physical and digital security for future vehicle models.
  • In-Vehicle Data Protection: Specific privacy standards for connected cars.
  • Supply Chain Rigor: Enhanced focus on sub-supplier management.

An ISO 27001 certificate does not replace a TISAX Label. Both can coexist, but TISAX is the currency required by automotive procurement.

The Three TISAX Assessment Levels

TISAX categorizes audits into three levels, depending on the sensitivity of the information involved:

  1. Level 1 (Self-Assessment): A self-assessment without external verification. Rarely accepted by OEMs; usually insufficient for production-related data.
  2. Level 2 (Plausibility Check): An accredited audit provider performs a remote "plausibility check" of your self-assessment. Standard for information with a "normal" protection requirement.
  3. Level 3 (Full On-Site Audit): A comprehensive on-site inspection by an accredited auditor. Mandatory for high-security data, such as prototype designs, highly sensitive PII (Personally Identifiable Information), or high-risk business data.

The OEM defines which level a supplier must achieve based on the data shared.

What is Evaluated in a TISAX Assessment?

The VDA ISA catalog covers several domains:

  • Organization & Management: ISMS structure and responsibilities.
  • Physical Security: Access control to buildings and server rooms.
  • IT Security: Identity and Access Management (IAM), encryption, and patch management.
  • Business Continuity: Incident response and disaster recovery plans.
  • Prototype Protection: Specialized controls for areas where new models are developed or manufactured.

Auditors rate the maturity level of each control on a scale of 0 to 5. A label is granted only if all "Must" requirements are met and no critical non-conformities remain.

The Role of Production Systems (MES/OT) in TISAX

A common mistake among suppliers is excluding the shop floor from the TISAX scope. If production data, CAD models, or bill-of-materials (BOM) are processed on systems connected to the shop floor, those systems are in scope.

Concretely, if your MES (Manufacturing Execution System) handles OEM-related work orders or quality data, its access controls, logging, and update management become part of the audit. Cloud-native MES solutions with documented security concepts, Role-Based Access Control (RBAC), and ISO 27001-compliant hosting offer significant structural advantages over legacy on-premise solutions during a TISAX assessment.

FAQ

Is TISAX mandatory for all suppliers? Legally, no. Factually, yes. Most major OEMs and Tier-1s will not award new business to a supplier who cannot provide the required TISAX Label.

How long is a TISAX Label valid? Three years. After that, a full re-assessment is required. Significant changes in scope (e.g., new locations) may trigger an earlier audit.

What are the costs? Costs vary by company size and assessment level. For a mid-sized company (one site, Level 2), expect a mid-to-high five-figure sum when including internal prep, external audit fees, and potential remediation measures.

TISAX vs. VDA ISA? The VDA ISA is the checklist (the content). TISAX is the exchange platform and process (the framework for sharing results). The current version is VDA ISA 6.0.
View full post